Cybercriminal Groups Grow
Data breaches and leaks represent a quickly growing security problem these days. When plenty of people work from home, the risk of data leaks is much higher. Cybercriminal groups know the weak points and pay increased attention to outdated and inadequately protected remote access protocols. And, interestingly, more and more data leaks today are associated with ransomware.
To begin with, the creation and distribution of ransomware viruses is a very profitable criminal business. For example, the FBI estimates that the Sodinokibi group earned approximately $1 million per month over the past year. And the attackers who created Ryuk received even more. At the beginning of the group’s activities, their income amounted to $3 million per month. So, it is not surprising that many CISOs report ransomware as one of the three main risks to the business.
Getting into the victim’s computer
Protection technologies are constantly developing, and attackers must change their tactics too in order to penetrate a specific system/environment. Targeted ransomware attacks continue to be spread with well-designed phishing emails that employ social engineering. Recently, however, malware developers have started to pay more attention to employees working remotely. To attack them, hackers find poorly protected remote access services, such as RDP or VPN servers with vulnerabilities.
Attackers are looking for any way to penetrate the corporate network and expand the spectrum of attacks. Attempts to infect networks of service providers have become a popular trend. As cloud services are also gaining popularity today, the infection of a popular service allows attackers to penetrate dozens or even hundreds of victims at once.
In the case of breaching web-based security management consoles or backups, attackers can disable protection, delete backups, and ensure that their malware is deployed throughout the organization. By the way, that is why experts recommend carefully protecting all accounts using multi-factor authentication. Reputable cloud services allow you to set double protection because if a password gets compromised, attackers can negate all the benefits of using a comprehensive cyber protection system.
Extending the attack spectrum
When the cherished goal is achieved, and the malware is already inside the corporate network, quite typical tactics are usually used for further distribution. Well-known tools are used for this, such as WMI PsExec, PowerShell, as well as the newer Cobalt Strike emulator and other utilities. And malware such as Ragnar was recently seen on a completely closed VirtualBox machine, hiding the presence of extraneous software on the machine.
Getting into the corporate network, the malware tries to check the user’s access level and apply the stolen passwords. Utilities like Bloodhound & Co. and Mimikatz help crack domain administrator accounts. Only when the attacker considers the distribution possibilities exhausted, the ransomware program is downloaded directly to the client systems.
Ransomware as a cover
Given the severity of the threat of data loss, every year, more and more companies implement the so-called Disaster Recovery Plan. Managers heavily reply on this and do not really care about data getting encrypted. In the event of a ransomware attack, they do not start collecting the ransom but start the recovery process.
At the same time, attackers do not sleep too. Under the guise of a ransomware virus, massive data theft occurs. The first to massively use such tactics was Maze ransomware back in 2019. Now, more and more cyber-criminal groups are engaged in data theft along with encryption. Here are some of them: Sodinokibi, Nemty, DoppelPaymer, Netwalker, CLOP.
Sometimes, attackers manage to pump out dozens of terabytes of data from the company before anything could be detected by network monitoring tools, of course, if these were installed and configured correctly. Most often, the data transfer goes with the help of FTP, WinSCP, Putty, or PowerShell scripts. To overcome DLP and network monitoring systems, data can be encrypted or sent as an archive with a password. This is a new challenge for security services that need to check outgoing traffic for the presence of such files.
A study of the behavior of info-stealers shows that attackers do not collect just everything. They are mostly interested in financial documents, customer databases, personal data of employees, contracts, legal documents. Malicious software scans disks for any information that could theoretically be used in a blackmail operation.
If such an attack is successful, attackers put online a small teaser, showing several documents confirming that the data has really got leaked from the organization. Some hacker groups publish the entire data set on their website if the time for payment of the ransom has passed. To avoid blocking by ISP, data is published on the TOR network.
Another way to monetize stolen data is selling it. For example, Sodinokibi recently announced open auctions where stolen data goes to the highest bidder. The starting price was $50K and depended on the quality and content of the data. For example, a set of 10,000 records that included detailed cash flows, confidential business data, and scanned driver’s licenses were sold for as low as $100,000.
Sites that publish leaked data are quite different. It can be a simple page on which everything stolen is laid out. There are also more complex structures with different sections and the possibility of pressing the Buy Now button. But the main thing is that they all serve the same goal – to increase the chances of attackers to receive money. If this business model shows good results for attackers, there is no doubt that there will be even more such sites, and the theft of corporate data and its monetization techniques will be expanded further.
What to do with new attacks?
The main challenge for security services under these conditions is that recently, more and more incidents related to ransomware are simply a method of distracting attention from data theft. Attackers no longer rely only on file encryption. On the contrary, the main goal is to steal data while victims are struggling with encryption.
Thus, the use of a backup strategy alone, even with a good recovery plan, is not enough to counter multi-layer threats. It is about the fact that now every attack involving ransomware should be considered as a reason for a comprehensive analysis of traffic and launching an investigation of what is happening. You should also think about additional security measures and tools that can:
- Quickly detect attacks and analyze abnormal network activity using AI.
- Instantly recover systems in the event of a zero-day ransomware attack.
- Block the spread of malware on the corporate network.
- Analyze software and systems (including remote access) for vulnerabilities and exploits.
- Prevent the transfer of information beyond the corporate perimeter.
By David Balaban
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the macsecurity.net project that presents expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.