The most dangerous viruses of 2016

2016 is coming to an end, and the 2-Spyware team is ready to overview the most dangerous viruses that emerged this year. Sadly, all these viruses are still widespread, and this situation is unlikely to change soon. There is no doubt that today’s Internet space is more dangerous than ever before, considering that 2016’s most prominent viruses were ransomware[1], tech support scam malware, data-stealing trojans and of course never-ending strains of adware and browser hijackers. There is no wonder why more and more virtual security threats appear – technology rapidly evolves, and so smart devices play one of the most important roles in our lives nowadays. Since we all store more or less private and valuable information on our computers and smart devices, use social media and share files using the world wide web, cybercrime industry grows[2] and brings the perpetrators enormous profits without much risk of capture. We would like to provide a list of prevailing and the most dangerous viruses of 2016, which are likely to be active in 2017 as well.

2016 Most dangerous viruses. Report by 2Spyware team

10. CrySiS ransomware virus. In 2016, we have seen a very successful example of a ransomware virus. CrySiS virus had hundreds of different versions, and all of them appeared to be professionally programmed malicious programs that encrypted files with a combination of AES and RSA ciphers[3]. It is easy to recognize CrySiS malware because it always stamps filenames with a very long extension, which consists of [Original filename].id-[Victim’s ID].[culprit’s email address].xtbl. However, at the beginning of November, an anonymous has leaked CrySiS decryption keys in an online forum, and CrySiS decryption software soon emerged. However, authors of this ransomware project continue to release new and updated ransomware versions.

9. DNS Unlocker adware. This potentially unwanted program (PUP) is a very aggressive, nerve-racking and also difficult to eliminate computer parasite that fills every website with DNS Unlocker ads. This PUP inserts banners, opens new tabs or windows to load various sponsored content. Sometimes victims can no longer use infected browsers because this adware simply makes them crash shortly after launching them. The newest version of DNS Unlocker virus can infect Android, and iOS devices.

8. virus. It is a browser hijacker, also known as browser redirect virus. This shady program promotes search engine, which is considered highly suspicious. Unlike regular search engines, it might force you to visit affiliate websites by simply redirecting you to them. It can happen after clicking on one of search results, or on one of the shortcuts available on its main page. Visits to these affiliate websites can cause a lot of problems for the computer user because these sites are likely to be dangerous (for instance, promote rogue programs or updates). redirect virus infects the main web browsers and makes them respond slowly or even crash sometimes. Unlike other browser hijackers, this one is stubborn and cannot be removed that easily.

7. virus. browser hijacker is yet another browser redirect virus that has been actively distributed online in 2016. Although it cannot compete with critical viruses like ransomware, it is one of the most widespread browser hijackers that causes a headache for many computer users. This parasite tends to sneak into computer systems when bundled with free programs that unsuspecting users install. It changes the search engine, homepage and new tab settings in browsers that it infects, and, just like Delta-Homes hijacker, promotes questionable websites by causing redirections to them.

6. “Your Computer Has Been Blocked” virus. There are two viruses that share the same name. One of them is a screenlocker-type ransomware, which blocks access to the computer and accuses the victim of violating laws of USA. The virus displays a full-screen message filled with information about infringements that the victim has ostensibly committed. However, a better-known version of this virus decsribes the vast majority of Tech Support Scam viruses, which display a message via victim’s web browser, saying “Your Computer Has Been Blocked” and asking to call tech support scammers. Such false alerts are often filled with fake reports about non-existent computer infections, data breaches, and other problems that only certified “technicians” can fix.

5. Tech Support Scam virus. Tech support scams evolve and become more sophisticated – nowadays they use malware to convince victims to call them, instead of calling random people daily. Typical tech support scam viruses display annoying warning messages via victim’s web browsers, urging to call “certified Microsoft technicians” for help due to fake reasons. Alerts that such malware displays traditionally try to scare the victim by stating that the system is infected with viruses such as Zeus, that personal data can be lost and that there are hundreds of other security issues that the user needs to take care of immediately. Such viruses always provide a “toll-free” tech support scam number and ask the victim to call them. Then they try to sell useless software or convince the victim to give them remote access to the computer.

4. Facebook virus. The social media giant remains to be the top target for frauds who want to deceive naive people. One of the latest Facebook viruses used to infect accounts and use them to send out dozens of private messages or publish posts containing a malicious link to a “Private Video.” This link led to a site that urged the victim to install a malicious plugin “in order to watch the video.” However, a new Facebook virus strain has been spotted in 2016. Nowadays, scammers create fake phishing Facebook pages, called Ads-Info, Team Advert or similarly, and use them to repost posts of random Facebook users or pages. Scammers add a comment to such posts: “Your page will be unpublished!”[4] and ask the victim to verify the account via a provided link. The link leads to a professionally crafted phishing site that asks to enter Facebook login details. As soon as the victim enters the required data, scammers hack the account.

3. Zepto ransomware virus. Zepto is one of the earlier Locky virus’ variants, and it has a achieved huge success so far. This ransomware example was distributed in a form of JS or Word file and managed to easily infect unprotected systems. The virus encrypts all files with a combo of RSA-2048 and AES-128 ciphers, adds .zepto extensions to their names and then drops a ransom note called _HELP_instructions.html, which contains instructions on how to access personal payment page that offers Locky Decrypter[5]. The price of the decryptor varies from 0.5 BTC to 4 BTC. Sadly, no one managed to create an antidote for Zepto’s poison yet.

2. Cerber ransomware virus. Cerber is one of the top dangerous crypto-ransomware viruses nowadays, which is known as the “speaking ransomware.”[6] While the first and the second Cerber versions contained flaws that allowed malware researchers to create free decryption tools, subsequent versions appeared to be undefeatable. Authors of this fearsome ransomware project release new virus’ version once in a while, and currently, there are nine known versions of it, and 5 of them are modifications of the Cerber v4.0 ransomware. The virus recently started proliferating with the help of a new technique that contributes to disseminating the virus using Google and Tor2Web proxies[7]. One thing can be said about this ransomware – it evolves rapidly, its authors change distribution techniques and makes slight alterations to virus’ code frequently to inhibit malware researchers to analyse the new versions properly.

1. Locky ransomware virus. This virus shook the entire virtual world community in the beginning of 2016. We’ve seen this ransomware evolving, and eventually, it became the most dangerous virus of 2016. Its authors seem to be fans of Norse mythology, as it uses names of major Norse gods for new Locky versions, for example, Odin, Thor, Aesir, and others. Locky can be called an “ever-evolving” virus, as it changes over time and shows more and more new features. Locky malware received a lot of attention because it demonstrated an unique infiltration method – it used to infect computers via Word documents that required to enable Macros function, which activated the malicious code and downloaded the ransomware into the computer[8]. Locky virus has been spotted in obfuscated .xlsx, .docm, .js, .lnk files and has been spread with the help of exploit kits like Nemucod, Bizarro Sundown, and RIG. The latest Locky’s example is known under Osiris name, but unfortunately, the chances are high that we will see more variants in 2017.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

Read in other languages