Email Threat Review August 2021

Email Threat Review August 2021

Executive Summary

  • We observed an increase in HTML attachment-based phishing.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in August 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 83.19
Spam 12.92
Threat 3.02
AdvThreat 0.83
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails around 2021-07-31 can be attributed to the monthly reoccurring sextortion scam email campaign written in the German language that regularly causes spikes in rejected emails.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 33.7
HTML 25.1
PDF 14.9
Excel 8.7
Word 5.1
Other 4.3
Executable 4.0
Disk image files 3.8
Script file 0.3
Powerpoint 0.1
Email 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

We can detect an increase of HTML file attachments (.htm, .html, etc.) used in attacks. On closer analysis, the increase can be attributed to multiple campaigns using HTML files for phishing by having the phishing website attached directly to the email1 (thus circumventing URL filters). We already report on this technique in our blog.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 4.3
Entertainment industry 3.7
Research industry 3.5
Media industry 3.4
Healthcare industry 3.4
Mining industry 3.3
Transport industry 3.3
Education industry 3.0
Hospitality industry 2.9
Automotive industry 2.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 40.2
Phishing 27.8
URL 11.2
Impersonation 5.8
Advance-fee scam 4.8
Executable in archive/disk-image 4.0
Extortion 3.7
Maldoc 2.4
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

The increase in malicious documents at the end of the month can be attributed to backscatter from a Formbook malspam campaign spoofing the email address of one of our customers. Many of the bounce messages contained the malicious documents of the campaign and were detected by our filters.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 18.2
Deutsche Post / DHL 17.9
Other 16.8
Amazon 12.6
PayPal 10.0
Microsoft 2.8
Volks- und Raiffeisenbank 2.6
HSBC 2.0
LinkedIn 1.8
O2 1.4
Santander 1.1
Tesco 1.1

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
LockBit 2.0 87
Conti 46
Hive 27
Pysa 16
Everest 5
Cuba 4
RansomEXX 4
LV 3
Vice Society 3
Lorenz 2
Cl0p 1
RagnarLocker 1
Suncrypt 1
Xing Team 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

On 2021-08-12, the SynAck ransomware operation renamed itself to El_Cometa. Additionally, the decryption keys for the SynAck ransomware were released. 2 Our monitoring registered a total of 15 victims on SynAck’s leak site in June and Juli. The operation under the SynAck name was, therefore, rather short-lived.

According to reports3 the Ragnarok ransomware shut down its operation on 2021-08-27. Our monitoring saw the Ragnarok leak site last online on 2021-05-17. In total, the groups leak site published data of 22 victims. The operators behind the Ragnarok ransomware have also released a universal decryption key.

This practice of releasing decryption keys after shutting a ransomware operation down is widespread. It is likely an attempt by the threat actors behind the ransomware to cut all ties to the operation and allow victims to recover and remove reasons for victims and law enforcement to pursue the threat actors any longer. It also provides plausible deniability in case the threat actors are caught with the once-secret but now public and for everyone accessible decryption keys.

References

Email Threat Review August 2021

Email Threat Review July 2021

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in July 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 84.05
Spam 11.99
Threat 3.02
AdvThreat 0.91
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails on 2021-07-30 can be attributed to the monthly reoccurring sextortion scam email campaign written in German that caused similar spikes in previous months.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 30.0
PDF 20.8
HTML 17.1
Executable 11.7
Excel 7.0
Word 5.4
Other 4.3
Disk image files 3.3
Script file 0.1
Powerpoint 0.1
Email 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Here we see an increase in malicious Word documents being used in attacks. In the previous month, only 3.6 % of attacks used Word documents. Word documents used to be the dominant document format used in document-based attacks. However, in 2020 many threat actors switched to Excel documents using the old Excel 4.0 macro feature to execute malicious code, causing the number of malicious Word documents used in attacks to decrease. Security vendors significantly less detected Excel 4.0 macro attacks compared to VBA macro-based attacks. However, since Microsoft has added Excel 4.0 macro support to AMSI1 the increase in malicious Word documents could mean that threat actors may be considering switching back to using predominantly Word documents in their document-based attacks again instead of Excel documents.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 4.3
Manufacturing industry 3.8
Agriculture industry 3.4
Transport industry 3.4
Education industry 3.2
Entertainment industry 3.1
Mining industry 3.1
Media industry 2.9
Hospitality industry 2.9
Healthcare industry 2.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

For comparison last month’s email-based threat index bar chart:

Hornetsecurity Industry Email Threat Index

We observe a decrease in the overall email threat score.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 53.2
Phishing 24.2
URL 8.1
Executable in archive/disk-image 4.7
Advance-fee scam 3.7
Extortion 2.8
Impersonation 2.2
Maldoc 1.1
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

There are no significant anomalies.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 20.5
PayPal 13.4
Deutsche Post / DHL 12.4
Amazon 11.7
LinkedIn 4.3
Microsoft 2.5
HSBC 2.2
Santander 2.2
O2 1.7
Volks- und Raiffeisenbank 1.6

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

Methodology

Hornetsecurity observes thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only a subset of those threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
LockBit 2.0 66
Conti 36
Hive 16
Synack 11
Lorenz 8
REvil 7
Everest 5
Promethous 5
Vice Society 4
Grief 3
RansomEXX 3
Cl0p 2
LV 2
RagnarLocker 2
Xing Team 2
Nephilim 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

A new addition to our data set is the leak site of LockBit 2.0. The site has been up already in June, and the actors behind the site were looking for affiliates.

LockBit 2.0 leak site

It offered its potentials partners in crime a performance comparison of the LockBit 2.0 ransomware compared to other RaaS (ransomware-as-a-service) offerings.

LockBit 2.0 leak site

It also offered a comparison of transfer speeds for data exfiltration.

LockBit 2.0 leak site

Then on 2021-07-13, the leak site started posting data of victims.

LockBit 2.0 leak site

With 66 victims, LockBit 2.0 announced almost twice as many victims as Conti, the leak site with the second most victims this month.

 

References

Email Threat Review August 2021

Email Threat Review June 2021

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in June 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by category.

Email category %
Rejected 84.05
Spam 11.57
Threat 3.41
AdvThreat 0.94
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

Around 2021-06-13, we registered a large spike in rejected emails. Based on a significant text overlap, we can attribute this to a German-language sextortion scam campaign we observed in previous months.

Sextortion campaign June 2021

As of writing, the campaign netted the criminals US$ 4,351 in BTC. Therefore the campaign is most likely profitable and thus will most likely return next month.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 29.0
HTML 16.9
PDF 15.0
Other 13.0
Executable 11.0
Excel 6.9
Disk image files 4.4
Word 3.6
Powerpoint 0.1
Email 0.0
Script file 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Between 2021-06-07 and 2021-06-10, Hornetsecurity detected a rise in executable email attachments. We can attribute this to a malspam campaign containing a Nanocore RAT executable dropping Agent Tesla in an archive attached to the email.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Transport industry 5.6
Research industry 5.4
Entertainment industry 4.7
Education industry 4.6
Manufacturing industry 4.5
Hospitality industry 3.9
Media industry 3.8
Healthcare industry 3.7
Retail industry 3.6
Unknown 3.4

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

For comparison last month’s email-based threat index bar chart:

Hornetsecurity Industry Email Threat Index

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculated the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values overall organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack technique used in attacks.

Attack technique %
Other 50.8
Phishing 26.0
URL 9.4
Extortion 4.3
Executable in archive/disk-image 4.0
Advance-fee scam 2.4
Impersonation 2.2
Maldoc 1.0
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Between 2021-06-07 and 2021-06-10, there were elevated levels of executables in archives. This is due to the campaign, as mentioned earlier, delivering Nanocore RAT as executable in an archive file (e.g., “.7z”, “.Zip”).

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 19.8
Other 15.9
Deutsche Post / DHL 15.7
Amazon 11.6
PayPal 8.6
LinkedIn 5.9
Microsoft 2.5
O2 2.1
HSBC 2.0
Santander 1.9

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

Starting on 2021-06-07, we observed a large-scale phishing campaign impersonating LinkedIn.

LinkedIn phishing June 2021

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

While the Hancitor campaign overshadows all other campaigns w.r.t. to volume per hour, we can see that the QakBot malspam of botnet group tr we saw emerging last month has established itself as a reoccurring campaign. Such endless running campaigns are usually only observed by very low-quality malspam campaigns or by more sophisticated spammers such as the Emotet botnet. To this end, QakBot, as previously reported, uses email conversation thread hijacking.

Methodology

Hornetsecurity observes thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Sophisticated threat actors exfiltrate confidential data from their victim’s networks. Exfiltrated data is then used as a method to pressure their victims into paying a ransom. If the victim does not pay the ransom, the confidential data is being published by the threat actors on so-called leak sites that are often only reachable through the TOR network. This trend continued in June. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
Conti 66
Pysa 41
REvil 28
Promethous 22
Vice Society 14
Grief 11
Avaddon 10
Lorenz 8
Everest 7
RagnarLocker 6
Xing Team 5
Cl0p 4
Synack 4
LV 3
Hive 3
Cuba 3
RansomEXX 2
Suncrypt 1
MountLocker 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

We added data collection for the following ransomware leak sites:

The leak site of the LV ransomware:

LV ransomware leak site

The LV ransomware re-purposes code of the REvil ransomware. The operators don’t seem to have access to REvil’s source code but have adapted an existing REvil ransomware binary by modifying strings in its binary code.1

The leak site of the Hive ransomware:

Hive ransomware leak site

The Hive ransomware seems to be a new ransomware strain.

The leak site of the Vice Society ransomware:

Vice Society ransomware leak site

Experts in the field of ransomware have concluded that Vice Society ransomware is identical to the HelloKitty ransomware.2

Special events

Because there have been several noteworthy events concerning the broader email threat landscape, we summarized them in this special section.

Avaddon ransomware releases decryption keys

On 2021-06-11, Avaddon released keys for over 2,934 victims.3 The Avaddon leak site listed only 186 victims that refused to pay the ransom. This means that Avaddon had 15-times more victims than published on their leak site. Under the assumption that the other ransomware operations have a similar ratio, the number of ransomware victims could be obtained by multiplying the number of victims on leak sites by 15.

Clop ransomware arrests

On 2021-06-16, the National Police of Ukraine announced they had arrested individuals suspected to have infected companies with the Clop ransomware.4 However, because the Clop ransomware operation continued running without interruption, it is assumed that the individuals arrested were only unimportant figures in the Clop ransomware operation, such as money mules, or sub-contractors.

We previously reported how the Clop ransomware is spread via malicious emails.

Gozi arrested

On 2021-06-29, the Office of the Attorney General of the Nation of Columbia has announced the arrest of one individual5 wanted by the U.S. since 20136 in connection with the Gozi malware. The individual operated a bulletproof host that helped cybercriminals distribute the Gozi malware and commit other cybercrimes, such as distributing malware including the Zeus Trojan and the SpyEye Trojan, initiating and executing distributed denial of service (DDoS) attacks, and transmitting spam.

TrickBot developer arrested

On 2021-06-15, the U.S. Department of Justice announced the arrest of a 55-year-old Latvian woman on multiple charges (19 counts of a 47-count indictment) for participating in the development of the TrickBot malware.7

We previously reported on how TrickBot is spread via malicious emails.

 

References

Email Threat Review August 2021

Email Threat Review May 2021

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in May 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by category.

Email category %
Rejected 81.56
Spam 13.81
Threat 3.73
AdvThreat 0.87
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails between 2021-05-23 and 2021-05-26 is caused by a wave of sextortion scam emails targeting German language users.

Sextortion email

This campaign and the resulting spike in rejected emails is similar to the one observed in March1 in which the attackers made around 5,000 €. This time there were no incoming transactions to the attacker’s Bitcoin wallets used in the attack.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

Filetypes used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 33.1
Other 19.9
HTML 17.8
Excel 7.6
PDF 7.5
Executable 5.8
Disk image files 4.7
Word 2.8
Powerpoint 0.6
Script file 0.2
Email 0.1
LNK file 0.0

The following time histogram shows the email volume per file type used in attack per 7 days.

Filetypes used in attacks

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 6.9
Transport industry 5.3
Manufacturing industry 5.0
Education industry 4.1
Healthcare industry 4.0
Media industry 3.9
Automotive industry 3.9
Entertainment industry 3.8
Utilities 3.8
Hospitality industry 3.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index May 2021

For comparison last month’s email threat index bar chart:

Hornetsecurity Industry Email Threat Index April 2021

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculated the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values overall organizations within the same industry to form the industry’s final threat score.

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 19.9
Amazon 17.6
Deutsche Post / DHL 16.8
Other 15.4
LinkedIn 4.0
Microsoft 2.8
PayPal 2.7
1&1 2.5
HSBC 2.1
O2 2.0

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

We can see that the malspam waves of the selected campaigns have well-defined start and endpoints, unlike less sophisticated mass-spam email campaigns, which will send email in a constant stream.

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking.

From the data, we can see that the Hancitor malspam impersonating DocuSign is a consistent reoccurring high volume malspam campaign.

At the end of the month, the increase in URL-based QakBot “tr” (named after the configuration tag/campaign ID tr found in the distributed QakBot malware’s configuration) malspam can be seen. This campaign (as other QakBot malspam campaigns) uses email conversation threat hijacking.2

QakBot TR email

Another interesting aspect of the campaign is that it uses non-clickable plain text URLs missing the http://. Victims must thus copy the URL manually to their browser. This is likely done in hopes that URL filters do not detect the URL in this form. Obviously, the campaign uses various compromised websites to host the malicious ZIP archives, further complicating detection.

Methodology

Hornetsecurity observes hundreds and thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them into paying not only for decrypting the files encrypted by the ransomware but also for not making the data stolen before encryption public. We observed the following number of leaks on ransomware leaksites:

Leaksite Number of victim data leaks
Conti 73
Avaddon 56
Pysa 33
Darkside 25
REvil 21
Lorenz 19
Babuk 15
Xing Team 13
Nephilim 8
Cuba 6
Networm 5
Grief 5
Cl0p 4
RansomEXX 4
MountLocker 3
Everest 3
RagnarLocker 3
Astro Team 2

The following bar chart visualizes the number of victim data leaks per leaksite.

Ransomleaks May 2021

We added data collection for the following ransomware leaksites:

The leaksite of the Cuba ransomware was first seen at the end of 2019. However, the group was not very active. The leaksite currently features six leaks.

Cuba ransomware leaksite

Cuba ransomware has recently been reported to be cooperating with the Hancitor malware, the malspam campaigns of which we reported on in a previous section. We, therefore, added the Cuba ransomware leaksite to our dataset.

The leaksite of the Xing Team was announced via the Astro Team leaksite on 2021-05-06 as a new partner of the Astro Team.

Astro Team leaksite Xing Team announcement

The Xing Team leaksite features an identical layout to the Astro Team leaksite, but contains different data leaks.

Xing Team leaksite

What this partnership entails is currently unknown.

Another leaksite that emerged this month is the leaksite of the Prometheus ransomware. On its site, they claim an affiliation with the REvil ransomware. However, it needs to be seen what that affiliation is and whether the REvil ransomware even knows that this new leaksite claims an affiliation with them.

Prometheus leaksite

The Prometheus leaksite does not remove entries for companies that have paid the ransom or for data it could sell. The respective entries are simply updated to reflect whether the company paid or the data has been soled.

Prometheus leaksite

Another new entry is the Grief leaksite.

Grief leaksite

Currently, it is unknown what ransomware is associated with the Grief leaksite, whether it is an already known ransomware rebranded as Grief or whether they use their own ransomware.

References

Email Threat Review April 2021

Email Threat Review April 2021

Summary

In this second installment of our monthly email threat review, we present an overview of the email-based threats observed in April 2021 and compare it with March 2021.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by categories.

Email category %
Rejected 78.60
Spam 16.41
Threat 4.05
AdvThreat 0.89
Content 0.04

The following time histogram shows the email volume per category per hour.

Unwanted emails by category

Unlike in March, there were no obvious anomalous spikes in the unwanted email volumes in April.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain dangerous content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as sender’s identity, and the emails are not analyzed further.

Filetypes used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicous emails) %
Archive 35.6
Other 17.6
HTML 17.3
Excel 7.6
Executable 7.0
PDF 4.8
Disk image files 4.6
Word 3.5
Powerpoint 1.3
Script file 0.5
Email 0.1
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

Filetypes used in attacks

Archives (.zip, .rar, .gzip, .ace, .tar.gz, etc.) are more popular. The most prevalent use for archives in attacks is compressing the malware executable and attaching it directly to the attack email. This is done in hopes that the targeted email system is not able to scan compressed attachments. Low-quality criminal threat actors often use this technique as it does not require any technical expertise. Another use for archives is to compress malicious documents. This is also done to reduce detection.

HTML files (.htm, .html, etc.) are used either for phishing, having the phishing website attached directly to the email1 (thus circumventing URL filters), redirecting victims to websites for malware downloads2 (again to not directly include a clickable URL in the email), or social engineering.

Excel files (.xls, .xlsm, .xlsx, .xslb, etc.) with their XLM macros gained popularity last year. Unlike VBA macros malware, XLM macro malware is less detected and thus favored by many threat actors.3,4 In fact, many threat actors use the same malicious document generator called “EtterSilent” to generate their XLM macro documents.

PDFs (.pdf) use embedded links or other social engineering lures.4

Attaching executables (.exe) directly to emails is the laziest approach. It is used mainly by low-quality criminal threat actors.

Disk image files (.iso, .img, etc.) are used similarly to archives.5 Windows can automatically mount disk image files similarly to ZIP files.

Industry Email Threat Index

The following table shows the Top 10 of our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 5.0
Manufacturing industry 3.9
Media industry 3.6
Hospitality industry 3.6
Education industry 3.5
Healthcare industry 3.5
Automotive industry 3.3
Transport industry 3.2
Retail industry 3.0
Information technology industry 3.0

The following bar chart visualizes the email-based threat posed to each industry.

  • March 2021:

Hornetsecurity Industry Email Threat Index March 2021

  • April 2021:

Hornetsecurity Industry Email Threat Index April 2021

The global median of threat emails in threat and clean emails for organizations fell from 3.7% in March to 3.0% in April. This decrease can be seen for all industries. However, while the manufacturing industry dropped from 5.3% to 3.9% and the other industries similarity the research industry remains at 5% ratio of threat emails in their received threat and clean emails.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, to compare organizations, we calculated the percent share of threat emails from each organization’s threat and clean emails. We then calculate the median of these percent values over all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack technique used in attacks.

Attack technique %
Other 38.4
Phishing 23.4
URL 20.8
Extortion 9.0
Executable in archive/disk-image 3.4
Advance-fee scam 2.8
Impersonation 1.8
Maldoc 0.4
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
Amazon 23.0
DocuSign 21.5
Deutsche Post / DHL 11.9
PayPal 3.4
Microsoft 2.9
LinkedIn 2.8
1&1 2.6
HSBC 2.2
Unicredit 1.6
O2 1.5
Others Rest

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

A reoccurring Hancitor malspam campaign dominates the impersonation of the DocuSign brand.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume per hour for a list of highlighted threat email campaigns.

Highlighted threat email campaigns

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

We can see that the malspam waves of the selected campaigns have well-defined start and endpoints, unlike less sophisticated mass-spam email campaigns, which will send email in a constant stream.

As outlined earlier in the section on impersonated company brands or organizations the reoccurring Hancitor malspam campaign pretends to be documents send via DocuSign. The campaign spikes correspond to the previously spikes in DocuSign impersonation detections.

One shown campaign stands out not because of its volume but for its low detection rate by other security solutions. The Cutwail-A botnet updated their XLSM maldocs. This time it was distributing Ursnif.

Cutwail-A email

At the time of delivery, the maldocs of the campaign were detected by only 3 of 62 detections on VirusTotal.

XLSM distributing Ursnif via malspam from Cutwail-A botnet low detection

We are aware that VirusTotal detection does not represent the real dynamic detection of the listed security products. However, because the campaign was already caught by Hornetsecurity’s Spam and Malware filter using static detection signatures, it is an apples-to-apples comparison and outlines Hornetsecurity’s detection capabilities when it comes to threat email detection.

Methodology

Hornetsecurity observes hundreds and thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them into paying not only for decrypting the files encrypted by the ransomware but also for not making the data stolen before encryption public. We observed the following number of leaks on ransomware leaksites:

Leaksite Number of victim data leaks
Conti 41
Avaddon 40
REvil 33
Darkside 19
Babuk 17
Ragnarok 12
Astro Team 10
Cl0p 9
Everest 5
RansomEXX 2
Nephilim 1
RagnarLocker 1

The following bar chart visualizes the number of victim data leaks per leaksite.

Ransomleaks

This month the Darkside ransomware group announced that they offer insider trading information for sale. Short sellers could buy information on companies compromised by Darkside ransomware before publication on the Darkside leaksite.

Darkside offering insider trading information for sale

After the announcement, Darkside started tagging their posted victims with their respective stock tickers.

Darkside tagging victims with their stock ticker

Also, this month the Babuk ransomware announced the closing of their ransomware operation.

Babuk ransomware press release announcing closing

However, only a few days later, they clarified that they would only close the ransomware part of their operation. They will continue stealing data from victims and extorting them with the publication of the stolen data.

Conclusion

We hope you found the second installment of our monthly email threat review informative. Get back next month for more and updated email threat landscape insights.

References

Ransomware: Prices, Pressure and Protection

Ransomware: Prices, Pressure and Protection

Summary

Ransomware is the simplest way to monetize computer intrusions. Ransomware is thus the single greatest cyber-risk for corporations today. This blog post discusses ransomware prices, the pressure ransomware threat actors put on victims, and how companies can protect their assets.

Ransom amount

To estimate the currently demanded ransom amount, we analyzed ransomware samples available from OSINT sources. These are samples uploaded to various online services, such as online anti-virus scanning or malware analysis sandbox services, and thus shared with the security research community.

We have observed ransom demands spanning from US $100 up to US $10,000,000.

The highest ransom demand we observed was US $10,000,000. The Clop ransomware demanded it.

Clop US $ 10M ransom demand

While preparing this blog post, public reporting of a US $50,000,000 ransom demand has surpassed our observed maximum demand. It is essential to understand why such an enormous range in demanded ransom exists. Therefore, we will discuss ransom amount volatility in the next section.

Ransom amount volatility

Ransom demand is adjusted based on several factors. One factor is victimology, i.e., threat actors demand a higher ransom from large corporations than a private, individual computer user.

As a case study, we can take a look at the first campaign of the Avaddon ransomware. It was spread via malspam sent by the Phorpiex botnet. Hornetsecurity reported on this campaign.1 The Phorpiex botnet usually sends Sextortion spam and other low-quality threats. The demanded ransom by Avaddon at the time was only US $500. The ransomware deployment was fully automatic, i.e., once a victim executed the ransomware from the email attachment, it started to encrypt the victim’s computer. Higher-quality threat actors will specifically target large companies and use the initial infection for reconnaissance first. After they have mapped the company’s network and identified all assets, they start the ransomware on many of the company’s computer systems simultaneously. This way they can demand more ransom because restoring the entire company computer infrastructure from backups is much harder than to restore a single encrypted computer.

During our research we found a recent Avaddon ransomware sample with a ransom demand of US $3,000,000. This is much higher than Avaddon’s previous demand of only US $500.

Avaddon ransomware US $3M ransom demand

The demand above is addressed to a large company—and this is what is driving the difference in ransom demand. The threat actors will adjust the ransom to how much they think they can get. Thus, there are no clear figures when it comes to ransom demands. Sometimes ransomware threat actors will even analyze the financial documents found on a company’s internal network to discover how much ransom they can demand or how much the company’s cyber-insurance coverage for ransomware will pay.

Negotiation

For higher tier, human-operated ransomware, demanded amounts are often simply asking prices and are the basis for negotiation. The ransomware operators know that getting only a fraction of what they asked for is better than getting nothing. Hence, they are willing to negotiate.

Smaller automated ransomware pricing is mostly fixed, and if the ransomware operation offers ” support” at all, it is only provided to assist victims in obtaining the cryptocurrency needed to pay the ransom. The following are chat logs with the “support” of the Adhubllka (named after the .adhubllka extension it adds to encrypted files) ransomware. The ransomware executable was attached to the email within a ZIP file and distributed via the Phorpiex botnet in an unsophisticated but fully automated ransomware attack—in an identical fashion as the first Avaddon ransomware campaign we reported on.1

Adhubllka ransomware offers no negotiation

So while there is human-operated “support” even in low-tier mass delivered automated ransomware operations, this “support” is not entitled to negotiate. We traced the total earnings of their campaign, which were 0 BTC, so giving in to our fake demands for a discount would have potentially made them US $1,000. But as said, low-tier automated ransomware operations usually do not offer negotiations.

Putting pressure on ransomware victims

Some ransomware operators provide additional “services.” These are actions designed to pressure victims into paying the demanded ransom.

Leaksites

Ransomware leaksites are Tor hidden service websites on which ransomware threat actors threaten to publish data stolen from victim computer networks before encrypting them if the victim refuses to pay the ransom. We have reported on this practice.2

DDoS

Ransomware actors may also, in addition to the already existing issue with encrypted files, DDoS a victim network. One ransomware operation doing so is SunCrypt.

Suncrypt DDOS

Harassing the victim’s customers and/or business partners

Another tactic is to “notify” the victim’s customers and/or business partners of the compromise. This can happen via spam emails—for example, the threat actors behind the Clop ransomware are using this tactic in the following message:

Clop email to victim customers and/or business partners

Spamming journalists and news outlets

Ransomware actors will also “notify” journalists and news outlets of the data breach with instructions on where to download the leaked data. Here is again an example of the Clop ransomware using this tactic.

Clop email to journalists and news outlets

Notifying authorities

Some ransomware operations also threaten to inform the responsible data protection authorities about the breach if the victim does not pay the ransom. They will often cite the EU GDPR and the potential fines that authorities can incur for data leaks.

Prices for ransomware

The cost for a threat actor to acquire ransomware software varies. A threat actor can develop their own ransomware. This will only incur the development time as a cost. However, many criminals are technically unable to develop malware themselves or it is too much additional work. Alternatively, they can buy, rent, subscribe and/or partner with a ransomware developer and/or operator. To this end, the ransomware developer can sell the entire source code of their ransomware software for a one-time payment. However, this is often not attractive given the large ransom payments generated with such ransomware software. But demanding tens or even hundreds of thousands of US $ for the ransomware software may not get the software sold, as a ransom payment is not guaranteed.

To resolve this, ransomware as a service (RaaS) operations established themselves. A threat actor with access or means to access company networks can rent, subscribe and/or partner with a ransomware operation. The threat actor gets the ready-made ransomware software for deployment on victim computer systems. In contrast, the ransomware operator provides the ransomware software and—if available and/or necessary—the backend infrastructure for the ransomware, such as an online ransomware portal to support victims in buying and using the decryption software.

Like the demanded ransom, the price for ransomware varies. The entry price can be as low as hundreds of US $, as can be seen from the following example offers from the Egalyty ransomware.

Egalyty ransomware offering

Profit-sharing affiliate schemes will split the paid ransom between the party supplying the ransomware and the party facilitating the intrusion. Also, here, the split ratio widely varies. While we have seen notices in cybercrime forums offering 90% of the ransom to the intruding party, this is not the norm.

Cheap ransomware affiliate program offering

The usual reported split ratio for well-established ransomware affiliate programs only awards 10% to 30% of the ransom to the intruding party.

Conclusion and Countermeasures

These new developments in ransomware tactics make malware infections more dangerous to businesses than ever before. While good backups, preferably using the 3-2-1 backup strategy,3 helped against classic ransomware attacks, they do not provide any protection against private and/or confidential data being intentionally leaked to the public. The broad announcement of the data leak to business partners and customers will cause further damage and loss of reputation to victims, business partners, and customers. Worse still, competitors will also get unfettered access to internal documents, such as contracts, pricing, research, and development results. The media will start contacting the affected company, causing further stress in the ransomware crisis. Additionally, suppose the network is DDoS’d. It would be tough to recover from that situation, as this will likely affect any remaining network infrastructure a company might have to relay information, such as its public website.

Next, do not upload the ransomware that infected you to the Internet. Even though online services such as VirusTotal or other online sandboxes are convenient, they grant registered users access to the sample. The URL of the ransomware note may point at a “support” website that features an online chat for negotiation. These online chats are accessible to anyone with access to the data in the ransom note, thus everyone with access to the ransomware sample. So if you, in addition to all the other problems, do not want media outlets to leak your negotiation chat logs, keep your ransomware samples private. Or follow good practice and do not negotiate but share the ransomware sample with the security research community.

Paying a ransom is not recommended anyway:
1. The data breach remains. Even if a company pays to have the leaked data deleted, it must adhere to its respective breach notification laws.
2. Paying a ransom to a threat actor located in a country on sanction lists can violate trade and/or export sanction laws and cause the victim even more trouble in the long run.
3. There is no guarantee of decryption nor that leaked data is deleted.
Once leaked data has already been downloaded from the leaksite, there is no way to contain the leak.

Hornetsecurity, with its cloud offerings, can help organizations to prepare and prevent ransomware. Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market and Hornetsecurity’s Advanced Threat Protection can detect and quarantine email-based malware attacks before they can lead to a ransomware infection. Hornetsecurity’s Email Archiving is a legally compliant, fully automated audit-proof email archiving solution for long-term, unchangeable and secure storage of important company information, data, and files. This way, important communication cannot be destroyed by ransomware.

But even if your company is affected by ransomware, offerings such as Hornetsecurity’s Email Continuity Service will keep your email communication available if ransomware has put your local mail server out of service.

References