Phishing as a Ransomware Precursor | Ransomware Delivery

Phishing is increasingly a preliminary step in multi-stage ransomware campaigns: attackers use phishing to gain initial access, then deploy loaders/RATs for reconnaissance, lateral movement and persistence, and only then deliver the ransomware. Detecting and blocking the phishing stage and its associated malware (not just the final ransomware binary) is critical to stopping high-value targeted ransom operations. #BazarBackdoor #IcedID

Keypoints

  • Phishing remains a top initial access vector, but direct delivery of ransomware via email has declined in favor of multi-step operations.
  • Threat actors prefer focused, manual campaigns against entire organizations because they yield far higher ransom payouts than broad, automated individual-target campaigns.
  • Initial phishing infections often install loaders/RATs (e.g., TrickBot, IcedID, BazarBackdoor) whose operators sell the resulting access or use it themselves for later human-driven deployment of ransomware.
  • Attackers perform reconnaissance, lateral movement, privilege escalation, and persistence after initial compromise to maximize impact and tailor ransom demands.
  • Because ransomware is often delivered after these preparatory steps, relying on ransomware signatures is insufficient; defenders must detect earlier stages like phishing and loader activity.
  • Defensive measures should include threat intelligence (YARA rules, indicators of compromise), user training, and phishing detection/response to catch campaigns before ransomware is deployed.

MITRE Techniques

  • [T1566] Phishing – Initial access vector used to deliver loaders or malware (‘Phishing is one of the most common entry vectors for ransomware operations.’).
  • [T1204] User Execution – Malicious email content or attachments trigger execution of initial payloads (‘…threat actors delivering ransomware directly via a phishing email or via an attached intermediary downloader has diminished.’).
  • [T1078] Valid Accounts – Account compromise is an infection vector and may follow credential theft from phishing (‘Account compromise is the other ransomware infection vector mentioned in recent headlines.’).
  • [T1021] Lateral Movement – Attackers move across connected systems to expand access before deploying ransomware (‘Employ lateral movement to establish persistence in multiple connected systems, and then, Deploy ransomware’).
  • [T1068] Exploitation for Privilege Escalation – Attackers escalate privileges after initial compromise to facilitate broader access (‘…escalate privileges…’).
  • [T1547] Boot or Logon Autostart Execution (Persistence) – Threat actors establish persistence on multiple systems during the campaign (‘establish persistence in multiple connected systems’).
  • [T1041] Exfiltration Over C2 Channel – Actors perform reconnaissance and exfiltrate high-value data to increase ransom leverage (‘This can allow the threat actor to charge ransom for both the encrypted data and the stolen data.’).
  • [T1562] Impair Defenses (Defense Evasion) – Actors and tooling bypass or evade security controls to remain undetected (‘Using large-scale generic campaigns with attached ransomware… is generally not an effective way to bypass enterprise security controls’ and ‘bypass security controls to deliver harder-to-detect payloads’).

Indicators of Compromise

  • [Malware families] used to infect and sell access – TrickBot, BazarBackdoor, and other families (IcedID, Ursnif, Chanitor, LokiBot).
  • [Ransomware families] cited as final payloads or examples – Ryuk, OnePercent, and Avaddon.
  • [Loaders / RATs / tools] used for post-phishing activity – Cobalt Strike, NanoCore RAT (also Remcos RAT).

Read more: https://cofense.com/blog/phishing-ransomware-precursor/