Ransomware – Cybercriminal Groups Know The Weak Points

David Balaban

Cybercriminal Groups Grow

Data breaches and leaks represent a quickly growing security problem these days. When plenty of people work from home, the risk of data leaks is much higher. Cybercriminal groups know the weak points and pay increased attention to outdated and inadequately protected remote access protocols. And, interestingly, more and more data leaks today are associated with ransomware.

To begin with, the creation and distribution of ransomware viruses is a very profitable criminal business. For example, the FBI estimates that the Sodinokibi group earned approximately $1 million per month over the past year. And the attackers who created Ryuk received even more. At the beginning of the group’s activities, their income amounted to $3 million per month. So, it is not surprising that many CISOs report ransomware as one of the three main risks to the business.

Getting into the victim’s computer

Protection technologies are constantly developing, and attackers must change their tactics too in order to penetrate a specific system/environment. Targeted ransomware attacks continue to be spread with well-designed phishing emails that employ social engineering. Recently, however, malware developers have started to pay more attention to employees working remotely. To attack them, hackers find poorly protected remote access services, such as RDP or VPN servers with vulnerabilities.

Attackers are looking for any way to penetrate the corporate network and expand the spectrum of attacks. Attempts to infect networks of service providers have become a popular trend. As cloud services are also gaining popularity today, the infection of a popular service allows attackers to penetrate dozens or even hundreds of victims at once.

If attackers breach web-based security management consoles or backup systems, they can disable protection, delete backups, and ensure that their malware is deployed throughout the organization. That is why experts recommend protecting all such accounts with multi-factor authentication. Reputable cloud services let you enable a second factor, because once a password is compromised, attackers can negate all the benefits of even a comprehensive cyber protection system.

Extending the attack spectrum

When the cherished goal is achieved and the malware is already inside the corporate network, fairly typical tactics are used for further distribution. Well-known tools are used for this, such as WMI, PsExec, and PowerShell, as well as the newer Cobalt Strike adversary emulation framework and other utilities. Ragnar Locker ransomware was recently seen running inside a VirtualBox virtual machine, hiding the presence of the malicious software from security tools on the host.

Once inside the corporate network, the malware checks the user's access level and tries the stolen passwords. Utilities like BloodHound and Mimikatz help attackers obtain domain administrator credentials. Only when the attacker considers the distribution possibilities exhausted is the ransomware program itself downloaded to the client systems.

Ransomware as a cover

Given the severity of the threat of data loss, every year more and more companies implement a so-called Disaster Recovery Plan. Managers rely heavily on it and do not worry much about data getting encrypted. In the event of a ransomware attack, they do not start collecting money for the ransom but start the recovery process.

At the same time, attackers do not sleep either. Under the guise of a ransomware infection, massive data theft occurs. The first group to use such tactics on a large scale was Maze ransomware back in 2019. Now more and more cybercriminal groups are engaged in data theft along with encryption. Here are some of them: Sodinokibi, Nemty, DoppelPaymer, Netwalker, CLOP.

Sometimes attackers manage to pump dozens of terabytes of data out of the company before network monitoring tools detect anything, assuming those tools were installed and configured correctly in the first place. Most often the data transfer is done with FTP, WinSCP, PuTTY, or PowerShell scripts. To get past DLP and network monitoring systems, the data can be encrypted or sent as a password-protected archive. This is a new challenge for security teams, which now need to check outgoing traffic for the presence of such files.
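As an added illustration (not code from the article), the following Python egress check looks for exactly the evasion just described: ZIP entries whose header carries the encryption flag, opaque 7z/RAR containers, and raw high-entropy blobs that DLP cannot inspect. The 7.5 bits-per-byte entropy threshold and the sample files are assumptions constructed here.

```python
import io, math, os, struct, zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
RAR_MAGIC = b"Rar!\x1a\x07"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0, office documents far below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zip_encrypted_entries(data: bytes) -> list:
    """Walk ZIP local file headers; bit 0 of the general-purpose flag marks a password-protected entry."""
    names, pos = [], data.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        if flags & 1:
            names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(ZIP_LOCAL_SIG, pos + 30 + name_len + extra_len + comp_size)  # skip entry body
    return names

def classify_outbound_file(data: bytes) -> dict:
    """Egress verdict: flag payloads a DLP system cannot look inside."""
    result = {"container": None, "encrypted_entries": [], "entropy": round(shannon_entropy(data), 2)}
    if data.startswith(SEVENZ_MAGIC) or data.startswith(RAR_MAGIC):
        result["container"] = "7z" if data[:1] == b"7" else "rar"  # opaque: route to an unpacker first
    elif data.startswith(ZIP_LOCAL_SIG):
        result["container"] = "zip"
        result["encrypted_entries"] = zip_encrypted_entries(data)
    # Plain ZIPs can be opened and inspected; the other three cases cannot (assumed threshold 7.5 bits).
    result["suspicious"] = result["container"] in ("7z", "rar") or bool(result["encrypted_entries"]) \
        or (result["container"] is None and result["entropy"] > 7.5)
    return result

def build_samples() -> dict:
    """Constructed inputs: a plain ZIP, the same ZIP with its encryption flag set, a CSV, random bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,name,iban\n1,Alice,DE00 0000 0000\n" * 50)
    plain = buf.getvalue()
    flagged = plain[:6] + struct.pack("<H", struct.unpack_from("<H", plain, 6)[0] | 1) + plain[8:]
    return {"plain.zip": plain, "protected.zip": flagged,
            "report.csv": b"id,name\n1,Alice\n" * 100, "blob.bin": os.urandom(65536)}
```

In production the same checks would run on a web proxy or mail gateway against each outbound attachment and upload, with a "suspicious" verdict triggering quarantine and an alert rather than a silent block.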

A study of the behavior of info-stealers shows that attackers do not simply collect everything. They are mostly interested in financial documents, customer databases, personal data of employees, contracts, and legal documents. The malicious software scans disks for any information that could theoretically be used in a blackmail operation.

If such an attack is successful, attackers post a small teaser online, showing several documents that confirm the data really has been leaked from the organization. Some hacker groups publish the entire data set on their website once the ransom deadline has passed. To avoid being blocked by ISPs, the data is published on the Tor network.

Another way to monetize stolen data is to sell it. For example, Sodinokibi recently announced open auctions in which stolen data goes to the highest bidder. The starting price was $50K and depended on the quality and content of the data. For example, a set of 10,000 records that included detailed cash flows, confidential business data, and scanned driver's licenses was sold for as low as $100,000.

Sites that publish leaked data vary widely. One may be a simple page on which everything stolen is laid out; others have more complex structures with different sections and a Buy Now button. But the main thing is that they all serve the same goal: to increase the attackers' chances of receiving money. If this business model shows good results for attackers, there is no doubt that there will be even more such sites, and the theft of corporate data and the techniques for monetizing it will expand further.

What to do with new attacks?

The main challenge for security services under these conditions is that recently, more and more incidents related to ransomware are simply a method of distracting attention from data theft. Attackers no longer rely only on file encryption. On the contrary, the main goal is to steal data while victims are struggling with encryption.

Thus, a backup strategy alone, even with a good recovery plan, is not enough to counter multi-layer threats. Every attack involving ransomware should now be treated as a reason for a comprehensive analysis of network traffic and for launching an investigation into what is actually happening. You should also think about additional security measures and tools that can:

  • Quickly detect attacks and analyze abnormal network activity using AI.
  • Instantly recover systems in the event of a zero-day ransomware attack.
  • Block the spread of malware on the corporate network.
  • Analyze software and systems (including remote access) for vulnerabilities and exploits.
  • Prevent the transfer of information beyond the corporate perimeter.
