Cyberthreat update from Acronis CPOCs: Week of July 26, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as alarming phishing tactics and new cyberthreats being served up through web advertisements. Here’s a look at some of the most recent breaking news and analyses:

Olympics-themed attack deleting critical documents

Keeping with the common tactic of incorporating current events into phishing lures, a new cybercrime campaign uses the promise of breaking Olympics news to trick victims into running a piece of file-deleting malware.

The wiper, which is delivered through malicious emails, targets Microsoft Office files; files created with the Ichitaro Japanese word processor; and TXT, CSV, and LOG files, which often contain passwords, databases, and logs.

Though designed to look like a PDF, this cyberthreat is actually an EXE file — typically titled “[Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe.” When opened, the file also reaches out to adult video site XVideos, in what is presumed to be an attempt to convince investigators that this website was the infection vector.

Acronis Cyber Protect detects this wiper and other forms of malware with its multi-layered behavioral detection engines, stopping cyberthreats before your data is lost. The included local and cloud backup solutions also allow for fast recovery of deleted data on unprotected systems.

Infected Office docs on the rise

New research indicates that, despite the disruption of the Emotet botnet earlier this year, the use of Office documents as malware delivery mechanisms is growing.

At the beginning of 2020, around 20% of all malware was being delivered via malicious Office documents. That figure has now risen to 43%, according to Netskope’s recently released Cloud and Threat Report — July 2021.

While Emotet was a leading force in the spread of malware through delivery of infected documents, other groups have taken note of its success and continued the trend. Overall, email continues to be a leading vector for malware distribution, including the type this new research highlights.

Acronis Cyber Protect's Advanced Email Security capabilities keep users safe from phishing scams by recognizing malicious attachments on inbound messages and preventing them from ever reaching your inbox.

LockBit locks in on group policies

The latest release of LockBit ransomware includes some new capabilities — including the ability to automate encryption of a Windows domain using Active Directory group policies.

The infamous malware can now easily and automatically disable Microsoft Defender and then execute ransomware across an entire network. The LockBit group is also borrowing Egregor's "print bomb" trick to continually dispense physical ransom notes from all networked printers.
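Because the technique described above relies on a group policy object pushing Defender-disabling settings to every domain member, a defender can check for the policy values that such a GPO would set and for recently modified GPOs. The script below is an added example and is not Acronis code or part of the original update; it assumes it is run as an administrator on a domain-joined Windows host, with the GroupPolicy RSAT module installed for the GPO listing.

```powershell
# Added example (not from the Acronis post): audit the policy-driven Defender
# settings that a malicious GPO would push, then list GPOs changed recently.
# Assumes: run elevated on a domain-joined host; GroupPolicy module optional.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Policy values that, when set to 1, turn Defender components off machine-wide.
$checks = @(
    @{ Path = $policyRoot;                        Name = 'DisableAntiSpyware' },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' }
)

$findings = foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($c.Name) }
    }
    if ($value -eq 1)          { $status = 'DISABLED BY POLICY' }
    elseif ($null -eq $value)  { $status = 'not set' }
    else                       { $status = 'ok' }
    [pscustomobject]@{ Setting = $c.Name; Value = $value; Status = $status }
}
$findings | Format-Table -AutoSize

# Cross-check against the live state the Defender service reports.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled

# GPOs modified in the last 24 hours: an unfamiliar object here warrants review.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-1) } |
        Sort-Object ModificationTime -Descending |
        Select-Object DisplayName, ModificationTime, Owner
}
```

A policy value of 1 that the live status contradicts, or a new GPO nobody recognizes, is the signal to investigate before the policy reaches the rest of the domain.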

LockBit affiliates demand an average of $85,000 from ransomed victims, and the group made headlines in April when they hit Merseyrail, the urban rail network serving Liverpool and the surrounding region. LockBit’s operators share 70-80% of ransom payments with their recruited affiliates.

While ransomware gangs often add new tools to their arsenal, these always rely on malicious behaviors that can be detected and stopped. Acronis Cyber Protect's Active Protection uses behavioral detection powered by machine intelligence to prevent LockBit and other cyberthreats from impacting your systems.

MosaicLoader downloader distributed via web advertisements

Users searching for pirated software are being served paid advertisements that lead to the MosaicLoader malware, a downloader that can be used to deliver further payloads to infected systems.

MosaicLoader is a new cyberthreat, but one that’s already known to install nefarious Trojans, including cryptojackers and infostealers. The cybercriminals responsible for these ads are making a considerable effort to mimic legitimate software. Infections have been detected across the globe, and Acronis Cyber Protect has already protected more than 50 customers in the first few days.

Acronis Cyber Protect uses URL Filtering to prevent systems from accessing malicious websites in the first place. Any malware-laden payloads served up by MosaicLoader or similar cyberthreats are identified and blocked, thanks to the included behavioral detection engine powered by machine intelligence.

Ransomware recycling: Taking out the trash isn’t the end

There’s been a lot of pressure on malware operators over the past year. Emotet and DarkSide were taken down by joint task forces, Avaddon seemingly crumbled under pressure when they released 2,934 decryption keys, and both DoppelPaymer and REvil mysteriously went dark.

In the past couple of weeks, three "new" ransomware gangs have taken the spotlight — but they share some striking similarities to the gangs of the past. Haron, BlackMatter, and Grief have stepped onto the scene, with Grief already demonstrating attacks against Germany’s Anhalt Bitterfeld district as well as St. Clair County in the U.S. state of Illinois.

Recent reports by cybersecurity experts indicate that each of these new groups may have ties to one that has recently shut down. It is suspected that DoppelPaymer may have rebranded as Grief, while Haron shares some similarities with Avaddon and BlackMatter bears a striking resemblance to DarkSide — with a touch of REvil.

Whether old, new, or just rebranded, ransomware is no match for the Active Protection delivered by Acronis Cyber Protect. Threat-agnostic behavioral detection identifies and blocks the malicious processes that cyberthreats rely on, keeping your systems and data safe from harm.


For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.