CYBEREASON: FIVE OF THE MOST DANGEROUS RANSOMOPS ATTACKS

BRANDON ROCHAT

Ransomware gangs have really upped their game in the last few years, generating billions in paid ransoms from public and private sector organisations. The gangs have increased attacks on critical infrastructure operators, hospitals, manufacturing companies and pharma companies. Ransom demand amounts have gone up as well, with victims such as CNA Financial paying out a record $40 million.

So, is this still just the same old ransomware we are talking about? Well, sort of. Once the niche of spray-and-pay spam and drive-by campaigns, you’re now more likely to find ransomware tacked on to the tail end of a highly crafted attack sequence we define as RansomOps: ransomware in its most pernicious, pervasive and professional form.

RansomOps are less like the old “spray and pay” methods and a lot more like stealthy nation-state APTs. What sets them apart is their technical sophistication, data exfiltration for double extortion, specialised players and attraction to big-name targets.

RansomOps purveyors often leverage the stolen data by threatening to leak it publicly in order to further pressure victims into paying, and when they’re asked to pay, it’s usually an astronomical demand. “Ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model ...with an increasing level of innovation and technical sophistication,” according to a recent report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy.

Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape and the publicised RansomOps attacks thus far, you can see why.

THE FIVE MOST ADVANCED RANSOMOPS ATTACKERS

Black Basta Ransomware Gang

The Black Basta gang emerged in April 2022 and has victimised nearly 50 companies in the United States, United Kingdom, Australia, New Zealand and Canada. Organisations in English-speaking countries appear to be targets. Cybereason assesses the threat level of Black Basta attacks against global organisations as HIGHLY SEVERE.


Since Black Basta is relatively new, not a lot is known about the group. And due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil, the two most profitable ransomware gangs since 2021.

BlackCat Ransomware Gang

Cybereason researchers have been tracking BlackCat since its emergence in 2021.

Having attacked the “telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries” in at least six countries, it was called 2021’s most sophisticated ransomware. Interestingly, it is built in Rust (an unusual language for ransomware) and is not above triple-extortion techniques. Believed to be a descendant of BlackMatter and targeting no fewer than 60 organisations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert.

Conti Ransomware Gang

The Conti ransomware group has caused a great deal of damage in a relatively short period of time, making headlines around the world.

It didn’t come from nowhere, though. Ransomware gangs constantly shift and evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware. The FBI released an alert around Conti in February of this year, warning that “attacks against U.S. and international organisations have risen to more than 1,000.” This prodigious gang is known for not only infecting machines, but spreading through the network via SMB and encrypting remote files as well.

NetWalker Ransomware Gang

Raking in over $25 million since 2020, NetWalker earned a global remediation attempt by the US Department of Justice. Per court papers, the group operates a “so-called ransomware-as-a-service model,” or RaaS, in which developers write the malicious code, affiliates find and attack victims, and the two parties split the proceeds. According to the Cybereason threat research team Nocturnus, “NetWalker encrypts shared network drives of adjacent machines on the network” and presents a HIGH threat, already having been “employed in attacks across a variety of industries around the world.”

DarkSide Ransomware Gang

The DarkSide gang was responsible for the infamous 2021 Colonial Pipeline attack that boldly targeted America’s critical national infrastructure and disrupted the East Coast oil supply for several days. Believed to be “likely former affiliates of the REvil RaaS [ransomware-as-a-service] group,” DarkSide came under so much pressure from the U.S. government after the attack that the group disbanded, with members forming new gangs or joining other gangs such as Black Basta, LockBit, BlackCat and others.

DarkSide targeted organisations in English-speaking countries while avoiding those in former Soviet Bloc nations. The gang appeared to have a code of conduct that prohibited attacks against hospitals, hospices, schools, universities, non-profit organisations and government agencies.

DEFENDING AGAINST RANSOMWARE

It is possible for organisations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can block suspicious emails that carry malicious links or attached documents with malicious macros. The installation stage gives security teams the opportunity to detect files that attempt to create new registry values and to spot suspicious activity on endpoint devices.

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, and investigate network mapping and discovery attempts launched from unexpected accounts and devices.
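As an added illustration (not Cybereason’s code or the article’s), the stage-by-stage detections described above written as simple triage logic over constructed endpoint and network events; the C2 blocklist, the list of accounts expected to run discovery tooling and the sample events are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs (assumptions, not the article's): the blocklist uses a documentation IP range.
KNOWN_BAD_C2 = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_DISCOVERY_ACCOUNTS = {"svc-inventory"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
DISCOVERY_CMDS = ("net view", "nltest", "net group")
STAGE_ORDER = ("delivery", "installation", "command_and_control", "discovery")

def classify(event):
    """Map one telemetry event to the RansomOps stage it indicates, or None if benign."""
    kind = event["type"]
    if kind == "email":
        attachment = event.get("attachment", "").lower()
        if event.get("link_on_blocklist") or attachment.endswith(MACRO_EXTENSIONS):
            return "delivery"  # malicious link or macro-bearing document
    elif kind == "registry_set":
        if "\\currentversion\\run" in event["key"].lower():  # new Run/RunOnce value = persistence
            return "installation"
    elif kind == "net_connect":
        dst = ipaddress.ip_address(event["dst"])
        if any(dst in net for net in KNOWN_BAD_C2):
            return "command_and_control"
    elif kind == "process":
        unexpected = event["user"] not in EXPECTED_DISCOVERY_ACCOUNTS
        if event["cmdline"].lower().startswith(DISCOVERY_CMDS) and unexpected:
            return "discovery"  # network mapping from an unexpected account
    return None

def triage(events):
    """Group event ids by detected stage so responders see the whole chain, not one alert."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[stage].append(ev["id"])
    return dict(hits)

def earliest_stage(events):
    """First stage at which the intrusion was detectable (None if nothing fired)."""
    seen = triage(events)
    return next((s for s in STAGE_ORDER if s in seen), None)

# Constructed sample telemetry: one true positive and one benign event per stage.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "email", "attachment": "invoice.docm"},
    {"id": "e2", "type": "email", "attachment": "report.pdf"},
    {"id": "r1", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"id": "r2", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Options"},
    {"id": "n1", "type": "net_connect", "dst": "203.0.113.45"},
    {"id": "n2", "type": "net_connect", "dst": "198.51.100.7"},
    {"id": "p1", "type": "process", "user": "jdoe", "cmdline": "net view /domain"},
    {"id": "p2", "type": "process", "user": "svc-inventory", "cmdline": "net view /domain"},
]
```

Running `triage(SAMPLE_EVENTS)` flags exactly one event per stage, and `earliest_stage` shows the chain was already visible at delivery, long before any payload.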

Prevention always costs less than the cure, and that is particularly applicable when it comes to ransomware.


An effective ransomware prevention plan includes actions like:

• Following Security Hygiene Best Practices: This includes timely patch management and ensuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.

• Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs and custom malware.

• Deploying Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs or the ransomware payload can be delivered.

• Assuring Key Players Can Be Reached: Responders should be available at any time of day, as critical mitigation efforts can be delayed during weekend and holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.

• Conducting Periodic Tabletop Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support and other departments, all the way up to the executive team, for smooth incident response.

• Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc.

• Evaluating Managed Security Services Provider Options: If your security organisation has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.

• Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to domain-admin level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in Active Directory that are used only when other operational accounts are temporarily disabled as a precaution or are inaccessible during a ransomware attack. For more information on weekend and holiday ransomware threats, refer to another study, Organisations at Risk: Ransomware Attackers Don’t Take Holidays.

Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months’ worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organisation.


BY BRANDON ROCHAT, CYBEREASON SALES DIRECTOR OF AFRICA
