If you see any of these malware strains on your corporate network, stop everything you are doing and check all your systems.
This article focuses on known malware strains that have been used over the past two years to install ransomware. The list was compiled with the help of several security researchers from Advanced Intelligence, Binary Defense and Sophos, and it should serve as a "risk guide" for every organization.
Once one of these malware strains is detected, system administrators should take their systems offline and find and remove the malware as a top priority.
1. Emotet is considered the largest malware botnet in operation today.
Typically, the Emotet team sells access to its infected systems to other malware gangs, which in turn sell their own access to ransomware gangs.
Today, the most common ransomware chain linked to Emotet is: Emotet - Trickbot - Ryuk
2. Trickbot is a botnet malware similar to Emotet. Trickbot infects victims on its own, but it is also known to buy access to systems already infected with Emotet.
Over the past two years, security researchers have seen Trickbot sell access to its systems to cybercrime gangs that later deployed Ryuk and, more recently, the Conti ransomware.
3. BazarLoader is currently considered a modular backdoor developed by a team that is either linked to, or was started by, the main Trickbot gang. Either way, regardless of who created it, the group follows the Trickbot model and has already partnered with ransomware gangs to provide access to infected systems.
Currently, BazarLoader is considered the starting point for Ryuk ransomware infections.
4. QakBot, also known as Qbot or Quakbot, is sometimes referred to in the infosec community as a "slower" Emotet, because it usually does what Emotet does, but a few months later.
Following the Emotet gang's lead in allowing its systems to be used to deploy ransomware, the QakBot team has recently partnered with several ransomware gangs: first MegaCortex, then ProLock, and currently the Egregor ransomware gang.
5. SDBBot is malware operated by a group referred to as TA505. It is not a common strain of malware, but it has been identified as the point of origin of incidents in which Clop ransomware was deployed.
6. Dridex is another banking malware that has been repurposed as a "malware downloader", following the example set by Emotet and Trickbot in 2017.
While in the past the Dridex botnet was used in spam campaigns to distribute Locky ransomware to random internet users, in recent years its operators have been using infected computers to deploy either the BitPaymer or DoppelPaymer ransomware strains in more targeted attacks against high-value targets.
7. Zloader is moving fast and has already partnered with the Egregor and Ryuk ransomware operators. If there is one malware strain with the capacity to expand its connections, it is Zloader.
8. Buer, or the Buer Loader, is a malware strain that launched late last year but has already established a reputation and links with cybercriminals, working with ransomware groups.
According to Sophos, some of the cases in which Ryuk ransomware was discovered were linked to Buer infections a few days ago.
9. Phorpiex, or Trik, is one of the smaller malware botnets, but that does not make it any less dangerous. Avaddon ransomware infections observed earlier this year have been linked to Phorpiex. Although neither Avaddon nor Phorpiex is well known, they should be treated with the same level of care as Emotet, Trickbot and the others.
10. CobaltStrike is not botnet malware. It is actually a penetration testing tool developed for cybersecurity professionals, and it is often used by various malware gangs.
Companies are not "infected" with CobaltStrike. However, many ransomware gangs deploy CobaltStrike components as part of their intrusions. The tool is often used as a way to control multiple systems within an internal network and as a precursor to the actual ransomware attack.
We have included CobaltStrike in our list at the request of our sources, who consider it as dangerous as a regular malware strain. If you see it on your network and you are not running a penetration test, stop everything you are doing, take the systems offline and check all your systems for signs of an attack.
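The list above turned into a triage rule over AV/EDR alerts, as an added example that is not code from the article or from the researchers it cites. The alert line format, the host names and the detection strings are constructed assumptions; the escalation rule (two stages of one chain, such as Emotet then Trickbot, on the same host) and the pentest-scope exemption for CobaltStrike are this example's own choices, derived from the article's advice.

```python
import re
from collections import defaultdict

# The article's precursor names and their aliases (lowercase) -> canonical family.
ALIASES = {"emotet": "Emotet", "trickbot": "Trickbot", "bazarloader": "BazarLoader",
           "bazar": "BazarLoader", "qakbot": "QakBot", "qbot": "QakBot", "quakbot": "QakBot",
           "sdbbot": "SDBBot", "dridex": "Dridex", "zloader": "Zloader", "buer": "Buer",
           "phorpiex": "Phorpiex", "trik": "Phorpiex", "cobaltstrike": "CobaltStrike"}
# Ransomware (or next-stage loader) the article links to each precursor, in the order given.
CHAINS = {"Emotet": ["Trickbot", "Ryuk"], "Trickbot": ["Ryuk", "Conti"], "BazarLoader": ["Ryuk"],
          "QakBot": ["MegaCortex", "ProLock", "Egregor"], "SDBBot": ["Clop"],
          "Dridex": ["BitPaymer", "DoppelPaymer"], "Zloader": ["Egregor", "Ryuk"],
          "Buer": ["Ryuk"], "Phorpiex": ["Avaddon"], "CobaltStrike": ["hands-on ransomware deployment"]}
# Assumed (constructed) alert line format: "<timestamp> host=<name> detection=<AV name> ...".
ALERT_RE = re.compile(r"^\S+\s+host=(?P<host>\S+)\s+detection=(?P<name>\S+)")

def triage(alert_lines, pentest_hosts=frozenset()):
    """Return {host: {"severity", "families", "expected_ransomware"}} for hosts to isolate.
    HIGH = any listed precursor; CRITICAL = a later stage of the same chain also seen on the
    host (e.g. Emotet then Trickbot). CobaltStrike inside an authorised pentest scope is ignored."""
    by_host = defaultdict(set)
    for line in alert_lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        # Exact token match on the AV name ("Trojan:Win32/Emotet.PA" -> "emotet"), so that
        # substrings such as "trik" inside "cobaltstrike" cannot produce a false family.
        tokens = re.split(r"[^a-z0-9]+", m["name"].lower())
        fams = {ALIASES[t] for t in tokens if t in ALIASES}
        if m["host"] in pentest_hosts:
            fams.discard("CobaltStrike")
        by_host[m["host"]].update(fams)
    report = {}
    for host, fams in by_host.items():
        if not fams:
            continue
        # Chain progression: one detected family is a known hand-off target of another.
        escalated = any(f2 in CHAINS[f1] for f1 in fams for f2 in fams if f1 != f2)
        report[host] = {"severity": "CRITICAL" if escalated else "HIGH",
                        "families": sorted(fams),
                        "expected_ransomware": sorted({r for f in fams for r in CHAINS[f]} - fams)}
    return report

# Constructed sample alerts, not real telemetry; "lab-01" is an authorised pentest host.
SAMPLE_ALERTS = """\
2020-11-20T08:12:03Z host=ws-041 detection=Trojan:Win32/Emotet.PA action=quarantined
2020-11-20T09:40:11Z host=ws-041 detection=TrojanSpy:Win32/Trickbot.GA action=quarantined
2020-11-20T10:05:47Z host=srv-db2 detection=Backdoor:Win32/CobaltStrike!ml action=blocked
2020-11-20T10:06:02Z host=ws-077 detection=Trojan:Win32/Quakbot.B action=quarantined
2020-11-20T10:20:30Z host=lab-01 detection=Backdoor:Win32/CobaltStrike!ml action=blocked
2020-11-20T10:30:15Z host=ws-019 detection=Adware:Win32/Generic action=quarantined
""".splitlines()
```

Calling `triage(SAMPLE_ALERTS, pentest_hosts={"lab-01"})` flags ws-041 as CRITICAL (Emotet and Trickbot, with Conti or Ryuk as the likely next stage), srv-db2 and ws-077 as HIGH, and leaves lab-01 and ws-019 out.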