The First Step: Initial Access Leads to Ransomware

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Key Findings

  • The ransomware threat delivered by email has largely shifted from a direct threat to an indirect one, in which email is only one link in the attack chain.
  • Ransomware threat actors leverage cybercriminal enterprises – largely banking trojan distributors – for malware deployment. These access facilitators distribute their backdoors via malicious links and attachments sent via email.
  • Banking trojans were the most popular malware distributed via email, representing almost 20% of malware seen in Proofpoint data the first half of 2021.
  • Proofpoint currently tracks at least 10 threat actors acting as initial access facilitators or likely ransomware affiliates.
  • Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021.
  • There is not a 1:1 relationship between malware loaders and ransomware attacks. Multiple threat actors use the same malware payloads for ransomware distribution.


Ransomware attacks still use email — but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize, to the tune of greater profits for all (except, of course, the victims).

Preventing ransomware via email is straightforward: block the loader, and you block the ransomware.

Typically, initial access brokers are understood to be opportunistic threat actors supplying affiliates and other cybercrime threat actors after the fact, for example by advertising access for sale on forums. But for the purposes of this report, we consider initial access brokers to be the groups who…


Samsung Galaxy Tab A7 gets access to May 2021 security update


The Galaxy Tab A7 is among the most popular tablets from Samsung right now, thanks to its impressive build, large display, and stereo speakers. After Galaxy Tab A7’s success during the COVID-19 pandemic due to remote learning growth, Samsung released the Galaxy Tab A7 Lite a few days ago. Now, the company has released a new security update to the Galaxy Tab A7.

The LTE version of the Galaxy Tab A7 (SM-T505) is getting a new software update in various European markets mentioned in the list below. The latest software, which bears firmware version T505XXU3BUF2, brings the May 2021 security patch to the tablet. The update includes dozens of fixes from Google and 23 fixes from Samsung.

  • Austria
  • Baltic Countries
  • Bulgaria
  • Czech Republic
  • France
  • Germany
  • Greece
  • Hungary
  • Italy
  • Luxembourg
  • Nordic Countries
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Southeast Europe
  • Spain
  • Switzerland
  • The Netherlands
  • The UK

If you are a Galaxy Tab A7 LTE user in any of the countries or regions mentioned above, you can check for the update by navigating to Settings » Software update and tapping on Download and install on your tablet. You can also download the latest firmware file meant for your device from our firmware database and flash it manually.

More countries worldwide could get the new software update for the Galaxy Tab A7 over the next few days. The device was launched with Android 10 on board, but it received the Android 11 update two months ago.

  • Model: SM-T505
  • Dimensions: 157.4 x 247.6 x 7 mm
  • Display: 10.4 inch / 264.16 mm TFT
  • CPU: Snapdragon 662
  • Camera: 8MP


ASSA ABLOY Helps Organizations To Adopt Mobile Access Control


The smartphone is changing access control and security management at every scale and level, from global corporations to small companies. Making the switch to mobile access control, however, can seem daunting. Questions may arise around cost, practicality and the potential need for new door hardware. Yet going mobile is actually a lot simpler and quicker than many think, as one new guide explains.

Data from the recent Wireless Access Control Report 2021 suggests almost two-thirds of organizations have already adopted mobile access control, or plan to do so within two years. Industry analysts Omdia estimate that downloads of mobile credentials grew by 220% between 2018 and 2019 alone.

Mobile access control

The main benefits of mobile access control, the report suggests, are convenience, cost and security. All three of these advantages apply for any scale of organization. The user convenience of replacing plastic key-cards with secure ‘mobile keys’ on a smartphone is obvious. Identical benefits have already brought a mobile-first ethos to banking, travel booking, food delivery and many more sectors.

The ability to get the job done efficiently from anywhere is becoming essential

From a business perspective, too, the option for facilities managers to use their own smart device to issue, amend or revoke an employee’s mobile key brings added flexibility. It frees security staff from the desk and its dedicated admin PC. As the work patterns become fluid — IBM estimates 1.87 billion people will be mobile workers by 2022 — the ability to get the job done efficiently from anywhere is becoming essential. Access management via smartphone offers this.

Reissuing mobile credential

Secondly, mobile credentials are simpler and quicker to administer than key-cards, which brings significant cost savings. Deploying mobile keys on employee smartphones removes any need to purchase plastic cards or pay for their printing. Any missing plastic credential needs replacing; canceling and reissuing a mobile credential is essentially costless. Mobile access control also enables a business to reduce its use of non-recyclable plastics.

Third, the…


Siloscape: this new malware targets Windows containers to access Kubernetes clusters


A new strain of malware designed to compromise Windows containers in order to reach Kubernetes clusters has been revealed by researchers.

The malware, dubbed Siloscape, is considered unusual because malware designed to target containers generally focuses on Linux, the more popular operating system for managing cloud applications and environments.

According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo.

In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and a .onion domain to connect to its command-and-control (C2) server, which threat actors use to manage their malware, exfiltrate data, and send commands.

The malware, labeled as CloudMalware.exe, targets Windows containers that use Server (process) isolation rather than Hyper-V isolation, and gains initial access by exploiting known but unpatched vulnerabilities in servers, web pages, or databases.

Siloscape will then attempt to achieve remote code execution (RCE) on the container's underlying node by using various Windows container escape techniques, such as impersonating CExecSvc.exe, the container image service, to obtain the SeTcbPrivilege privilege.

“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”

If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or will load up cryptocurrency miners to leverage the system’s resources to covertly mine for cryptocurrency and earn its operators profit for as long as the activities go undetected. 
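Since Siloscape only works against Windows containers running with Server (process) isolation, one defender-side check is to audit which Windows pods in a cluster are not pinned to a Hyper-V-isolated RuntimeClass. The script below is an added example, not code from Unit 42 or the Kubernetes project; it works on constructed pod and RuntimeClass objects in the shape of `kubectl get -o json` items, and the handler names `runhcs-wcow-hypervisor` and `runhcs-wcow-process` are assumed from containerd's Windows shim and should be verified against your own RuntimeClass definitions.

```python
# Assumed handler name from containerd's Windows shim; verify against your cluster.
HYPERV_HANDLERS = {"runhcs-wcow-hypervisor"}

def hyperv_runtime_classes(runtime_classes):
    """Names of RuntimeClass objects whose handler gives Hyper-V isolation."""
    return {rc["metadata"]["name"] for rc in runtime_classes
            if rc.get("handler") in HYPERV_HANDLERS}

def is_windows_pod(pod):
    """Windows-targeted if spec.os.name or the kubernetes.io/os node selector says so."""
    spec = pod.get("spec", {})
    return (spec.get("os", {}).get("name") == "windows"
            or spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows")

def find_process_isolated_windows_pods(pods, runtime_classes):
    """(namespace, name, runtimeClassName) for Windows pods lacking Hyper-V isolation."""
    isolated = hyperv_runtime_classes(runtime_classes)
    findings = []
    for pod in pods:
        if not is_windows_pod(pod):
            continue
        rc = pod["spec"].get("runtimeClassName")  # None means the node's default runtime
        if rc not in isolated:
            findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"], rc))
    return findings

# Constructed sample objects in the shape of `kubectl get ... -o json` items.
SAMPLE_RUNTIME_CLASSES = [
    {"metadata": {"name": "windows-hyperv"}, "handler": "runhcs-wcow-hypervisor"},
    {"metadata": {"name": "windows-process"}, "handler": "runhcs-wcow-process"},
]
SAMPLE_PODS = [
    {"metadata": {"namespace": "web", "name": "iis-0"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"}, "runtimeClassName": "windows-hyperv"}},
    {"metadata": {"namespace": "web", "name": "iis-1"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"}, "runtimeClassName": "windows-process"}},
    {"metadata": {"namespace": "db", "name": "sql-0"},
     "spec": {"os": {"name": "windows"}}},  # no RuntimeClass: default (process) isolation
    {"metadata": {"namespace": "api", "name": "go-0"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "linux"}}},
]

if __name__ == "__main__":
    for ns, name, rc in find_process_isolated_windows_pods(SAMPLE_PODS, SAMPLE_RUNTIME_CLASSES):
        print(f"{ns}/{name}: runtimeClassName={rc!r} does not provide Hyper-V isolation")
```

Pods with no runtimeClassName at all are reported too, since they fall back to the node's default runtime, which on a Windows node is process isolation unless the cluster has been configured otherwise.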

The malware’s developers have ensured that heavy obfuscation is in place — to the point where functions and module names are only deobfuscated at runtime — in order to…