Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
05:18 PM
Connect Directly

Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.

Related Content:

Ransomware? Let's Call It What It Really Is: Extortionware

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Is an Attacker Living Off Your Land?

Ransomware attackers have begun to leverage criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called "access facilitators" distribute backdoors to victims using malicious links and attachments sent via email. Once they infiltrate a target, the attackers can sell their access to ransomware groups for a cut of the profit, Proofpoint reports.

The security firm's Threat Research team analyzed data from 2013 to the present to understand trends surrounding ransomware and email as an access vector. Researchers found ransomware sent directly to victims via email attachments or links happened at "relatively low, consistent volumes" before 2015, at which point these types of ransomware attacks began to skyrocket. Locky, for example, hit 1 million messages per day in 2017 before its operations stopped.

These "first-stage" ransomware campaigns sharply dropped off in 2018 as attackers shifted away from email to deploy their initial payload. There were several reasons for the change: Threat detection improved, individually encrypted machines led to limited payouts, and the rise of wormable and human-operated threats gave them the power to become more disruptive.

"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.

"Threat actors moved to downloaders as a first stage to give themselves more choice and flexibility," she continues. "It is a natural evolution." Now, ransomware is rarely distributed via email: Only one strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021, researchers note in a new report.

Banking Trojans were the most popular malware distributed via email in the first half of 2021, representing nearly 20% of malware Proofpoint observed. Criminal groups who already spread banking Trojans can also become part of a ransomware affiliate network; researchers currently track at least 10 attack groups acting as initial access facilitators or likely ransomware affiliates.

Malware and Attack Groups to Watch
Before its takedown earlier this year, Emotet previously served as a top distributor of malware that led to ransomware infections between 2018 and 2020. Since it was disrupted, researchers have seen consistent activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware serving as first-stage payloads in attempts to further infection, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are commonly used as an initial vector for ransomware. Over the last six months, Proofpoint has seen almost 300 downloader campaigns distributing nearly 6 million malicious messages.

Their findings reveal overlap between threat groups, malware, and ransomware deployments. Conti ransomware, for example, has been linked to first-stage loaders including Buer, The Trick, Zloader, and IcedID. Similarly, the IcedID loader has been associated with Sodinokibi, Maze, and Egregor ransomware.

High-volume attack groups using this tactic include actors tracked as TA800, TA577, and TA570, though there are many others outlined in the researchers' blog post. TA577, for example, has been tracked since mid-2020 and conducts broad attacks across industries and regions using payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Its activity has increased 225% in the last six months alone, researchers report.

It's worth noting ransomware isn't the only second-stage payload associated with this malware, and ransomware attackers rely on other vectors to distribute payloads. Some exploit flaws in software running on network devices exposed to the Internet, or insecure remote access services. Other common targets include Remote Desktop Protocol, VPNs, and other externally facing network appliances, DeGrippo says. They're not limited to existing malware backdoors.

"Regardless of the broker economy, the initial vectors are now much more open and available," she explains. "Threat actors have specialized and brought great efficacy to their campaigns with that specialization."

What happens to initial access once it's sold varies depending on the attacker, DeGrippo says. Some attackers maintain the access and sell it; some patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion, selling stolen data on Dark Web markets or publishing it unless ransom is paid.

Ransomware on the Rise
These findings emerge as Check Point Research reports a 41% increase in ransomware attacks since the beginning of 2021 and a 93% increase year-over-year. The weekly average of ransomware attacks jumped in May to 1,115; by the first half of June, that number hit 1,210.

Industries seeing the highest spikes in ransomware attempts include education, which saw a 347% increase in weekly attacks, transportation (186%), retail/wholesale (162%), and healthcare (159%).

Since the beginning of 2021, Latin America, with a 62% increase, had the highest spike in ransomware attack attempts by geographical region, followed by Europe (59%), Africa (34%), and North America (32%).

And as attacks continue to increase, new ransomware variants emerge. NCC Group this week published findings on a new Fivehands variant deployed by an affiliate using publicly available tools to advance their attack. Open source intelligence indicates a link to the group UNC2447, pointing to multiple traits, including aggressive tactics when urging targets to pay the ransom.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. A default password is persisted after installation and may be discovered and used to escalate privileges.
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0. A non-privileged user may escape a restricted shell and execute privileged commands.
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Authenticated remote command execution can occur via the management portal.
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Unauthenticated remote command execution can occur via the management portal.
PUBLISHED: 2022-12-04
CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)