A list of the most common (and therefore most dangerous) families of malware that lead to ransomware has been released by ZDNet. In this list are some of the most prolific threats and the ransomware threats that they lead to. This list provides enterprise defenders with a priority list of threats to study and keep defenses up to date for. Some of the attack chains are listed below, and more can be found in the article:
- Emotet -> Trickbot -> Ryuk
- Bazarloader -> Ryuk
- Qakbot -> Egregor
- Zloader -> Egregor
- Buerloader -> Ryuk
- Phorpiex -> Avaddon
Cobalt Strike is included in this article not as a malware family but as another threat to watch out for prior to ransomware. Many threat actors will deploy Cobalt Strike somewhere in the chain before they deploy ransomware, due to the ease Cobalt Strike gives to the attack process. While not a malware family, if Cobalt Strike is detected by defenders and a known red team engagement is not currently authorized, it should be treated as a serious threat.
It should be noted threat actors are speeding up their processes and reducing the time between initial infection and deploying ransomware, as they are becoming more and more efficient at gaining total control over a network. Because of this, Binary Defense strongly recommends the use of some form of 24/7 SOC monitoring, such as Binary Defense’s own Security Operation Task Force. Monitoring alerts 24/7 is a good way to identify threats before they can mature into enterprise-wide problems.