author photo
By Clare O’Gara
Wed | Jul 1, 2020 | 8:01 AM PDT

Phishing emails are increasingly being used to launch ransomware attacks against organizations.

This includes a newly discovered family, or strain, of ransomware called Avaddon.

Proofpoint research: rise in email-based ransomware

Throughout June, security researchers noticed an increase in email-based ransomware attacks. Proofpoint's Security Brief on the uptick notes how broad this shift has been:

"Daily volumes ranged from one to as many as 350,000 messages in each campaign, and over one million messages between June 4–10, 2020 featured Avaddon. We've seen a variety of themes in these ransomware messages, including some that exploit COVID-19, and numerous industries were targeted. These verticals include education and manufacturing followed by transportation, entertainment, technology, healthcare, and telecommunications."

A large number of ransomware families comprise this rise, but Proofpoint has a list of six major players:

  1. Avaddon (a new family)
  2. Buran (named for the Russian Space Shuttle)
  3. Darkgate
  4. Philadelphia (something previously seen by Proofpoint in 2017)
  5. Mr. Robot
  6. Ranion

The brief also includes specific details about three strains: Avaddon, Mr. Robot, and Philadelphia.

Avaddon: "A newer ransomware that has targeted U.S. organizations, notable because it has its own branding and is often part of large-scale campaigns. Avaddon is an example of 'ransomware-as-a-service' (RaaS), where threat actors pay others for the use of the ransomware rather than building the ransomware and infrastructure themselves."

Mr. Robot: "This ransomware attack used a COVID-19 lure to persuade targeted users to click. Recipients of these campaigns are sent messages claiming to be from 'Departament (sic) of health', 'Departament (sic) of health & human services', 'Health Service', and 'Health Care.' If clicked, Mr. Robot ransomware installs, and a $100 payment demand appears."

Philadelphia: "After a nearly three-year hiatus, Philadelphia ransomware has returned with a campaign primarily targeting manufacturing and food and beverage companies in Germany with German-language lures. These messages claim to come from 'Federal Germany Government' and use the flag and insignia of the Federal Republic of Germany. The recipient is encouraged to click the link which installs Philadelphia as a first-stage payload and shows a ransom message demanding payment of 200 Euros."

According to Proofpoint, this trend echoes a similar increase in ransomware strains that it noted in 2018.

"The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures. The full significance of this shift isn't yet clear, what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected."

Related podcast on ransomware and more

We discussed ransomware with cybersecurity thought leader Joseph Steinberg, the author of the new "Cybersecurity for Dummies" book. In our recent podcast episode, Steinberg said:

"I believe ransomware is going to continue to get worse with time. There may be blips along the way where you see, you know, a law as you say, where people think they have it, but this problem is not going away. And the reasons it's getting worse are actually pretty simple. Reason number one is it makes a lot of money for criminals, and they're gonna go and run the kinds of attacks that make money."