Precursor Malware is a Early Warning Sign for Ransomware
Emotet made up nearly three-quarters of “precursor” malware found by Lumu in 2021, the start-up stated in its 2022 Ransomware Flashcard. Phorpiex was the 2nd most found precusor malware in 2021, at 13%, Lumu stated.
Risk actors rely on precursor malware to spread laterally through the network and intensify gain access to prior to releasing the ransomware payload. A ransomware attack chain includes initial gain access to, which could be phishing, a vulnerability make use of, or malware; precursor malware such as Emotet, Dridex, and Trickbot; and the real ransomware to encrypt the information and make it unattainable.
In 2021, Lumu collected 21,820,764 signs of compromise associated to the precursor malware. Emotet was regularly the most active for each month of 2021, other than for the 2 months when Phorpiex was more active. There were two peaks in activity in April and September.
Lumu kept in mind that ransomware attacks rarely come of no place, as the attack groups count on these malware strains to find target systems and set up for the information theft and file encryption. Security teams looking for, and closing down, any communications with malicious command-and-control servers could possibly ward off a ransomware attack prior to any data is jeopardized.
“A full-blown ransomware attack is completion result of a chain that starts with relatively harmless malware,” Lumu said in the Flashcard.
Originally a banking Trojan that progressed to consist of spamming and malware shipment, Emotet is now part of a ransomware chain with Trickbot to release Ryuk and Conti ransomware. Phorpiex, which has actually been involved with cryptojacking in the past, is associated with several ransomware stress, as it is being used to deploy Avaddon, Nemty, BitRansomware, DSoftCrypt/ReadMe, GandCrab, and Pony, Lumu said. Dridex, understood for taking bank qualifications, releases DoppelPaymer and BitPaymer, and Ursnif deploys Egregor.