Ransomware is one of the most serious threats to enterprise security, but it does not come from nowhere. According to specialists at the information security startup Lumu Technologies, the infection of a corporate network with ransomware is preceded by the appearance of so-called precursor malware in it. This is usually malicious code used to collect, in advance, all the information the attackers need; it sits in the network for some time and paves the way for the subsequent ransomware infection.
In theory, by detecting and neutralizing this malicious code, companies can protect themselves from the ransomware attack that follows. If a company discovers that its networks are communicating with something resembling the C&C servers of the Emotet, Phorpiex, SmokeLoader, Dridex or TrickBot malware, it should sever that connection immediately; otherwise it may become the victim of a ransomware attack.
In the more than 2,000 companies whose networks Lumu specialists monitor, every ransomware attack was preceded by an infection with another piece of malware. The precursor malware uses lateral movement to spread across the network and its devices, opening access for the ransomware that follows.
Security teams may notice some activity, conclude that their firewall or EDR solution has blocked the malware and that everything is now fine, when in fact what they saw was only the precursor malware.
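The two defensive points above, blocking contact with known precursor C&C infrastructure and not treating a single "blocked" event as the end of the incident, can be checked against egress logs. The following is an added example, not code from the article or from Lumu; the log lines and the indicator list are constructed placeholders (the `.invalid` domains stand in for real threat-intelligence indicators), and the field layout of the log is an assumption.

```python
"""Flag hosts that contact known precursor-malware C2 infrastructure.

Added example (not from the original article). The indicator list and the
log lines below are constructed placeholders; in practice the indicators
would come from a threat-intelligence feed and the log from an egress proxy
or firewall.
"""
from collections import defaultdict
from datetime import datetime

# Constructed indicators: destination -> precursor family (placeholder domains).
PRECURSOR_C2 = {
    "c2-example-emotet.invalid": "Emotet",
    "c2-example-phorpiex.invalid": "Phorpiex",
    "c2-example-smokeloader.invalid": "SmokeLoader",
    "c2-example-dridex.invalid": "Dridex",
    "c2-example-trickbot.invalid": "TrickBot",
}

# Constructed egress-proxy log: timestamp, source host, destination, action.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z ws-17 c2-example-emotet.invalid BLOCK
2024-03-01T08:07:12Z ws-17 c2-example-emotet.invalid ALLOW
2024-03-01T08:09:44Z ws-17 cdn.example.net ALLOW
2024-03-01T08:15:30Z ws-17 c2-example-emotet.invalid ALLOW
2024-03-01T08:20:01Z ws-23 c2-example-trickbot.invalid BLOCK
2024-03-01T08:31:18Z ws-42 updates.example.com ALLOW
2024-03-01T08:35:09Z ws-23 c2-example-dridex.invalid ALLOW
2024-03-01T08:40:00Z ws-31 c2-example-phorpiex.invalid BLOCK
"""


def parse_log(text):
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "dest": dest.lower(),
            "action": action.upper(),
        })
    return events


def precursor_contacts(events, indicators=PRECURSOR_C2):
    """Per-host summary of contacts with known precursor C2 destinations.

    Events are processed in time order so we can tell whether traffic to a
    C2 destination got through *after* an earlier block on the same host.
    """
    hosts = defaultdict(lambda: {
        "families": set(), "blocked": 0, "allowed": 0, "allowed_after_block": False,
    })
    for ev in sorted(events, key=lambda e: e["ts"]):
        family = indicators.get(ev["dest"])
        if family is None:
            continue  # benign or unknown destination
        h = hosts[ev["host"]]
        h["families"].add(family)
        if ev["action"] == "BLOCK":
            h["blocked"] += 1
        else:
            h["allowed"] += 1
            if h["blocked"]:
                h["allowed_after_block"] = True
    return dict(hosts)


def hosts_to_isolate(events, indicators=PRECURSOR_C2):
    """Every host with any precursor C2 contact is a candidate for isolation
    and investigation, including hosts where every attempt was blocked: the
    block stopped one connection, not the implant that made it.
    'still_active' means at least one connection succeeded;
    'slipped_past_block' means traffic got through after an earlier block."""
    result = {}
    for host, info in precursor_contacts(events, indicators).items():
        result[host] = {
            "families": sorted(info["families"]),
            "still_active": info["allowed"] > 0,
            "slipped_past_block": info["allowed_after_block"],
        }
    return result


if __name__ == "__main__":
    for host, info in sorted(hosts_to_isolate(parse_log(SAMPLE_LOG)).items()):
        print(host, info)
```

Run against the constructed log, `ws-17` shows the pattern the article warns about: one blocked Emotet-tagged connection followed by successful ones, so a team that closed the alert at the first block would have missed live precursor traffic. `ws-31` was only ever blocked, yet it still appears in the isolation list, because a blocked beacon is evidence of an implant, not proof that it is gone.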