A new ransomware operation is using unusual techniques to compromise networks and encrypt them with file-locking malware in order to extort ransom payments from victims.
Royal ransomware first appeared in September of this year and is being distributed by multiple threat groups, one of which Microsoft Security Threat Intelligence describes as following a “pattern of continuous innovation” in how it distributes and hides its payloads until it is too late and the victim’s network is encrypted.
The attacks, delivered in a variety of ways, are attributed to a group Microsoft tracks as DEV-0569, a temporary designation used because the origin and identity of the group behind the activity are unknown.
Some campaigns deliver Royal ransomware through phishing email, a method commonly associated with cyberattacks. In this case the emails carry malicious attachments containing the Batloader backdoor, which is then used to download the ransomware payload.
This is not the only phishing technique used by Royal ransomware actors to deliver the initial payload. Microsoft also notes emails with links disguised as legitimate installers and updates for commonly used business applications. Downloading these bogus updates installs a backdoor that is later used to deliver malware.
A more unusual technique involves using a website contact form to reach out to the target and deliver malware. DEV-0569 is not the first ransomware operation to distribute attacks in this manner, but the method remains uncommon and may not be one defenders have planned for.
The attackers send messages to their targets via the target website’s contact form, claiming to be from a national financial institution. Once the victim responds to the message, the attackers will reply again and attempt to trick the victim into clicking on a link to install Batloader.
Attackers have also recently been observed leveraging Google ads to deliver malware through malvertising links, which allow the attackers to track which users and devices clicked on them. These links are used to identify potential targets for the Batloader payload.
Microsoft says it has reported this activity to Google for awareness and action. ZDNET has reached out to Google but had not heard back at the time of publication.
In addition to malvertising and phishing links, DEV-0569 has carried out human-operated, “hands-on” attacks to install the ransomware, exploiting vulnerabilities and using remote access tools to reach compromised networks, gain access and manually download the Royal payload.
According to Microsoft researchers, “DEV-0569’s extensive infection base and diverse payloads make this group likely to be an attractive access broker for ransomware operators,” as well as for other malicious cyber threat groups.
Attackers have also been seen using open source tools to disable antivirus software and make it harder to detect malicious activity.
According to Microsoft, the group will likely continue to break into networks in a variety of ways, but there are steps organizations can take to avoid falling victim to its attacks.
These include building resilience against email threats by educating users on how to identify social engineering attacks and prevent malware infections, and providing users with a way to report suspected attacks.
Microsoft also recommends that organizations practice the principle of least privilege and maintain credential hygiene. This means giving each account only the access its owner absolutely needs to do their job, and making sure the account is protected with a strong password and multi-factor authentication. These measures help prevent attackers from infiltrating the network and moving laterally within it.
Microsoft also suggests that organizations enable anti-tampering features to prevent attackers from taking down security services.
https://www.zdnet.com/article/this-sneaky-ransomware-gang-keeps-changing-tactics-to-spread-its-malware/#ftag=RSSbaffb68 This dastardly ransomware gang keeps changing its tactics to spread its malware