Microsoft hunting over 100 threat actors who use malvertising

Microsoft’s security team said it was tracking more than 50 different ransomware variants and more than 100 threat actors using them to perform intrusions. Moreover, some groups have switched from phishing to using malicious ads as the entry vector.

"Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said in a lengthy Twitter thread.

The company added that the threat actors continue to use phishing for initial access. However, according to Microsoft Security Intelligence, the firm’s global network of security experts, attackers increasingly rely on other techniques, such as malicious advertisements.

Malvertising is blooming

“One of the most common is the use of malvertising to surface links leading to various first-stage malware that eventually deliver ransomware or other payloads,” the experts said.

Defense strategies should therefore focus less on the payloads themselves and more on the chain of activities that leads to their deployment, not least because ransomware gangs still target servers and devices left unpatched against common or recently addressed vulnerabilities.

For example, a threat actor tracked as DEV-0569, believed to be an initial access broker for ransomware gangs, has been abusing Google Ads in large advertising campaigns to distribute malware, infect devices, steal passwords, and finally gain entry into networks.

Researchers have long said Google search results have become a hotbed of malicious advertisements pushing malware. Clicking such an ad lands you on a replica of a legitimate vendor's site, and the download it offers is a tool that installs malware on your device.

Malicious ads among Google search results. Image by Cybernews.

For instance, “FakeUpdates is a malware family that poses as software updates, typically browser updates, and arrives via malicious ads or drive-by downloads, stressing the importance of getting updates directly from vendors or official app stores, in addition to strong network protection,” Microsoft said.
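The sequence described in the preceding paragraphs (a click on a search ad, a landing page imitating a real vendor, then a fake "update" or installer download) is the activity chain that Microsoft says defenders should watch for rather than the final payload. Below is an added example of flagging that chain in web-proxy logs; it is not code from Microsoft or Cybernews. The log line format, the ad-redirector host list, the brand allow-list, the edit-distance threshold and the sample log lines are all constructed assumptions for the illustration and should be replaced with values from your own environment.

```python
"""Flag an ad-click -> lookalike site -> binary download chain in proxy logs.

Added example (not Microsoft's or Cybernews' code). The log schema, host lists
and sample lines are assumptions made for this illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed proxy format: "<ISO time> <client> <method> <url> <referrer|-> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ref>\S+) (?P<ctype>\S+)$"
)

# Assumed allow-list of vendor domains whose installers are legitimately fetched.
KNOWN_BRANDS = ("notepad-plus-plus.org", "mozilla.org", "google.com", "anydesk.com")
# Assumed ad-click redirector hosts; derive a real list from your own traffic baseline.
AD_REDIRECTORS = {"www.googleadservices.com", "ad.doubleclick.net"}
# Payload indicators: executable-like content types or file extensions.
BINARY_CTYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msi"}
BINARY_EXT = re.compile(r"\.(exe|msi|js|vbs|zip|iso)$", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short host labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the brands listed above."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host: str) -> str | None:
    """Return the brand a host imitates, or None if it is the genuine domain / unrelated.

    A label is a lookalike when it is within 2 edits of a brand's name (typo-squat)
    or equals it outright while the registrable domain differs (brand used as a subdomain).
    Note: multi-level TLDs such as google.co.uk would need a real public-suffix list.
    """
    host = host.lower()
    if registrable(host) in KNOWN_BRANDS:
        return None
    labels = host.split(".")[:-1]  # ignore the TLD itself
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        if any(levenshtein(label, brand_label) <= 2 for label in labels):
            return brand
    return None


def parse(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.fromisoformat(req["ts"])
    req["host"] = urlparse(req["url"]).hostname or ""
    req["ref_host"] = (urlparse(req["ref"]).hostname or "") if req["ref"] != "-" else ""
    return req


def is_payload(req: dict) -> bool:
    path = urlparse(req["url"]).path
    return req["ctype"].lower() in BINARY_CTYPES or bool(BINARY_EXT.search(path))


def detect_chains(lines, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Per client: an ad-referred landing on a lookalike host followed by a binary download."""
    per_client: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        req = parse(line)
        if req:
            per_client[req["client"]].append(req)
    findings = []
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(reqs):
            brand = lookalike_of(landing["host"])
            if landing["ref_host"] not in AD_REDIRECTORS or brand is None:
                continue
            for follow in reqs[i + 1:]:
                if follow["ts"] - landing["ts"] > window:
                    break
                if is_payload(follow):
                    findings.append({"client": client, "lookalike": landing["host"],
                                     "imitates": brand, "ad_referrer": landing["ref_host"],
                                     "payload": follow["url"]})
                    break
    return findings


# Constructed sample: client .5 follows an ad to a typo-squat and pulls an installer;
# client .7 follows an ad to the genuine vendor site (should not be flagged).
SAMPLE_LOG = """\
2023-02-01T09:00:01 10.0.0.5 GET https://www.google.com/search?q=notepad++ - text/html
2023-02-01T09:00:04 10.0.0.5 GET https://www.googleadservices.com/pagead/aclk?sa=L - text/html
2023-02-01T09:00:05 10.0.0.5 GET https://notepadplus-plus.example/download https://www.googleadservices.com/pagead/aclk text/html
2023-02-01T09:00:09 10.0.0.5 GET https://cdn-setup-files.example/npp.8.4.Installer.exe https://notepadplus-plus.example/download application/x-msdownload
2023-02-01T09:10:00 10.0.0.7 GET https://www.googleadservices.com/pagead/aclk?sa=L - text/html
2023-02-01T09:10:02 10.0.0.7 GET https://notepad-plus-plus.org/downloads/ https://www.googleadservices.com/pagead/aclk text/html
2023-02-01T09:10:06 10.0.0.7 GET https://github.com/notepad-plus-plus/releases/npp.8.4.Installer.exe https://notepad-plus-plus.org/downloads/ application/octet-stream
"""

if __name__ == "__main__":
    for hit in detect_chains(SAMPLE_LOG.splitlines()):
        print(hit)
```

The rule deliberately keys on the order of events rather than on any hash of the downloaded file: a new installer build defeats a payload signature, while the ad-referrer to lookalike-host to binary sequence survives rebrands of the malware itself. The brand list and redirector set are the parts to tune; the lookalike check also needs a real public-suffix list before it can be trusted on multi-level TLDs.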

A good year for hunting

Nevertheless, ransomware payments dropped from $766 million in 2021 to $457 million in 2022, according to new research from blockchain research firm Chainalysis. For this reason, the company called 2022 “an impactful year in the fight against ransomware.”

Of course, the decline is mostly related to the victims’ refusal to pay the demanded ransoms. However, 2023 has also started off well – Hive, an international ransomware syndicate, has been infiltrated and taken down by the US Federal Bureau of Investigation (FBI).

The agency has also released over one thousand decryption keys to previous Hive victims as a result of the takedown, according to the statement by the US Department of Justice. Three hundred keys were released by the FBI in July 2022.

Other major criminal syndicates such as Conti, DarkSide, and REvil were hit by authorities or disbanded themselves in recent years.

However, taking over the gang’s IT infrastructure rarely impacts the people behind it. Ransomware gangs rebrand and operate under different names. For example, Conti members formed Black Basta, while DarkSide first became BlackMatter and was later renamed BlackCat/ALPHV.