Ransomware Delivered via Phishing Emails in Vogue

What happened?

• In June, Proofpoint researchers observed an increase in email-based attacks that used ransomware as a first-stage payload.
• It is a noteworthy change as attackers, in the last one year, have majorly used downloaders as the first stage payload, which then deliver ransomware as the second- or later-stage payload.
• This may indicate a return of the large scale ransomware spam campaigns as seen previously in 2018.
• The latest wave of attacks feature different ransomware families targeting numerous industrial sectors in the US, France, Germany, Greece, and Italy.

How does this work?

• A variety of lures are involved to trick people, including subject lines related to the COVID-19 pandemic.
• The attackers also craft phishing messages in native languages to improve effectiveness of their lures.
• One of the largest campaigns is led by Avaddon, with subject lines claiming to relate to a photo of the target. On opening the attachment, Avaddon is downloaded using PowerShell.
• The Philadelphia ransomware is also reportedly back after a three years break, and now attacking food and manufacturing companies in Germany.

Why rise in the use of phishing emails?

• One reason might be the number of people working remotely due to the ongoing crisis and the dependence on emails.
• Email permits attackers to exploit human behavior to be successful with just a single click.
• The threat actors may also be testing waters to see what success rates are available with phishing emails.

The bottom line