As ransomware attacks on critical infrastructure become more common, new research shows that cybercriminals’ methods are constantly adapting.
The Hacker News highlights that cybercriminals may abandon traditional phishing emails as a means of gaining access to corporate infrastructure. In fact, as Proofpoint points out in a write-up, “Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.”
“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.” The cybersecurity firm claims to track at least 10 different threat actors who act as middlemen, finding vulnerable organizations and selling access on dark web forums.
Ransomware is growing increasingly sophisticated
Banking trojans were used as ransomware loaders in the majority of cyberattack campaigns revealed in the first 6 months of 2021. Some are well known, including Qbot, Dridex, BazaLoader, and Qtrifilio. A few of the brokers were identified by tracking backdoor access advertised on hacking forums.
In general, it all starts with an email with an infected Office document attached. Once the document is opened, the malware enters the system and keeps a backdoor open for later use, which can mean selling the access to a second actor. A real-life example of such later use would be launching a Cobalt Strike beacon and then installing ransomware.
With 54 attacks that spread just over a million messages in the first half of last year, ransomware remains a serious threat. High payments, the prevalence of working from home, collaboration facilitated via forums and other factors now give cybercriminals ideal conditions for carrying out their attacks. Given the destructive impact of these attacks, governments worldwide should take the issue seriously.