Ransomware attacks have become a trend in the malware world, and they are a goldmine for their operators. The usual modus operandi was to gain initial access, steal credentials in order to perform internal reconnaissance and lateral movement, and then deploy ransomware to encrypt valuable company data. If the victim had ineffective backup and disaster recovery policies, there was a high probability that it would pay the ransom in order to obtain the decryption key.
Common sense would suggest that the attackers would leave the network right after deploying the ransomware in order not to get caught. But recent cases involving operators of Maze ransomware have proven otherwise. It is nothing new that, after the initial infection, ransomware operators steal data from their victims as a backup plan in case the victim is hesitant to pay the ransom. If the victim does not pay, the gang threatens to publish sensitive or personally identifiable information online, exposing the victim to possible large fines from regulators, or to sell the data on the black market.
According to The Infogram published by the EMR-ISAC on June 25, 2020, Maze operators took this to the next level by exposing a victim’s internal reports on its own ongoing ransomware attack. This shows that the operators maintained a presence in the victim’s network while the attack was being investigated and contained: they were able to spy on the victim’s communications and monitor its incident response efforts.
LIFARS is offering a new and innovative service for victims of ransomware attacks: find out whether your infrastructure is still controlled by adversaries after you have contained the immediate ransomware threat.
Experience shows that even after successful containment and eradication of ransomware, operators of Ryuk, Maze and other ransomware strains remain hidden in the network, preparing for re-infection, re-deployment or data theft. There is therefore a growing need to detect this threat after the immediate ransomware incident has been handled.
The presence of the adversary can be detected in several ways. The victim should perform in-depth log analysis to detect Indicators of Compromise (IoCs) and behavioral patterns in the infrastructure, mainly on domain controllers, firewalls, and security devices. In addition, endpoint and network threat hunting are required to search for evidence of the attackers’ Tactics, Techniques, and Procedures (TTPs) and IoCs. To detect signs of compromise, the victim should also employ threat intelligence and dark web threat hunting, performing targeted clear and dark web searches to uncover possible data leaks.
Ransomware is here to stay, and its operators are getting better and bolder. If it is not in your risk register, it is probably time to revise it. There are some preventive measures that can be implemented.
One such control is “Controlled folder access”, a security feature that comes as part of Windows Defender Exploit Guard. In addition, strong incident response capabilities coupled with business continuity and disaster recovery plans, including backups, can save you a lot of stress. Performing exercises brings confidence and peace of mind, knowing that everyone is aware of their role during such a crisis.
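As an added example (not code from the LIFARS post), the following PowerShell rolls out Controlled folder access on a host running Microsoft Defender Antivirus, starting in audit mode so that legitimate applications can be allow-listed before enforcement; the folder and application paths are placeholders.

```powershell
# Added example: stage Controlled folder access from audit mode to enforcement.
# Assumes Microsoft Defender Antivirus is the active AV (the Defender cmdlets ship with it)
# and that this runs in an elevated PowerShell session.

# 1. Start in audit mode: nothing is blocked, but would-be blocks are logged,
#    so line-of-business apps that write to protected folders can be identified first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders beyond the defaults (Documents, Pictures, ...).
#    Placeholder paths: replace with the shares that hold valuable company data.
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance", "\\fileserver\shares\HR"

# 3. Allow trusted applications that legitimately modify protected folders (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\ExampleERP\erp.exe"

# 4. Review what audit mode would have blocked before switching to enforcement.
#    Event ID 1124 = audited (would have been blocked), 1123 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Once the allow list covers every legitimate writer, enforce blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Verify the effective configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Leave step 5 until the 1124 events stop showing legitimate software, otherwise enforcement will break the same business processes the control is meant to protect.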