Ransomware attacks have become a regular fixture in the headlines, wreaking havoc across industries, leaving organizations racing to restore operations, and customers worrying about the safety of their data. The fallout from a ransomware incident reaches well beyond operational disruptions—reputational damage, sharp declines in stock prices, and the risk of significant fines— creating a nightmare scenario for any organization.
Between Q1 and Q2 of 2024, there was a 20% surge in the number of organizations listed on ransomware leak sites, underscoring the escalating threat of ransomware attacks. Although there is no way to predict cybercriminal behavior or ensure the safe recovery of compromised data, organizations can use emerging insights and trends to remain vigilant and strengthen their defenses against these ever-evolving threats.
One common way that ransomware can infiltrate an organization’s systems is through phishing attacks and the use of malware delivering ransomware. Threat actors craft deceptive phishing emails designed to trick individuals into clicking a malicious link or downloading an infected attachment. The number of malicious emails bypassing security systems rose by an alarming 104.5% last year alone. As Secure Email Gateways (SEGs) struggle to keep pace with evolving and increasingly sophisticated phishing campaigns, it’s crucial to understand the common methods by which malware delivering ransomware makes its way into users’ inboxes.
Malware: The First Step in the Attack
Ransomware begins its journey into a system via malware, or more specifically, Remote Access Trojans (RATs) or Loaders. Think of RATs as a type of malware that gives hackers a backdoor into your computer. Once inside, they can steal information, take control, or install dangerous ransomware. RATs are some of the most generalized malware in terms of capabilities, however they often require more effort to set up and maintain than simple information stealers or keyloggers.
A prominent example of a RAT often used for delivering ransomware is the DarkGate RAT. This malware was most commonly seen being delivered in attached Office documents, prompting victims to click a malicious script link that downloads the DarkGate RAT binary. This Malware-as-a-Service (MaaS) is capable of the typical RAT functions as well as cryptocurrency mining, focused credential theft, loader capabilities, and anti-analysis behavior. It has been utilized by ransomware groups including BlackBasta to deploy ransomware, making it a notable factor in the threat landscape.
The novel use of Office Documents with embedded URLs makes this RAT particularly effective in bypassing SEGs. Not only that, but since Office files are commonly exchanged via email in business environments, they can be difficult to detect as malicious by unsuspecting users.
Other common RATs observed bypassing SEGs in 2024 that are capable of delivering Ransomware include Async RAT, Remcos RAT, XWorm RAT, and ConnectWise RAT. All of which are widely used by threat actors due to their free availability online and ease of use, allowing even inexperienced attackers to leverage basic malware to great effect. The most popular RATs seen in SEG protected environments are Async RAT and Remcos RAT. Async RAT is commonly delivered via a script that is downloaded from a link embedded in the email or in an attached PDF. Remcos RAT on the other hand is delivered through legitimate file-sharing sites that download a password-protected archive. The use of legitimate file-sharing websites allows emails delivering Remcos RAT to bypass a wide variety of SEGs.
While these just serve as examples of the various ways RATs can be delivered through email, it is important to note the common use of trusted online sharing tools and embedded links in these campaigns. The use of legitimate file sharing platforms including Microsoft Office and Google Drive make it harder to differentiate malicious behavior, underscoring the need for caution when interacting with any unexpected links or downloads.
From RATs to Ransomware: The Next Stage of the Attack
Understanding how these RATs spread through email is crucial, but it’s only part of the equation. Ransomware is most often delivered through the use of Initial Access Brokers (IABs). Threat actors will install a RAT that is capable of downloading additional malware, and then sell access to the infected computers. Ransomware groups will then buy access to specific infected machines, spreading laterally across the infected network to deploy ransomware to all systems within an organization.
Some ransomware groups intentionally target high-value enterprises. These groups are well-organized and highly strategic, knowing which targets will yield the most significant payouts. Some notable ransomware groups that were observed bypassing SEG’s in the last six months include LockBit 3.0, BlackCat, BianLian, Akira, and BlackSuit. Each of these groups has distinct associations and focuses on specific industries, demonstrating the varied and adaptive nature of modern ransomware attacks.
Prevention Through Awareness
Sadly, human error is one of the biggest vulnerabilities in any organization against these ransomware threats. Even with all the right defenses in place, it only takes one individual clicking an embedded link or downloading a malicious document to spread ransomware in an organization. This is why one of the most effective steps a company can take to bolster its proactive defenses is the implementation of security awareness training. Basic cyber literacy is becoming more common, but truly instilling a sense of suspicion when it comes to online interactions and activities takes time and a serious investment on the company’s part.
Additionally, security teams should closely examine real-world examples of malware that bypass SEGs, along with the tactics, techniques, and procedures used by ransomware groups, to gain a deeper understanding of the current threat landscape. Leveraging these attacks to inform both security strategies and awareness training will better prepare organizations to defend against real-world scenarios.
