Kroll’s Cyber Risk team detected a growing trend in the use of banking trojans to launch ransomware attacks.
A study by risk solutions provider, Kroll, identified a growing trend in the use of Qakbot trojan, or Qbot, to launch email thread hijacking campaigns and to deploy ransomware attacks.
According to the findings in conjunction with analysts from the National Cyber-Forensics and Training Alliance, or NCFTA, cybercriminals seek to steal financial data from multiple industries like media, education, and academia. However, the COVID-19 pandemic has helped the attacks target the healthcare sector as well.
The trojan is reportedly being used as a “point of entry” by the operators behind the ProLock ransomware gang. The report suggests that victims are easy targets due to the sophisticated phishing structures established by the criminals.
Methods of attacks used by the Qakbot trojan
Qakbot is a banking trojan that has been active for over a decade, says Kroll, and relies on the use of keyloggers, authentication cookie grabbers, brute force attacks, and windows account credential theft, among others.
One of the authors of the research, Laurie Iacono, vice president of Kroll’s cyber risk team, explained the following reasons to Cointelegraph why cybercriminals are relying on trojans like Qakbot to launch ransomware attacks:
“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system, find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data), and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”
Research co-author and vice president of Kroll’s cyber risk department, Cole Manaster, clarified to Cointelegraph that the rise of thread hijacking attacks like the ones deployed by Qakbot shows an evolution. He adds the following:
“Criminals are aware of the increasing cybersecurity training across email users and are producing more sophisticated, and authentic-looking phishing lures.”
COVID-19 crisis boosting the level of threat in cybercrimes
On the other hand, Iacono said that the use of trojans by ransomware is not uncommon and gives an example of the Ryuk attacks that are preceded by the installation of the Emotet trojan, and DoppelPaymer attacks preceded by Trickbot injections.
She cautions that, with more workers at home due to the COVID-19 crisis, they see “an uptick in attacks exploiting vulnerabilities in remote work applications such as the Citrix exploit.”
Cointelegraph reported on May 17 that the gang ProLock is relying on the Qakbot banking trojan to launch the attack and asks the targets for six-figure USD ransoms paid out in Bitcoin (BTC) to decrypt the files.