A newly developed malware loader called Bumblebee has swiftly become a crucial component of ransomware attacks. Cybersecurity experts at Symantec have analyzed it and connected it to several ransomware operations, including Conti, Quantum, and Mountlocker.
“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” stated Vishal Kamble, principal threat analyst for the Threat Hunter team at Symantec.
A recent incident involving Quantum ransomware makes it clearer that cybercriminals are now using Bumblebee to distribute ransomware. The attack starts with a phishing email carrying an ISO file that, when opened, launches the Bumblebee loader on the victim's device.
Bumblebee gives the attackers backdoor access to the PC, allowing them to take control and issue commands. The attackers then use Cobalt Strike to extend their control of the system and to gather information about it, knowledge that assists them in carrying out the rest of the attack.
Following that, Bumblebee drops the Quantum ransomware payload, which encrypts the data on the victim's computer. The Conti and Mountlocker ransomware gangs employed similar tactics in their attacks, and experts think Bumblebee has replaced the backdoors they previously used.
“Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader, since there is some overlap between recent activity involving Bumblebee and older attacks linked to these loaders,” stated Kamble.
Phishing is a recurring theme in ransomware operations. In the case described by the researchers, the infection was delivered through a phishing email, but ransomware gangs also use phishing to harvest usernames and passwords, especially for cloud-based apps and services. A valid (if compromised) account not only gives them access to networks; it also makes malicious activity harder to spot, so intrusions frequently go undetected until the ransomware has been deployed.
Even though ransomware remains a serious cybersecurity problem, such attacks can be prevented by taking certain precautions. These include deploying security updates quickly so that attackers cannot exploit known vulnerabilities, and enforcing multi-factor authentication across accounts to stop attackers from gaining access to networks with stolen credentials.
Businesses should also monitor their networks for unusual behavior, as it may be a sign that something is wrong. Spotting it early gives information security professionals the chance to intervene before a full-blown ransomware attack unfolds.