

Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center Stage in 2016

December 15, 2016 / Threat Research Team

Click here to download the full report.


In 2014, dubbed “the year of the data breach,” we saw cyber security escalate in the public’s consciousness. High-profile attacks thrust cyber security into the spotlight and forced executives, boards and consumers to take notice like never before.


As a result, 2015 saw significant increases in cyber-security investments. However, major hacks continued to hit a number of high-profile targets, ranging from Ashley Madison to Anthem and from OPM to the IRS. The notion that increased investments had curbed attacks was dashed as virtually every American was touched in some way by a cyber attack in 2015.


This unsettling trend continued in 2016. Major attacks against SWIFT, LinkedIn, Yahoo!, Oracle and the NSA made headlines at a blistering pace. Details emerged about how attackers took control of industrial control systems at three power plants in the Ukraine. Most notably, politically motivated attacks muddied the 2016 U.S. election as voter databases, electronic voting machines and the candidates themselves came under fire, seeding doubt in America’s democracy.

According to Carbon Black data, attackers are holding data for ransom at an alarming rate and are continuing to deploy attacks across every industry. In conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent within organizations’ enterprises.

Non-Malware Attacks

These non-malware attacks can gain control of computers without downloading any files. They use trusted, native operating system tools (such as PowerShell) and exploit running applications (such as web browsers and Office applications) to conduct malicious behavior.

Some leading attack campaigns in 2016, including PowerWare and the alleged hack against the Democratic National Committee (DNC), leveraged non-malware attack vectors to carry out nefarious actions.

As organizations plan to defend their enterprises against ransomware and non-malware attacks in 2017, it’s critical to understand the scope of the problem.

For its end-of-year threat report, Carbon Black analyzed more than a thousand of its most targeted customers (representing more than 2.5 million endpoints) to understand the prevalence and growth of attacks. For the purposes of investigating non-malware attacks, Carbon Black focused on instances of PowerShell and WMI used for malicious intent.

Research Highlights

  • Instances of severe non-malware attacks grew throughout 2016. Over a 90-day period, about one-third of organizations are likely to encounter at least one severe, non-malware attack, according to our research.


  • Instances of non-malware attacks leveraging PowerShell and Windows Management Instrumentation (WMI) grew throughout 2016. Such attacks spiked by more than 90% in the second quarter of this year (+93.2%) and have stayed at escalated levels since.


  • In 2016, ransomware instances grew by more than 50% over 2015.


  • Ransomware is on track to be an $850 million crime in 2016, according to FBI data. That’s a substantial increase from 2015, when ransomware was a “mere” $24 million crime.
  • Ransomware has emerged as the fastest-growing malware across all industries in 2016, with major percentage increases seen at technology companies, energy/utility companies and banking organizations when compared to 2015.


  • When considering the total amount of ransomware seen this year, manufacturing
    companies (16% of total ransomware instances), utility/energy companies (15.4% of all
    ransomware instances) and technology companies (12.6% of all ransomware instances) led the way.
  • “Locky” emerged as the go-to ransomware family of 2016, used in 1 out of every 4
    ransomware-based attacks.
  • The top five ransomware families seen in 2016 were Locky, CryptoWall, CryptXXX,
    Bitman and Onion (CTB Locker).



  • While ransomware continues to generate headlines, it is still only a piece of the overall
    malware scope. Even with its rapid growth, ransomware still only accounts for 2% of
    total malware seen in 2016. In the graphic below, Locky, which was the most prevalent
    ransomware family seen in 2016 according to Carbon Black data, ranks 13th when stacked
    against other types of malware.




  • Overall, malware continues to target every industry with manufacturing companies (21.8%
    of total malware), non-profit organizations (16.4% of total malware), and utility/energy
    companies (15.6% of total malware) leading the way in 2016.


To view the report in its entirety, including security recommendations for ransomware, what a typical ransomware attack looks like, and security predictions for 2017, click the image below.


Additionally, to learn more on how to defend against non-malware attacks, view the recorded webinar: “The Rise of Malware-Less Attacks: How Can Endpoint Security Keep Up?”
