Ransomware Is Evolving Into Cyber Espionage

Ransomware and phishing attacks have been on the rise since 2020. In part, the pandemic has played a role in this increased threat to many organizations throughout the U.S. because of remote workers. Although email is still the preferred delivery method, IT network management and security companies are seeing a spike in social engineering schemes. RAVENii technicians and IT security personnel are having to get creative when it comes to stopping threats on social media platforms, voicemail (“vishing”), SMS phishing (“smishing”), and malicious USB drops.

A few years back, ransom demands were our biggest concern. Organizations were turning to IT network management and security companies after hearing of the countless organizations that paid the ransom and failed to receive a decryption key; however, ransomware attacks have spiked higher than ever.

Why Is Ransomware Surging Again?

The short answer is “distractionware”. Think of it this way: you get an email or text from your bank. Once you have clicked the link, you are redirected to a hijacked site and, unbeknownst to you, the real attack is piggybacking on a more innocent-looking phishing ploy. Ransomware has become the distraction. While security measures ramp up to protect against the obvious incoming threat, malicious “loaders”, small packages designed to stay undetected on a compromised machine, are coming in through less common or less suspicious methods. They function with only one agenda: execute additional malware.

Now we are finding that these loaders are being adapted to spread ransomware. One such loader is the HUI Loader. It is a custom DLL loader that can be deployed by hijacking legitimate software programs that are susceptible to DLL search order hijacking. Once executed, the loader deploys and decrypts a file containing the main malware payload.
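One way to hunt for the DLL search order hijacking described above, as an added example that is not from the original post or any RAVENii tooling: a triage pass over image-load records shaped like Sysmon Event ID 7 (fields Image, ImageLoaded, Signed). The DLL baseline, the writable-path list, and every path and file name in the sample records are constructed assumptions, not HUI Loader indicators.

```python
import ntpath

# Assumed baseline: DLL names that normally load from the Windows system directories.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptsp.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumed list of locations a standard user can usually write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def assess_image_load(event):
    """Return the reasons an image-load record looks like DLL search order hijacking."""
    exe_dir = ntpath.normcase(ntpath.dirname(event["Image"]))
    dll_dir, dll_name = ntpath.split(ntpath.normcase(event["ImageLoaded"]))
    reasons = []
    # A system DLL name resolved from a non-system directory means the search
    # order picked up a copy placed ahead of the real one.
    if dll_name in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded outside system directories")
    # An unsigned DLL sitting beside the executable in a user-writable path.
    unsigned = event.get("Signed", "false").lower() != "true"
    if unsigned and dll_dir == exe_dir and (dll_dir + "\\").startswith(USER_WRITABLE):
        reasons.append("unsigned DLL beside executable in user-writable path")
    return reasons

def triage(events):
    """Return (ImageLoaded, reasons) for every record that raised at least one reason."""
    return [(e["ImageLoaded"], r) for e in events if (r := assess_image_load(e))]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Tools\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Cache\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Cache\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

In practice the baseline and the writable-path list would be built from your own environment, and hits would be correlated with what the loading process does next.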

Ransomware Targeted Organizations

Which organizations a ransomware attack targets depends on the information the cyber criminals are trying to obtain. The common victims include pharmaceutical companies, US media outlets, manufacturers, financial institutions, and organizations in and around the aerospace and defense industries. Now that these industries have gone to a remote work environment, IT network security has become even more difficult to execute.

In March of 2022, a team of cybersecurity researchers found a new version of the HUI Loader that uses RC4 ciphers to decrypt the payload. Utilizing enhanced obfuscation code, this loader attacks Windows. The goal is to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) checks, and to tamper with Windows API calls.

The Real Goal of Distractionware Ransomware

The consensus amongst cybersecurity experts is that using ransomware as a distraction is a means to an end. If organizations did not store data, ransomware would have no purpose. Since mid-2021, we have been aware of Bronze Starlight using HUI Loader to install ransomware (LockFile, AtomSilo, Rook, Night Sky and Pandora). The results of the underlying malware have led to the belief that cyber espionage was the goal. While incident responders are distracted by the ransomware, they are not identifying the true intent and the threat to the data being stored.

Ransomware Best Practices

The first thing RAVENii does is a threat assessment. We look for both machine and human risks. Our enterprise assessment covers everything from where your data is stored and whether it is searchable online, to email attachments and how your staff choose and store their passwords. We then create an action plan and prioritize which potential breaches present the greatest vulnerability.

RAVENii offers full IT network Managed Security Services, Incident Response, Protocol and Policy development, and staff training. For more information about RAVENii and our professional expertise, contact (844)317-0944 today!

