The ZLoader botnet campaign is a 'wakeup call' on how ransomware can be developed


While Microsoft and a number of security providers have disrupted a global campaign that used the ZLoader botnet to distribute ransomware, the opportunistic nature of the attacks serves as a reminder that ransomware is a society-wide threat.

Microsoft's Digital Crimes Unit reported on Wednesday that it recently obtained a court order in Georgia allowing it to take down 65 domains used by the ZLoader group. Other security vendors that took part in the effort to disrupt ZLoader included ESET, Lumen's Black Lotus Labs threat intelligence unit, and a Palo Alto Networks division.

According to Microsoft researchers, the ZLoader attacks were aimed mainly at the United States, Western Europe, China, and Japan.

While ZLoader was initially used as a banking trojan, the malware is "notable for its ability to evolve," Microsoft researchers wrote in a blog post. With this latest campaign, the botnet has evolved to distribute ransomware payloads.

These attacks appear to be more opportunistic than the best-known ransomware attacks to date, which were often aimed at specific victims.

In an email, ESET's Dorais-Joncas said ZLoader affiliates used different techniques to expand their botnets, such as sending spam messages with malicious documents or using Google Ads to direct visitors to malicious websites serving the malware.

According to ESET, emails about COVID-19 (with malicious Microsoft Word attachments) and fake invoice emails containing malicious XLS macros were also used in the ZLoader campaign.

"The affiliates may then decide to deploy additional malware to the infected systems under their control, such as ransomware," Dorais-Joncas said.

A recurring threat

The fact that ZLoader has evolved to be used with deploying ransomware represents a "wakeup call" on how ransomware will continue to expand, according to Joseph Carson, a senior security scientist and consultant at Delinea, a privileged access management company.

"This means that rather than ransomware victims being targeted, ransomware becomes more opportunistic, putting more individuals and small businesses at greater risk of becoming ransomware victims," Carson said in an email.

Simply by visiting the wrong domain or clicking on the wrong link, ZLoader's use could "potentially result in more individuals and small businesses becoming victims of ransomware."

The evolution of the malware is a reminder that "everyone is now a target of ransomware criminals," according to Carson. "We must prioritize ransomware no longer as the biggest threat to organizations, but one of the biggest threats to society."

A lucrative business

Davis McCarthy, principal security researcher at Valtix, pointed to Emotet, which evolved from a banking trojan into a powerful polymorphic botnet that evaded takedown for years.

The reason is that "ransomware is lucrative," according to McCarthy. "As access brokering grows, the need for reliable and innovative delivery methods will expand."

According to Microsoft researchers, ZLoader has been linked to ransomware operations including Ryuk, which is notorious for attacking health care organizations.

An especially important feature of the ZLoader campaign is the presence of customizable options, according to Ben Pick, principal consultant at nVisium. "This makes detection difficult, as a signature-based approach would be ineffective."

Casting a wider net

"Maintained trojans typically increase their capacity to cast a larger net of potential victims or avoid detection," Pick said. "This means that the threat remains, and that the trojan will continue to evolve so long as it is profitable to malicious actors."

John Bambenek, principal threat hunter at Netenrich, noted that early in the history of ransomware, many ransomware authors tried to distribute their own malware. They quickly discovered, however, that it was best to focus on building solid ransomware and to rely on those who were more proficient at managing large numbers of systems, Bambenek said.

"The outcome is a stable, effective and sustainable system in resolving claims of victims in a manner that maximizes profit for both parties," he said.

Modern ransomware, according to Bambenek, is a complicated business that requires different kinds of expertise. At this point, the criminals have figured out how to streamline their time and effort in order to get paid.
