2016 brought us more traffic than ever, and with that, we identified and protected our customers from a barrage of new attacks, threats, and actors. Understanding these evolutions is paramount to a strong defense. In this post we will visualize and summarize some of the biggest threats highlighted in the Cisco Annual Cybersecurity Report (ACR).

To create these visualizations, we selected a number of domains that we have tagged as the particular threat, then used the Investigate API to pivot across co-occurring domains, IP addresses, file hashes, registrant information and other attributes to build a graph of their relationships. Finally, we used OpenGraphiti to visualize these graphs and uncover their structure. The end results are the intriguing visualizations below.

Red nodes are known-blacklisted domains, gray nodes are often benign domains, green nodes are popular known good domains, orange are IP addresses, and blue nodes are file hashes. The pulses indicate DNS traffic between nodes. Nodes with rings around them are the seed domains we initially pivoted on. In some cases we may have chosen to recolor certain nodes in order to provide a clearer visualization, or to emphasize a particular relationship.
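The pivot-and-colour process described above can be sketched as a breadth-first expansion from the seed domains. This is an added example, not the authors' tooling: the `PIVOTS` table, the relation labels and every domain, IP and hash in it are constructed stand-ins for enrichment lookups, and no real Investigate API response is modelled.

```python
from collections import deque

# Constructed pivot data standing in for enrichment lookups; every name is made up.
PIVOTS = {
    "seed-a.example": {"cooccur": ["drop-b.example", "cdn.example"],
                       "ip": ["192.0.2.10"], "hash": ["hash-0001"]},
    "drop-b.example": {"cooccur": ["seed-a.example"],
                       "ip": ["192.0.2.10", "192.0.2.11"]},
    "cdn.example": {"ip": ["198.51.100.5"]},
    "192.0.2.11": {"hosts": ["keygen-c.example"]},
}
BLOCKED = {"seed-a.example", "drop-b.example", "keygen-c.example"}
POPULAR = {"cdn.example"}
KIND = {"cooccur": "domain", "hosts": "domain", "ip": "ip", "hash": "hash"}

def colour(name, kind):
    """Apply the legend: orange IPs, blue hashes, red/green/gray domains."""
    if kind != "domain":
        return "orange" if kind == "ip" else "blue"
    return "red" if name in BLOCKED else "green" if name in POPULAR else "gray"

def build_graph(seeds, max_depth):
    """Breadth-first pivot from the seeds, stopping max_depth hops out."""
    nodes = {s: {"kind": "domain", "colour": colour(s, "domain"), "seed": True}
             for s in seeds}
    edges, queue = set(), deque((s, 0) for s in seeds)
    while queue:
        name, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for relation, targets in PIVOTS.get(name, {}).items():
            for target in targets:
                edges.add(tuple(sorted((name, target))))  # undirected edge
                if target not in nodes:
                    kind = KIND[relation]
                    nodes[target] = {"kind": kind, "colour": colour(target, kind), "seed": False}
                    queue.append((target, depth + 1))
    return nodes, edges

def shared_ips(nodes, edges):
    """IPs linked to two or more blocked (red) domains: shared infrastructure."""
    hits = {}
    for a, b in edges:
        for ip, dom in ((a, b), (b, a)):
            if nodes[ip]["kind"] == "ip" and nodes[dom]["colour"] == "red":
                hits.setdefault(ip, []).append(dom)
    return {ip: sorted(doms) for ip, doms in hits.items() if len(doms) >= 2}

nodes, edges = build_graph(["seed-a.example"], max_depth=3)
print(shared_ips(nodes, edges))
```

Raising `max_depth` from 2 to 3 is what brings the constructed `keygen-c.example` host into view, which is why pivot depth matters when looking for tightly interconnected clusters.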


Without a doubt, Locky was one of the noisiest threats of the past year. This commodity ransomware can be built and distributed by any ambitious tech-savvy criminal due to continued Ransomware as a Service (RaaS) offerings. Campaigns involving Locky often used Necurs to aggressively email its broad range of targets with attachments containing droppers or links to download sites. On one day in late 2016, one of our mailboxes saw Locky in one-third of all email it received. Throughout the year, attackers modified the file extension used after a file was encrypted, resulting in a number of mythology-inspired variants. Every week resulted in a new variant, until it reached meme level. The degradation of file extensions started on theme with Zepto, Odin, Thor, Aesir and Osiris but then plummeted quickly with extensions like ZZZZ and S**T.

This visualization has an interesting structure that looks somewhat like a skeleton key if you squint at it the right way. We chose this key imagery to symbolize the use of public/private keys by ransomware like Locky. Once the system is infected, the malware communicates back to an attacker-controlled server to retrieve the key it will use to encrypt the data it will ultimately hold for ransom. The cluster of red nodes at the tip of the key shows the tightly interconnected structure of the domains used to host malware and generate keys.



On board with the memo about the mythology naming convention, Cerber entered the Ransomware-as-a-Service scene in early 2016 with a splash. It quickly gained adoption and began to be distributed using popular exploit kits after toting offline encryption capabilities, a refusal to infect certain Eastern European/Northern Central Asia countries, and a mature approach to infection and evasion. Later improvements targeting databases indicate its creator’s vision is to target bigger companies who can pay out more – after all, from the criminal’s perspective, many organizations are getting off easy with a $500 USD ransom.

Our visualization of Cerber is focused around one registrant. This registrant has 57 registered domains, of which 46 are associated with Cerber. Visualizing these domains and their connections reveals the actor’s infrastructure and how it’s used to host Cerber and other malware.


Nemucod, a JavaScript downloader, played an important role throughout the year by achieving a foothold for further infection on the target’s system. Its size made it lightweight enough for use as an email attachment and regular obfuscation/encapsulation changes made it often successful in bypassing detection systems. Nemucod jumpstarted the infection by retrieving and executing the primary payload of the actor. This is most commonly ransomware such as Locky, but has also been used with adware and ad-clicking malware like Miuref, Kovter, and Diplugem.


Dridex is no stranger to top threat lists since the banking trojan and botnet first popped up in 2012. Infections rose steadily until 2015, when an international law enforcement operation resulted in the arrest of a key figure in its administration. That didn’t stop Dridex, though: it continued to infect and enroll users into its botnet throughout 2016. Dridex is most widely known for its ability to inject into various web browsers to steal user credentials and take screenshots of banking websites. Its campaigns were among the first to weaponize Office document macros in email attachments for early-stage infection.


GozNym, also known as Kryptik, has a checkered history. The malware was the result of the merger of an advanced banking trojan whose source code was leaked publicly and a downloader. Like Dridex, GozNym aimed to compromise infected users’ banking credentials. GozNym leveraged some of the most refined and tailored macro-enabled Word documents as the initial downloader. Once the malware was executed, it employed an impressive array of anti-detection and advanced runtime techniques, using return-oriented programming to execute functionality using already loaded modules.


The themes shared among these threats highlight the procedural trends actors continue to evolve year over year. We saw these trends play out before 2016, and we’ll undoubtedly see them continue through 2017.

Sent As An Email Attachment

Each of these threats is distributed via email as attachments. Locky and Cerber are distributed broadly, while Kryptik and Dridex are often targeted. While exploit kits are also used to distribute these threats, email is still a very widely used distribution method.


Attachments mirror Nemucod in that they act as downloaders to retrieve malware and infect their target. The downloaders are usually written in JavaScript and VBScript, and often enclosed within a macro-enabled Office document or Zip file. They contact a hardcoded address to download the malicious executable containing the payload.

Reliance on External Systems

All of these threats also use a communication channel back to a system other than the download location for various purposes. Ransomware needs to fetch its encryption keys, while the banking trojans use a command and control channel for issuing remote commands. The banking trojan may also redirect web traffic to imposter banking websites for credential collection.

Targeting Windows

All of these threats target the Windows operating system. While malware does exist for other operating systems and some malware, like Adwind RAT, is written to be cross-platform, Windows still remains the primary target of most malware. This is likely due to its market share, specifically the dependence of businesses on it.

2017 and Beyond!

With 2017 underway, we are looking forward to new threats, themes and, of course, visualizations! We would love to hear what you think and the latest threats that you are visualizing.
