Carbanak Banking Malware Resurfaces with New Ransomware Tactics

26.12.2023

 

The banking malware Carbanak has recently been observed with updated tactics and is now being used in ransomware attacks, according to an analysis by cybersecurity firm NCC Group. In November 2023, Carbanak resurfaced through new distribution channels, using compromised websites to distribute malicious installer files disguised as legitimate business-related software, including tools like HubSpot, Veeam, and Xero.

First identified in 2014 as banking malware, Carbanak has been adopted by the FIN7 cybercrime syndicate for its data exfiltration and remote control capabilities. NCC Group’s report also reveals a surge in ransomware attacks, with 442 incidents reported last month, compared to 341 in October 2023. Year-to-date, a total of 4,276 cases have been reported, approaching the combined total of 2021 and 2022 (5,198 incidents).

The industrial sector (33%), consumer cyclicals (18%), and healthcare (11%) were the primary targets, with North America (50%), Europe (30%), and Asia (10%) experiencing the highest attack rates. Among the prevalent ransomware families, LockBit, BlackCat, and Play accounted for 47% of the attacks. Notably, the dismantling of BlackCat by authorities raises questions about its impact on the threat landscape.

Matt Hull, Global Head of Threat Intelligence at NCC Group, expressed concern about the significant increase in ransomware attacks, surpassing the totals of the previous two years. Additionally, Corvus, a cyber insurance firm, confirmed the November spike, identifying 484 new ransomware victims on leak sites. The firm noted a shift in the ransomware ecosystem away from QBot, emphasizing the success ransomware groups have had in incorporating software exploits and alternative malware families into their strategies. The evolving landscape leaves open how ransomware levels will develop in the coming year.
