6/16/2021
05:18 PM
Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.

Ransomware attackers have begun to lean on other criminal organizations, mostly banking Trojan distributors, to get their malware onto victim machines. These so-called "access facilitators" deliver backdoors through malicious links and attachments sent via email. Once they have a foothold in a target network, they can sell that access to ransomware groups in exchange for a cut of the profit, Proofpoint reports.

The security firm's Threat Research team analyzed data from 2013 to the present to understand trends in ransomware and in email as an access vector. Researchers found that ransomware sent directly to victims as email attachments or links arrived in "relatively low, consistent volumes" before 2015, when this type of attack began to skyrocket. Locky, for example, reached 1 million messages per day in 2017 before its operations stopped.

These "first-stage" ransomware campaigns sharply dropped off in 2018 as attackers shifted away from email to deploy their initial payload. There were several reasons for the change: Threat detection improved, individually encrypted machines led to limited payouts, and the rise of wormable and human-operated threats gave them the power to become more disruptive.

"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.

"Threat actors moved to downloaders as a first stage to give themselves more choice and flexibility," she continues. "It is a natural evolution." Today, ransomware is rarely delivered directly by email: a single strain accounted for 95% of the ransomware observed as a first-stage email payload between 2020 and 2021, researchers note in a new report.

Banking Trojans were the most popular malware distributed via email in the first half of 2021, representing nearly 20% of malware Proofpoint observed. Criminal groups who already spread banking Trojans can also become part of a ransomware affiliate network; researchers currently track at least 10 attack groups acting as initial access facilitators or likely ransomware affiliates.

Malware and Attack Groups to Watch
Before its takedown earlier this year, Emotet was a top distributor of the malware that led to ransomware infections between 2018 and 2020. Since its disruption, researchers have seen consistent activity from The Trick (TrickBot), Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware serving as first-stage payloads that pave the way for further infection, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are commonly used as an initial vector for ransomware. Over the last six months, Proofpoint has seen almost 300 downloader campaigns distributing nearly 6 million malicious messages.

Their findings reveal overlap between threat groups, malware, and ransomware deployments. Conti ransomware, for example, has been linked to first-stage loaders including Buer, The Trick, Zloader, and IcedID. Similarly, the IcedID loader has been associated with Sodinokibi, Maze, and Egregor ransomware.

High-volume attack groups using this tactic include actors tracked as TA800, TA577, and TA570, though there are many others outlined in the researchers' blog post. TA577, for example, has been tracked since mid-2020 and conducts broad attacks across industries and regions using payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Its activity has increased 225% in the last six months alone, researchers report.

It's worth noting that ransomware isn't the only second-stage payload these loaders deliver, and that ransomware attackers don't rely solely on email-delivered backdoors for initial access. Some exploit flaws in software running on Internet-exposed network devices or abuse insecure remote access services; Remote Desktop Protocol, VPNs, and other externally facing network appliances are common targets, DeGrippo says.

"Regardless of the broker economy, the initial vectors are now much more open and available," she explains. "Threat actors have specialized and brought great efficacy to their campaigns with that specialization."

What happens to initial access once it's sold varies depending on the attacker, DeGrippo says. Some attackers maintain the access and sell it; some patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion, selling stolen data on Dark Web markets or publishing it unless ransom is paid.

Ransomware on the Rise
These findings emerge as Check Point Research reports a 41% increase in ransomware attacks since the beginning of 2021 and a 93% increase year-over-year. The weekly average of ransomware attacks jumped in May to 1,115; by the first half of June, that number hit 1,210.

Industries seeing the highest spikes in ransomware attempts include education, which saw a 347% increase in weekly attacks, transportation (186%), retail/wholesale (162%), and healthcare (159%).

Since the beginning of 2021, Latin America, with a 62% increase, had the highest spike in ransomware attack attempts by geographical region, followed by Europe (59%), Africa (34%), and North America (32%).

And as attacks continue to increase, new ransomware variants emerge. NCC Group this week published findings on a new Fivehands variant deployed by an affiliate that used publicly available tools to advance the attack. Open source intelligence links the activity to the group UNC2447 on the basis of several shared traits, including aggressive tactics when pressuring targets to pay the ransom.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...