Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.

Ransomware attackers have begun to leverage criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called "access facilitators" distribute backdoors to victims using malicious links and attachments sent via email. Once they infiltrate a target, the attackers can sell their access to ransomware groups for a cut of the profit, Proofpoint reports.

The security firm's Threat Research team analyzed data from 2013 to the present to understand trends surrounding ransomware and email as an access vector. Researchers found ransomware sent directly to victims via email attachments or links happened at "relatively low, consistent volumes" before 2015, at which point these types of ransomware attacks began to skyrocket. Locky, for example, hit 1 million messages per day in 2017 before its operations stopped.

These "first-stage" ransomware campaigns sharply dropped off in 2018 as attackers shifted away from email to deploy their initial payload. There were several reasons for the change: Threat detection improved, individually encrypted machines led to limited payouts, and the rise of wormable and human-operated threats gave them the power to become more disruptive.

"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.

"Threat actors moved to downloaders as a first stage to give themselves more choice and flexibility," she continues. "It is a natural evolution." Now, ransomware is rarely distributed via email: Only one strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021, researchers note in a new report.

Banking Trojans were the most popular malware distributed via email in the first half of 2021, representing nearly 20% of malware Proofpoint observed. Criminal groups who already spread banking Trojans can also become part of a ransomware affiliate network; researchers currently track at least 10 attack groups acting as initial access facilitators or likely ransomware affiliates.

Malware and Attack Groups to Watch
Before its takedown earlier this year, Emotet served as a top distributor of malware that led to ransomware infections between 2018 and 2020. Since it was disrupted, researchers have seen consistent activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware serving as first-stage payloads used to advance infections, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are commonly used as an initial vector for ransomware. Over the last six months, Proofpoint has seen almost 300 downloader campaigns distributing nearly 6 million malicious messages.

Their findings reveal overlap between threat groups, malware, and ransomware deployments. Conti ransomware, for example, has been linked to first-stage loaders including Buer, The Trick, ZLoader, and IcedID. Similarly, the IcedID loader has been associated with Sodinokibi, Maze, and Egregor ransomware.

High-volume attack groups using this tactic include actors tracked as TA800, TA577, and TA570, though there are many others outlined in the researchers' blog post. TA577, for example, has been tracked since mid-2020 and conducts broad attacks across industries and regions using payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Its activity has increased 225% in the last six months alone, researchers report.

It's worth noting that ransomware isn't the only second-stage payload associated with this malware, and that ransomware attackers also rely on other vectors to gain access and distribute payloads. Some exploit flaws in software running on Internet-exposed network devices or in insecure remote access services. Other common targets include Remote Desktop Protocol, VPNs, and other externally facing network appliances, DeGrippo says. They're not limited to existing malware backdoors.

"Regardless of the broker economy, the initial vectors are now much more open and available," she explains. "Threat actors have specialized and brought great efficacy to their campaigns with that specialization."

What happens to initial access once it's sold varies depending on the attacker, DeGrippo says. Some attackers maintain the access and sell it; others patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion: selling stolen data on Dark Web markets or publishing it unless the ransom is paid.

Ransomware on the Rise
These findings emerge as Check Point Research reports a 41% increase in ransomware attacks since the beginning of 2021 and a 93% increase year-over-year. The weekly average of ransomware attacks jumped in May to 1,115; by the first half of June, that number hit 1,210.

Industries seeing the highest spikes in ransomware attempts include education, which saw a 347% increase in weekly attacks, transportation (186%), retail/wholesale (162%), and healthcare (159%).

Since the beginning of 2021, Latin America, with a 62% increase, had the highest spike in ransomware attack attempts by geographical region, followed by Europe (59%), Africa (34%), and North America (32%).

And as attacks continue to increase, new ransomware variants emerge. NCC Group this week published findings on a new Fivehands variant deployed by an affiliate that used publicly available tools to advance its attack. Open source intelligence links the activity to the group UNC2447, based on multiple shared traits, including aggressive tactics when pressuring targets to pay the ransom.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
