Ransomware operators use Cobalt Strike in 66% of cases

Written by Emma Davis

Hackers, and not only government APT groups, have long favored Cobalt Strike, a legitimate commercial framework built for pentesters and red teams and focused on exploitation and post-exploitation. Ransomware operators, for example, use Cobalt Strike in about 66% of cases.

Although it is not available to ordinary users and the full version costs about $3,500 per install, attackers still find ways to use it (for example, by relying on old, pirated, cracked and unregistered versions).

Cisco Talos experts say that in the second quarter of this year, the framework was used in 66% of ransomware attacks.

“Cobalt Strike is a modularized attack framework: Each module fulfills a specific function and stands alone. It’s hard to detect because its components might be customized derivatives from another module, new, or completely absent,” say Cisco Talos experts.

Malicious actors find Cobalt Strike’s obfuscation techniques and robust tools for C2, stealth, and data exfiltration particularly attractive.

Analysts write that the tool is valued by information security specialists and criminals alike primarily for its ability to deploy listeners on victims’ networks. These listeners are used to manage how infected hosts communicate with C&C servers to receive payloads and further commands from the attackers.

“The strength of Cobalt Strike is that it offers many answers to tricky questions an attacker might have. Expand listeners and beacons? No problem. Need a shellcode? Easy. Need to create staged/non-staged executables? Done. Given the versatility of Cobalt Strike, its popularity comes as no surprise. Attackers are increasingly relying on Cobalt Strike to operate rather than mainstream malware,” said Cisco Talos researchers.

In their report, the experts write that they analyzed the structure of attacks using the Cobalt Strike framework and developed about 50 signatures for Snort and the open-source ClamAV antivirus engine.

I would also like to remind you that the damage from ransomware is not only financial: the actions of cybercriminals are deadly. See, for example, First death due to ransomware attack: German hospital patient dies.

You might also be interested in another study: Cisco Talos has published research on the Astaroth malware that describes how Astaroth hides its command-and-control servers.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
