The number of cyberattacks targeting companies is increasing day by day. Just this May, the United States’ largest private pipeline company was attacked by ransomware, resulting in the shutdown of the entire pipeline facility. A well-known domestic delivery platform company also suffered a ransomware attack, affecting hundreds of thousands of stores and delivery riders.
According to a press release reported by the Ministry of Science and ICT, the number of ‘Reports on Domestic Ransomware Cases for Recent Three Years’ has been growing each year. These ransomware strains hold companies’ service operations and confidential information hostage to demand cryptocurrency. As the price of cryptocurrency has recently skyrocketed, more and more attackers are targeting companies, which are in the position of having to resume service operations quickly.
The features of the malware itself also prove that attackers are increasingly targeting companies. The malware distinguishes between a personal user and a company and performs different features in each case. As a company has many users, its systems typically belong to a domain built on an AD (Active Directory) environment, so these malware programs treat a system as a corporate target when it is joined to a domain. For a system registered in a domain, they install a hacking tool to steal accounts and spread internally, or download additional malware. They steal corporate information and ultimately run ransomware.
Among the malware types analyzed and reported by AhnLab, the following are those that targeted companies. Note that a backdoor or downloader malware does not directly create and run ransomware; instead, it additionally installs a backdoor controlled by a hacking tool to take over a company system. Afterward, the attacker uses the hacking tool to run ransomware in the system. The attacks confirmed so far have all used the Cobalt Strike hacking tool.
- BazarLoader, BazarBackdoor
- Ryuk Ransomware
- Hancitor Downloader
- BlueCrab Downloader
- Snake Ransomware
- FlawedAmmyy Downloader
BazarBackdoor, downloaded by BazarLoader, collects user PC information and company environment information. The data sent to the attacker through C&C communication include the connected domain name, a list of connected domain resources (computer names), a list of domain trusts, a list of members of the Administrators group, and the result of a domain administrator account query. If the attack target is confirmed as a company, the malware proceeds to download other malware. Analysis of foreign infection cases shows that the malware uses Cobalt Strike to run Ryuk or Conti ransomware in a corporate system. You can find more detailed information in the AhnLab TIP report.
Ryuk ransomware is the malware that attacked a domestic company. It was distributed after the attacker took control of the company’s domain controller. The ransomware itself has a feature of scanning the internal network to reach SMB shared folders and spread. You can find more detailed information in the AhnLab TIP report.
Hancitor is a downloader distributed as a spam mail attachment, and it downloads additional malware. It used to download other info-stealer malware, but it now downloads the FickerStealer info-stealer. If the infected system belongs to a domain, the domain information is sent as shown below and Cobalt Strike is installed instead of FickerStealer. You can find more detailed information in the AhnLab TIP report and ASEC blog.
The BlueCrab ransomware distribution routine has a feature of checking whether the attack target is a company through a domain environment variable. If the target is not a company, BlueCrab ransomware is installed; if it is, the Cobalt Strike hacking tool is installed instead. It checks the target by confirming whether the %USERDNSDOMAIN% environment variable exists in the user system before connecting to the C&C server. You can find more detailed information in the AhnLab TIP report and ASEC blog.
While it is not currently being discovered, Snake ransomware, which appeared in June 2020, checked whether its target was a company through network queries such as IP lookups. The case is notable for targeting only a small number of specific companies. Honda was among those attacked. You can find more detailed information in the ASEC blog.
The malware that downloads the FlawedAmmyy backdoor is a typical case of malware behaving differently depending on whether the target is an individual or a company. It determines its attack target from the result of the ‘cmd.exe /c net user /domain’ command. If the target is a personal user, the default name WORKGROUP appears, but if the target is a company, a domain name appears. The subsequent features are activated only if the target is a company. You can find more detailed information in the AhnLab TIP report and ASEC blog.
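The domain checks described for BlueCrab (%USERDNSDOMAIN%) and the FlawedAmmyy downloader (‘net user /domain’) are a detection opportunity for defenders. The following Python is an added example, not code from the article or from AhnLab: it scans constructed Sysmon-style process-creation events for the ‘net user /domain’ discovery command. The net1.exe/group variants, the parent-process list, and the event field names are assumptions.

```python
import json
import re
from typing import Optional

# The article attributes 'net user /domain' to the FlawedAmmyy downloader.
# Generalisation (assumption): also catch net1.exe and 'group'/'localgroup'.
# The BlueCrab %USERDNSDOMAIN% read happens in-process and produces no
# process-creation event, so it cannot be seen from this log source.
DOMAIN_DISCOVERY = re.compile(
    r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/domain\b", re.IGNORECASE)

# Parents from which domain discovery is suspicious on a workstation
# (assumption; Office is included because Hancitor arrives as a Word document).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

def classify(event: dict) -> Optional[dict]:
    """Return an alert for a process-creation event that runs a domain-discovery
    command, else None. Expected keys: CommandLine, ParentImage, Computer."""
    cmd = event.get("CommandLine", "")
    if not DOMAIN_DISCOVERY.search(cmd):
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
    return {"host": event.get("Computer"), "parent": parent,
            "command": cmd, "severity": severity}

def scan(lines):
    """Scan newline-delimited JSON events and return the list of alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c net user /domain"}
{"Computer": "WS01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net1 user /domain"}
{"Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "net use Z: \\\\fileserver\\share"}
{"Computer": "WS03", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net user jdoe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log only the two ‘/domain’ queries alert; the Office-spawned one is rated high, the plain cmd.exe one medium.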
The attacks targeting companies shown above usually start from an e-mail attachment or a phishing website using social engineering techniques. In fact, the attacks on domestic companies began with an e-mail that was distributed en masse. A single employee running a malicious file is enough to cause a serious issue for many companies. Therefore, each employee must remain vigilant, and companies must thoroughly manage their infrastructure. In addition, they must make efforts to prevent breaches or lessen threats by managing accounts, strengthening server security, and establishing access control policies.
- BazarLoader (BazarBackdoor) Malware Analysis Report, https://atip.ahnlab.com/Contents/IssueReport/MalwareAnalysisReport
- Hancitor Word Document Installing CobaltStrike Hacking Tool in AD Environment, https://asec.ahnlab.com/en/22966/
- BlueCrab Ransomware Installing Hacking Tool CobaltStrike in Corporate Environments, https://asec.ahnlab.com/en/20130/
- Snake Ransomware Designed to Operate Only in Specific Business Environments, https://asec.ahnlab.com/en/17740/
- Hacking Tool Ammyy Targeting Corporate Users and Installs on Their PC (Ransomware CLOP), https://asec.ahnlab.com/en/16022/