Ransomware attack campaigns typically use malware downloaders as the initial payload in their malicious phishing attachments. However, researchers have recently witnessed a series of attacks that buck the trend.

What happened?

  • In June, Proofpoint researchers observed an increase in email-based attacks that used ransomware as a first-stage payload.
  • This is a noteworthy change because, over the past year, attackers have mostly used downloaders as the first-stage payload, which then deliver ransomware as the second- or later-stage payload.
  • This may indicate a return of the large-scale ransomware spam campaigns seen previously in 2018.
  • The latest wave of attacks features different ransomware families targeting numerous industrial sectors in the US, France, Germany, Greece, and Italy.

How does this work?

  • A variety of lures are used to trick people, including subject lines related to the COVID-19 pandemic.
  • The attackers also craft phishing messages in native languages to improve the effectiveness of their lures.
  • One of the largest campaigns is led by Avaddon, with subject lines claiming to relate to a photo of the target. On opening the attachment, Avaddon is downloaded using PowerShell.
  • The Philadelphia ransomware is also reportedly back after a three-year break, and is now attacking food and manufacturing companies in Germany.

Why the rise in the use of phishing emails?

  • One reason might be the number of people working remotely due to the ongoing crisis and their dependence on email.
  • Email lets attackers exploit human behavior and succeed with just a single click.
  • The threat actors may also be testing the waters to see what success rates phishing emails can achieve.

The bottom line

The bottom line is that organizations can defend against ransomware by ensuring that their networks are patched with the latest security updates and that employees are trained to avoid falling victim to phishing messages.

Cyware Publisher