ZLoader botnet campaign ‘a wakeup call’ on how ransomware can evolve


While joint efforts by Microsoft and a number of security vendors have disrupted a global campaign that leveraged the ZLoader botnet to distribute ransomware, the opportunistic attacks serve as a reminder that ransomware is a society-wide threat.

Microsoft’s Digital Crimes Unit said Wednesday that it recently obtained a court order in Georgia allowing it to take down 65 domains used by the ZLoader group. Other participants in the effort — which also used technical means to disrupt ZLoader — included ESET; Lumen’s threat intelligence unit, Black Lotus Labs; and Palo Alto Networks’ Unit 42 division.

Researchers at Microsoft said that the ZLoader attacks largely targeted the U.S., Western Europe, China and Japan.

While ZLoader had originally been deployed as a banking trojan, the malware is “notable for its ability to evolve,” the Microsoft researchers said in a blog post. And with this latest campaign, the botnet has evolved to distribute ransomware payloads, the researchers said.

The attacks also appear to have been more opportunistic than many of the high-profile ransomware attacks known to date, which have often targeted specific organizations.

“Zloader affiliates used different techniques to expand their botnets, such as sending spam emails containing malicious documents or misusing Google Ads to direct visitors to malicious websites serving the malware,” said Alexis Dorais-Joncas, security intelligence team lead at ESET, in an email.

Alongside the misused Google ads, the ZLoader campaign also used emails about COVID-19 (carrying malicious Microsoft Word attachments) and fake invoice emails containing malicious XLS macros, according to ESET researchers.

“The affiliates could then decide to deploy additional malware to the infected systems under their control, such as ransomware,” Dorais-Joncas said.

Evolving threat

The fact that ZLoader has evolved to be used for deploying ransomware represents “a wakeup call on how ransomware will continue to evolve,” said Joseph Carson, chief security scientist and advisory CISO at Delinea, a privileged access management vendor.

“This means that rather than ransomware victims being targeted, it makes ransomware more opportunistic — putting more individuals and small businesses at higher risk of becoming ransomware victims,” Carson said in an email.

Switching the use of ZLoader from stealing credentials and sensitive data to distribution of ransomware would “likely result in more individuals and small businesses becoming victims of ransomware by visiting the wrong domain or clicking on the wrong link,” he said.

The evolution is a reminder that “everyone is now a target of ransomware criminals,” Carson said. “We must prioritize ransomware no longer as the biggest threat to organizations, but one of the biggest threats to society.”

A lucrative business

Davis McCarthy, principal security researcher at Valtix, noted that Emotet also evolved from a banking trojan — “becoming a powerful polymorphic botnet that has evaded takedown for years.”

Underpinning this evolution of ZLoader is the fact that “ransomware is lucrative. And as more ransomware groups come to market, access brokering will grow in demand,” McCarthy said. “As access brokering grows, the need for reliable and innovative delivery methods will grow as well.”

In the past, ZLoader has been tied to ransomware families including Ryuk, which is infamous for targeting health care organizations, Microsoft researchers said.

A particularly notable element of the ZLoader campaign is the presence of customizable options, “which would make one attacker’s use of ZLoader differ from another attacker’s instance,” said Ben Pick, principal consultant at nVisium. “This makes detection difficult as a signature-based approach would be ineffective.”

Wider net

Ultimately, “maintained trojans typically increase their capabilities to cast a wider net of potential victims or avoid detection,” Pick said. “To me, this means that the threat remains and that the trojan will continue to evolve, so long as it is profitable to malicious actors.”

John Bambenek, principal threat hunter at Netenrich, noted that early on in the history of ransomware, many ransomware authors tried to distribute their own malware. However, they quickly discovered it was best to focus on making solid ransomware — and allow those who were skilled at compromising systems in bulk to focus on that, Bambenek said.

“The result is an efficient and relentless ecosystem in going after victims in a way that maximizes profits for both groups,” he said.

Modern ransomware, Bambenek said, is a complicated business that requires different sets of expertise. And at this point, he said, “the criminals have figured that out to streamline their time and efficiency to get paid.”

Originally appeared on: TheSpuzz