Ransomware as a Decoy

Attacks involving million-dollar ransom demands attract headlines, but the payout is no longer the sole financial incentive for attackers. The exfiltration of critical data is a key motivator that can be used to extort victims into paying even larger fees to recover assets. Data, including intellectual property such as research and patents, is often targeted by organized groups or as part of corporate espionage. Stealing this information and then coercing a business into paying to get access to their network provides attackers with further rewards for planning and executing advanced, targeted attacks.

Ransomware is the perfect cover for a targeted data exfiltration attack.  Security teams are well aware of the devastation an unchecked ransomware outbreak can cause. They will naturally focus all their efforts on containment and remediation to minimize disruption and get the business up and running.  However, once the infection has been taken care of and forensics are performed to investigate how the attack started, there can be signs that the infiltrators have been on the network for much longer than first suspected. The worst of the damage could well have been carried out in the weeks prior to the detonation of the ransomware itself.

In one example of such a thorough cyber attack, analysts triaged a ransomware incident for an organization and investigated how the attack started and what other actions the threat actors might have carried out on the network. They discovered suspicious activity originating from a service account: the attackers had used the account to access and move large quantities of data into a temporary directory for exfiltration. Following the investigation to its source made it clear this was more than a typical ransomware attack. This approach is fast becoming the norm rather than the exception.

By taking the time to really study their targets, find the weak spots in defenses, and conduct highly targeted campaigns, threat actors can inflict far greater damage on their victims. In a business model reminiscent of large software companies, threat actors can buy the exact tools that they need and tailor these to their target by purchasing modular add-ons.  Once they have established a foothold, the real value for threat actors lies in establishing and maintaining persistence on the network. The longer they are able to remain in the system, the greater their potential for escalating privileges and gathering high-value data or IP. This, in turn, makes the conversion rate from any ransom demands much higher.

Their leverage becomes greater the longer they can trawl the network for data, and organizations are more likely to pay this demand if they are threatened with an ultimatum that troves of highly sensitive corporate data are about to be made public.

While exploits continue to multiply, one of the most dangerous is still Emotet, which acts as a malware loader or dropper. Regarded by the CISA as “One of the most prevalent ongoing threats,” its indicators of compromise frequently change and it is very difficult for traditional security solutions to detect. The malspam campaigns that spread it often take advantage of a technique called “thread-jacking,” where a threat actor can intercept an email chain via an infected host and deliver the payload to a trusting victim.

Once a system is infected, Emotet enables threat actors to escalate privileges, move laterally, establish persistence and exfiltrate data, and upload other malicious programs such as Trickbot. Once they have captured and encrypted files, cybercriminals can then demand a ransom.  A new money making enterprise appeared in 2020, when ransomware actors opened auction sites to sell data to the highest bidder.

Attackers are constantly creating new variants that evade detection by traditional signature-based approaches. To counteract these attacks, firms need to have defense in depth. This starts with preventing threat actors from infiltrating the network by defending against tactics such as phishing and malware campaigns through staff training, the use of strong passwords, two-factor-authentication, and patch management.

If a threat actor makes it onto the system, their potential for lateral movement is limited when organizations have deployed a least-privilege approach, where access to files and folders is limited based on job role or seniority.  Behavioral anomalies are a prime indicator that a threat actor could be on the network. This includes encrypting or downloading large amounts of data or user accounts trying to access restricted data. Successfully spotting such behavior requires correlating data from many sources, including endpoint and network detection and response solutions.
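The service-account investigation described earlier and the behavioural indicators listed above (bulk staging into a temporary directory, accounts reading restricted data they are not entitled to, and bursts of file modification consistent with encryption) can be turned into correlation rules over endpoint and file-server telemetry. The following Python script is an added example and is not Red Sky Alliance's code or tooling; the log format, directory prefixes, entitlement table and thresholds are all assumptions chosen for illustration, and the log lines are constructed, not real telemetry.

```python
"""Correlate file-access events from several hosts and flag behaviours that
suggest a ransomware outbreak is covering a data theft. Example code only;
format, prefixes, entitlements and thresholds below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed whitespace-separated
# format: ISO-timestamp host account action path bytes (paths have no spaces).
SAMPLE_LOG = """\
2021-03-01T02:00:00 fs01 svc-backup read /srv/research/patents/p-001.docx 3000000
2021-03-01T02:00:05 fs01 svc-backup write /tmp/.cache/p-001.docx 3000000
2021-03-01T02:01:00 fs01 svc-backup read /srv/research/patents/p-002.docx 4000000
2021-03-01T02:01:05 fs01 svc-backup write /tmp/.cache/p-002.docx 4000000
2021-03-01T09:00:00 ws17 alice read /srv/research/patents/p-001.docx 3000000
2021-03-01T09:05:00 ws17 bob read /home/bob/notes.txt 1200
2021-03-01T11:00:00 ws22 bob write /srv/finance/q1.xlsx.locked 50000
2021-03-01T11:00:01 ws22 bob write /srv/finance/q2.xlsx.locked 50000
2021-03-01T11:00:02 ws22 bob write /srv/finance/q3.xlsx.locked 50000
"""

# Assumed staging locations and restricted shares for this environment.
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "C:\\Windows\\Temp\\")
RESTRICTED_PREFIXES = ("/srv/research/", "/srv/finance/")
# Hypothetical least-privilege entitlement table: account -> prefixes it may read.
ENTITLEMENTS = {"alice": {"/srv/research/"}, "bob": {"/srv/finance/"}}


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, host, account, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "account": account,
            "action": action, "path": path, "bytes": int(size)}


def _peak_in_window(events, window, value):
    """Sliding-window sum of value(event) over time-sorted events; returns the peak."""
    peak = total = start = 0
    for i, ev in enumerate(events):
        total += value(ev)
        while ev["ts"] - events[start]["ts"] > window:
            total -= value(events[start])
            start += 1
        peak = max(peak, total)
    return peak


def detect_anomalies(log_text, window=timedelta(minutes=30),
                     staging_bytes=5_000_000, burst_writes=3):
    """Return (account, rule, detail) findings. Thresholds are illustrative;
    production values would be tuned per environment and account type."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    findings = []
    for account, evs in by_account.items():
        allowed = ENTITLEMENTS.get(account, set())
        # Rule 1: read of a restricted share the account is not entitled to.
        for ev in evs:
            if ev["action"] != "read":
                continue
            for prefix in RESTRICTED_PREFIXES:
                if ev["path"].startswith(prefix) and prefix not in allowed:
                    findings.append((account, "restricted_access", ev["path"]))
        # Rule 2: bulk staging, i.e. many bytes written into temp directories
        # within the window (the service-account pattern in the article).
        staged = [e for e in evs
                  if e["action"] == "write" and e["path"].startswith(TEMP_PREFIXES)]
        peak = _peak_in_window(staged, window, lambda e: e["bytes"])
        if peak >= staging_bytes:
            findings.append((account, "bulk_staging", f"{peak} bytes within {window}"))
        # Rule 3: burst of write events outside temp dirs, an encryption-like signal.
        writes = [e for e in evs
                  if e["action"] == "write" and not e["path"].startswith(TEMP_PREFIXES)]
        peak_writes = _peak_in_window(writes, window, lambda e: 1)
        if peak_writes >= burst_writes:
            findings.append((account, "write_burst", f"{peak_writes} writes within {window}"))
    return findings


if __name__ == "__main__":
    for account, rule, detail in detect_anomalies(SAMPLE_LOG):
        print(f"{rule:18} {account:12} {detail}")
```

On the constructed sample the service account is flagged twice for reading patent files it has no entitlement for and once for staging 7 MB into /tmp, while bob's three rapid writes of renamed finance files trigger the write-burst rule; alice's entitled read produces nothing. The point of the per-account grouping is that each rule alone is noisy, but the same account tripping restricted access and bulk staging in the same window is the kind of correlated signal the text says requires combining endpoint and network sources.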

Finally, to ensure they can recover quickly in the event of a ransomware attack, organizations must also have robust backups that they can rely on if their network does go down. With targeted ransomware attacks showing no signs of slowing next year, businesses need a connected system of detection capabilities to identify when a ransomware outbreak may just be an attempt to distract and disable companies while attackers escape with their most valuable data assets.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

To help organizations protect their Work from Home (WFH) employees, Red Sky Alliance has introduced their RedXray cyber threat notification service, which can notify cyber security teams of potential cyber threats on a daily basis, https://www.wapacklabs.com/redxray. At-home workers can add their IP addresses to the RedXray enrollment page and they are automatically added to the notifications. This is one more way Red Sky Alliance is helping organizations through the COVID-19 lockdown. RedXray can be used by customers at any location in the world.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting:  https://www.redskyalliance.org/

Website:     https://www.wapacklabs.com/

LinkedIn:   https://www.linkedin.com/company/wapacklabs/

Twitter:      https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949


TR-21-022-002Ransomware_as_a_Decoy.pdf 
