This year on 24×7 IT Connection, I’ve had a heavy focus on ransomware analysis of all the latest activity. Recently, we also took a closer look at how Bots Are Deploying LockBit Ransomware, and this is not an isolated incident. Recently, Cisco Talos has found Truebot malware deploying Clop ransomware. There are a number of things which make this particular malware and ransomware combination very interesting.

All About Truebot or Silence.Downloader

This particular malware is practically ancient; it has been around since 2017. For some time, malicious emails were the preferred method of delivery, however there have been attacks that used other methods of propagation, such as remote code execution vulnerabilities. This malware began to spread even more thanks to Raspberry Robin malware, which Microsoft has great coverage of. The interesting thing is that for some time, Raspberry Robin didn’t really seem to do much of anything, and it is now also being used as a ransomware deployment mechanism.

But right now, we’re focusing on Truebot, which has been deployed by Raspberry Robin. With the recent round of infections, Windows systems on the internet with other exposed services have been the ones mostly infected – another case for making sure you’re following security basics in your environment. Truebot collects information about these systems, which it then sends back to the threat actors. At this point, Truebot does something else – the alternative name, Silence.Downloader, really sums it up nicely: its purpose is to get in there and download something else.

The something else as of late has been Clop ransomware.

Clop Ransomware Deployed by Truebot

Clop is a pretty standard piece of ransomware. It focuses on double extortion, exfiltration and encryption, just like most other popular and current ransomware variants do. Once Clop is deployed, the ransomware actors figure out what they need to do next, and head for the interesting targets so they can exfiltrate sensitive data. Once they’ve gotten what they need, they go ahead and start encrypting things. To do this, they begin encryption on many systems at the same time; by the time you realize encryption has started, you’re already looking at a massive recovery event.

Ransomware and Malware Combined Heighten the Threat

We all know about the current threat of ransomware. The threat is high, and it is more of a when you are attacked, not if. Combining ransomware and malware just provides another way into your systems. For quite some time, we’ve been focused on phishing attacks and the users as the weak link. Then we started talking more about vulnerable systems. Now, let’s combine both of those issues together, and focus on other forms of malware getting in and deploying ransomware.

The threats are there and they aren’t going anywhere. If anything, threat actors are finding new and creative ways to get into your systems, to ultimately get you to pay the ransom. It is important to do what we can to mitigate the risk of them getting in, and plan for the worst-case scenario of them deploying ransomware in our environment. This means that we need to be ready to respond to an incident, and eventually recover any encrypted systems.

Ransomware isn’t going anywhere any time soon, and response and recovery should be a part of every organization’s cybersecurity strategy – if it is not already. Looking to learn more about some of the current ransomware threats? Take a look at some of our “favorite” ransomware strains of 2022:

Is there a ransomware strain you find interesting that we haven’t talked about? We’re always happy to take a look and give you our take. Be sure to follow @24x7IT Connection on Twitter and let us know what you would like to see!
