On December 26th, 2023, the cybersecurity firm NCC Group reported that the banking malware known as Carbanak is being used in ransomware attacks with updated tactics. The malware has adapted to incorporate attack vectors and techniques to diversify its effectiveness. It has been distributed through compromised websites, impersonating various business-related software, including popular tools such as HubSpot, Veeam, and Xero.
Carbanak, which has been detected in the wild since at least 2014, is known for its data exfiltration and remote control features and has been put to use by the FIN7 cybercrime syndicate. The compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak.
The latest attack chain documented by NCC Group comes as ransomware attacks have increased, with a total of 442 attacks reported last month, up from 341 incidents in October 2023. Industrials, consumer cyclicals, and healthcare emerged as the top targeted sectors, with North America, Europe, and Asia accounting for most of the attacks.
LockBit, BlackCat, and Play contributed to 47% of the attacks. With BlackCat dismantled by authorities, it remains to be seen what impact this move will have on the threat landscape in the near future. The spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which identified 484 new ransomware victims posted to leak sites.
While the shift is the result of a law enforcement takedown of QBot’s infrastructure, Microsoft, as well as Kaspersky, have disclosed details of low-volume phishing campaigns and security measures implemented by ransomware operators, respectively.