Cybersecurity News

Ransomware Attacks Delivered Via Phishing Campaigns on the Rise

While the increase in ransomware attacks delivered through phishing campaigns is only slight, Proofpoint warns these attacks could be a sign of what’s to come in future campaigns.


By Jessica Davis

Proofpoint researchers detected an increase in the number of email-based phishing campaigns used to deploy ransomware as a first-stage payload over the last month, a stark contrast to the past year, when hackers primarily leveraged downloaders as the initial payload.

According to the latest report, the small increase in the amount of ransomware sent via phishing emails may be a sign of what’s to come in the near future, as these attacks bear the hallmarks of larger ransomware campaigns deployed in 2018.

“This recent emergence of ransomware as an initial payload is unexpected after such a long, relatively quiet period,” researchers explained. “The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures.” 

“Various actors trying ransomware payloads as the first stage in email has not been seen in significant volumes since 2018,” they added. “While these volumes are still comparatively small, this change is noteworthy. The full significance of this shift isn’t yet clear, what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected.”

The hackers are targeting a wide range of sectors throughout the world, including the US. The emails are tailored using native language messages and lures. Proofpoint detected several ransomware families being used in these campaigns, such as Mr. Robot, Philadelphia, and Avaddon, a new ransomware family. 

As with typical ransomware campaigns, each variant encrypts victims’ files and holds the data for a ransom demand. 

Researchers observed as many as 350,000 messages sent each day, per campaign. Meanwhile, between June 4 and June 10, more than 1 million messages featured the Avaddon variant. On June 6 alone, more than 750,000 messages containing Avaddon were sent.

Proofpoint also shed light on each of these campaigns, including the newer variant known as Avaddon, which is particularly notable as it has its own branding and is frequently used in large-scale campaigns. It’s a ransomware-as-a-service campaign, much like the notorious NetWalker family.

“When opened, the included attachment downloads Avaddon using PowerShell,” researchers explained. “Once Avaddon runs, it shows the ransom message... and later demands $800 payment in bitcoin via TOR. The Avaddon attackers also provide 24/7 support and resources on purchasing bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom.” 

The Mr. Robot variant is specifically leveraging the COVID-19 pandemic to lure targeted users into clicking the malicious link. Subject lines include COVID-19 test results and virus analyses. The Philadelphia variant primarily targeted German companies. 

The report should serve as a reminder that hackers are continually changing their attack methods and making them more sophisticated, while often relying on old standbys to ensure a financial payout.

The healthcare sector has continued to see a steady stream of attacks that has remained constant over the last six months. COVID-19 has also spurred ransomware attacks tied to the pandemic, including human-operated campaigns and double extortion attempts.

Just this week, the University of California San Francisco admitted they paid a $1.4 million ransom demand to NetWalker hackers, after a ransomware attack hit its medical school in early June. 

Covered entities should review ransomware insights from the Office for Civil Rights, Microsoft, and the Department of Homeland Security to better understand how to bolster defenses.