Threat Response – Increase in ransomware-related spam activity

01-10-2021

Northwave has observed an ongoing increase in activity within a large number of botnets, which we consider a red flag indicating a potential increase in ransomware incidents. This increase coincides with a significant email campaign that uses malicious attachments; in combination the two pose a serious enough threat for us to reach out to you today. Examples of the increased volume of ransomware-related malware can be seen in the recent Qakbot [1] and Dridex [2] samples.
Impact 

If a malicious attachment is opened, the affected workstation can become part of a botnet, which puts it under the control of malicious third parties. This gives them access to your data and provides a foothold that can be used to stage a ransomware attack.

Description for end users 

As this issue can directly affect your end users, we have prepared a notification for you that can be shared within your organization:

At this moment our security partner Northwave is detecting an increase in botnet activity, which they consider a red flag indicating a potential increase in ransomware incidents. Attacks like this have the potential to cripple our organization, meaning we need to be extra vigilant for intrusion attempts.

Such attempts have been detected by Northwave in the form of emails containing malicious attachments, which can appear to be sent by contacts you are familiar with in order to disguise their intent and increase the odds that you will open them. These emails can make their way into your mailbox in a number of ways, including as replies to earlier emails or as copies of emails sent previously, with the only difference being the newly added attachment.

Below is an example of such an email, though the exact language and wording can differ: 

Have you received an email that you did not expect or do not trust? Does it include an attachment, and/or does the message press you to open that attachment urgently? Do not open the attachment. Instead, check with your contact by phone whether they really sent this email and its attachment. If they did not, they will know that their system or email account has been compromised and that action is required on their side. Inform your IT/Security department of the received email as soon as possible. If you have already opened a malicious attachment, disconnect your computer from the network by turning off Wi-Fi and/or removing the network cable, leave the computer powered on so that evidence is preserved, and contact your IT/Security department immediately.

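For the IT/Security team that receives such reports, the following added example (not Northwave tooling; the sample messages, contact list, attachment extensions and urgency phrases are constructed assumptions) shows how to triage a reported raw email for the indicators named in the notification: a reply to an existing thread that now carries an attachment, a familiar display name on an unexpected sender address, and urgency language in the body.

```python
"""Triage a reported e-mail for the reply-chain lure described in the advisory.

Added example; this is not Northwave tooling. The sample messages, the known
contact list, the risky attachment extensions and the urgency phrases are
constructed assumptions for illustration.
"""
from __future__ import annotations

import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed: attachment types worth a second look in botnet spam campaigns.
RISKY_EXTENSIONS = {".zip", ".doc", ".docm", ".xls", ".xlsm", ".js", ".iso", ".html"}
# Assumed: phrases that signal the sense of urgency the notification warns about.
URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "today")

# Constructed address book: display name -> the address we know that person by.
KNOWN_CONTACTS = {"Jan de Vries": "jan.devries@partner.example"}

# Constructed reply-chain lure: familiar display name, unexpected sender
# domain, quoted earlier thread, and a newly added archive attachment.
SAMPLE_LURE = b"""\
From: "Jan de Vries" <jan.devries@totally-unrelated.example>
To: finance@victim.example
Subject: RE: Q3 invoice
In-Reply-To: <original-thread@victim.example>
References: <original-thread@victim.example>
Message-ID: <lure-1@totally-unrelated.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached document, it needs your attention today.

> Thanks, the Q3 invoice is approved.
--b1
Content-Type: application/zip; name="Invoice_Q3.zip"
Content-Disposition: attachment; filename="Invoice_Q3.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign reply from the real contact, no attachment.
SAMPLE_CLEAN = b"""\
From: "Jan de Vries" <jan.devries@partner.example>
To: finance@victim.example
Subject: RE: Q3 invoice
In-Reply-To: <original-thread@victim.example>
Message-ID: <reply-2@partner.example>
Content-Type: text/plain; charset="utf-8"

Thanks, approved.
"""


def _is_reply(msg: EmailMessage) -> bool:
    """A message is part of an existing thread if it has threading headers or a Re:/Fw: subject."""
    subject = str(msg["Subject"] or "").lower()
    return bool(msg["In-Reply-To"] or msg["References"]) or subject.startswith(("re:", "fw:", "fwd:"))


def triage(raw: bytes, known_contacts: dict[str, str]) -> dict:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    flags = []
    # The lure pattern: a reply to an earlier thread that suddenly carries an attachment.
    if _is_reply(msg) and attachments:
        flags.append("reply_with_new_attachment")
    if any(os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS for name in attachments):
        flags.append("risky_attachment_type")
    # Familiar name, but the address is not the one we know that contact by.
    expected = known_contacts.get(sender.display_name)
    if expected and expected.lower() != sender.addr_spec.lower():
        flags.append("known_name_unexpected_address")
    if any(phrase in body for phrase in URGENCY_PHRASES):
        flags.append("urgency_language")

    return {
        "from_name": sender.display_name,
        "from_addr": sender.addr_spec,
        "is_reply": _is_reply(msg),
        "attachments": attachments,
        "flags": flags,
        # Matches the notification: confirm with the contact by phone before opening.
        "verdict": "verify_with_sender_by_phone" if flags else "no_indicators",
    }


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw, KNOWN_CONTACTS))
```

Run it on an exported .eml by reading the file as bytes and passing it to `triage()`; the flags are indicators for a human check, not a verdict, and the attachment itself should only ever be opened in a sandbox.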
What will Northwave do? 

Northwave will monitor developments surrounding this increase in suspicious activity. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email. 

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1] https://bazaar.abuse.ch/browse/tag/Qakbot/ 

[2] https://bazaar.abuse.ch/browse/signature/Dridex/ 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.