Hackers Increasingly Rely on Trojans to Deploy Ransomware Attacks

Kroll’s Cyber Risk team has detected a growing trend in the use of banking trojans to launch ransomware attacks.

A study by risk solutions provider Kroll has identified a growing trend in the use of the Qakbot trojan, or Qbot, to launch email thread hijacking campaigns and to deploy ransomware attacks.

According to the findings, produced in conjunction with analysts from the National Cyber-Forensics and Training Alliance, cybercriminals seek to steal financial data from multiple industries such as media, education and academia. However, the COVID-19 pandemic has helped the attacks target the health care sector as well.

The trojan is reportedly being used as a “point of entry” by the operators behind the ProLock ransomware gang. The report suggests that victims are easy targets due to the sophisticated phishing structures established by the criminals.

Methods of attacks used by the Qakbot trojan

Qakbot is a banking trojan that has been active for over a decade, says Kroll, and relies on the use of keyloggers, authentication cookie grabbers, brute force attacks and Windows account credential theft, among other techniques.

One of the authors of the research, Laurie Iacono, the vice president of Kroll’s cyber risk team, explained to Cointelegraph why cybercriminals are relying on trojans such as Qakbot to launch ransomware attacks:

“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system, find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data), and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”

The research’s co-author and the vice president of Kroll’s cyber risk department, Cole Manaster, clarified to Cointelegraph that the rise of thread hijacking attacks such as the ones deployed by Qakbot shows an evolution. He added the following:

“Criminals are aware of the increasing cybersecurity training across email users and are producing more sophisticated, and authentic-looking phishing lures.”

COVID-19 crisis boosting the level of threat in cybercrimes

On the other hand, Iacono said that the use of trojans by ransomware gangs is not uncommon and gave the example of Ryuk attacks, which are preceded by the installation of the Emotet trojan, and DoppelPaymer attacks, which are preceded by Trickbot injections.

She cautioned that, with more workers at home due to the COVID-19 crisis, they see “an uptick in attacks exploiting vulnerabilities in remote work applications such as the Citrix exploit.”

Cointelegraph reported on May 17 that the ProLock gang is relying on the Qakbot banking trojan to launch the attack and asks the targets for six-figure United States dollar ransoms paid out in Bitcoin (BTC) to decrypt the files.