As you’re probably already aware, ransomware is a major concern for businesses and, really, anyone who cares about data protection (which should be just about everyone). But did you know there’s a single botnet out there (Emotet) that’s responsible for dropping the majority of ransomware payloads? Or that some of what were once humble banking Trojans can now spread like worms to gather intel and domain credentials to eventually paralyze a given network?
These days, it’s not uncommon for malware to be, effectively, modularized. In this case, the modularization refers to using different types of malware for different purposes, in ways that can be mixed and matched for a given situation to increase the likelihood of a successful attack. As an example, a criminal who wants to breach a business might start with a targeted malicious spam campaign, hoping to get an unsuspecting user to unknowingly download a malicious payload, such as a Microsoft® Office document that contains Emotet. Emotet, which can create backdoors to for Trojans and ransomware, might then drop the popular info-stealing Trojan TrickBot.
TrickBot would then move laterally throughout the network like a worm, spreading from computer to computer using various exploits. As it spread over weeks, or even months, it would steal as many credentials as it could, with the ultimate aim of gaining domain-level access. Trojans like TrickBot are typically designed to hang out under the radar for as long as the attackers need while they perform recon on the network. This recon would help them determine which systems and network resources to disable, steal from, lock up or take offline.
Eventually, once they obtained domain credentials, the criminals who deployed the campaign in the first place would know all the highest value targets on the network and would also have the power to disable backups and protections. After that, they could drop all manner of malware or ransomware, such as Conti/Ryuk, BitPaymer or REvil, onto any machine.
The business owners might initially scoff at the ransomware attempt, trusting in their solid backup and disaster recovery solution to get them through. But they’d soon realize that their backups had stopped working weeks (or months!) prior, while their IT teams were never the wiser. This would be the panic moment, in which the business is suddenly faced with the reality that their data is gone, and they can’t get it back without paying a hefty ransom.
And if the loss of their data weren’t enough to motivate the business to pay, another new malware trend this year is the use of data leak/auction sites to further incentivize victims to reach for their (crypto) wallets. Criminals use these sites to expose or sell any sensitive data they acquired in the ransomware attack. The damage to a business’ reputation and customer trust – that’s on top of the significant fines that might be imposed by a privacy-related regulatory body, such as GDPR – could be devastating.
According to the threat research experts at our partner OpenText™ company, Webroot™, these types of combined attacks are pretty standard at this point. Using Emotet or a malicious spam campaign, attackers often launch various Trojans—others include Dridex, QakBot, IcedID and Urnsif—which can spread, steal credentials, install droppers, and await a command from the attackers about which kind of malware to drop and when. And then they drop it.
You may look back at our example above and imagine that, if you could just figure out how to get your employees to stop clicking phishing emails, you could avoid all this hassle, and you’d be mostly right. But ransomware like Conti, CrySiS or Maze can just as easily end up on your systems through an RDP attack, either by brute-forcing or guessing weak RDP passwords, or by stealing the credentials outright using one of the aforementioned Trojans. Addressing the phishing click-through issue would definitely go a long way, but there are other equally necessary steps to ensure your business is resilient against modern cyberattacks.
Multi-layered attacks call for multi-layered protection.
To stay safe, businesses need to combine their efforts.
- Lock down RDP. Make sure to use RDP solutions that encrypt the data and use two-factor or multi-factor authentication when remoting into other machines.
- Educate end users about phishing. That means not only running training and simulations, but also making sure they know when and how to report a suspicious message.
- Disable macros in Microsoft® Office applications for the majority of employees.
- Install reputable cybersecurity software. Choose a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
- Set up a strong backup and disaster recovery plan. Test it regularly and set alerts and regular reporting so admins can easily see if something’s amiss.
Want to read more about the malware we mentioned?
Visit the Webroot blog to get more details about the different botnets, Trojans and ransomware variants we mentioned, and why they made Webroot’s 2020 list of Nastiest Malware.