{
	"id": "d5288910-88d5-45b9-8b1c-827ccbbc3b67",
	"created_at": "2026-04-06T00:15:36.294203Z",
	"updated_at": "2026-04-10T03:21:47.725595Z",
	"deleted_at": null,
	"sha1_hash": "efe77708bf35a911b07e019db06745486a29b89e",
	"title": "The malware that usually installs ransomware and you need to remove right away",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 310509,
	"plain_text": "The malware that usually installs ransomware and you need to remove right away\r\nBy Catalin Cimpanu, Contributor, Nov. 19, 2020 at 9:45 p.m. PT\r\nArchived: 2026-04-05 14:42:18 UTC\r\nImage: Lina White\r\nGone are the days when ransomware groups operated by launching mass email spam campaigns in the hopes of infecting random users across the internet.\r\nToday, ransomware operators have evolved from a niche of clumsy malware gangs into a series of complex cybercrime cartels with the skills, tools, and budgets of government-sponsored hacking groups.\r\nNowadays, ransomware gangs rely on multi-level partnerships with other cybercrime operations. Called \"initial access brokers,\" these groups operate as the supply chain of the criminal underground, providing ransomware gangs (and others) with access to large collections of compromised systems.\r\nConsisting of hacked RDP endpoints, backdoored networking devices, and malware-infected computers, these systems allow ransomware gangs to easily gain access to corporate networks, escalate their access, and encrypt files to demand huge ransoms.\r\nThese initial access brokers are a crucial part of the cybercrime scene. Today, three types of brokers stand out as the sources of most ransomware attacks:\r\nSellers of compromised RDP endpoints: Cybercrime gangs are currently carrying out brute-force attacks against workstations or servers configured for remote RDP access that have also been left exposed on the internet with weak credentials. These systems are later sold on so-called \"RDP shops\" from where ransomware gangs often select systems they believe might be located inside the network of a high-value target.\r\nhttps://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/\r\nPage 1 of 5\r\nSellers of hacked networking devices: Cybercrime gangs are also using exploits for publicly known vulnerabilities to take control of a company's networking equipment, such as VPN servers, firewalls, or other edge devices. Access to these devices and the internal networks they protect/connect is sold on hacking forums or to ransomware gangs directly.\r\nSellers of computers already infected with malware: Many of today's malware botnets will often comb through the computers they infect for systems on corporate networks and then sell access to these high-value systems to other cybercrime operations, including ransomware gangs.\r\nProtecting against these three types of initial access vectors is often the easiest way of avoiding ransomware. However, while safeguarding against the first two typically involves practicing good password policies and keeping equipment updated, the third vector is harder to protect against.\r\nThis is because malware botnet operators often rely on social engineering to trick users into installing malware on their systems themselves, even if computers are running up-to-date software.\r\nThis article focuses on the known malware strains that have been used over the past two years to install ransomware.\r\nCompiled with the help of security researchers from Advanced Intelligence, Binary Defense, and Sophos, the list below should serve as a \"code red\" moment for any organization.\r\nOnce any of these malware strains are detected, system administrators should drop everything, take systems offline, and audit and remove the malware as a top priority.\r\nZDNet will keep the list up to date going forward.\r\nEmotet is considered today's biggest malware botnet.\r\nThere are few cases where Emotet has dealt with ransomware gangs directly, but many ransomware infections have been traced back to initial Emotet infections.\r\nUsually, Emotet sold access to its infected systems to other malware gangs, which later sold their own access to ransomware gangs.\r\nToday, the most common ransomware infection chain linked back to Emotet is: Emotet—Trickbot—Ryuk\r\nTrickbot is a malware botnet and cybercrime operation similar to Emotet. Trickbot infects its own victims but is also known to buy access to Emotet-infected systems in order to boost its numbers.\r\nOver the past two years, security researchers have seen Trickbot sell access to its systems to cybercrime gangs that later deployed Ryuk, and later the Conti ransomware.\r\nTrickbot—Conti\r\nTrickbot—Ryuk\r\nBazarLoader is currently considered to be a modular backdoor developed by a group with links to, or that spun off from, the main Trickbot gang. Either way, regardless of how they came to be, the group is following Trickbot's model and has already partnered with ransomware gangs to provide access to the systems they infect.\r\nCurrently, BazarLoader has been seen as the origin point for infections with the Ryuk ransomware [1, 2, 3].\r\nBazarLoader—Ryuk\r\nQakBot, Pinkslipbot, Qbot, or Quakbot is sometimes referred to inside the infosec community as the \"slower\" Emotet because it usually does what Emotet does, but a few months later.\r\nWith the Emotet gang allowing its systems to be used to deploy ransomware, QakBot has also recently partnered with different ransomware gangs: first with MegaCortex, then with ProLock, and currently with the Egregor ransomware gang.\r\nQakBot—MegaCortex\r\nQakBot—ProLock\r\nQakBot—Egregor\r\nSDBBot is a malware strain operated by a cybercrime group referred to as TA505.\r\nIt's not a common malware strain but has been seen as the origin point of incidents where the Clop ransomware was deployed.\r\nSDBBot—Clop\r\nDridex is yet another banking trojan gang that has reorganized as a \"malware downloader,\" following the examples set by Emotet and Trickbot in 2017.\r\nWhile in the past the Dridex botnet used spam campaigns to distribute the Locky ransomware to random users across the internet, for the past few years it has also been using the computers it has infected to drop either the BitPaymer or the DoppelPaymer ransomware strains in more targeted attacks against high-value targets.\r\nDridex—BitPaymer\r\nDridex—DoppelPaymer\r\nA late arrival to the \"install ransomware\" game, Zloader is catching up fast and has already established partnerships with the operators of the Egregor and Ryuk ransomware strains.\r\nIf there's one malware operation that has the ability and connections to expand, this is it.\r\nZloader—Egregor\r\nZloader—Ryuk\r\nBuer, or Buer Loader, is a malware operation that launched late last year, but has already established a reputation and connections in the cybercrime underground to partner with ransomware groups.\r\nPer Sophos, some incidents where the Ryuk ransomware has been discovered have been linked back to Buer infections days before.\r\nBuer—Ryuk\r\nPhorpiex, or Trik, is one of the smaller malware botnets, but no less dangerous.\r\nInfections with the Avaddon ransomware seen earlier this year have been linked to Phorpiex. Although neither Avaddon nor Phorpiex are common names, they should be treated with the same level of attention as Emotet, Trickbot, and the others.\r\nPhorpiex—Avaddon\r\nCobaltStrike is not a malware botnet. It's actually a penetration testing tool developed for cyber-security researchers that is also often abused by malware gangs.\r\nCompanies don't get \"infected\" with CobaltStrike. However, many ransomware gangs deploy CobaltStrike components as part of their intrusions.\r\nThe tool is often used as a way to control multiple systems inside an internal network and as a precursor to the actual ransomware attack.\r\nMany of the infection chains listed above are actually [MalwareBotnet]—CobaltStrike—[Ransomware], with CobaltStrike usually serving as the most common intermediary bridging the two.\r\nWe included CobaltStrike on our list at the request of our sources, who consider it as dangerous as a de-facto malware strain. If you see it on your network and you're not running a penetration test, then stop everything you're doing, take systems offline, and audit everything for an attack's entry point.\r\nSource: https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/"
	],
	"report_names": [
		"the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away"
	],
	"threat_actors": [],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efe77708bf35a911b07e019db06745486a29b89e.pdf",
		"text": "https://archive.orkl.eu/efe77708bf35a911b07e019db06745486a29b89e.txt",
		"img": "https://archive.orkl.eu/efe77708bf35a911b07e019db06745486a29b89e.jpg"
	}
}