Microsoft warns of new ransomware campaign by Twisted Spider group

Uses malvertising to spread Danbot Trojan, then Cactus ransomware

According to a series of posts on X by Microsoft Threat Intelligence, Russia-based ransomware actor Storm-0216 (aka Twisted Spider, UNC2198) is using Danabot, an advanced banking Trojan, to deploy Cactus ransomware.

First identified earlier this year, Cactus uses tools and custom scripts to disable security software to ease the distribution of the ransomware binary.

In the current campaign, Microsoft Threat Intelligence said that Twisted Spider is distributing Danabot via malvertising, fake ads that conceal malicious software.

"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," the researchers said.

"Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216."

Malvertising has recently turned up in Google search results, with users clicking on apparently valid links only to be infected with malware.

According to The Media Trust, more than three billion malicious ads were blocked in the past year.

Commenting on the current spate of malvertising, Keegan Keplinger, senior threat researcher at managed security services firm eSentire, said that continuous security training is a must, with regular updates to raise employee awareness. "Rather than only focusing on phishing emails, getting staff to recognise malvertising and hijacked websites can help prevent cyberattacks from taking place."

Relevant examples of malvertising can be incorporated into security awareness training programmes, so that staff are made aware of potential risks when browsing or searching, and learn to recognise the danger signs. These include bogus URLs and unusual file extensions on download links.

On the security solutions side, Endpoint Detection and Response (EDR) tools can prevent infections spreading when someone inadvertently downloads a malicious file or visits a fake site set up by threat actors.

"Alongside this, using Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content can also help prevent attacks from succeeding," Keplinger said.

Prevention being better than cure, organisations should also consider offering apps via a secure internal portal, to prevent employees having to seek out software for themselves.