The group behind the Gatak Trojan (Trojan.Gatak) continues to pose a threat to organizations, with the healthcare sector in particular heavily affected by its attacks. Gatak is known for infecting its victims through websites promising product licensing keys for pirated software. While the group previously focused on US targets, it has diversified over the past two years, and attacks are now taking place against organizations in a broad range of countries.
The majority of Gatak infections (62 percent) occur on enterprise computers. Analysis of recent enterprise attacks indicates that the healthcare sector is by far the most affected by Gatak. Of the top 20 most affected organizations (organizations with the most infected computers), 40 percent were in the healthcare sector. In the past, the insurance sector was also heavily targeted by the group.
Gatak victims are infected through websites offering product key generators, or “keygens,” for pirated software. The malware is bundled with the product key, and if the victim is tricked into downloading and opening one of these files, the malware is surreptitiously installed on their computer.
The attackers appear to focus on offering product keys for software that is more likely to be used in professional environments. The websites used in the attacks are controlled by the attackers and have no connection with the developers of the software. At no point are legitimate versions of software compromised.