A recently developed form of malware has quickly become a key component in powering ransomware attacks.
The malware, called Bumblebee, has been analysed by cybersecurity researchers at Symantec, who’ve linked it to ransomware operations including Conti, Mountlocker and Quantum.
“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team.
A recent attack involving Quantum sheds some light on how Bumblebee is being used by cyber criminals to deliver ransomware. The attack begins with a phishing email containing an ISO file, which hides the Bumblebee loader and runs it on the victim’s machine if the attachment is opened.
SEE: A winning strategy for cybersecurity (ZDNet special report)
Bumblebee provides the attackers with a backdoor onto the PC, enabling them to take control of operations and run commands. From here, the attackers run Cobalt Strike on the system for further control and the ability to gather more information from the machine that can help to conduct the attack.
After this, Bumblebee drops the Quantum ransomware payload, encrypting files on the victim’s machine. Similar techniques were used in campaigns by Conti and Mountlocker ransomware groups – and researchers believe that Bumblebee has taken the place of previously used backdoors.
“Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader, since there is some overlap between recent activity involving Bumblebee and older attacks linked to these loaders,” said Kamble.
Phishing is a common theme running throughout ransomware campaigns. In the case detailed by researchers, the malware was delivered by a phishing email, but ransomware gangs also use phishing attacks to steal usernames and passwords, particularly of cloud-based applications and services.
Not only does this allow them to get hands-on within networks, but using a legitimate (if hacked) account means that malicious activity might not be as easily detected – often until it’s too late and a ransomware attack has been triggered.
While ransomware is still a significant cybersecurity issue, there are steps that can be taken to help prevent attacks. These include using multi-factor authentication across accounts to help prevent attackers gaining access to networks, as well as swiftly applying security patches to stop cyber criminals exploiting known vulnerabilities.
It’s also important for businesses to monitor their networks for potentially unusual activity, as this can provide an indication that something is amiss – and information security teams can take action to prevent a full-on ransomware attack.
“Any organisation that discovers a Bumblebee infection on its network should treat this incident with high priority since it could be the pathway to several dangerous ransomware threats,” said Kamble.