Precursor Malware Is an Early Warning Sign for Ransomware

Emotet made up nearly three-quarters of “precursor” malware detected by Lumu in 2021, the startup said in its 2022 Ransomware Flashcard. Phorpiex was the second most detected precusor malware in 2021, at 13%, Lumu said.

Threat actors rely on precursor malware to spread laterally through the network and escalate access before deploying the ransomware payload. A ransomware attack chain consists of initial access, which could be phishing, a vulnerability exploit, or malware; precursor malware such as Emotet, Dridex, and Trickbot; and the actual ransomware to encrypt the data and make it inaccessible.

In 2021, Lumu collected 21,820,764 indicators of compromise related to the precursor malware. Emotet was consistently the most active for each month of 2021, except for the two months when Phorpiex was more active. There were two peaks in activity in April and September.

Lumu noted that ransomware attacks rarely come of nowhere, as the attack groups rely on these malware strains to find target systems and set up for the data theft and encryption. Security teams looking for, and shutting down, any communications with malicious command-and-control servers could potentially fend off a ransomware attack before any data is compromised.

“A full-blown ransomware attack is the end result of a chain that starts with seemingly innocuous malware,” Lumu said in the Flashcard.

Originally a banking Trojan that evolved to include spamming and malware delivery, Emotet is now part of a ransomware chain with Trickbot to deploy Ryuk and Conti ransomware. Phorpiex, which has been involved with cryptojacking in the past, is associated with multiple ransomware strains and is being used to deploy Avaddon, Nemty, BitRansomware, DSoftCrypt/ReadMe, GandCrab, and Pony, Lumu said. Dridex, known for stealing bank credentials, deploys DoppelPaymer and BitPaymer, and Ursnif deploys Egregor.