Ransomware Operators: Having at It and Having It
Lately, ransomware actors have gone berserk with their attacks on businesses, pressuring them to pay a ransom quickly by leaking sample data. In a recent incident, the dataset leaked by a threat actor group revealed more than the cybercriminals intended to convey.
A few weeks back, Maze actors disclosed an attack on VT San Antonio Aerospace by dumping part of the stolen data on their leak site.
- McAfee researchers, while digging through the leaked data, found a document containing the victim's IT department's report on the ransomware attack.
- This implies that the actors never left the hacked systems and kept spying on the victim while the attack investigation was under way.
Ransomware gaining persistence before an attack
A ransomware attack has traditionally been a come-and-go business. However, some ransomware families have recently been observed establishing persistence in a victim's network before launching an attack.
- Lately, SentinelOne laid bare a new infection technique used by Ryuk actors, in which the group first infiltrates a victim's systems using TrickBot, dwelling for an average of two weeks while determining whether the victim is worth encrypting.
- Last month, Microsoft warned of a new strain of human-operated ransomware called PonyFinal that tends to stay dormant for weeks, waiting for the best time to make a move against the target. PonyFinal uses brute force to gain its initial foothold and then drops malicious scripts.
Rising ransomware attacks and the cost they entail
In a survey conducted by Sophos, researchers found that 51% of organizations were hit by ransomware in 2019 and that the success rate for encryption stood at 73%. Now, with stealthier techniques for achieving persistence, ransomware threat actors stand a better chance of breaching your network with a larger attack and eventually raising the stakes in ransom negotiations.
Additionally, it has been established that paying the ransom almost doubles the cost of dealing with a ransomware attack, including business downtime, lost orders, operational costs, and more.
In the current threat landscape, ransomware actors are gaining persistence, elevating privilege, and disrupting critical data to affect the continuity of operations within an organization.
Shutting down infected systems and bringing the network offline should be the foremost concern when hit by a ransomware attack. In addition to that, an organization should consider:
- Choosing a safe communication channel to discuss the ongoing incident response (IR) effort.
- Enabling multi-factor authentication wherever possible since attackers are mostly after credentials.
- Thoroughly reviewing Active Directory (AD) to flush out any remaining backdoor accounts responsible for malware persistence.
- Reinstalling the machines and servers and changing domain passwords.
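The AD review in the list above can be started from the Windows Security log. The script below is an added example, not code from the article or from any vendor it cites: it scans constructed Security events for accounts created or granted privileged group membership during the incident window, and follows the chain from a suspect account to anything that account created afterwards. Event IDs 4720, 4728 and 4732 are real Windows Security event IDs; the JSON field names are an assumed SIEM export schema.

```python
"""Triage Windows Security events for backdoor accounts left by ransomware operators.

Event IDs (real Windows Security log IDs): 4720 = user account created,
4728 = member added to a security-enabled global group,
4732 = member added to a security-enabled local group.
"""
import json
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample log: one JSON event per line in an assumed SIEM export schema.
# "subject" is the account that performed the action, "target"/"member" the account acted on.
SAMPLE_EVENTS = """
{"time": "2020-06-01T02:14:00", "id": 4720, "subject": "svc-backup", "target": "helpdesk2"}
{"time": "2020-06-01T02:15:30", "id": 4728, "subject": "svc-backup", "group": "Domain Admins", "member": "helpdesk2"}
{"time": "2020-05-20T09:00:00", "id": 4720, "subject": "it-admin", "target": "jdoe"}
{"time": "2020-05-20T09:01:00", "id": 4728, "subject": "it-admin", "group": "Sales", "member": "jdoe"}
{"time": "2020-06-02T23:40:00", "id": 4732, "subject": "helpdesk2", "group": "Administrators", "member": "helpdesk2"}
"""


def find_suspect_accounts(lines, incident_start, incident_end):
    """Return {account: [reasons]} for accounts created or added to a privileged
    group inside the incident window (ISO-8601 strings), plus any account whose
    creator or sponsor is itself already a suspect (chained persistence)."""
    start, end = datetime.fromisoformat(incident_start), datetime.fromisoformat(incident_end)
    events = sorted((json.loads(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["time"])  # chronological so chaining works
    suspects = {}

    def flag(account, reason):
        suspects.setdefault(account, []).append(reason)

    for e in events:
        in_window = start <= datetime.fromisoformat(e["time"]) <= end
        actor_suspect = e["subject"] in suspects
        if e["id"] == 4720 and (in_window or actor_suspect):
            flag(e["target"], f"created by {e['subject']} at {e['time']}")
        elif e["id"] in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS and (in_window or actor_suspect):
            flag(e["member"], f"added to {e['group']} by {e['subject']} at {e['time']}")
    return suspects


if __name__ == "__main__":
    for account, reasons in find_suspect_accounts(SAMPLE_EVENTS, "2020-05-30T00:00:00", "2020-06-03T00:00:00").items():
        print(account, "->", "; ".join(reasons))
```

Accounts it flags are candidates for disabling and further review, not automatic deletions; the legitimate "jdoe" creation outside the window is deliberately left alone.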
Contrary to popular belief, attackers do not always leave the victim's system after deploying the ransomware. Ransomware operators lurk in the network and stay a step ahead of defenders by watching every activity. Therefore, organizations should take the right steps to parry such threats.