Jump to content
  • This sneaky ransomware gang keeps changing tactics to spread its malware

    aum

    • 1 comment
    • 471 views
    • 4 minutes
     Share


    • 1 comment
    • 471 views
    • 4 minutes

    Attackers distributing Royal ransomware use sneaky techniques to trick the unwary into downloading file-encrypting malware.

     

    A new ransomware operation is using unusual techniques to breach networks and encrypt them with file-locking malware in order to hold victims to ransom.

     

    Royal ransomware first appeared in September this year and is being distributed by multiple threat groups, but one is showing what Microsoft Security Threat Intelligence describes as "a pattern of continuous innovation" to distribute and hide payloads, often until it's too late and the victim has had their network encrypted.

     

    The attacks, delivered in a variety of ways, are attributed to a group Microsoft tracks as DEV–0569 – a temporary name as the origin and identity of the group behind the activity is still uncertain.

     

    Some of the campaigns deliver Royal ransomware using a method commonly associated with cyber attacks; phishing emails used to deliver a malicious attachment, in this case, containing Batloader backdoor malware, which is used to download the ransomware payload.

     

    This isn't the only phishing method which the Royal ransomware attackers use to deliver the initial payload. Microsoft also notes that it's delivered via emails with links to what pose as legitimate installers and updates for commonly used business applications. Downloading these fake updates installs the backdoor, which is later used to deliver malware.

     

    More unusual techniques include using contact forms to gain access to targets and deliver malware. DEV-0569 isn't the first ransomware operation to distribute attacks in this way, but the attack method is still an uncommon one – and one which defenders may not consider.

     

    The attackers send messages to the targets via the contact forms on the targets' own websites, claiming to be from a national financial authority.

     

    If the victim responds to the message, the attackers reply again and attempt to trick the victim into clicking a link which installs Batloader.

     

    Recently, the attackers have been seen leveraging Google ads to help deliver malware via malvertising links which allow attackers to track which users and which devices click links. These links are used to identify potential targets distribute the Batloader payload.  

     

    Microsoft says it has reported this abuse to Google for awareness and consideration for action. ZDNET has contacted Google but is yet to receive a reply at the time of publication.

     

    In addition to malvertising and phishing links, it's also reported that DEV-0569 has performed 'hands-on' human operated attacks to install ransomware, gaining access to compromised networks exploiting vulnerabilities and remote access tools to manually download the Royal payload.

     

    Microsoft's researchers note "DEV-0569's widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators" - meaning that even if they didn't install their own ransomware, they could sell access to networks to other ransomware operators and other malicious cyber threat groups.

     

    The attackers have also been witnessed using open source tools in attempts to disable anti-virus software to make it harder for their malicious activity to be detected.

     

    According to Microsoft, it's likely the group will continue to breach networks using a variety of different methods – but there are actions which can be taken to avoid falling victim to attacks.

     

    These include building resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection – and providing users with a method for reporting suspected attacks.

     

    It's also recommended that organizations practice the principle of least-privilege and maintain credential hygiene – in other words, only providing accounts with the access they absolutely need for that person to do their job, and to ensure that the account is secured with a strong password and multi-factor authentication. These can help prevent attackers from entering and moving around the network.

     

    Microsoft also suggests that organizations turn on tamper protection features to prevent attackers from stopping security services.

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    every time you think you win them,

    they become even smarter, 

    it all start and end with backup's & 

    better protection you your network.

    also you need to teach people how to use their brain,

    since it's start and end with people who clicked such links,

     

    I am wideness for such case, 

    a friend of mine got ransomware, 

    he was have big luck, he found 30 day's old backup

    so yes, he lost 30 day's of order's !!!

    but saved a lot in no need to re-build the whole server again !

     

    today he have, a backup in cloud

    for 60 days back !

    for any case, you will never know when it come

    it can pop up a message after long time

    and your file's already gone … 

    Edited by Dark Monkey
    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...