Cybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables.

Precursor Malware Is an Early Warning Sign for Ransomware

Ransomware typically relies on malware downloaders and other delivery mechanisms. Detecting and removing precursor malware improves the odds that a ransomware attack has been blocked.

Edge Editors, Dark Reading

March 29, 2022

1 Min Read
Chart showing top 10 most active precursor malware in 2021, with Emotet in the lead for 10 our of 12 months.
Source: Lumu 2022 Ransomware Flashcard

Emotet made up nearly three-quarters of “precursor” malware detected by Lumu in 2021, the startup said in its 2022 Ransomware Flashcard. Phorpiex was the second most detected precusor malware in 2021, at 13%, Lumu said.

Threat actors rely on precursor malware to spread laterally through the network and escalate access before deploying the ransomware payload. A ransomware attack chain consists of initial access, which could be phishing, a vulnerability exploit, or malware; precursor malware such as Emotet, Dridex, and Trickbot; and the actual ransomware to encrypt the data and make it inaccessible.

In 2021, Lumu collected 21,820,764 indicators of compromise related to the precursor malware. Emotet was consistently the most active for each month of 2021, except for the two months when Phorpiex was more active. There were two peaks in activity in April and September.

Lumu noted that ransomware attacks rarely come of nowhere, as the attack groups rely on these malware strains to find target systems and set up for the data theft and encryption. Security teams looking for, and shutting down, any communications with malicious command-and-control servers could potentially fend off a ransomware attack before any data is compromised.

“A full-blown ransomware attack is the end result of a chain that starts with seemingly innocuous malware,” Lumu said in the Flashcard.

Originally a banking Trojan that evolved to include spamming and malware delivery, Emotet is now part of a ransomware chain with Trickbot to deploy Ryuk and Conti ransomware. Phorpiex, which has been involved with cryptojacking in the past, is associated with multiple ransomware strains and is being used to deploy Avaddon, Nemty, BitRansomware, DSoftCrypt/ReadMe, GandCrab, and Pony, Lumu said. Dridex, known for stealing bank credentials, deploys DoppelPaymer and BitPaymer, and Ursnif deploys Egregor.

About the Author

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights