Carbanak Banking Malware Resurfaces with New Ransomware Tactics
The banking malware Carbanak has recently exhibited updated tactics by incorporating itself into ransomware attacks, according to an analysis by cybersecurity firm NCC Group. In November 2023, Carbanak resurfaced through new distribution channels, utilizing compromised websites to disseminate malicious installer files disguised as legitimate business-related software, including tools like HubSpot, Veeam, and Xero.

Originally identified in 2014 as banking malware, Carbanak has since been adopted by the FIN7 cybercrime syndicate for its data exfiltration and remote-control capabilities. NCC Group’s report also documents a surge in ransomware attacks, with 442 incidents reported last month, compared to 341 in October 2023. Year-to-date, a total of 4,276 cases have been reported, approaching the combined total of 2021 and 2022 (5,198 incidents).

The industrial sector (33%), consumer cyclicals (18%), and healthcare (11%) were the primary targets, with North America (50%), Europe (30%), and Asia (10%) experiencing the highest attack rates. Among the prevalent ransomware families, LockBit, BlackCat, and Play accounted for 47% of the attacks. Notably, the dismantling of BlackCat by authorities raises questions about its impact on the threat landscape.

Matt Hull, Global Head of Threat Intelligence at NCC Group, expressed concern about the significant increase in ransomware attacks, which now surpass the totals of the previous two years. Corvus, a cyber insurance firm, confirmed the November spike, identifying 484 new ransomware victims on leak sites. The firm noted a shift in the ransomware ecosystem away from QBot, attributing it to ransomware groups’ success in incorporating software exploits and alternative malware families into their operations. The evolving landscape leaves open the question of how ransomware levels will develop in the coming year.

Other news

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

Mandiant’s Twitter Account Restored After Six-Hour Crypto Scam Hack – 05.01.2024

American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam.