‘Precursor malware’ infection may be sign you're about to get ransomware, says startup

As more and more biz pays up to restore data, we're told

Ransomware is among the most feared of the myriad cyberthreats circulating today, putting critical data at risk and costing some enterprises tens of millions of dollars in damage and ransoms paid. However, ransomware doesn't occur in a vacuum, according to security startup Lumu Technologies.

A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls "precursor malware": malicious code that has typically been present in the victim's network for a while, performing reconnaissance and laying the groundwork for the full ransomware campaign to come. The theory is that if a company finds and remediates that precursor malware, it can ward off the ransomware attack.

"The moment you see your network – and by network, I mean the network as defined in modern times, whatever you have on premises, whatever is out in the clouds, whatever you have with your remote users – when you see any assets from your network contacting an adversarial infrastructure, eliminate that contact because that puts you in your zone of maximum resistance to attacks," Villadiego told The Register.

If a company detects that its network is contacting what look like the command-and-control servers of malware such as Emotet, Phorpiex, SmokeLoader, Dridex and TrickBot, shutting down those contacts right away "is going to eliminate the catastrophic effect, which is the ransomware attack," he said.

Lumu set out the warning signs of an impending ransomware attack in a quick report – what the company calls a "flashcard" – this month, describing what it says is a vicious cycle of ransomware.

Citing statistics from cybersecurity consultancy CyberEdge, Lumu said that victims that pay the ransom are increasingly recovering their data, from 19.4 percent in 2018 to 71.6 percent last year. This has made companies more willing to pay the ransom – 38.7 percent in 2018, 57 percent now – despite recommendations and pleas from the government and cybersecurity experts not to pay.

With more companies paying, threat groups are incentivized to run ransomware attacks and invest more money into their efforts, the Lumu researchers wrote, adding that the result is more infections. Several US agencies – the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and NSA – joined counterparts in the UK and Australia in February in issuing a joint advisory warning that the threat of ransomware around the world will increase this year.

Addressing the precursor malware when it arises can reduce the incidence of ransomware, it's claimed. Across the more than 2,000 companies Lumu monitors, every ransomware attack was preceded by other malware that paved the way.

"When we see the companies that were affected, there were a lot of signs that were happening months – and in some cases, more than three months – before they were affected by the ransomware attack," Villadiego said. "When you see a network that is contacting these precursors of ransomware, there are other pieces of malware that cause less harm."

The precursor malware will spread laterally through a company's network and devices, escalating access before a ransomware package is deployed, he said. Security pros within the company may see some kind of activity and assume their firewalls or endpoint detection and response (EDR) software has caught it and protected them, whereas what was picked up was only the precursor, and the campaign behind it continues. At the same time, a company's security operations may be flooded with unrelated alerts that get more attention than those from the precursor malware, he said.

Meanwhile, the bad actors are being given months to set up a ransomware outbreak, the CEO said.

"What we make clear to the companies that we're protecting is, your point of maximum resistance to attacks is your point of lesser contact," he said. "Whatever that infrastructure is, that is going to be one of maximum resistance to attack ... My advice to security operators is to deal with small problems so you don't have to deal with a catastrophic event of a ransomware attack. And what is a small problem? A small problem in security is when your network is starting to contact these adversarial infrastructures, which typically goes unnoticed and typically doesn't create an event that compels the operators to act."

The company also listed the malware backends its monitored networks were most often seen contacting. At the top of the list is Emotet, a banking trojan first discovered in 2014 that later evolved to include spamming and malware delivery services. Among the other malware were Phorpiex (a botnet first seen in 2016 that later included crypto-jacking and spreading ransomware), SmokeLoader (a backdoor used for malware delivery), Dridex (known for stealing bank credentials) and TrickBot (a banking trojan).

Villadiego in 2018 founded Lumu, based in Doral, Florida. The company, which raised $7.5m in Series A funding a year ago and has about 80 employees, offers the Continuous Compromise Assessment model, which enables organizations to measure compromises within their systems in real time and automate the mitigation responses. The technology integrates with security tools enterprises are already using, delivers intelligence about compromises and lets organizations intentionally hunt for compromises.

Lumu collects DNS queries, network flows, access logs, and firewall and proxy logs, and correlates that data to identify whether any asset is trying to contact adversarial infrastructure. Having that information enables organizations to cut off such contacts.
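The correlation described above, and the earlier point about assets contacting command-and-control servers for months before the ransomware lands, can be shown on a small scale. The following is an added example, not Lumu's code: it normalizes three constructed telemetry sources (a BIND-style DNS query log, a Squid access log and a NetFlow-style CSV export) into (timestamp, asset, indicator) events, matches them against a constructed indicator list, and reduces the matches to a per-asset report with first and last contact so the dwell time is visible. The indicator domains (under .invalid), the 203.0.113.0/24 addresses, the log contents and the function names are all placeholders chosen for this example.

```python
"""Correlate DNS, proxy and flow logs against an indicator list to find assets
contacting adversarial infrastructure, and measure how long it has gone on.

Added example, not Lumu's code. Indicators and log lines are constructed:
.invalid domains and 203.0.113.0/24 (TEST-NET-3) addresses are placeholders.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed indicator feed; a real deployment would load a threat-intel
# source and tag each entry with the malware family it belongs to.
INDICATORS = {
    "domain": {"update-check.c2.invalid": "loader C2 (placeholder)",
               "mail-sync.c2.invalid": "spam-bot C2 (placeholder)"},
    "ip": {"203.0.113.10": "banking-trojan C2 (placeholder)"},
}

# Constructed sample logs in three common shapes: BIND-style query log,
# Squid access log, NetFlow-style CSV export.
DNS_LOG = """\
2022-03-02T09:14:03Z client 10.0.4.17#53411: query: update-check.c2.invalid IN A
2022-03-02T09:14:05Z client 10.0.4.17#53412: query: www.example.com IN A
2022-05-19T22:01:44Z client 10.0.4.17#53500: query: mail-sync.c2.invalid IN A
"""
PROXY_LOG = """\
1646212450.123 10.0.4.17 TCP_MISS/200 512 GET http://update-check.c2.invalid/gate.php
1649500000.456 10.0.7.3 TCP_MISS/200 1024 GET http://www.example.com/
"""
FLOW_LOG = """\
ts,src,dst,dport,bytes
2022-04-11T03:30:00Z,10.0.7.3,203.0.113.10,443,2048
2022-06-01T12:00:00Z,10.0.4.17,203.0.113.10,443,4096
"""
DNS_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dns_events(text):
    """Yield (timestamp, asset, kind, value, source) for each DNS query."""
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            yield parse_ts(m["ts"]), m["src"], "domain", m["qname"].lower().rstrip("."), "dns"


def proxy_events(text):
    """Yield one event per proxied request, keyed on the URL's host."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        host = urlsplit(parts[5]).hostname
        if host:
            ts = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
            yield ts, parts[1], "domain", host.lower(), "proxy"


def flow_events(text):
    """Yield one event per flow record, keyed on the destination address."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            dst = str(ipaddress.ip_address(row["dst"]))
        except ValueError:
            continue  # skip malformed records rather than abort the run
        yield parse_ts(row["ts"]), row["src"], "ip", dst, "flow"


def find_adversarial_contacts(dns_log=DNS_LOG, proxy_log=PROXY_LOG,
                              flow_log=FLOW_LOG, indicators=INDICATORS):
    """Return {asset: {first_seen, last_seen, hits, families}} for every asset
    seen contacting an indicator in any of the three telemetry sources."""
    events = [*dns_events(dns_log), *proxy_events(proxy_log), *flow_events(flow_log)]
    report = {}
    for ts, asset, kind, value, source in sorted(events):
        family = indicators.get(kind, {}).get(value)
        if family is None:
            continue
        e = report.setdefault(asset, {"first_seen": ts, "last_seen": ts,
                                      "hits": [], "families": set()})
        e["first_seen"], e["last_seen"] = min(e["first_seen"], ts), max(e["last_seen"], ts)
        e["hits"].append((ts, source, value))
        e["families"].add(family)
    return report


def dwell_days(entry):
    """Days between an asset's first and most recent adversarial contact."""
    return (entry["last_seen"] - entry["first_seen"]).days


def containment_plan(report):
    """The 'eliminate that contact' step: assets to isolate, indicators to block."""
    blocklist = sorted({v for e in report.values() for _, _, v in e["hits"]})
    return sorted(report), blocklist
```

Running `find_adversarial_contacts()` on the constructed data shows why a single source is not enough: the host 10.0.4.17 is seen in DNS, proxy and flow telemetry, and its first contact is 91 days before its last, which is the kind of gap the article describes. The design point is that matching happens on normalized values (lower-cased hostnames, canonical IP strings) after every source has been reduced to the same event tuple, so a new telemetry source only needs a new parser, not new matching logic.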

Enterprises are spending millions of dollars on security products and managed security services providers (MSSPs), but often their security teams are not looking for compromises.

"It's hard to find something that we're not looking for," he said, adding that many assume that their organization is secure. "That is the wrong mindset and the breaches that have happened demonstrate that. A better way to operate is by assuming you're compromised and let your network prove otherwise. Let the network prove you're not." ®

Biting the hand that feeds IT © 1998–2022