We recently released our global Cloud Report as well as our Europe, Middle East and Africa version, highlighting cloud activity from January through March of 2016. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, top policy violations, and other cloud security findings from across our customers using the Netskope Active Platform, including by industry. Netskope is the only Cloud Access Security Broker (CASB) that reports at this level of granularity on cloud app activities, data violations, and policy infractions across sanctioned and unsanctioned apps worldwide.
This report took up where we left off last quarter on our cloud malware research, in which we found that 4.1 percent of enterprises’ sanctioned apps are laced with malware. This quarter that number has risen to 11.0 percent, or nearly triple since last quarter. This is before counting unsanctioned apps, which we are researching and will incorporate into future reports. When we do, we expect these numbers to increase dramatically. Beyond sharing volume of detections, this quarter’s report breaks down those malware into the following observed categories, several of which are known to be used to distribute or propagate ransomware:
- JavaScript exploits and droppers
- Microsoft Office macros
- Backdoors
- Mobile malware
- Spyware and Adware
- Mac malware
The malicious JavaScript files detected in our users shared cloud storage were generally highly obfuscated and contained either exploits, or more commonly downloaders. In the case of downloaders, these were usually the attachments that were received as a part of a phishing attack, and subsequently shared with peers of the victim in the cloud.
The trend of using JavaScript attachments in phishing attacks is something that has been supplementing the ongoing use of Microsoft Office macros in recent months. Upon receipt of these malicious JavaScript and Office attachments, many victims will share them in the cloud with their colleagues. Many of these would install ransomware such as Locky and TeslaCrypt on each victim’s endpoint.
We also rated discovered malware in terms of its severity based on the extent to which it affects user privacy and computer security and causes damage to files, computers, or networks. 73.5 percent of detected malware this quarter ranks “high” in terms of severity, with 8.3 percent “medium,” and 18.2 percent “low.”
Perhaps the most shocking is we found that 26.2 percent of discovered malware files had been shared, either internally (with one or more people inside of the organization), externally (with one or more people outside of the organization), or publicly (with a publicly-accessible link). Sync and share, two important capabilities that characterize the clo