Key Takeaways
- The process begins with a phishing email which kicks off a multi-stage attack chain in which the attacker delivers either malware or ransomware, then deletes evidence of malicious files.
- The email attachment has a BAT file that helps download and execute the ransomware when opened.
Since Dember 2022, 2 malicious computer programs MortalKombat ransomware and Laplas Clipper malware, have been targeting crypto investors to drain funds, as per a report from threat intelligence firm Cisco Talos.
Detailing the attack method, the team at Talos states that the hacking process begins with a phishing email which kicks off a multi-stage attack chain in which the attacker delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.
The phishing email usually impersonates CoinPayments, a legitimate global cryptocurrency payment gateway. The email attachment runs a BAT file that helps download and execute the ransomware when opened.
The email will have a malicious ZIP file attached with a filename resembling a transaction ID mentioned in the email body. This evokes curiosity in the recipient, forcing them to unzip the malicious attachment and view the contents, which is a malicious BAT loader.
As per the blog post, the hacker relies on the user’s inattentiveness to the sender’s wallet address, which would later send the crypto to the unidentified attacker. The phishing campaign reportedly targets people residing in the United States, with a smaller percentage of victims in Turkey, the United Kingdom, and the Philippines.
The latest report also comes amid increasing efforts by law enforcement groups to tackle the growing problem of crypto-ransomware attacks. Last month, the United States Federal Bureau of Investigation announced that international law enforcement groups had dismantled the infamous Hive cryptocurrency ransomware gang.
Hive was responsible for a series of notorious ransomware incidents, including the April-to-May 2022 Costa Rica public health service and social security fund cyberattack.
Despite ransomware attacks surging, blockchain analytics firm Chainalysis’s latest report revealed that ransomware revenues for attackers fell 40% to $456.8 million in 2022. The report highlighted that companies had been forced to tighten cybersecurity measures, while ransom victims have been increasingly unwilling to pay attackers their demands.
In 2022, revenue from ransomware was $602 million at the time of the 2022 report, which was later spiked to $766 million when additional cryptocurrency wallet addresses were identified.
