Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Kelly Sheridan, Former Senior Editor, Dark Reading

June 16, 2021

5 Min Read

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.

Ransomware attackers have begun to leverage criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called "access facilitators" distribute backdoors to victims using malicious links and attachments sent via email. Once they infiltrate a target, the attackers can sell their access to ransomware groups for a cut of the profit, Proofpoint reports.

The security firm's Threat Research team analyzed data from 2013 to the present to understand trends surrounding ransomware and email as an access vector. Researchers found ransomware sent directly to victims via email attachments or links happened at "relatively low, consistent volumes" before 2015, at which point these types of ransomware attacks began to skyrocket. Locky, for example, hit 1 million messages per day in 2017 before its operations stopped.

These "first-stage" ransomware campaigns sharply dropped off in 2018 as attackers shifted away from email to deploy their initial payload. There were several reasons for the change: Threat detection improved, individually encrypted machines led to limited payouts, and the rise of wormable and human-operated threats gave them the power to become more disruptive.

"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.

"Threat actors moved to downloaders as a first stage to give themselves more choice and flexibility," she continues. "It is a natural evolution." Now, ransomware is rarely distributed via email: Only one strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021, researchers note in a new report.

Banking Trojans were the most popular malware distributed via email in the first half of 2021, representing nearly 20% of malware Proofpoint observed. Criminal groups who already spread banking Trojans can also become part of a ransomware affiliate network; researchers currently track at least 10 attack groups acting as initial access facilitators or likely ransomware affiliates.

Malware and Attack Groups to Watch
Before its takedown earlier this year, Emotet served as a top distributor of malware that led to ransomware infections between 2018 and 2020. Since it was disrupted, researchers have seen consistent activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and other malware serving as first-stage payloads used to advance infections, including ransomware.

Researchers also track downloaders, such as Buer Loader and BazaLoader, which are commonly used as an initial vector for ransomware. Over the last six months, Proofpoint has seen almost 300 downloader campaigns distributing nearly 6 million malicious messages.

Their findings reveal overlap between threat groups, malware, and ransomware deployments. Conti ransomware, for example, has been linked to first-stage loaders including Buer, The Trick, ZLoader, and IcedID. Similarly, the IcedID loader has been associated with Sodinokibi, Maze, and Egregor ransomware.

High-volume attack groups using this tactic include actors tracked as TA800, TA577, and TA570, though there are many others outlined in the researchers' blog post. TA577, for example, has been tracked since mid-2020 and conducts broad attacks across industries and regions using payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Its activity has increased 225% in the last six months alone, researchers report.

It's worth noting that ransomware isn't the only second-stage payload associated with this malware, and that ransomware attackers also rely on vectors other than email to distribute payloads. Some exploit flaws in software running on Internet-exposed network devices or in insecure remote access services. Other common targets include Remote Desktop Protocol, VPNs, and other externally facing network appliances, DeGrippo says. They're not limited to existing malware backdoors.

"Regardless of the broker economy, the initial vectors are now much more open and available," she explains. "Threat actors have specialized and brought great efficacy to their campaigns with that specialization."

What happens to initial access once it's sold varies depending on the attacker, DeGrippo says. Some attackers maintain the access and sell it; some patch the holes they used to gain a foothold and remove traces of their presence. There has also been an increase in double and triple extortion, selling stolen data on Dark Web markets or publishing it unless ransom is paid.

Ransomware on the Rise
These findings emerge as Check Point Research reports a 41% increase in ransomware attacks since the beginning of 2021 and a 93% increase year-over-year. The weekly average of ransomware attacks jumped in May to 1,115; by the first half of June, that number hit 1,210.

Industries seeing the highest spikes in ransomware attempts include education, which saw a 347% increase in weekly attacks, transportation (186%), retail/wholesale (162%), and healthcare (159%).

Since the beginning of 2021, Latin America, with a 62% increase, had the highest spike in ransomware attack attempts by geographical region, followed by Europe (59%), Africa (34%), and North America (32%).

And as attacks continue to increase, new ransomware variants emerge. NCC Group this week published findings on a new Fivehands variant deployed by an affiliate using publicly available tools to advance their attack. Open source intelligence indicates a link to the group UNC2447, pointing to multiple traits, including aggressive tactics when urging targets to pay the ransom.

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
