Since last month, the Storm-0216 threat operation, also known as UNC2198 and Twisted Spider, has used malvertising schemes to deploy the Danabot malware for initial system access ahead of distributing Cactus ransomware, reports The Record, a news site run by cybersecurity firm Recorded Future.
"Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via Remote Desktop Protocol (RDP) sign-in attempts, eventually leading to a handoff to Storm-0216," said researchers from Microsoft's Threat Intelligence team.
Cactus ransomware itself, which emerged less than a year ago, is operated by sophisticated threat actors, according to ransomware expert Allan Liska.
"The ransomware has built-in anti-virus detection techniques and the group appears to be skilled in avoiding detection during the reconnaissance stage. They have posted almost 70 victims to their extortion site, so they appear to have had some early success," said Liska.