TA505 hackers thwarted at the door of a big financial org

“[T]he malware was signed mere hours prior to the attack – an indication of the operation’s deliberate timeline and nature,” a Cybereason researcher said.

A failed attempt to breach a big financial institution is providing new data on a global criminal hacking group associated with the widely used Locky ransomware.

The group, dubbed TA505, has stalked financial organizations on multiple continents. Boston-based security company Cybereason says earlier this month it blocked a hack from the group against an unnamed financial institution.

“This malware is part of a larger campaign” against organizations that was precise in its targeting, Eli Salem, a Cybereason security analyst, told CyberScoop.

The fresh threat intelligence from the breach attempt includes a revamped backdoor and an example of how the hackers are signing their malicious code using a legitimate certificate – a hallmark of advanced groups looking to avoid detection.


TA505 has been linked with the distribution of Windows-based Locky ransomware that emerged in February 2016. At its height, Locky was one of the most common ransomware strains, employed in mass email campaigns for maximum return. It is estimated that over $200 million was paid out from Locky-fueled attacks in 2016 and 2017, said Allan Liska, a ransomware expert at threat-intelligence company Recorded Future.

The new activity from TA505 is much narrower.

“[T]he malware was signed mere hours prior to the attack – an indication of the operation’s deliberate timeline and nature,” Salem wrote in research Cybereason will publish Thursday.

Other data reinforces the notion that the attack was carefully planned. The hackers chose computers with privileged access within the organization, scoped out their corresponding email accounts, and deployed a variant of the ServHelper backdoor they started using late last year, according to Salem.

Asked if anyone at the target organization clicked on the lures, Salem said that social engineering is “one of the strongest and easy to use tools malware authors have in their arsenal,” but that the malware was blocked “before any damage was done.”


The attackers were “living off the land,” according to Cybereason, using binary tools in a stealthy effort to deploy their malware. That technique is increasingly popular with hackers because the programs they’re abusing have plenty of legitimate uses, making them seem benign in the hands of adversaries, Salem told CyberScoop.

The attempted compromise of the financial organization is the latest move from a group that tries to keep network defenders guessing.

TA505 is thought to comprise as many as four different hacking teams collaborating to deliver various malware, according to Recorded Future’s Allan Liska. The group has successfully navigated the transient ransomware market, he said.

“In an arena where groups seldom last for more than a year or two, TA505 has managed to adapt and change and continue to find success,” Liska added.

Written by Sean Lyngaas
