Ransomware is a new way to organize data leaks

Data leaks are a sore point for security teams, and now that most people work from home the risk is much higher. That is why well-known cybercriminal groups are paying increased attention to outdated and insufficiently secured remote access protocols. Interestingly, more and more data leaks today are associated with ransomware. How and why, read on.


To begin with, developing and distributing ransomware is a very profitable criminal business in itself. For example, according to the US FBI, the Sodinokibi group earned about $1 million a month over the past year. The attackers behind Ryuk received even more: at the start of the group's activity its income was up to $3 million per month. So it is no surprise that many CISOs list ransomware among their top five business risks.

The Acronis Cyber Protection Operation Center (CPOC), located in Singapore, confirms the rise of cybercrime in the ransomware area. In the second half of May, 20% more ransomware was blocked worldwide than usual. After a slight decline, now, in June, we are again seeing an increase in activity, and there are several reasons for this.

Getting onto the victim's computer

Protection technologies are evolving, and attackers have to adjust their tactics to get into a specific system. Targeted ransomware attacks are still spread through well-crafted phishing emails (not without social engineering). Lately, however, malware operators have paid a lot of attention to remote workers: to attack them, it is enough to find poorly protected remote access services, such as RDP, or VPN servers with known vulnerabilities, and this is exactly what they are doing. Ransomware-as-a-service offerings have even appeared on the dark web, providing everything needed to attack a selected organization or person.

Attackers look for any way into a corporate network and any way to widen the reach of an attack. Thus, attempts to infect service provider networks have become a popular trend: since cloud services are only gaining popularity, infecting a popular service allows dozens or even hundreds of victims to be attacked at once.

If web-based security management or backup consoles are compromised, attackers can disable protection, delete backups and deploy their malware throughout the organization. This is why experts recommend carefully protecting all service accounts with multi-factor authentication. For example, all Acronis cloud services allow a second authentication factor to be set up, because if a password is compromised, attackers can negate all the benefits of a comprehensive cyber protection system.

Expanding the scope of the attack

Once the cherished goal is achieved and the malware is already inside the corporate network, fairly typical tactics are used for further spread. Attackers study the environment and seek to overcome the barriers the company has put in place to counter threats. This part of the attack can be carried out by hand (after all, once they are inside the network, the fish is on the hook). For this, well-known tools are used, such as PowerShell, WMI and PsExec, as well as the newer Cobalt Strike adversary emulation framework and other utilities. Some criminal groups purposefully attack password managers in order to penetrate deeper into the corporate network. And malware such as Ragnar has recently been seen deployed inside a private VirtualBox virtual machine image, which helps hide the presence of the rogue software on the host.

Having got into the corporate network, the malware tries to determine the user's access level and apply stolen passwords. Utilities such as Mimikatz and BloodHound help compromise domain administrator accounts. Only when the attacker considers the possibilities for spreading exhausted is the ransomware itself downloaded to the client systems.

Ransomware as a front

Given the seriousness of the threat of data loss, every year more companies implement a so-called disaster recovery plan. Thanks to this, they do not worry too much about encrypted data: in the event of a ransomware attack they do not start collecting a ransom but start the recovery process. But the attackers do not sleep. Massive data theft is taking place under the guise of ransomware. Maze was the first to use such tactics en masse back in 2019, although other groups periodically combined the two. Now at least Sodinokibi, Nefilim, Nemty, Netwalker, Ragnar, Pysa, DoppelPaymer, CLOP, AKO and Sekhmet are engaged in data theft in parallel with encryption.

Sometimes attackers manage to exfiltrate dozens of terabytes of data from a company, a volume that network monitoring tools could have detected (if they had been installed and configured). Indeed, most often the data is transferred simply using FTP, PuTTY, WinSCP or PowerShell scripts. To get past DLP and network monitoring systems, the data may be encrypted or sent as a password-protected archive, and this is a new challenge for security teams, which need to check outgoing traffic for such files.
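The paragraph above says outbound traffic has to be checked for encrypted payloads and password-protected archives. As an added example (not from the original article or from Acronis), the Python below labels an outbound file body for a DLP-style rule: it reads the ZIP encryption flag from the archive headers and falls back to a byte-entropy heuristic for opaque blobs. The sample archive and the high-entropy blob are constructed inline; the thresholds are assumptions to tune per environment.

```python
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

ZIP_LOCAL_SIG = b"PK\x03\x04"    # local file header signature
ZIP_CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature

def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry in a ZIP archive has the 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or well-compressed data, far lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_outbound(payload: bytes, entropy_threshold: float = 7.5, min_size: int = 4096) -> str:
    """Label an outbound file body (heuristic triage signal, not proof of exfiltration)."""
    if payload.startswith(ZIP_LOCAL_SIG) and zip_has_encrypted_entries(payload):
        return "password-protected-zip"
    if len(payload) >= min_size and shannon_entropy(payload) >= entropy_threshold:
        return "high-entropy"
    return "clear"

def make_fake_encrypted_zip() -> bytes:
    """Constructed sample: a plain ZIP whose headers are patched to claim encryption,
    as a password-protected archive would (the stdlib cannot write encrypted ZIPs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,name\n1,example\n" * 50)
    data = bytearray(buf.getvalue())
    # The general-purpose flag word sits at offset 6 in local headers and 8 in central ones.
    for sig, off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
            struct.pack_into("<H", data, pos + off, flags)
            pos = data.find(sig, pos + 4)
    return bytes(data)

def make_high_entropy_sample() -> bytes:
    """Constructed stand-in for an encrypted blob: 8 KiB of SHA-256 output."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
```

Legitimately compressed formats (images, ordinary ZIPs) also score high on entropy, so correlate a hit with transfer volume, destination and the sending account rather than treating it as a verdict.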

A study of infostealer behaviour shows that attackers do not grab everything indiscriminately: they are interested in financial reports, customer databases, personal data of employees and customers, contracts, records and legal documents. The malware scans drives looking for any information that could conceivably be used for blackmail.
If such an attack succeeds, the attackers usually publish a small teaser showing several documents as proof that the data has been leaked from the organization. Some groups publish the entire data set on their site once the ransom payment deadline has passed. To avoid takedowns and ensure wide reach, the data is also published on the Tor network.

Another way to monetize is to sell the data. For example, Sodinokibi recently announced open auctions where data goes to the highest bidder. The starting price of such auctions is $50-100K depending on the quality and content of the data. For example, a set of 10 cash flow records, sensitive business data and scanned driver's licenses sold for as low as $000, and $100 could buy more than 000 financial documents plus three databases of accounting files and customer data.

Sites that publish leaks vary widely. It can be a simple page where everything stolen is simply dumped, but there are also more elaborate structures with sections and the ability to buy. The main thing is that they all serve the same purpose: to increase the attackers' chances of getting real money. If this business model keeps producing results for attackers, there is no doubt that there will be even more such sites, and the techniques for stealing and monetizing corporate data will be developed further.

This is what actual sites that publish data leaks look like (the original post shows several screenshots of leak sites here; they are not reproduced).

What to do about the new attacks

The main challenge for security teams in these conditions is that more and more ransomware-related incidents are turning out to be merely a distraction from data theft. Attackers no longer rely solely on encrypting servers; on the contrary, the main goal is to organize a leak while you are busy fighting the ransomware.

Thus, using a backup system alone, even with a good recovery plan, is not enough to counter multi-layered threats. Of course you cannot do without backups either, because attackers will definitely try to encrypt something and demand a ransom. Rather, the point is that every ransomware attack should now be treated as a reason for a comprehensive analysis of traffic and the launch of an investigation into a possible wider attack. You should also think about additional security measures that could:

  • Quickly detect attacks and analyze atypical network activity using AI
  • Instantly restore systems in case of zero-day ransomware attacks so you can monitor network activity
  • Block the spread of classic malware and new types of attacks in the corporate network
  • Analyze software and systems (including remote access) for current vulnerabilities and exploits
  • Prevent the transfer of unidentified information outside the corporate perimeter


Source: habr.com
