Ransomware Operators' Strategies Evolve as Attacks Rise

Security researchers find ransomware operators rely less on email and more on criminal groups for initial access into target networks.

Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows.


Ransomware attackers have begun to leverage criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called "access facilitators" distribute backdoors to victims using malicious links and attachments sent via email. Once they infiltrate a target, the attackers can sell their access to ransomware groups for a cut of the profit, Proofpoint reports.


The security firm's Threat Research team analyzed data from 2013 to the present to understand trends surrounding ransomware and email as an access vector. Researchers found ransomware sent directly to victims via email attachments or links happened at "relatively low, consistent volumes" before 2015, at which point these types of ransomware attacks began to skyrocket. Locky, for example, hit 1 million messages per day in 2017 before its operations stopped.


These "first-stage" ransomware campaigns sharply dropped off in 2018 as attackers shifted away from email to deploy their initial payload. There were several reasons for the change: Threat detection improved, individually encrypted machines led to limited payouts, and the rise of wormable and human-operated threats gave them the power to become more disruptive.


"Many IT and information security teams in corporate settings were able to quickly adapt to the handling of a ransomware incident on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on," explains Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As a result, ransomware teams weren't getting the payout they hoped for and rethought their strategies.


"Threat ..
