Zero-Hour Ransomware Virus Attack

With names like Locky, Teslacrypt, Cerber and Dridex, countless variants of dangerous ransomware and other viruses flooded email during 2016 in an attempt to overwhelm spam filters and antivirus scanners, or simply catch IT admins off guard. Here's what it looks like from our perspective as a global Cloud antispam service:

Massive Zero-Hour Ransomware and Virus Attack

If there was ever a reason to move your spam and virus filtering to a premium Cloud service with 24/7 analysis and zero-HOUR (not zero-day) blocking, this was it. Not doing so greatly increases the risk of serious damage to your company's infrastructure, bank accounts and more. Let's take a look at how the virus surge affected spam filtering during the year.

Ransomware Surge Analysis by Month

There was a big surge in dangerous email ransomware (like Locky and Cryptolocker) and other viruses, during most of 2016. It began in March and lasted pretty much unabated through December. This 10-month flood of malware can easily be seen by comparing the months in 2016 to those in 2015, which was a more typical year.

Massive Ransomware Attack with Monthly Analysis of Virus and Spam Filtering

This chart has three series of data. The pink areas are the number of messages blocked by our traditional virus scanning engine. That number increases dramatically in March 2106 in response to the wave of malware and remains very large the rest of the year. But that's only part of the story.

Almost all of the red areas are the number of messages blocked by our zero-hour pattern filtering. our Pattern-Matching filter normally catches only the few spam messages not blocked by the three Global filters before it (Blacklist, URL and Phrase). However, our analysts updated it during the surge to block malware that followed certain patterns. This turned out to be a very effective tool and helped us maintain our filtering performance despite this massive campaign.

Finally, the yellow columns show how many messages other SpamStopsHere filters blocked. Almost all of these would likely be considered spam.

This chart also shows how few emails with viruses there usually are compared to spam (e.g., phishing scams, CEO spam, pump and dumps, etc.). You can see the surge in email viruses by comparing each SpamStopsHere filter to the same one during 2015. However, beginning in March the number of viruses surged to sometimes more than spam email.

Spam and Virus Filter Performance

We also collect data on how many messages each filter blocks every day and can see the data daily, monthly or annually. This is useful for reviewing the relative load on each of our filters. The data for 2015 (lighter colors) vs. 2016 (darker colors) is shown in the column chart below.

Zero-Hour Ransomware, Virus and Spam Filtering

Let's take a closer look at each filter:

  • Custom Blacklists: The amount of mail blocked by custom blacklists did not increase much. That's not surprising as our customers tend to do very little filter tuning due to our high blocking and low false-positives rates.
  • Global Blacklists, URL and Phrase Filters: Our own global blacklisting saw a moderate spike, which looks like it's due to that filter picking up more of the work of two other standard filters (URL and Phrase), both of which blocked significantly less email in 2016.
  • Global Country Filter and Real-Time Blacklist: Also as is typical, the Country and RBL filters caught very little spam, as they are placed after our first three primary filters (Blacklist, URL and Phrase). By the time email reaches this point, almost all of the spam has been removed, and most of what's left are viruses.
  • Virus Scanning: Our virus scanning engine (Business Edition and up) blocked much more in 2016 than 2015. However, the volume remained low compared to other filters. That's probably due to the rapidly-changing nature of the virus campaigns, especially ransomware. This shows that traditional antivirus is not very good at detecting such threats anymore. We're not saying to dump your virus scanner. Just make sure you have better tools than that, like premium Cloud-based filtering; which brings us to our pattern filter...
  • Pattern Filter: Our highly proprietary Pattern Filter detects tricks that spammers employ in order to fool typical spam filtering. During ordinary years (like 2015), the pattern filter doesn't catch a lot of spam, as it falls in line after our powerful Blacklist, URL and Phrase filters. But it does catch most of the rest of the spam that the others don't. However, in 2016, our threat analysts employed some clever techniques and used the pattern filter to detect huge amounts of the ransomware that began to surge in March. This became a very effective malware blocker, as you can see. This is a good example of the kind of expertise required to block today's very dangerous malware.
  • Optional Filters: This is a long list of highly specialized filters that customers can enable. These tend to be useful in special circumstances, so they aren't used much.
  • SPF and Custom Filters: SPF checking and custom customer filters only block a tiny amount of spam and viruses.


2016 was a very strange year for spam and virus filtering. However, our 24/7 professional analysts were able to keep up with the rapidly changing ransomware and other campaigns. If you're still relying on traditional (especially installed) virus scanning to protect your business, you should consider adding premium antispam and antivirus like SpamStopsHere that has a global view and can update every few minutes 24/7/365. The threats are very real, very dangerous, and can easily overwhelm a company's IT staff.

Try SpamStopsHere FREE for 30 days and leave the filtering to us.