{
	"id": "54d66e51-ea0f-40d3-967c-bacce2e181a6",
	"created_at": "2026-04-06T00:07:31.020851Z",
	"updated_at": "2026-04-10T13:12:46.699653Z",
	"deleted_at": null,
	"sha1_hash": "26b82a79ffa9a63bab0526e0dd2cec604d4def2c",
	"title": "What malware to look for if you want to prevent a ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52633,
	"plain_text": "What malware to look for if you want to prevent a ransomware\r\nattack\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 23:13:43 UTC\r\nOrganizations are never going to stop ransomware attacks by looking for the ransomware.\r\nWhen it comes to ransomware attacks, threat actors often spend time on an organization’s networks for weeks (if\r\nnot months) before the actual ransomware is launched. While these actors go to great lengths to mask their tracks,\r\nthere are clues that can unearth the possibility of a ransomware attack before the actual ransomware shows up on\r\nan organization’s system. In order to do this, however, organizations need to know what to look for before it’s too\r\nlate.\r\nThe following is a breakdown of what malware organizations should be on the lookout for in order to thwart a\r\nransomware attack. While the presence of these particular kinds of malware does not automatically mean a\r\nransomware attack is imminent, awareness of their utility will help security teams proactively protect their\r\nsystems from the crippling, expensive impact of a ransomware incident.\r\nTrojans\r\nOne of the most common malware families on the internet, trojans are often used by malicious actors as an initial\r\nway to gain access to an organization’s network. Often delivered in some form of a phishing attack, trojans present\r\nattackers with the ability to siphon data from networks, leave a gateway for further malware delivery, or both.\r\nOver the past decade, trojans were primarily used to siphon banking credentials, as attackers focused on obtaining\r\naccess to financial accounts. With the rise in ransomware, threat actors have fine-tuned trojans to uncover\r\ncredentials that can give them unfettered access to an organization’s network.\r\nA prime example of how trojans are used to set up ransomware attacks can be seen in the connection between\r\nEmotet and Conti. 
Intel 471 researchers recently discovered that Conti uses Emotet to gain a foothold in\r\norganizations’ networks, then allows ransomware operators to pick targets from a pool of infected organizations.\r\nConti has made Emotet a key part of their attack chain, specifically since Emotet was re-launched in November\r\n2021.\r\nOther trojans that have been used in recent ransomware attacks include Qbot, IcedID (aka BokBot), and ZLoader.\r\nIntel 471 researchers have noticed that the Conti group appears to have dropped BazarLoader in favor of a new\r\nmalware called Bumblebee, which follows research from Google stating that Bumblebee has been used by an\r\naccess broker with ties to Conti. Intel 471 researchers have observed Cobalt Strike, Metasploit, Sliver (an open-source backdoor programmed in Go), and IcedID as Bumblebee payloads.\r\nInformation Stealers\r\nhttps://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike\r\nPage 1 of 3\n\nWhile information stealers are close in functionality to trojans, there can be slight differences between the two\r\nkinds of malware. Trojans will often steal information as it is being entered into a machine (e.g. via a keylogger), while\r\ninformation stealers are programmed to steal credentials and other information that is already stored on a machine.\r\nInfo stealers can collect all sorts of information, including browser cookies, autofill data, cryptocurrency wallets,\r\nand stored credentials from File Transfer Protocol (FTP) clients and desktop applications. Threat actors use this information to search for\r\nhigh-level credentials that can allow them to move freely within an organization’s network, find further high-value\r\ndata they want to steal, and locations where they need to deploy ransomware in order to lock an organization’s\r\nsystem.\r\nSome ransomware crews have re-formulated info stealers that were used for a variety of crimes in the past, while\r\nothers have created new ones specifically for their own use. 
Malware known as “StealBit” is used as an info\r\nstealer to support affiliates of LockBit ransomware. Rather than a conventional stealer designed for harvesting\r\ndata from browsers, StealBit operates as a file grabber, allegedly cloning folders from corporate networks to the\r\nLockBit victim shaming blog in almost no time.\r\nOther information stealers that have been used in ransomware attacks are KPOT, Mars, Raccoon, Redline and\r\nVidar.\r\nPenetration testing tools\r\nThere is a bevy of tools used by legitimate security professionals that have been co-opted into the attack chain of\r\nransomware operators. While these tools are sold and licensed by their developers, this software is often\r\ncopied, cracked, or reverse engineered to serve ransomware gangs’ nefarious purposes. These gangs often use\r\nthese programs to move further throughout a network and siphon administrative credentials that pave the way for\r\nransomware attacks.\r\nCobalt Strike is one of these popular tools that has been embraced by ransomware gangs. These gangs and their\r\naffiliates use Cobalt Strike as a second-stage payload for many malware campaigns across many malware\r\nfamilies. Intel 471 researchers have observed Cobalt Strike being delivered via Hancitor, SystemBC and Trickbot\r\nto further facilitate credential harvesting, lateral movement, and ransomware deployment. Additionally, the Conti\r\nransomware group tried to buy a legitimate license for Cobalt Strike through a shell company made to look like a\r\nlegitimate security enterprise.\r\nMimikatz, initially created by a security researcher to learn how Microsoft's authentication protocols were\r\nvulnerable to attacks, is a very popular tool amongst cybercriminals. 
Intel 471 researchers have observed several\r\nransomware-as-a-service operations, including ALPHV, AvosLocker, and SunCrypt, use Mimikatz to harvest\r\ncredentials from privileged network administrators.\r\nMetasploit is similar to Mimikatz in that it’s open source, but provides a wide array of add-ons that allow users to\r\nperform an extensive range of tasks. Modules can be loaded into Metasploit that allow for tasks similar to those of\r\nthe malware listed above, including keylogging, information stealing and the ability to drop further\r\nmalware. Intel 471 researchers observed Conti and LockBit 2.0 recruiting developers that had experience\r\ndeploying or working with Metasploit.\r\nNot a panacea\r\nTo be clear: setting up a security strategy that only looks for these types of malware is not sustainable.\r\nVulnerabilities still need to be patched, phishing emails will still be sent, and employees could still be targets of\r\nsocial engineering scams. However, being proactive about this specific malware may force attackers to move on\r\nfrom your organization and find a different target. Ignoring malware prior to a ransomware attack is a recipe for\r\ndisaster.\r\nMay 12, 2022: This blog has been edited to include that Google has made a connection between the Bumblebee\r\nloader and the Conti cybercriminal group.\r\nSource: https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike"
	],
	"report_names": [
		"malware-before-ransomware-trojan-information-stealer-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26b82a79ffa9a63bab0526e0dd2cec604d4def2c.pdf",
		"text": "https://archive.orkl.eu/26b82a79ffa9a63bab0526e0dd2cec604d4def2c.txt",
		"img": "https://archive.orkl.eu/26b82a79ffa9a63bab0526e0dd2cec604d4def2c.jpg"
	}
}