
Ransomware Domains Increase 35 Fold in Q1 2016, According to the Infoblox DNS Threat Index

Explosion in ransomware drives all-time high in malicious domain creation

Infoblox Inc. (NYSE:BLOX), the network control company, today released the Infoblox DNS Threat Index for the first quarter of 2016, highlighting a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015. This dramatic uptick helped propel the overall threat index, which measures creation of malicious Domain Name System (DNS) infrastructure including malware, exploit kits, phishing, and other threats, to its highest level ever.

Ransomware is a relatively brazen attack where a malware infection is used to seize data by encrypting it, and then payment is demanded for the decryption key. According to Rod Rasmussen, vice president of cybersecurity at Infoblox, “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises. The threat index shows cybercriminals rushing to take advantage of this opportunity.”

The FBI recently revealed that ransomware victims in the United States reported costs of $209 million in the first quarter of 2016, compared to $24 million for all of 2015. High-profile Q1 ransomware incidents include the February 2016 attack on Hollywood Presbyterian Medical Center in Los Angeles and the March 2016 breach at MedStar Health in Washington D.C.

Record Number of New Malicious Domains

The Infoblox DNS Threat Index hit an all-time high of 137 in Q1 2016, rising 7 percent from an already elevated level of 128 in the prior quarter, and topping the previous record of 133 established in Q2 2015. The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

Five New Countries Top List of Those Hosting Malicious Domains

The United States continues to be the top host for newly created or exploited malicious domains, accounting for 41 percent of the observations, a significant drop from last quarter’s 72 percent lion’s share. Five other countries saw major increases in activity, each accounting for the following share of Q1 observations:

  • Portugal—17 percent
  • Russian Federation—12 percent
  • Netherlands—10 percent
  • United Kingdom—8 percent
  • Iceland—6 percent

Germany, which last quarter accounted for almost 20 percent of newly observed malicious domains and related infrastructure, nearly dropped off the list at less than 2 percent.

“Cybercriminals are as likely as anyone else to take advantage of sophisticated infrastructure, and all of the countries in this quarter’s list fit that description,” said Lars Harvey, vice president of security strategy at Infoblox. “But the geographic spread shows that much like cockroaches that scurry from the light, cybercriminals are quick to shift to a more advantageous location as needed.”

Exploit Kits Remain Top Threat

Exploit kits—toolkits for hire that make cybercrime easier by automating malware creation and delivery—remain the biggest threat, accounting for just over 50 percent of the overall index. As in past quarters, Angler remains the most used exploit kit, but a new contender has emerged from far back in the pack: observations of Neutrino grew by 300 percent. Angler is notorious for pioneering “domain shadowing,” in which attackers use stolen registrar credentials to create large numbers of short-lived subdomains under legitimate, long-registered domains; because reputation-based blocking typically judges the parent domain, which stays clean, the subdomains slip through. Angler is also known for placing malicious URLs in legitimate ad networks, so that visitors are redirected to pages that install malware even if they never click on the infected ads. Recent Neutrino campaigns have been observed delivering ransomware and related payloads including Locky, TeslaCrypt, CryptoLocker2, and Kovter.
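The following Python snippet illustrates why domain shadowing defeats apex-domain reputation and shows one heuristic for catching it in passive DNS data. It is an added example, not code from Infoblox or from the report this release summarizes. The passive-DNS records, the names under example.com and example.net, the IP addresses and the 30-day age threshold are all constructed for illustration, and the "last two labels" rule for the registered domain is a simplification of what production code would do with the Public Suffix List.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample passive-DNS records (not real observations):
# (first-seen timestamp, queried name, A-record answer).
# example.com plays the legitimate, long-registered domain whose registrar
# account has been compromised; the random-looking subdomains created weeks
# later point at hosts the domain owner does not control.
SAMPLE_PDNS = [
    ("2016-01-03T10:00:00", "example.com",        "93.184.216.34"),
    ("2016-01-03T10:00:01", "www.example.com",    "93.184.216.34"),
    ("2016-01-10T08:00:00", "example.net",        "192.0.2.10"),
    ("2016-01-10T08:00:00", "cdn.example.net",    "192.0.2.10"),
    ("2016-03-14T02:11:09", "kq8f2l.example.com", "198.51.100.23"),
    ("2016-03-14T02:11:12", "zx71pa.example.com", "198.51.100.23"),
    ("2016-03-14T02:12:40", "m3vv0d.example.com", "203.0.113.77"),
]

# A reputation list keyed on the registered (apex) domain, the way many
# blocklists are. The shadowed apex is not on it, so its subdomains pass.
BAD_APEX_DOMAINS = {"malicious-example.org"}  # constructed entry


def registered_domain(fqdn):
    """Registered domain by the crude 'last two labels' rule.

    Simplifying assumption for this example: real code must consult the
    Public Suffix List (e.g. 'foo.co.uk' has three labels in its apex).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def apex_reputation_verdict(fqdn, bad_apexes=BAD_APEX_DOMAINS):
    """Block decision made only on the apex domain's reputation.

    This is the weakness domain shadowing exploits: every subdomain
    inherits the clean verdict of its parent.
    """
    return "block" if registered_domain(fqdn) in bad_apexes else "allow"


def detect_shadowed_subdomains(records, min_age_days=30):
    """Flag subdomains that first appear long after their apex was first seen
    and resolve outside every /24 the apex itself resolves to.

    Returns the sorted list of suspicious fully qualified names.
    """
    first_seen = {}
    apex_nets = defaultdict(set)   # apex -> /24 networks of its own A records
    by_apex = defaultdict(list)    # apex -> [(name, first_seen, ip)]

    for ts, name, answer in records:
        name = name.lower().rstrip(".")
        when = datetime.fromisoformat(ts)
        first_seen[name] = min(first_seen.get(name, when), when)
        apex = registered_domain(name)
        by_apex[apex].append((name, when, ipaddress.ip_address(answer)))
        if name == apex:
            apex_nets[apex].add(
                ipaddress.ip_network(f"{answer}/24", strict=False))

    flagged = []
    for apex, entries in by_apex.items():
        if apex not in first_seen:
            continue  # never saw the apex itself; nothing to compare against
        apex_first = first_seen[apex]
        for name, when, ip in entries:
            if name == apex:
                continue
            age_days = (when - apex_first).days
            outside_apex_space = not any(ip in net for net in apex_nets[apex])
            if age_days >= min_age_days and outside_apex_space:
                flagged.append(name)
    return sorted(set(flagged))


if __name__ == "__main__":
    for name in ("www.example.com", "kq8f2l.example.com"):
        print(f"{name}: apex reputation says {apex_reputation_verdict(name)}")
    print("shadowing heuristic flags:", detect_shadowed_subdomains(SAMPLE_PDNS))
```

Both checks return "allow" for the random-looking subdomain, which is the point: a reputation system that only scores example.com cannot see that kq8f2l.example.com was minted two months after the apex and resolves into a different network. The heuristic is deliberately simple and will produce false positives for legitimate subdomains hosted elsewhere (third-party CDNs, hosted mail, SaaS vendors), so in practice it is a scoring signal to combine with first-seen age, the volume of new labels under one apex and the reputation of the answer IP, not a standalone block rule.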

About DNS and the Infoblox DNS Threat Index

DNS is the address book of the Internet, translating domain names such as into machine-readable Internet Protocol (IP) addresses such as Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

For more details about the Infoblox DNS Threat Index methodology and to read the full report for the first quarter of 2016, go to

About Infoblox

Infoblox (NYSE:BLOX) delivers critical network services that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox ( reduces the risk and complexity of networking.

Forward-looking and Cautionary Statements—Infoblox

Certain statements in this release are forward-looking statements, which involve a number of risks and uncertainties that could cause actual results to differ materially from those in such forward-looking statements. As such, this release is subject to the safe harbors created by U.S. Federal Securities Laws. The risks and uncertainties relating to these statements include, but are not limited to, risks that there may be design flaws in the company’s products, shifts in customer demand and the IT services market in general, shifts in strategic relationships, delays in the ability to deliver products, or announcements by competitors. These and other risks may be detailed from time to time in Infoblox’s periodic reports filed with the Securities and Exchange Commission, copies of which may be obtained from Infoblox is under no obligation to (and expressly disclaims any such obligation to) update or alter its forward-looking statements whether as a result of new information, future events, or otherwise.
