In 2021, Kroll investigators have had multiple opportunities to respond to a series of interconnected network intrusions, ransomware events and cyber incidents which, upon investigation and review, possessed overlapping tactics, techniques and procedures (TTPs) and similar indicators of compromise (IOC) among them. The incidents affected organizations of various sizes across diverse industry sectors through what Kroll’s investigations confirmed was a range of separate intrusion vectors.

For most internet users, there’s not much of a perceivable difference between the domain name they want to visit and the server that the domain queries. That’s because the Domain Name System (DNS) protocol does a good job of seamlessly routing users to different IP addresses that are all associated with a single domain name.

Clop Ransomware has been active since 2019 and has been mostly associated with financially-driven criminal groups. However, lately this ransomware payload has been observed in campaigns against universities and other institutions in the education vertical.

Cybercriminals are increasingly abusing popular cloud apps to deliver malware to their victims. In 2020, more than half of all the malware downloads detected and blocked by the Netskope Security Cloud platform originated from cloud apps. Cloud apps are commonly abused to deliver Trojans, with attackers attempting to exploit the trust placed in the app used for delivery. Increasingly, cloud apps are also abused for next-stage downloads, with attackers attempting to blend in with benign traffic.

Recently, Europeans were hit by an influx of SMS texts claiming to be package delivery notifications. It turns out these messages were orchestrated by threat actors seeking to distribute malicious apps laced with the banking trojan FluBot, also known as Cabassous. Once the victims download the malware, the app can intercept SMS messages, steal contact information and display screen overlays to trick users into handing over their credentials.

REvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April 2019, following the demise of another ransomware gang GandCrab. The REvil group is also known sometimes by other names such as Sodin and Sodinokibi. REvil has gained a reputation for attempting to extort far larger payments from its corporate victims than that typically seen in other attacks.

BazarLoader is a malicious dropper used in multiple campaigns, including the massive wave of attacks targeting US Hospitals with the Ryuk ransomware during October 2020. The primary purpose of BazarLoader is to download and execute additional malware payloads, and one of the key characteristics is its delivery mechanism, which exploits legitimate cloud services like Google Docs to host the malicious payload.