
Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.


Ransomware attackers have begun to rely on other criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called "access facilitators" deliver backdoors to victims through malicious links and attachments sent via email. Once they have a foothold in a target, they can sell that access to ransomware groups in exchange for a cut of the profit, Proofpoint reports.

The security firm's Threat Research team analyzed data from 2013 to the present to understand trends surrounding ransomware and email as an access vector. Researchers found ransomware sent directly to victims via email attachments or links happened at "relatively low, consistent volumes" before 2015, at which point these types of ransomware attacks began to skyrocket. Locky, for example, hit 1 million messages per day in 2017 before its operations stopped.

These "first-stage" ransomware campaigns dropped off sharply in 2018 as attackers moved away from email for delivering the initial payload. There were several reasons for the change: threat detection improved, encrypting individual machines led to limited payouts, and the rise of wormable and human-operated threats let attackers cause far greater disruption.

"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.

"Threat actors moved to downloaders as a first stage to give themselves more choice and flexibility," she continues. "It is a natural evolution." Now, ransomware is rarely distributed via email: Only one strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021, researchers note in a new report.

Banking Trojans were the most popular malware distributed via email in the first half of 2021, representing nearly 20% of the malware Proofpoint observed. Criminal groups that already spread banking Trojans can also join a ransomware affiliate network; researchers currently track at least 10 attack groups acting as initial access facilitators or likely ransomware affiliates.

Malware and Attack Groups to Watch
Before its takedown earlier this year, Emotet was a top distributor of malware that led to ransomware infections between 2018 and 2020. Since it was disrupted, researchers have seen consistent activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware serving as first-stage payloads used to advance infections, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are commonly used as an initial vector for ransomware. Over the last six months, Proofpoint has seen almost 300 downloader campaigns distributing nearly 6 million malicious messages.

The findings reveal overlap between threat groups, malware, and ransomware deployments. Conti ransomware, for example, has been linked to first-stage loaders including Buer, The Trick, ZLoader, and IcedID. Similarly, the IcedID loader has been associated with Sodinokibi, Maze, and Egregor ransomware.

High-volume attack groups using this tactic include actors tracked as TA800, TA577, and TA570, though there are many others outlined in the researchers' blog post. TA577, for example, has been tracked since mid-2020 and conducts broad attacks across industries and regions using payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Its activity has increased 225% in the last six months alone, researchers report.

It's worth noting that ransomware isn't the only second-stage payload associated with this malware, and that ransomware attackers also rely on vectors other than email-delivered loaders. Some exploit flaws in software running on Internet-exposed network devices, or in insecure remote access services. Other common targets include Remote Desktop Protocol, VPNs, and other externally facing network appliances, DeGrippo says. Attackers are not limited to existing malware backdoors.

"Regardless of the broker economy, the initial vectors are now much more open and available," she explains. "Threat actors have specialized and brought great efficacy to their campaigns with that specialization."

What happens to initial access once it's sold varies by attacker, DeGrippo says. Some attackers keep the access and resell it; others patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion, in which attackers sell stolen data on Dark Web markets or threaten to publish it unless the ransom is paid.

Ransomware on the Rise
These findings emerge as Check Point Research reports a 41% increase in ransomware attacks since the beginning of 2021 and a 93% increase year-over-year. The weekly average of ransomware attacks jumped in May to 1,115; by the first half of June, that number hit 1,210.

Industries seeing the highest spikes in ransomware attempts include education, which saw a 347% increase in weekly attacks, transportation (186%), retail/wholesale (162%), and healthcare (159%).

Since the beginning of 2021, Latin America, with a 62% increase, had the highest spike in ransomware attack attempts by geographical region, followed by Europe (59%), Africa (34%), and North America (32%).

And as attacks continue to increase, new ransomware variants emerge. NCC Group this week published findings on a new FiveHands variant deployed by an affiliate that used publicly available tools to advance its attack. Open source intelligence indicates a link to the group UNC2447, based on multiple shared traits, including aggressive tactics when pressuring targets to pay the ransom.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
