A more ‘robust and joined up approach’ is needed to combat the risks UK businesses are facing from cyber attacks, such as those distributed by bogus call centres, says director

A new form of cyber attack has been targeting SMEs with methods that may not set alarm bells ringing for those not in the know.

In mid-July, specialist cyber MGA CFC Underwriting warned the industry that this emerging ransomware attack – dubbed BazarCall – was targeting small businesses.

BazarCall uses call centres to distribute malicious Excel files that install BazarLoader malware on the user’s device – which is where the attack gets its name.

A phishing email with a subject line stating “thank you for using your free trial” prompts the user to call a phone number to cancel a subscription before the free trial ends and they are subsequently charged an automatic renewal fee.

However, once the user calls the phone number, they are then asked for their unique customer ID number – so that the business can be identified by the threat actor – and are then directed to a cancellation form on a separate webpage.

The customer is then prompted to enter their customer ID on this website, which triggers an Excel document to be installed on the user’s device that contains the BazarCall malware.

The extortion is twofold – data on the customer’s network is encrypted so that their operations are disabled, while a threat is made that the data will be leaked if the victim doesn’t pay up.

Speaking exclusively to Insurance Times, Thomas Bennett, team leader of CFC’s cyber threat analysis team, said: “The goal for BazarCall is almost universally ransomware, but it isn’t itself a ransomware attack – it is just one of the precursor stages of how the intrusion happens.”

CFC first started seeing this type of attack in October last year and, by mid-August this year, the MGA was seeing 20 cases a day, on average.

Cyber cover complications

The SMEs most at risk of cyber attacks like BazarCall often do not have cyber insurance policies, however – either due to not wanting to purchase cover or not being able to afford it.

Premium Credit’s Insurance Index published in May 2022 revealed that 16% of SMEs had used credit to help pay for cyber cover.

Cost issues have been further compounded by the cost of living crisis, Covid-19 and the war between Russia and Ukraine, with GlobalData warning that cyber insurance could become unaffordable for SMEs in the face of these economic shocks.

In June 2022, Marsh reported that year-on-year cyber insurance price increases had reached triple digits in Q4 2021, rising from 28% in Q1 2021 to 104% in the final quarter. 

The data and analytics firm noted in its 2021 UK SME Insurance Survey that 17.3% of SMEs said they did not have cyber cover as it was too pricey, while 29% of SMEs said they had cancelled policies to cut costs.

More robust approach needed

Martin Lilley, director of corporate clients at Broadway Insurance Brokers, said that BazarCall underlined why cyber insurance was now a priority for companies of all sizes.

He explained: “Cyber cover is a feature of almost every conversation which we have with clients. In a world where cyber threats are ever more prominent, it is vital to ensure that businesses are fully protected.

“The vast majority of those businesses either have or are actively looking to buy cyber policies because they do not want to carry the considerable commercial risks associated with falling victim either to this or to one of a variety of other different types of attack.

“In many cases, premiums are far more expensive while, on the other hand, the amount of cover on offer is less than in previous years. It is becoming an ever-greater issue for businesses, some of whom are required to have cyber policies as a condition of contracts of engagement with other, larger enterprises. If they can’t secure cover, then they lose out on work.”

On the other hand, Lilley noted that there are issues in terms of the provision of cyber cover.

“We have seen insurers limiting its availability, arguably because they want to reduce their own exposure as the frequency and size of attacks grows,” he continued.

Bennett added that, as cyber threat groups are constantly innovating, they are able to trick users into falling for these scams – CFC is seeing many other groups copying the BazarCall attack method.

“Now, more than ever, it is critical that UK businesses implement a joined up and robust approach to IT security and cyber insurance,” Lilley added.

Social engineering

Bennett explained that traditional malware attacks relied on the user being misled into opening an email attachment containing malware. Modern cyber security and anti-virus software, however, makes that increasingly difficult to carry out.

For example, Microsoft Office 365 recently released updates that make attacks reliant on email attachments much more difficult to execute.

Cyber attackers have increasingly innovated attack methods that cut out their reliance on email attachments, as in the BazarCall attack.

Bennett explained: “The method doesn’t require an email attachment. Instead, the social engineering is to get the user to call a phone number. It says something along the lines of ‘your subscription to this service has been renewed and there will be a higher price, call this number to dispute’.”

Tricking targets into phoning a number is a common theme in this type of attack, with the phone line usually a toll-free number.

“They [threat actors] are doing it in targeted campaigns – all the UK victims will get an 0800 number which helps it seem convincing. A lot of the phone numbers route to the same call centres – very often in northeast India – and often the same call centres associated with other scam types that consumers in the UK and worldwide are going to be familiar with.”
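The lure described above (a billing-themed subject, no attachment, and a request to ring a freephone number) can be checked for at the mail gateway. The following Python example is an added illustration, not code from CFC or the article; the signal names, regular expressions and sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Lure wording drawn from the article's examples (free trial, renewal, being charged).
LURE = re.compile(r"free trial|subscription|renew|charged|cancel", re.I)
# Callback cue: a verb asking the reader to phone, plus a UK 0800-style number.
CALL_VERB = re.compile(r"\b(call|ring|phone)\b", re.I)
UK_FREEPHONE = re.compile(r"\b0800[\s-]?\d{3}[\s-]?\d{3,4}\b")
URL = re.compile(r"https?://", re.I)

def callback_phish_signals(raw: str) -> list[str]:
    """Return the callback-phishing signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
        if p.get_content_type() == "text/plain" and not p.get_filename()
    )
    signals = []
    if LURE.search(msg.get("Subject", "")):
        signals.append("billing_lure_subject")
    if CALL_VERB.search(body) and UK_FREEPHONE.search(body):
        signals.append("phone_callback")
    if not any(p.get_filename() for p in parts):
        signals.append("no_attachment")   # nothing for attachment scanning to inspect
    if not URL.search(body):
        signals.append("no_link")         # nothing for URL rewriting to inspect
    return signals

def is_callback_phish(raw: str) -> bool:
    """Flag for review when lure subject, phone callback and no attachment coincide."""
    s = callback_phish_signals(raw)
    return {"billing_lure_subject", "phone_callback", "no_attachment"} <= set(s)

# Constructed sample messages (addresses, number and customer ID are made up).
LURE_SAMPLE = (
    "From: billing@example.test\nSubject: Thank you for using your free trial\n\n"
    "Your free trial ends soon. To cancel before you are charged, "
    "call 0800 000 0000 and quote customer ID 12345.\n"
)
BENIGN_SAMPLE = (
    "From: accounts@example.test\nSubject: Your subscription invoice\n\n"
    "View your invoice at https://billing.example.test/invoices\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_callback_phish(raw), callback_phish_signals(raw))
```

A hit is a prompt for review and user contact rather than a verdict, since legitimate billing mail can also carry a phone number.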

Impersonation

However, Bennett noted that some of the more sophisticated threat actors inform users that their machines have been infected by malware.

“I’ve seen CrowdStrike – the massive internet response firm – being impersonated [in an email] saying that the user has been retained by their employer to clean up their computer and to ring [the] help desk to get that actioned,” he added.

Likewise, in the case where the email says the user has been charged, the telephone threat actor walks the user through the process of downloading a ‘receipt’ for a refund, which is in fact an Excel document with malware attached, Bennett said.

In the instance of security vendor impersonations, the threat actor tricks the user into downloading a programme that looks like an antivirus product, but is in fact malware.

Bennett added: “Ransomware groups have realised this way into networks, if the user falls for the social engineering lure, they will be adding a back door to your network. We haven’t had any claims from this, despite being aware the goal is ransomware attacks.”

One of the reasons that CFC can mitigate these kinds of attacks is that it has visibility at all stages of the cyber attack, as well as access to email recipient lists.

Bennett added: “We can contact customers saying, ‘you’ve had this phishing email, go to these specific employees, make sure they know this is a scam’. We also know which customers have rung the phone number.

“For the minority of customers that call the phone number and are tricked into installing a ‘back door,’ we’re able to see that activity and get in touch with them.

“We can stop all three stages and, as a result, we have been successful at stopping them ever developing into something more profound [where our customers are concerned].”