Ransomware attacks still use email - but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize, to the tune of greater profits for all, except, of course, the victims.

Key findings:
- Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95% of ransomware as a first-stage email payload between 20.
- Multiple threat actors use the same malware payloads for ransomware distribution.
- There is not a 1:1 relationship between malware loaders and ransomware attacks.
- Preventing ransomware via email is straightforward: block the loader, and you block the ransomware.

Proofpoint has unique visibility into initial access payloads – and the threat actors that deliver them – often used by ransomware threat actors. These criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and then sell their access to ransomware operators, who deploy data theft and encryption operations. According to Proofpoint data, banking trojans – often used as ransomware loaders – represented almost 20% of malware observed in identified campaigns in the first half of 2021 and are the most popular malware type Proofpoint sees in the landscape. Proofpoint has also observed evidence of ransomware deployed via SocGholish, which uses fake updates and website redirects to infect users, and via the Keitaro traffic distribution system (TDS) and follow-on exploit kits, which operators use to evade detection.

In addition to email threat vectors, ransomware threat actors leverage vulnerabilities in software running on internet-exposed network devices, or insecure remote access services, for initial access. It is important to note that ransomware is not the only second-stage payload associated with the identified malware.

Typically, initial access brokers are understood to be opportunistic threat actors supplying affiliates and other cybercrime threat actors after the fact, for example by advertising access for sale on forums. But for the purposes of this report, we consider initial access brokers to be the groups who obtain initial access via first-stage malware payloads and may or may not work directly with the ransomware threat actors.

Proofpoint currently tracks around a dozen threat actors likely operating as initial access brokers, and many of the email threat campaigns distributing malware loaders observed by Proofpoint have led to ransomware infections. Confirmation of collaboration between access brokers and ransomware threat actors is difficult because threat actors work hard to conceal their identities and evade detection. It is possible that initial access brokers and malware backdoor developers directly collaborate with – or operate as – ransomware-specific threat actors.

The versatile and disruptive malware Emotet previously served as one of the most prolific distributors of malware enabling costly ransomware infections between 20. However, international law enforcement disrupted the malware in January 2021, wiping out its infrastructure and preventing further infections. Since the Emotet takedown, Proofpoint has observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks. Proofpoint tracks these malware families under the "banking" family. Over the last six months, banking trojans were associated with more than 16 million messages, representing the most common malware type observed in our data.

Additionally, Proofpoint tracks downloaders such as Buer Loader and BazaLoader that are often used as an initial access vector for ransomware attacks.