Ransomware operators relied heavily on a handful of commodity Trojans, open source reconnaissance tools, and legitimate Windows utilities to execute many of their attacks during the past quarter, according to data from incidents handled by the Cisco Talos Incident Response (CTIR) team.
The data, collected from customer locations between November 2020 and January 2021, showed attackers continuing to overwhelmingly use phishing emails with malicious documents to deliver Trojans for downloading ransomware on victim systems.
But unlike in the recent past, when the Emotet and Trickbot malware families were the primary vehicles for distributing ransomware, many of the Trojans used for this purpose in the past quarter were commodity tools such as Zloader, BazarLoader, and IcedID. According to the CTIR team, nearly 70% of the ransomware attacks it responded to over the three-month period used these or similar Trojans to deliver ransomware.
“We saw a variety of commodity Trojans used this quarter, as opposed to previous quarters in which Trickbot and Emotet were dominant,” says Brad Garnett, general manager of the Cisco Talos Incident Response team.
For enterprises, the trend could spell even more trouble on the ransomware front.
“Commodity Trojans are easy to obtain and possess numerous capabilities for lateral movement, command-and-control communications, etc., which can increase the efficacy of a ransomware attack,” Garnett notes.
The CTIR team’s data from incident response engagements showed ransomware dominated the threat landscape during the three-month period, just as it has for the past seven straight quarters. The most prolific ransomware families included Ryuk, Vatet, WastedLocker, and variants of Egregor.
As they have in the past, ransomware operators took advantage of several open source and legitimate admin tools and utilities to facilitate attacks, move laterally in compromised networks, hide malicious activity, and take other actions. Some 65% — or nearly two-thirds — of the ransomware incidents the Cisco Talos team…