Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes.
Attackers are using the noise of ransomware to their advantage as it provides the perfect cover to distract attention so they can take aim at their real target: exfiltrating IP, research, and other valuable data from the corporate network.
Two bites of the cherry
Although attacks involving million-dollar ransom demands attract headlines, the payout is no longer the sole financial incentive for attackers. The exfiltration of critical data is a key motivator that can be used to extort victims into paying even larger fees to recover assets.
Data, including intellectual property such as research and patents, is often targeted by organized groups or as part of corporate espionage. Stealing this information and then coercing a business into paying to get access to their network provides attackers with further rewards for planning and executing advanced, targeted attacks.
Ransomware is the perfect cover for a targeted data exfiltration attack. Security teams are well aware of the devastation an unchecked ransomware outbreak can cause. They will naturally focus all their efforts on containment and remediation to minimize disruption and get the business up and running.
However, once the infection has been taken care of and forensics are performed to investigate how the attack started, there can be signs that the infiltrators have been on the network for some time. The worst of the damage could well have been carried out in the weeks prior to the detonation of the ransomware itself.
For example, having triaged a ransomware attack for one organization, you investigated how the attack started and what other actions the threat actors might have carried out on the network. You discovered suspicious activity originating from a service account.
Attackers used the account to access and move large quantities of data into a temporary directory for exfiltration. By following the investigation to the source, it was clear this was more than a typical ransomware attack. This approach is fast becoming the norm rather than the exception.
Establishing persistence for leverage
By taking the time to really study their targets, find the weak spots in defenses, and conduct highly targeted campaigns, threat actors can inflict far greater damage on their victims. In a business model reminiscent of large software companies, threat actors can buy the exact tools that they need and tailor these to their target by purchasing modular add-ons.
Once they’ve established a foothold, the real value for threat actors lies in establishing and maintaining persistence on the network. The longer they’re able to remain in the system, the greater their potential for escalating privileges and gathering high-value data or IP. This, in turn, makes the conversion rate from any ransom demands much higher.
Their leverage is becomes greater the longer they can trawl the network for data, and organizations are more likely to pay this demand if they are threatened with an ultimatum that troves of highly sensitive corporate data are about to be made public.
While exploits continue to multiply, one of the most dangerous is still Emotet, which acts as a malware loader or dropper. Regarded by the CISA as “one of the most prevalent ongoing threats,” its indicators of compromise frequently change and it is very difficult for traditional security solutions to detect. The malspam campaigns that spread it often take advantage of a technique called “thread-jacking,” where a threat actor can intercept an email chain via an infected host and deliver the payload to a trusting victim.
Once a system is infected, Emotet enables threat actors to escalate privileges, move laterally, establish persistence and exfiltrate data, and upload other malicious programs such as Trickbot. Once they have captured and encrypted files, cybercriminals can then demand a ransom.
Defending against ransomware deceptions
Attackers are constantly creating new variants that evade detection by traditional signature-based approaches. To counteract these attacks, firms need to have defence in depth. This starts with preventing threat actors from infiltrating the network by defending against tactics such as phishing and malware campaigns through staff training, the use of strong passwords, 2FA, and patch management.
If a threat actor makes it onto the system, their potential for lateral movement is limited when organizations have deployed a least-privilege approach, where access to files and folders is limited based on job role or seniority.
Behavioral anomalies are a prime indicator that a threat actor could be on the network. This includes encrypting or downloading large amounts of data or user accounts trying to access restricted data. Successfully spotting such behaviour requires correlating data from many sources, including endpoint and network detection and response solutions.
Finally, to ensure they can recover quickly in the event of a ransomware attack, organizations must also have robust backups that they can rely on if their network does go down. With targeted ransomware attacks showing no signs of slowing next year, businesses need a connected system of detection capabilities to identify when a ransomware outbreak may just be an attempt to distract and disable companies while attackers escape with their most valuable data assets.