Ransomware – Cybercriminal Groups Know The Weak Points

Cybercriminal Groups Grow

Data breaches and leaks are a quickly growing security problem. With many people working from home, the risk of data leakage is much higher, and cybercriminal groups know the weak points: they pay increased attention to outdated and inadequately protected remote access services. Notably, more and more data leaks today are associated with ransomware.

To begin with, creating and distributing ransomware is a very profitable criminal business. For example, the FBI estimates that the Sodinokibi group earned approximately $1 million per month over the past year, and the attackers behind Ryuk received even more: at the start of the group's activity, their income amounted to $3 million per month. It is therefore not surprising that many CISOs rank ransomware among the top three risks to the business.

Getting into the victim’s computer

Protection technologies are constantly developing, so attackers must change their tactics to penetrate a given system or environment. Targeted ransomware attacks continue to start with well-designed phishing emails that rely on social engineering. Recently, however, malware operators have paid more attention to employees working remotely. To reach them, attackers look for poorly protected remote access services, such as exposed RDP endpoints or VPN servers with unpatched vulnerabilities.

Attackers look for any way into the corporate network and any way to widen the attack. Attempts to compromise service providers have become a popular trend: as cloud and managed services gain popularity, compromising one widely used provider lets attackers reach dozens or even hundreds of victims at once.

If attackers breach a web-based security management console or a backup console, they can disable protection, delete backups, and push their malware throughout the organization. That is why experts recommend protecting every such account with multi-factor authentication. Reputable cloud services offer this second factor, because once a password is compromised, attackers can negate all the benefits of a comprehensive cyber protection system.

Extending the attack spectrum

Once the cherished goal is achieved and the malware is inside the corporate network, fairly standard tactics are used for further spread, built on well-known tools: WMI, PsExec, PowerShell, the newer Cobalt Strike adversary emulation framework, and other utilities. The Ragnar (Ragnar Locker) ransomware was recently seen running its payload inside a VirtualBox virtual machine deployed on the victim host, hiding the extraneous software from the security tools running on that machine.

Inside the corporate network, the malware checks the current user's access level and tries the stolen passwords elsewhere. Utilities such as BloodHound map paths to domain administrator privileges in Active Directory, and Mimikatz extracts credentials from memory to take over such accounts. Only when the attacker considers the possibilities for spreading exhausted is the ransomware itself deployed to the endpoints.
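The lateral-movement toolchain described in the two paragraphs above (PsExec, WMI, PowerShell, Mimikatz, and reuse of stolen passwords across hosts) leaves recognisable traces in Windows event logs. The following is an added example, not code from the original article: a few detection rules run over constructed sample events. The event records, host names, account names and command lines are made up for illustration and are flattened the way a SIEM would normalise Security 4624/4688 and System 7045 records; the field names are this example's own, not a particular product's schema.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample events (not from any real incident). Fields are a flattened
# subset of Security 4624 (logon), 4688 (process creation) and System 7045
# (service install) as a SIEM might store them.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS-17", "id": 4624, "type": 3, "user": "CORP\\jsmith", "src": "10.0.5.23", "pkg": "NTLM"},
    {"ts": 101, "host": "WS-17", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": 104, "host": "FS-02", "id": 4624, "type": 3, "user": "CORP\\jsmith", "src": "10.0.5.23", "pkg": "NTLM"},
    {"ts": 105, "host": "FS-02", "id": 4688, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAo"},
    {"ts": 108, "host": "DC-01", "id": 4624, "type": 3, "user": "CORP\\jsmith", "src": "10.0.5.23", "pkg": "NTLM"},
    {"ts": 109, "host": "DC-01", "id": 4688, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\m.exe", "cmd": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": 300, "host": "WS-04", "id": 4624, "type": 3, "user": "CORP\\backup-svc", "src": "10.0.9.9", "pkg": "Kerberos"},
    {"ts": 301, "host": "WS-04", "id": 4688, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe report.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# powershell.exe accepts any unique prefix of -EncodedCommand (-e, -ec, -en, -enc ...).
ENCODED_PS = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncodedcommand)?\s")
# Mimikatz module syntax survives even when the binary is renamed (m.exe above).
MIMIKATZ = re.compile(r"(?i)(?:sekurlsa|lsadump|privilege|kerberos)::")


def psexec_installs(events):
    """Hosts with a 7045 service install matching PsExec's default PSEXESVC name/binary.
    Renamed copies (psexec -r) escape this rule, hence the other rules below."""
    return [e["host"] for e in events if e["id"] == 7045
            and ("PSEXESVC" in e.get("service", "").upper()
                 or ntpath.basename(e.get("image", "")).upper() == "PSEXESVC.EXE")]


def wmi_spawned_shells(events):
    """4688 where WmiPrvSE.exe is the parent of an interpreter: the footprint of
    'wmic /node:... process call create' or Invoke-WmiMethod used for lateral movement."""
    return [(e["host"], ntpath.basename(e["image"])) for e in events if e["id"] == 4688
            and ntpath.basename(e.get("parent", "")).lower() == "wmiprvse.exe"
            and ntpath.basename(e.get("image", "")).lower() in SHELLS]


def suspicious_cmdlines(events):
    """Encoded PowerShell and Mimikatz module invocations in process command lines."""
    out = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmd", "")
        if ENCODED_PS.search(cmd):
            out.append((e["host"], "encoded-powershell"))
        if MIMIKATZ.search(cmd):
            out.append((e["host"], "mimikatz-module"))
    return out


def logon_fan_out(events, window=600, min_hosts=3):
    """One account from one source address reaching >= min_hosts distinct hosts via
    network logons (type 3) within `window` seconds: stolen credentials being reused."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4624 and e.get("type") == 3:
            seen[(e["user"], e["src"])].append((e["ts"], e["host"]))
    hits = []
    for (user, src), logons in seen.items():
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, src, sorted(hosts)))
                break
    return hits


def triage(events):
    return {"psexec": psexec_installs(events), "wmi_shell": wmi_spawned_shells(events),
            "cmdline": suspicious_cmdlines(events), "fan_out": logon_fan_out(events)}


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule, hits)
```

None of these rules is conclusive on its own (administrators also use PsExec and WMI), but the combination in the sample, one account fanning out over NTLM to three hosts within seconds while a PSEXESVC install and a WmiPrvSE-spawned encoded PowerShell appear on the same hosts, is the pattern that should trigger an investigation before the encryptor is dropped.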

Ransomware as a cover

Given the severity of the data-loss threat, more companies every year implement a so-called Disaster Recovery Plan. Managers rely heavily on it and are not really worried about data getting encrypted: in the event of a ransomware attack, they do not raise the ransom but start the recovery process.


At the same time, attackers are not idle either. Under the guise of a ransomware attack, massive data theft takes place. The first to use this tactic on a large scale was the Maze ransomware group, back in 2019. Now more and more cybercriminal groups steal data alongside encrypting it; among them are Sodinokibi, Nemty, DoppelPaymer, Netwalker and CLOP.

Sometimes attackers manage to pull dozens of terabytes of data out of a company before network monitoring tools detect anything, assuming such tools were installed and configured correctly in the first place. Most often, the transfer is done with FTP, WinSCP, PuTTY, or PowerShell scripts. To get past DLP and network monitoring systems, the data may be encrypted or sent as a password-protected archive. This is a new challenge for security teams, which need to inspect outgoing traffic for such files.
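One concrete version of the check the paragraph above calls for, as an added example that is not from the original article: a small classifier for files seen on the egress path. For ZIP archives it parses the central directory itself rather than trusting file extensions, and reads bit 0 of each entry's general-purpose flag, which both legacy ZipCrypto and WinZip AES (compression method 99) set when an entry is password-protected. 7-Zip and RAR archives are only recognised by magic bytes here, because their header encryption options hide even the file list. The sample archives are constructed inside the block; the `build_stored_zip` helper sets the encryption flag in the headers without actually encrypting the payload, which is enough for a header-based check.

```python
import io
import struct
import zipfile
import zlib

ZIP_LFH_SIG, ZIP_CDH_SIG, ZIP_EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# Formats identified by magic only: 7-Zip -mhe and RAR -hp encrypt the file list too,
# so nothing inside can be inspected without the password.
OPAQUE_ARCHIVES = {b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar"}
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: ZipCrypto and WinZip AES
METHOD_AES = 99           # WinZip AES additionally marks the entry with method 99


def zip_entries(data: bytes):
    """Return (name, method, encrypted) for every entry listed in the central directory."""
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != ZIP_CDH_SIG:
            raise ValueError("corrupt central directory")
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)   # 46-byte fixed header
        flags, method, fn_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        entries.append((name, method, bool(flags & FLAG_ENCRYPTED) or method == METHOD_AES))
        pos += 46 + fn_len + extra_len + comment_len
    return entries


def classify_outbound_file(data: bytes) -> str:
    """Label a file on the egress path: zip-plain, zip-encrypted, zip-corrupt, 7z, rar or other."""
    for magic, kind in OPAQUE_ARCHIVES.items():
        if data.startswith(magic):
            return kind
    if data.startswith(ZIP_LFH_SIG) or data.startswith(ZIP_EOCD_SIG):
        try:
            entries = zip_entries(data)
        except ValueError:
            return "zip-corrupt"
        return "zip-encrypted" if any(enc for _, _, enc in entries) else "zip-plain"
    return "other"


def build_stored_zip(files: dict, encrypted_flag: bool = False) -> bytes:
    """Construct a minimal ZIP (method 0, stored) as test input. With encrypted_flag the
    headers carry bit 0 exactly as a password-protected archive would; the payload is
    left unencrypted because only the headers are inspected by the classifier."""
    flags = FLAG_ENCRYPTED if encrypted_flag else 0
    local, central, offset = [], [], 0
    for name, content in files.items():
        fn, crc = name.encode(), zlib.crc32(content) & 0xFFFFFFFF
        lfh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, crc,
                          len(content), len(content), len(fn), 0)
        local.append(lfh + fn + content)
        cdh = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0, crc,
                          len(content), len(content), len(fn), 0, 0, 0, 0, 0, offset)
        central.append(cdh + fn)
        offset += len(lfh) + len(fn) + len(content)
    cd = b"".join(central)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(files), len(files), len(cd), offset, 0)
    return b"".join(local) + cd + eocd


def stdlib_zip(files: dict) -> bytes:
    """The same content written by the standard library, to cross-check the parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def stdlib_read(data: bytes, name: str) -> bytes:
    """Read one member with the standard library (proves build_stored_zip emits a valid ZIP)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = {"customers.csv": b"id,name\n1,Example Ltd\n", "contract.pdf": b"%PDF-1.4 constructed"}
    for label, blob in [("plain", build_stored_zip(sample)), ("flagged", build_stored_zip(sample, True)),
                        ("stdlib", stdlib_zip(sample)), ("7z", b"7z\xbc\xaf\x27\x1c" + b"\0" * 8)]:
        print(label, classify_outbound_file(blob))
```

A header check like this is cheap enough to run inline on a proxy or mail gateway, but it only answers "is this archive password-protected?"; a large plain ZIP of contracts leaving for an unfamiliar host is just as much an exfiltration signal, so the result should feed a volume-and-destination rule rather than block on its own.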

A study of the behavior of info-stealers shows that attackers do not simply collect everything. They are mostly interested in financial documents, customer databases, employees' personal data, contracts, and legal documents. The malware scans disks for any information that could conceivably be used for blackmail.

If such an attack succeeds, the attackers post a small teaser online: several documents proving that the data really was taken from the organization. Some groups publish the entire data set on their website once the deadline for paying the ransom has passed. To avoid takedowns by hosting providers and ISPs, the data is published on the Tor network.

Another way to monetize stolen data is to sell it. For example, Sodinokibi recently announced open auctions in which stolen data goes to the highest bidder. The starting price was $50K and depended on the quality and content of the data; a set of 10,000 records that included detailed cash flows, confidential business data, and scanned driver's licenses was sold for as little as $100,000.

Leak sites vary considerably. One may be a simple page on which everything stolen is laid out; others are more elaborate, with separate sections and a Buy Now button. What they have in common is their purpose: to increase the attackers' chances of getting paid. If this business model keeps working for attackers, there is no doubt there will be more such sites, and that the theft of corporate data and the techniques for monetizing it will expand further.

What to do with new attacks?

The main challenge for security teams under these conditions is that, more and more often, a ransomware incident is merely a way of diverting attention from data theft. Attackers no longer rely only on file encryption; on the contrary, the main goal is to steal data while the victim is busy dealing with the encryption.

Thus a backup strategy alone, even with a good recovery plan, is not enough to counter these multi-layer threats. Every attack involving ransomware should now be treated as grounds for a comprehensive traffic analysis and an investigation of what else is happening. You should also consider additional security measures and tools that can:

  • Quickly detect attacks and analyze abnormal network activity using AI.
  • Instantly recover systems in the event of a zero-day ransomware attack.
  • Block the spread of malware on the corporate network.
  • Analyze software and systems (including remote access) for vulnerabilities and exploits.
  • Prevent the transfer of information beyond the corporate perimeter.

==========================

By David Balaban
