Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to diversify its effectiveness, according to cybersecurity firm NCC Group. In an analysis of ransomware attacks that occurred in November 2023, NCC Group highlighted Carbanak’s return through new distribution chains, with compromised websites being used to distribute the malware disguised as various business-related software.

Carbanak, which has been detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Initially a banking malware, it has been utilized by the FIN7 cybercrime syndicate. The recent attack chain documented by NCC Group involves compromised websites hosting malicious installer files that masquerade as legitimate utilities, triggering the deployment of Carbanak.

The resurgence of Carbanak comes amidst a significant increase in ransomware attacks. In November alone, 442 ransomware attacks were reported, up from 341 incidents in October 2023. So far this year, a total of 4,276 cases have been reported, which is less than 1000 incidents fewer than the combined total for 2021 and 2022.

NCC Group’s data reveals that the top targeted sectors for ransomware attacks are industrials (33%), consumer cyclicals (18%), and healthcare (11%). Geographically, North America (50%), Europe (30%), and Asia (10%) account for the majority of the attacks.

Among the most commonly observed ransomware families, LockBit, BlackCat, and Play contributed to 47% of the attacks. However, with BlackCat recently dismantled by authorities, the impact on the threat landscape remains to be seen.

Matt Hull, the global head of threat intelligence at NCC Group, expressed concern about the increasing number of ransomware attacks, stating that the total number of attacks has already surpassed 4,000 for the year. He emphasized the need to monitor whether ransomware levels will continue to climb in the coming year.

Corroborating the spike in ransomware attacks in November, cyber insurance firm Corvus reported identifying 484 new ransomware victims posted to leak sites. The firm noted that ransomware groups have successfully shifted away from QBot, attributing the change to a law enforcement takedown of QBot’s infrastructure. However, Microsoft recently disclosed details of a low-volume phishing campaign distributing the malware, highlighting the challenges in fully dismantling these groups.

In addition to Carbanak’s resurgence, Kaspersky revealed the security measures of Akira ransomware, which prevent its communication site from being analyzed. The Russian cybersecurity company also highlighted ransomware operators’ exploitation of security flaws in the Windows Common Log File System (CLFS) driver for privilege escalation.

As the threat landscape continues to evolve, organizations and individuals must remain vigilant against ransomware attacks. The increasing sophistication and adaptability of malware like Carbanak underscore the need for robust cybersecurity measures and proactive defense strategies.

Disclaimer: The content of this article has been syndicated from a feed and may feature elements that are auto-generated, with minor edits to the body and headline.