In a recent report, Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks. More than one hundred different cyber-criminal gangs are actively conducting ransomware attacks, deploying over 50 different ransomware families in campaigns in which they encrypt networks and demand a ransom payment for the decryption key. The analysis from Microsoft Security Intelligence notes that some of the most prominent ransomware attacks of recent times include LockBit, BlackCat, Vice Society, and Royal.[1] And it only takes one attack vector to cause a mess.
See: https://redskyalliance.org/xindustry/lockbit-ransomware-gang-promises-bounty-payments
The attacks are also being aided by ransomware groups offering Ransomware-as-a-Service (RaaS) schemes, enabling cyber criminals who don't develop their own ransomware to get in on the action. Access to RaaS schemes is sold on underground forums, providing aspiring ransomware attackers with all the tools they need to conduct and manage attacks and extort ransom payments. In many cases, the author of the ransomware takes a cut of any ransom payments the attackers receive. Some of these groups have become sophisticated and offer a wide variety of services to help their clients infect, and collect from, their victims.
See: https://redskyalliance.org/xindustry/ransomware-as-a-service-went-to-business-school
Some of the most disruptive ransomware attacks have been carried out by attackers using affiliate schemes, with high-profile attacks involving the likes of Conti and LockBit ransomware being conducted by affiliates. Phishing schemes are the most common means by which attackers gain initial access to networks. Targeting usernames and passwords with phishing emails or brute-force attacks gives cyber criminals access to networks using legitimate credentials, which are less likely to arouse suspicion. It is becoming easier for cyber criminals to access networks in this way since the rise of hybrid and remote working.
The attackers can move around the network, potentially even using the compromised account to conduct phishing attacks against other users, gaining the permissions and control required to compromise as much of the network with ransomware as possible, before eventually triggering the encryption process, locking files and servers and demanding a ransom payment.
Cyber threat investigators warn about the rise of malvertising as the initial stage of attacks, where cyber criminals buy online advertising, commonly to promote fake software downloads which, if downloaded and installed, infect the user with Trojan malware that the attackers then use to distribute ransomware. Cyber criminal affiliates using Royal ransomware have been seen using this technique to deliver the payload.
Fake software updates have also become a common means of delivering ransomware. These false warnings, which claim your software needs to be updated, typically come from malvertising links or drive-by downloads that happen in the background without the user knowing. The goal of the false update alerts is to scare victims into downloading the malware while they believe they are doing the right thing to protect their system.
Cyber criminals are also using the common method of abusing unpatched cybersecurity vulnerabilities to access networks. Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed. Cyber researchers recommend that computers and networks should be updated with the latest security patches as a matter of urgency, in order to prevent cyber criminals from exploiting known vulnerabilities to access networks. It is also important that security updates are only downloaded from official sources, to avoid the possibility of a fake software update infecting you with ransomware.
Beware of “Great Deals” on the Internet for popular and expensive software and updates offered at ridiculously low prices. This can result in not getting the real software, having your credit card information stolen and resold, and receiving malware or ransomware as a bonus.
All organizations can help prevent phishing attacks by ensuring that accounts are secured with strong, preferably unique, passwords and with Multi-Factor Authentication (MFA). This additional layer of protection can help to stop attackers from accessing accounts, even if they have obtained the correct username and password.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ransomware-gangs-using-50-types-of-malware/