Carbanak Banking Malware Resurfaces with New Ransomware Tactics



The banking malware Carbanak has recently shown updated tactics and is now being used in ransomware attacks, according to an analysis by cybersecurity firm NCC Group. In November 2023, Carbanak resurfaced through new distribution channels, using compromised websites to distribute malicious installer files disguised as legitimate business software such as HubSpot, Veeam, and Xero.

Originally identified in 2014 as banking malware, Carbanak has been adopted by the FIN7 cybercrime syndicate for its data exfiltration and remote control capabilities. NCC Group’s report reveals a surge in ransomware attacks, with 442 incidents reported last month, compared to 341 in October 2023. Year-to-date, a total of 4,276 cases have been reported, approaching the combined total of 2021 and 2022 (5,198 incidents).

The industrial sector (33%), consumer cyclicals (18%), and healthcare (11%) were the primary targets, with North America (50%), Europe (30%), and Asia (10%) experiencing the highest attack rates. Among the prevalent ransomware families, LockBit, BlackCat, and Play accounted for 47% of the attacks. Notably, the dismantling of BlackCat by authorities raises questions about how its removal will affect the threat landscape.

Matt Hull, Global Head of Threat Intelligence at NCC Group, expressed concern about the significant increase in ransomware attacks, surpassing the totals of the previous two years. Additionally, Corvus, a cyber insurance firm, confirmed the November spike, identifying 484 new ransomware victims on leak sites. The firm noted a shift in the ransomware ecosystem away from QBot and emphasized the success ransomware groups have had in incorporating software exploits and alternative malware families into their strategies. How ransomware levels will trend in the coming year remains an open question.
