Monday, 16 August 2021 13:10

Ransomware mishaps: adversaries have their off days too

By Tilly Travers, Sophos

GUEST OPINION by Tilly Travers, Sophos: Even the most carefully planned ransomware attacks don’t always go according to plan.

Take, for instance, an advanced, human-led ransomware attack, where the intruders are often in the network for days, if not weeks, before releasing the ransomware payload. During this time they are moving through the network, compromising assets, installing new tools, deleting backups and removing data, among other things. At any stage the attack could be detected and blocked by defenders.

This can put pressure on the hands-on-keyboard operators controlling the attack. They may have to change tactics mid-deployment or relaunch the ransomware for a second attempt, if the first one fails. Pressure can lead to oversights or errors.

“Ransomware adversaries can appear fearsome to defenders who are facing the direct impact of an attack,” said Peter Mackenzie, manager of Sophos Rapid Response. “Ransomware attackers don’t hesitate to exploit this, with threatening and aggressive behavior and ransom demands. But it helps to remember that adversaries are human too, and as capable of making mistakes as everyone else.”

Here are the top five ransomware adversary mishaps Sophos Rapid Response incident responders recently spotted during investigations.

  1. The Avaddon ransomware attackers whose victim asked them to leak their stolen data because they were having trouble restoring some of the files. The attackers carried on making the standard threat to publish the data if the victim didn’t cooperate. The victim didn’t, the attackers leaked the data, and the victim got back the information they wanted as a result.
  2. The Maze ransomware attackers who exfiltrated a stack of victim files only to discover they were unreadable because they’d been encrypted by DoppelPaymer ransomware a week earlier.
  3. The Conti ransomware attackers who encrypted their own newly installed backdoor. The attackers had installed AnyDesk on an infected machine to provide remote access and then launched ransomware that encrypted everything on the machine, including AnyDesk.
  4. The Mount Locker ransomware attackers who couldn’t understand why a victim refused to pay up after they leaked a sample of their information, not realizing they’d published information belonging to another, unknown company.
  5. The attackers who left behind the configuration files for the FTP server they were using for data exfiltration, allowing the victim to log in and delete all the stolen data.

“The adversary mishaps we spotted are evidence of how crowded and commoditized the ransomware landscape has become,” said Mackenzie. “As a result of these trends, you can find several attackers targeting the same potential victim. If you add in defensive pressure from security software and incident responders, it’s understandable that adversaries will make mistakes.

“Everything an attacker needs to put together and deploy a ransomware attack is probably available as a paid service somewhere on the dark web, from Initial Access Brokers selling access to verified targets to Ransomware-as-a-Service (RaaS) offerings that rent out ransomware executables and infrastructure. Even high-profile ransomware families looking to make millions of dollars in ransom payments use access brokers for victim access. And access to the most valuable targets or those organizations that have shown a willingness to pay the ransom, may well be resold several times over, leading to multiple threat actors attempting to breach the same network.

“There is also a tendency for ransomware families to appear and then reportedly disappear. In 2021 alone, we have allegedly lost REvil and Avaddon, among others, with the operators behind them likely joining other groups or relaunching under a new ‘brand,’ possibly taking their collection of compromised creds with them.” 

What defenders can do

Knowing that ransomware adversaries make mistakes doesn’t mean defenders should relax best practices. In some ways cybersecurity is even more critical, because certain attacker errors can increase risk: poor encryption coding, for example, can lead to decryption keys that don’t work.

Below are proactive steps to take to enhance IT security, including:

  • Monitor network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch
  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If users need access to RDP, put it behind a VPN or zero-trust network access connection and enforce the use of Multi-Factor Authentication (MFA)
  • Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
  • Keep regular backups of the most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline, and test the ability to perform a restore
  • Prevent attackers from getting access to and disabling security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and Role-Based Administration to limit access rights
  • Remember, there is no single silver bullet for protection, and a layered, defense-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
  • Have an effective incident response plan in place and update it as needed. Turn to external experts to monitor threats or to respond to emergency incidents for additional help, if needed
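The monitoring step above, together with the attacker behaviours described earlier in the article (new remote-access tools such as AnyDesk being installed, backups being deleted, stolen data leaving over FTP), can be turned into a simple correlation check that flags a host showing several of those behaviours close together. The following is an added example, not Sophos’s code or anything from the article; the log format, the field names, the one-gigabyte FTP threshold and the list of remote-access tool names are assumptions, and the log lines are constructed for illustration.

```python
"""Correlate the pre-ransomware behaviours named in the article across
constructed log lines: a remote-access tool such as AnyDesk being launched,
backups being deleted, and bulk data leaving over FTP. Log format, field
names and thresholds are assumptions for this example, not a real product's."""
import re
from collections import defaultdict

# Constructed sample log: one 'ts key=value ...' record per line. Not real data.
SAMPLE_LOG = r"""
2021-08-10T02:14:07 host=FS01 type=process user=svc_backup image=C:\Windows\System32\svchost.exe
2021-08-10T02:31:55 host=FS01 type=process user=admin image=C:\Users\admin\Downloads\AnyDesk.exe cmd="AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"
2021-08-10T02:40:12 host=FS01 type=backup user=admin event=catalog_deleted target=nightly-full
2021-08-10T03:05:44 host=FS01 type=netflow dst=203.0.113.7 dport=21 proto=tcp bytes_out=48219000000
2021-08-10T03:06:01 host=WS22 type=netflow dst=198.51.100.2 dport=443 proto=tcp bytes_out=51200
2021-08-10T03:10:30 host=WS22 type=process user=jsmith image=C:\Users\jsmith\AppData\Local\AnyDesk\AnyDesk.exe
"""

# Tool names to watch for; AnyDesk is the one the article names (list is an assumption).
REMOTE_ADMIN_TOOLS = ("anydesk",)
# Assumed threshold: a single outbound FTP flow of 1 GB or more counts as bulk.
FTP_BULK_BYTES = 1_000_000_000

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'ts key=value key="quoted value" ...' into a dict; timestamp is under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def indicators(ev):
    """Yield the indicator names that one parsed event matches."""
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        if any(tool in image for tool in REMOTE_ADMIN_TOOLS):
            yield "remote-access tool launched"
    elif kind == "backup" and ev.get("event") in ("catalog_deleted", "job_deleted"):
        yield "backup deleted"
    elif kind == "netflow" and ev.get("dport") == "21" \
            and int(ev.get("bytes_out", "0")) >= FTP_BULK_BYTES:
        yield "bulk outbound FTP transfer"


def findings(log_text):
    """Return every (timestamp, host, indicator) hit in the log, in log order."""
    out = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for name in indicators(ev):
            out.append((ev["ts"], ev["host"], name))
    return out


def triage(log_text, min_indicators=2):
    """Return {host: sorted indicators} for hosts with at least min_indicators
    distinct behaviours: one hit is a review item, several together on one
    host look like hands-on-keyboard activity that needs an immediate response."""
    per_host = defaultdict(set)
    for _, host, name in findings(log_text):
        per_host[host].add(name)
    return {h: sorted(names) for h, names in per_host.items()
            if len(names) >= min_indicators}


if __name__ == "__main__":
    for ts, host, name in findings(SAMPLE_LOG):
        print(f"{ts} {host}: {name}")
    print("hosts needing immediate triage:", triage(SAMPLE_LOG))
```

Run on the constructed log, the single AnyDesk launch on WS22 stays below the correlation threshold and is left for routine review, while FS01, which shows all three behaviours within an hour, is surfaced for immediate response. The tool list and byte threshold need tuning to the environment, and a host that deletes its backups is worth attention even on its own; the RDP, VPN and MFA step above is what reduces how often such sessions begin in the first place.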

Further information on attacker behaviors, real-world incident reports and advice for security operations professionals is available on Sophos News SecOps.

Tactics, techniques and procedures (TTPs), and more, for different types of ransomware are available on SophosLab Uncut, the home of Sophos’ latest threat intelligence.
