Friday, November 20, 15:31

Which malware strains usually install ransomware?

If you see any of this malware on your corporate network, stop everything you are doing and check all your systems.


This article focuses on known malware strains that have been used over the past two years to install ransomware. The list was compiled with the help of security researchers from Advanced Intelligence, Binary Defense and Sophos, and it should serve as a "risk guide" for every organization.

Once one of these malware strains is detected, system administrators should take the affected systems offline and investigate and remove the malware as a top priority.

1. Emotet is considered the largest malware botnet in operation today.

Typically, the Emotet gang sells access to its infected systems to other malware gangs, which in turn sell their own access to ransomware gangs.

Today, the most common ransomware chain linked to Emotet is: Emotet - Trickbot - Ryuk.

2. Trickbot is a malware botnet similar to Emotet. Trickbot infects victims on its own, but it is also known to buy access to systems already infected with Emotet.

Over the past two years, security researchers have seen Trickbot sell access to its systems to cybercrime gangs that deployed Ryuk and, later, the Conti ransomware.

3. BazarLoader is a modular backdoor believed to have been developed either by a team linked to the main Trickbot gang or by a group that split off from it. However it was created, the group follows the Trickbot model and has already partnered with ransomware gangs to provide access to infected systems.

Currently, BazarLoader is considered a starting point for Ryuk ransomware infections.

4. QakBot, also known as Qbot or Quakbot, is sometimes referred to in the infosec community as a "slower" Emotet, because it usually does what Emotet does, but a few months later.

With the Emotet gang allowing its systems to be used to deploy ransomware, the QakBot team recently partnered with various ransomware gangs as well: first with MegaCortex, then with ProLock and currently with the Egregor ransomware gang.

5. SDBBot is malware operated by a group tracked as TA505. It is not a common strain, but it has been identified as the point of origin of incidents in which the Clop ransomware was deployed.

6. Dridex is another banking trojan that has been repositioned as a "malware downloader", following the example set by Emotet and Trickbot in 2017.

While in the past the Dridex botnet was used in spam campaigns to distribute the Locky ransomware to random internet users, in recent years its operators have used infected computers to deploy either the BitPaymer or the DoppelPaymer ransomware strains in more targeted attacks against high-value victims.

7. Zloader is moving fast and has already partnered with the Egregor and Ryuk ransomware operators. If there is one malware strain with a talent for extending its connections, it is Zloader.

8. Buer, or Buer Loader, is a malware strain that launched late last year but has already established a reputation and links with cybercriminals, working with ransomware groups.

According to Sophos, some cases in which the Ryuk ransomware was discovered were linked to Buer infections a few days earlier.

9. Phorpiex, or Trik, is one of the smaller malware botnets, but that does not make it any less dangerous. Avaddon ransomware infections observed earlier this year have been linked to Phorpiex. Although neither Avaddon nor Phorpiex is well known, they should be treated with the same level of care as Emotet, Trickbot and the others.

10. CobaltStrike is not botnet malware. It is actually a penetration-testing tool developed for security professionals, and it is often abused by various malware gangs.

Companies are not infected by CobaltStrike on its own. However, many ransomware gangs deploy CobaltStrike components as part of their intrusions. The tool is often used to control multiple systems within an internal network and as a precursor to the actual ransomware deployment.

We have included CobaltStrike in our list at the request of our sources, who consider it as dangerous as a regular malware strain. If you see it on your network and you are not running a penetration test, stop everything you are doing, take the systems offline and check all your systems for signs of an attack.
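As an added example (not from the article or from any of the researchers it cites), the Python script below applies the list above as a triage rule to a batch of AV/EDR alerts: it normalizes vendor detection names to the family names used here, marks every host that shows a known ransomware precursor for isolation regardless of whether the sample was quarantined, and downgrades CobaltStrike to "review" only on hosts declared to be part of an authorized penetration test. The key=value alert format, the alias table and the sample alert lines are all constructed assumptions; adapt the regex and aliases to your own SIEM export and AV vendor.

```python
"""Triage AV/EDR alerts against the ransomware-precursor list from the article.

Added example; the alert format, alias table and sample alerts are assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Precursor family -> ransomware it has been observed to hand off to (per the article).
PRECURSOR_CHAINS = {
    "emotet": ["trickbot", "ryuk"],
    "trickbot": ["ryuk", "conti"],
    "bazarloader": ["ryuk"],
    "qakbot": ["megacortex", "prolock", "egregor"],
    "sdbbot": ["clop"],
    "dridex": ["bitpaymer", "doppelpaymer"],
    "zloader": ["egregor", "ryuk"],
    "buer": ["ryuk"],
    "phorpiex": ["avaddon"],
    "cobaltstrike": ["(hands-on ransomware deployment)"],
}

# Alternate spellings seen in vendor detection names (assumed; extend for your AV vendor).
ALIASES = {
    "qbot": "qakbot", "quakbot": "qakbot",
    "bazar": "bazarloader", "bazarbackdoor": "bazarloader", "bazaloader": "bazarloader",
    "trik": "phorpiex", "buerloader": "buer", "cobalt": "cobaltstrike",
}

# Assumed key=value export format; adapt to your SIEM.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'detection="(?P<detection>[^"]*)"\s+action=(?P<action>\S+)'
)


@dataclass
class Triage:
    ts: str
    host: str
    detection: str
    family: Optional[str]
    chain: List[str]
    severity: str  # "isolate", "review" or "routine"


def family_from_detection(name: str) -> Optional[str]:
    """Map 'Trojan:Win32/Emotet.PDS!MTB' style names to a family key, or None."""
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if t]
    # Check adjacent token pairs first so "Cobalt Strike" / "Bazar Loader" resolve,
    # then single tokens such as "emotet" inside "Win32/Emotet.PDS".
    candidates = [a + b for a, b in zip(tokens, tokens[1:])] + tokens
    for tok in candidates:
        tok = ALIASES.get(tok, tok)
        if tok in PRECURSOR_CHAINS:
            return tok
    return None


def triage_alert(line: str, authorized_pentest_hosts: FrozenSet[str] = frozenset()) -> Optional[Triage]:
    m = ALERT_RE.match(line.strip())
    if not m:
        return None  # unparseable line; surface these separately in a real pipeline
    fam = family_from_detection(m["detection"])
    if fam is None:
        sev = "routine"
    elif fam == "cobaltstrike" and m["host"] in authorized_pentest_hosts:
        sev = "review"  # confirm with the red team; still not "routine"
    else:
        # A quarantined sample does not clear the network: the advice is to take the
        # host offline and sweep everything, whatever the AV 'action' says.
        sev = "isolate"
    return Triage(m["ts"], m["host"], m["detection"], fam, PRECURSOR_CHAINS.get(fam, []), sev)


def triage(lines, authorized_pentest_hosts: FrozenSet[str] = frozenset()) -> List[Triage]:
    results = [triage_alert(ln, authorized_pentest_hosts) for ln in lines]
    return [r for r in results if r is not None]


def hosts_to_isolate(results: List[Triage]) -> List[str]:
    return sorted({r.host for r in results if r.severity == "isolate"})


def families_by_host(results: List[Triage]) -> dict:
    """Which precursor families each host has shown; two stages of one chain on a host
    (e.g. emotet then trickbot) means the hand-off is already under way."""
    out = {}
    for r in results:
        if r.family:
            out.setdefault(r.host, set()).add(r.family)
    return {h: sorted(f) for h, f in out.items()}


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    '2020-11-19T10:02:11Z host=WS-0142 user=jdoe detection="Trojan:Win32/Emotet.PDS!MTB" action=quarantined',
    '2020-11-19T10:05:43Z host=SRV-FILE01 user=SYSTEM detection="Backdoor.Win64.CobaltStrike.gen" action=detected',
    '2020-11-19T10:07:02Z host=WS-0201 user=asmith detection="PUA:Win32/Presenoker" action=quarantined',
    '2020-11-19T10:09:30Z host=WS-0142 user=jdoe detection="Trojan.Win32.Trickbot.aa" action=detected',
    '2020-11-19T10:12:15Z host=WS-0333 user=bkim detection="Trojan-Banker.Win32.Qbot.gen" action=detected',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r.severity:8} {r.host:12} {r.family or '-':13} -> {' / '.join(r.chain) or '-'}")
    print("isolate now:", hosts_to_isolate(triage(SAMPLE_ALERTS)))
```

Run against the constructed alerts, WS-0142 shows both Emotet and Trickbot, i.e. the first two stages of the Emotet - Trickbot - Ryuk chain on one host, so it is the first machine to pull. Passing `authorized_pentest_hosts=frozenset({"SRV-FILE01"})` turns that host's CobaltStrike hit into "review" rather than "isolate", which is the only exception the article allows.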

Teo Ehc