Ransomware operators’ strategies evolve as attacks increase


Security researchers have found that ransomware operators now rely less on email and more on criminal groups for initial access to target networks.

New research shows that corporate email inboxes remain an important target for many cybercriminals, but as defensive tools improve, ransomware operators are looking for new ways into corporate networks.

Ransomware attackers have begun to rely on criminal groups (mainly banking Trojan distributors) to deploy their malware. These so-called “access facilitators” use malicious links and attachments sent via email to plant backdoors on victims. Proofpoint reports that once they have penetrated a target, these attackers can sell their access to ransomware groups for profit.

The security company’s threat research team analyzed data from 2013 to the present to understand trends around ransomware and email as an access medium. Researchers found that prior to 2015, the incidence of ransomware sent directly to victims via email attachments or links was “relatively low and consistent,” after which such attacks began to soar. For example, Locky was distributed in 1 million messages per day in 2017 before its operations ceased.

As attackers shifted from delivering ransomware directly by email to deploying an initial loader, these “first-stage” ransomware campaigns dropped sharply in 2018. There are several reasons for this change: improved threat detection, limited payouts from individually encrypted machines, and the rise of wormable and human-operated threats capable of far greater destruction.

“Many IT and information security teams in corporate environments can quickly adapt to handling ransomware incidents on a single laptop or host, treating it in some respects as stolen hardware, just reformatting and moving on,” explained Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware groups did not get the rewards they hoped for, and reconsidered their strategy.

“Threat actors moved to the downloader as the first stage to give themselves more choices and flexibility,” she continued. “This is a natural evolution.” Nowadays, ransomware is rarely distributed directly via email: the researchers point out in a new report that between 2020 and 2021, a single strain accounted for 95% of the ransomware delivered as a first-stage email payload.

Banking Trojans were the most popular malware spread via email in the first half of 2021, accounting for nearly 20% of the malware observed by Proofpoint. Criminal groups that spread banking Trojans may also be part of ransomware affiliate networks; researchers are currently tracking at least 10 attack groups that act as initial access facilitators or likely ransomware affiliates.

Malware and attack groups of note
Prior to its takedown earlier this year, Emotet was a major distributor of malware and led to ransomware infections between 2018 and 2020. Since the takedown, researchers have seen The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware used as first-stage payloads that attempt follow-on infections, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are often used as the initial vector for ransomware. In the past six months, Proofpoint has observed nearly 300 downloader campaigns distributing nearly 6 million malicious messages.

Their findings reveal overlap between threat groups, malware, and ransomware deployments. For example, Conti ransomware has been associated with first-stage loaders including Buer, The Trick, Zloader, and IcedID. Similarly, the IcedID loader is also associated with the Sodinokibi, Maze, and Egregor ransomware families.

High-volume attack groups that use this strategy include those tracked as TA800, TA577, and TA570, although many other attackers are also outlined in the researchers’ blog post. For example, TA577 has been tracked since mid-2020 and uses payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in a wide range of cross-industry and cross-regional attacks. Researchers report that its activity has increased by 225% in the past six months alone.

It is worth noting that ransomware is not the only second-stage payload associated with this malware, and ransomware attackers also rely on other vectors to deliver payloads. Some exploit flaws in software running on Internet-exposed network devices, or insecure remote access services. DeGrippo said that other common targets include Remote Desktop Protocol (RDP), VPNs, and other external-facing network devices; attackers are not limited to existing malware backdoors.

“Regardless of the broker economy, the initial vector is now more open and usable,” she explained. “Threat actors have professionalized, and through this specialization have brought tremendous effectiveness to their activities.”

DeGrippo said that what happens to initial access once it is sold depends on the attacker. Some attackers maintain access and sell it; some patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion: the sale of stolen data on dark web markets, or the release of data if the ransom is not paid.

Ransomware is on the rise
These findings coincide with a Check Point Research report that ransomware attacks have increased by 41% since the beginning of 2021, a 93% year-on-year increase. The weekly average of ransomware attacks in May jumped to 1,115; by the first half of June, this number had reached 1,210.

Industries where ransomware attempts have surged include education (347% increase in the number of attacks per week), transportation (186%), retail/wholesale (162%), and healthcare (159%).

By geographic region, Latin America has seen the largest increase in ransomware attack attempts since the beginning of 2021 (62%), followed by Europe (59%), Africa (34%), and North America (32%).

As attacks continue to increase, new ransomware variants have emerged. The NCC Group released findings this week about a new Fivehands variant deployed by an affiliate, which uses publicly available tools to advance its attacks. Open-source intelligence links it to the UNC2447 group, which shares multiple characteristics with this activity, including aggressive tactics when pressuring targets to pay the ransom.

Kelly Sheridan is a full-time editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported on Microsoft for InformationWeek and has covered finance in insurance and technology…
