Ransomware attacks still use email — but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.
Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organisations increasingly specialise to the tune of greater profits for all—except, of course, the victims.
According to Proofpoint’s 2021 Voice of the CISO report, 68% of surveyed CISOs in the UAE feel at risk of suffering a material cyberattack in the next 12 months and out of those 22% believe ransomware are one of the attack type they might face.
Preventing ransomware via email is straightforward: block the loader, and you block the ransomware.
Typically, initial access brokers are understood to be opportunistic threat actors supplying affiliates and other cybercrime threat actors after the fact, for example by advertising access for sale on forums.
These criminal threat actors compromise victim organisations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.
According to Proofpoint data, banking trojans – often used as ransomware loaders – represented almost 20% of malware observed in identified campaigns in the first half of 2021 and is the most popular malware type.
The versatile and disruptive malware Emotet previously served as one of the most prolific distributors of malware enabling costly ransomware infections between 2018 and 2020. However, international law enforcement disrupted the malware in January 2021, wiping out its infrastructure and preventing further infections.
Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks. Over the last six months, banking trojans were associated with more than 16 million messages, representing the most common malware type observed in our data. In the last six months, Proofpoint identified almost 300 downloader campaigns distributing almost six million malicious messages.
Depending on the compromised organisation and its profit margins, backdoor access can be sold anywhere from a few hundred to thousands of dollars and can be purchased with cryptocurrency, most commonly bitcoin.
Here are some of the most active threat actors:
TA800 is a large cybercrime actor that attempts to deliver and install banking malware or malware loaders including The Trick, BazaLoader, Buer Loader, and Ostap. Its payloads have been observed distributing ransomware.
TA577 conducts broad targeting across various industries and geographies. The activity observed by this actor increased 225% in the last six months.
TA569 is a traffic and load seller known for compromising content management servers and injecting and redirecting web traffic to a social engineering kit.
TA551 frequently leverages thread hijacking to distribute malicious Office documents via email and demonstrates broad geographic and industry targeting.
TA570 is one of the most active Qbot malware affiliates, its activity is up almost 12% over the last six months.
TA547 primarily distributes banking trojans to various geographic regions and over the last six months, the number of identified campaigns from this actor spiked almost 30%.
TA544 regularly installs banking malware and other malware payloads.TA544 has been observed distributing Ursnif and Dridex trojans and has sent over eight million malicious messages in the last six months.
TA571 typically distributes more than 2,000 messages per campaign.
TA574 distributed over one million messages in the last six months
TA575 distributes malware via malicious URLs, Office attachments, and password-protected files. On average, it distributes almost 4,000 messages per campaign impacting hundreds of organisations.
Ransomware continues to be distributed via email directly, as attachments or links in email, at considerably lower volumes. In 2020 and 2021 Proofpoint identified 54 ransomware campaigns distributing just over one million messages.
Ransomware threat actors currently carry out big game hunting, conducting open-source surveillance to identify high-value organisations, susceptible targets, and companies’ likely willingness to pay a ransom. Working with initial access brokers, ransomware threat actors can leverage existing malware backdoors to enable lateral movement and full domain compromise before successful encryption.
An attack chain leveraging initial access brokers could look like this:
- A threat actor sends emails containing a malicious Office document
- A user downloads the document and enables macros which drops a malware payload
- The actor leverages the backdoor access to exfiltrate system information
- At this point, the initial access broker can sell access to another threat actor
- The actor deploys Cobalt Strike via the malware backdoor access which enables lateral movement within the network
- The actor obtains full domain compromise via Active Directory
- The actor deploys ransomware to all domain-joined workstations
So far in 2021, Proofpoint continuously observes email-based threats including downloaders and bankers with multi-stage payloads that often lead to ransomware infections. The threat actors are conducting extensive reconnaissance, privilege escalation, and lateral movement within the environment before manually deploying the ransomware payload. One key metric to watch is dwell time. Short dwell times, high payouts, and collaboration across cybercriminal ecosystems have led to a perfect storm of cybercrime that the world’s governments are taking seriously.
With new disruptive efforts focused on the threat and growing investments in cyber defense across supply chains, ransomware attacks will decrease in frequency and efficacy.
Ransomware continues to be distributed via email and in 2020 and 2021 Proofpoint identified 54 ransomware campaigns distributing over one million messages.