Ransomware – Cybercriminal Groups Know The Weak Points

Cybercriminal Groups Grow

Data breaches and leaks represent a quickly growing security problem these days. When plenty of people work from home, the risk of data leaks is much higher. Cybercriminal groups know the weak points and pay increased attention to outdated and inadequately protected remote access protocols. And, interestingly, more and more data leaks today are associated with ransomware.

To begin with, the creation and distribution of ransomware viruses is a very profitable criminal business. For example, the FBI estimates that the Sodinokibi group earned approximately $1 million per month over the past year. And the attackers who created Ryuk received even more. At the beginning of the group’s activities, their income amounted to $3 million per month. So, it is not surprising that many CISOs report ransomware as one of the three main risks to the business.

Getting into the victim’s computer

Protection technologies are constantly developing, and attackers must change their tactics too in order to penetrate a specific system/environment. Targeted ransomware attacks continue to be spread with well-designed phishing emails that employ social engineering. Recently, however, malware developers have started to pay more attention to employees working remotely. To attack them, hackers find poorly protected remote access services, such as RDP or VPN servers with vulnerabilities.

Attackers are looking for any way to penetrate the corporate network and expand the spectrum of attacks. Attempts to infect networks of service providers have become a popular trend. As cloud services are also gaining popularity today, the infection of a popular service allows attackers to penetrate dozens or even hundreds of victims at once.

If attackers breach web-based security management consoles or backup systems, they can disable protection, delete backups, and ensure that their malware is deployed throughout the organization. That is why experts recommend carefully protecting all accounts with multi-factor authentication. Reputable cloud services let you enable this second layer of protection, because if a password alone is compromised, attackers can negate all the benefits of a comprehensive cyber protection system.

Extending the attack spectrum

Once the goal is achieved and the malware is inside the corporate network, fairly typical tactics are used for further distribution. Attackers rely on well-known tools such as WMI, PsExec, and PowerShell, as well as the newer Cobalt Strike emulator and other utilities. Malware such as Ragnar was recently seen running inside a completely closed VirtualBox machine, which hides the presence of extraneous software on the machine.

Once inside the corporate network, the malware checks the user’s access level and tries the stolen passwords. Utilities like Bloodhound & Co. and Mimikatz help crack domain administrator accounts. Only when the attacker considers the distribution possibilities exhausted is the ransomware program downloaded directly to the client systems.

Ransomware as a cover

Given the severity of the threat of data loss, more and more companies implement a so-called Disaster Recovery Plan every year. Managers rely heavily on it and do not really worry about data getting encrypted. In the event of a ransomware attack, they do not start collecting the ransom but start the recovery process.

At the same time, attackers do not sleep either. Under the guise of a ransomware virus, massive data theft occurs. The first to use such tactics on a large scale was Maze ransomware back in 2019. Now, more and more cybercriminal groups are engaged in data theft along with encryption. Here are some of them: Sodinokibi, Nemty, DoppelPaymer, Netwalker, CLOP.

Sometimes, attackers manage to pump out dozens of terabytes of data from the company before network monitoring tools detect anything, assuming such tools were installed and configured correctly in the first place. Most often, the data is transferred using FTP, WinSCP, PuTTY, or PowerShell scripts. To get past DLP and network monitoring systems, the data can be encrypted or sent as a password-protected archive. This is a new challenge for security services, which need to check outgoing traffic for the presence of such files.
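The outgoing-file check described above, as an added example that is not part of the original article: it labels a payload as a password-protected ZIP (encryption bit set in the ZIP headers), a plain ZIP, or high-entropy data that may be ciphertext. The function names, the sample payloads, and the 7.5 bits-per-byte threshold are assumptions constructed for this illustration.

```python
import io
import math
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"  # signature of a ZIP local file header

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_members(data: bytes) -> list:
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m.filename for m in zf.infolist() if m.flag_bits & 0x1]

def classify(data: bytes, threshold: float = 7.5) -> str:
    """Label an outbound payload for triage; the threshold is an assumed default."""
    if data.startswith(ZIP_MAGIC):
        try:
            return "zip-password-protected" if encrypted_members(data) else "zip-plain"
        except zipfile.BadZipFile:
            return "zip-malformed"
    return "high-entropy" if entropy(data) >= threshold else "plain"

def sample_zip(protected: bool) -> bytes:
    """Constructed sample: a stored ZIP. 'protected' only sets the encryption
    flag in the local and central headers; the payload is not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("contracts/customers.csv", "id,name\n1,Example Ltd\n")
    raw = bytearray(buf.getvalue())
    if protected:
        raw[6] |= 0x01                             # local file header flags
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(raw)

if __name__ == "__main__":
    samples = {  # all payloads below are constructed for the demonstration
        "report.zip": sample_zip(False),
        "backup.zip": sample_zip(True),
        "blob.bin": bytes(range(256)) * 16,        # stand-in for ciphertext
        "notes.txt": b"quarterly numbers attached\n" * 40,
    }
    for name, payload in samples.items():
        print(f"{name:12} {classify(payload)}")
```

Compressed media and ordinary archives are also high-entropy, so that label is a triage signal to combine with destination and volume, not a verdict on its own.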

A study of the behavior of info-stealers shows that attackers do not collect everything indiscriminately. They are mostly interested in financial documents, customer databases, personal data of employees, contracts, and legal documents. Malicious software scans disks for any information that could theoretically be used in a blackmail operation.

If such an attack is successful, attackers put a small teaser online, showing several documents that confirm the data really was leaked from the organization. Some hacker groups publish the entire data set on their website if the deadline for paying the ransom has passed. To avoid blocking by ISPs, the data is published on the Tor network.

Another way to monetize stolen data is to sell it. For example, Sodinokibi recently announced open auctions where stolen data goes to the highest bidder. The starting price was $50K and depended on the quality and content of the data. For example, a set of 10,000 records that included detailed cash flows, confidential business data, and scanned driver’s licenses was sold for as low as $100,000.

Sites that publish leaked data vary considerably. Some are a simple page on which everything stolen is laid out. Others have a more complex structure with different sections and a Buy Now button. But the main thing is that they all serve the same goal: to increase the attackers’ chances of receiving money. If this business model shows good results for attackers, there is no doubt that there will be even more such sites, and the theft of corporate data and its monetization techniques will be expanded further.

What to do with new attacks?

The main challenge for security services under these conditions is that more and more ransomware incidents are simply a way to distract attention from data theft. Attackers no longer rely only on file encryption. On the contrary, the main goal is to steal data while victims are struggling with encryption.

Thus, a backup strategy alone, even with a good recovery plan, is not enough to counter multi-layer threats. Every attack involving ransomware should now be treated as a reason for a comprehensive analysis of traffic and an investigation of what is happening. You should also think about additional security measures and tools that can:

  • Quickly detect attacks and analyze abnormal network activity using AI.
  • Instantly recover systems in the event of a zero-day ransomware attack.
  • Block the spread of malware on the corporate network.
  • Analyze software and systems (including remote access) for vulnerabilities and exploits.
  • Prevent the transfer of information beyond the corporate perimeter.

==========================

By David Balaban
