Beware — These Ransomware Hackers Are Watching You Work
Ransomware attackers can now watch what you are doing.
The ransomware threat is evolving, and attackers are continually seeking new angles and technologies to exploit, to aid with leveraging payments in these modern-day extortion schemes. Some are hard to fathom, like the DOGE-trolling hackers demanding $1 trillion, exploiting zero-day vulnerabilities in Windows, and the increasingly common use of 2FA bypass attacks and access to 19 billion compromised passwords on the dark web. But what if ransomware hackers were using employee monitoring software to see what you are up to during the attack and to steal your credentials as well? Welcome to the sinister world of Qilin and Hunters International ransomware.
How Ransomware Attackers Can Spy On You
While the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have recently issued a security alert about the dangers that unsophisticated threat actors pose to U.S. critical infrastructure services, that doesn’t mean all ransomware hackers are using the kind of basic and elementary intrusion techniques described in the CISA advisory. Take the Qilin and Hunters International ransomware threat, whose affiliates have been observed using a legitimate employee monitoring tool during their attacks.
The ransomware attacks in question started with malicious Google Ads deployed by the threat actors. These were designed to display “when people searched for RVTools, a free Windows utility for managing VMware vSphere deployments,” Sergiu Gatlan at Bleeping Computer, said. If the would-be victim clicked through that advert then it started a waterfall of nefarious events leading to the download and installation of something called Kickidler.
Here’s the thing: Kickidler is not malware. In fact, it’s a perfectly legitimate employee monitoring tool that’s deployed by more than 5,000 organizations across the world. The key point of interest is that it provides a visual monitoring capability. Once installed, the ransomware hackers can literally see what you are doing.
Varonis threat research investigators have suggested that the ransomware attackers have used the software in order to have undetected access to target systems for weeks at a time, enabling the collection of the credentials required to gain access to critical off-site cloud data backups. It is recommended, therefore, that network defenders ensure the effective and regular auditing of any installed remote monitoring and management software.