A study by risk solutions provider Kroll has identified a growing trend in the use of the Qakbot Trojan, or Qbot, to launch email thread hijacking campaigns to deploy ransomware attacks.
According to the findings, in conjunction with analysts from the National Cyber-Forensics and Training Alliance, cybercriminals are seeking to steal financial data from multiple industries, including the media, education and academia. However, the COVID-19 pandemic has also helped the attacks attack the health sector.
Ransomware attacks are increasing in the education sector
The Trojan would be used as an „entry point“ by the operators behind the ransomware ProLock gang. The report suggests that victims are easy targets due to the sophisticated phishing structures set up by the criminals.
Attack methods used by the Qakbot Trojan
Qakbot is a banking Trojan that has been active for more than a decade, says Kroll, and relies on the use of keyloggers, authentication cookie sniffers, brute-force attacks and Windows account credential theft, among other techniques.
New ransomware uses banking trojan to attack governments and businesses
One of the authors of the research, Laurie Iacono, vice president of Kroll’s cyber risk team, explained to Cointelegraph the following reasons why cyber criminals rely on Bitcoin Revolution like Qakbot to launch ransomware attacks:
„The main reason is to maximize their profits. Over the past 18 months, Kroll has observed multiple instances where a Trojan infection is the first step in a multi-stage attack: Hackers infect a system, find a way to escalate privileges, perform reconnaissance, steal credentials (and sometimes confidential data), and then launch a ransomware attack from an access level where it can cause the most damage. They can make money by paying ransom and potentially selling stolen data and credentials, and the stolen data helps force infected companies to pay the ransom.
City of Alabama plans to pay ransomware group despite warnings
Co-author of the research and vice president of Kroll’s cyber risk department, Cole Manaster, made it clear to Cointelegraph that the increase in thread hijacking attacks such as those deployed by Qakbot shows an evolution. He added the following:
„Criminals are aware of the increasing cyber security training among email users and are producing more sophisticated and authentic-looking phishing lures.
COVID-19 crisis raises cybercrime threat level
On the other hand, Iacono said that the use of Trojans by ransomware gangs is not uncommon and gives an example of the Ryuk attacks that are preceded by the installation of the Emotet Trojan, and the DoppelPaymer attacks preceded by Trickbot injections.
Ransomware gangs come together to form cartel-style structures
He warned that, with more workers at home due to the COVID-19 crisis, they see „an increase in attacks that exploit vulnerabilities in remote work applications such as the Citrix exploit.
Cointelegraph reported May 17 that the ProLock gang is relying on the Qakbot banking Trojan to launch the attack and is asking targets for six-figure dollar ransoms paid at Bitcoin (BTC) to decrypt the files.