A recently developed malware loader has quickly become a key component in the delivery of ransomware attacks.
“Bumblebee’s ties to a number of high-profile ransomware operations suggest it is now at the epicenter of the cybercrime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team.
A recent attack involving Quantum ransomware sheds some light on how cybercriminals use Bumblebee to deploy ransomware. The attack starts with a phishing email carrying an ISO file that conceals the Bumblebee loader; the loader runs on the victim’s computer when the attachment is opened.
Bumblebee gives the attackers a backdoor into the PC, letting them take control of the machine and execute commands. From there they deploy Cobalt Strike on the system for further control and to gather more information from the machine that helps them carry out the attack.
Bumblebee then drops the Quantum ransomware payload, which encrypts the files on the victim’s computer. Similar techniques have been used in campaigns by the Conti and MountLocker ransomware groups, and researchers believe Bumblebee has taken the place of previously used backdoors.
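One way to turn the chain described above into a detection, as an added example that is not code from the article or from Symantec’s research: correlate an ISO image mounted from a user-profile folder where mail attachments typically land with a process that starts from the drive letter the mount was given. The telemetry format, the folder heuristic, the ten-minute window and the sample events are all assumptions made for this example.

```python
"""Detection sketch for the ISO-attachment delivery chain described above.
This is an added example, not code from the article or from Symantec, and the
log format, folder heuristics and sample events are constructed for it."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: a process launched within this long after an ISO mount is
# treated as having been started from that ISO.
WINDOW = timedelta(minutes=10)

# Assumption: ISO images that arrived by e-mail are opened from one of these
# user-profile locations; IT-staged images on a file share are not.
MAIL_DROP_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")


@dataclass
class Event:
    ts: datetime
    kind: str        # "iso_mount" or "process_start"
    user: str
    path: str        # image file for iso_mount, executable for process_start
    drive: str = ""  # drive letter assigned to the mounted image (iso_mount only)


def parse_line(line: str) -> Event:
    """Parse one constructed pipe-delimited telemetry line:
    timestamp|kind|user|path[|drive]"""
    parts = line.strip().split("|")
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    drive = parts[4] if len(parts) > 4 else ""
    return Event(ts, parts[1], parts[2], parts[3], drive)


def looks_mail_delivered(iso_path: str) -> bool:
    """Heuristic: an .iso sitting in a download/temp/attachment-cache folder."""
    p = iso_path.lower()
    return p.endswith(".iso") and any(h in p for h in MAIL_DROP_HINTS)


def find_iso_executions(events: List[Event]) -> List[dict]:
    """Alert on a process whose image sits on a drive letter that the same user
    mounted from a mail-delivered ISO within WINDOW."""
    alerts: List[dict] = []
    # latest suspicious mount per (user, drive letter)
    mounts: Dict[Tuple[str, str], Event] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "iso_mount":
            key = (ev.user, ev.drive.upper())
            if looks_mail_delivered(ev.path):
                mounts[key] = ev
            else:
                # drive letter reused for a benign image: forget older state
                mounts.pop(key, None)
        elif ev.kind == "process_start":
            mount = mounts.get((ev.user, ev.path[:2].upper()))
            if mount is not None and ev.ts - mount.ts <= WINDOW:
                alerts.append({
                    "user": ev.user,
                    "exe": ev.path,
                    "iso": mount.path,
                    "seconds_after_mount": int((ev.ts - mount.ts).total_seconds()),
                })
    return alerts


# Constructed sample telemetry: one mail-delivered ISO that is mounted and
# executed, one IT-staged ISO, and two process starts that should not match.
SAMPLE_LINES = [
    r"2022-06-08T09:01:00|iso_mount|alice|C:\Users\alice\Downloads\invoice.iso|E:",
    r"2022-06-08T09:01:07|process_start|alice|E:\invoice.exe",
    r"2022-06-08T09:02:00|process_start|alice|C:\Windows\System32\notepad.exe",
    r"2022-06-08T09:30:00|iso_mount|bob|\\fileserver\images\Win11.iso|F:",
    r"2022-06-08T09:30:20|process_start|bob|F:\setup.exe",
    r"2022-06-08T10:15:00|process_start|alice|E:\other.exe",
]


def run_sample() -> List[dict]:
    """Run the detection over the constructed sample; expect exactly one alert."""
    return find_iso_executions([parse_line(line) for line in SAMPLE_LINES])


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT user={a['user']} exe={a['exe']} from {a['iso']} "
              f"{a['seconds_after_mount']}s after mount")
```

Running the file prints a single alert for alice’s invoice.iso; bob’s setup from a file-server image and the process that starts long after the mount are ignored. The folder heuristic is deliberately narrow to keep IT-staged images quiet, so it will miss an ISO the user moved elsewhere before opening it; in practice this sits alongside a mail-gateway rule that blocks or quarantines ISO attachments outright.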
“Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader because there is some overlap between recent activity with Bumblebee and older attacks related to these loaders,” Kamble said.
Phishing is a common theme in ransomware campaigns. In the case described by the researchers, the malware was delivered via a phishing email, but ransomware gangs also use phishing attacks to steal usernames and passwords, especially for cloud-based applications and services.
This not only gives them hands-on access inside the network, but using a legitimate (if compromised) account means the malicious activity may not be detected as easily, often until it is too late and the ransomware has already been triggered.
While ransomware remains a major cybersecurity problem, there are measures that can help prevent attacks. These include using multi-factor authentication across accounts, so that a stolen password alone does not give attackers access to the network, and applying security patches promptly so that cybercriminals cannot exploit known vulnerabilities.
It is also important for businesses to monitor their networks for unusual activity, as this can give an early indication that something is wrong and allow information security teams to act before a full-scale ransomware attack takes place.
“Any organization that discovers a Bumblebee infection on its network should address this incident as a high priority as it could lead to several dangerous ransomware threats,” Kamble said.