Modern Security Solutions For Evolving Ransomware Attacks

Based on a recent survey conducted by the folks at Titaniam, a solid majority of organizations have robust security tools in place. Yet nearly 40 percent of them have fallen victim to a ransomware attack in the past year.

How can this be?  With conventional tools in place, how can this still be happening?

The answer to that question is complex. Ransomware attacks ultimately have three different phases.  Each phase must be protected against and in each case, the type of protection needed varies.  Let’s start by taking a closer look at the anatomy of a typical ransomware attack. They always begin the same way: Infiltration.

To do anything to your company’s network, the hackers first must gain access to your network.  Thus, your first line of defense is to keep that from happening.

The good news is that most companies have robust tools that are specifically designed to block unauthorized intruders.  The bad news is that hackers can get around those tools entirely by stealing an employee’s login credentials. That is how many of these types of attacks occur. Once inside, the hackers proceed with data exfiltration.  Wholesale copying sensitive data and uploading it to a command-and-control server operated by the hackers.

From the perspective of the hackers, this is where the payday is.  They know all too well that companies will pay handsomely to keep proprietary data from being leaked to the broader public, and hackers are only too happy to take full advantage of that fact.

This is where many companies are weak.  To protect against data exfiltration, companies need to invest in three different types of encryptions.  Encryption at rest, encryption in transit, and encryption in use. Most companies invest in one.  A solid minority invest in two, but very few invest in all three. That creates a window of opportunity for the attacker.

Finally, the third stage is wholesale file locking. This is exactly like what you think it is.  All the files that the malicious code can get to will be locked and encrypted.  If you want them back, you must pay.  Assuming you don’t have a recent backup, of course. Even if you do have a backup, you’ll pay in the form of downtime while you’re restoring those files.

Understanding exactly how a ransomware attack is put together and how it functions is key to designing a security routine that will defeat it, preventing the attackers from ever gaining a foothold on your network.

Microsoft Believes AI Can Help Prevent Ransomware In The Future

Recently, Microsoft published a fascinating blog post. In the blog post, they said they were experimenting with “novel approaches” when it comes to harnessing the power of AI to spot threats on the threat landscape before they become a problem.

In particular, the company is focused on stopping ransomware attacks while they’re still in their earliest stages.

To get even more fine-grained than that, they are specifically targeting human-operated ransomware campaigns. They note that there are certain indicators in common where human-operated ransomware campaigns are concerned, and these commonalities can be used to stop future attacks.

The example that Microsoft gives in their blog post is that of a hacker who has stolen the network credentials of a company.  They will first log in to test those credentials, and once inside, will almost certainly move about inside the network in ways that the proper owner of those credentials would not.

This creates specific data points that the AI can be on the alert for.

Broadly speaking, these fall into three categories:  Time based, Graph based, and device-based.

An example of a time-based data point would be if the hacker logged in to test the credentials at 3:00 in the morning and the owner of those credentials historically logs in at 8am.

Graph-based patterns are the graphical representation of physical moves across a network space, plotted against expected moves.

And device-based data points are exactly what they sound like.  The AI would expect that the owner of the stolen credentials would log in from his or her workstation and not a laptop hidden behind layers of proxies, which is suspicious in and of itself.

It’s a great idea, though Microsoft is quick to point out that it is still very much in its infancy.  Even so, it’s easy to see how this could become an indispensable tool.

Ransomware Hackers Have Set Their Sights On Exchange Servers

Microsoft Exchange servers are once more in the crosshairs of hackers around the world.  Most recently, hacking groups have been specifically targeting them to deploy BlackCat ransomware.

As is common among ransomware attacks, the hackers here first rifle through an infected network, looking for login credentials, proprietary information, and other sensitive files that they can copy and exfiltrate.  They exploit a target organization in two ways. They ultimately encrypt a target’s files and demand payment to unlock them and then ransom the copied files for additional payment.

This should be regarded as a serious threat.  Although Microsoft tries gamely to keep Exchange servers secure, there are several vulnerabilities in the code. An organization that doesn’t apply security patches as soon as they are available is incredibly vulnerable to these attacks.

It’s a sufficiently significant threat that in April, the FBI issued a Flash Alert about BlackCat, warning that the recent surge in attacks have compromised more than sixty different organizations worldwide.

Their alert reads, in part as follows:

“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”

The FBI has also requested the assistance of any organization that becomes compromised so they can track the attacks back to their source and take action against them.

Again, per the recent FBI Flash Alert, the specific information they’re looking for is as follows:

“IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

Here’s hoping your organization doesn’t wind up in the crosshairs of the hackers. If you happen to, give the FBI a hand so they can shut these miscreants down.

Hackers Are Teaming Up To Wreak Havoc On Corporate Users

It’s never a good thing when well-organized groups of hackers start working together, but that’s what appears to be happening.

Recently, evidence has emerged that the Black Basta ransomware gang has begun tight-knit cooperation with the infamous QBot malware operation. They share the specific goal of inflicting maximum damage on corporate targets.

While many different groups make use of QBot for initial infection, Black Basta’s use is somewhat different. The group is leveraging it to spread laterally through a network once they have infected it.

The partnership stands to be devastatingly effective.  Black Basta’s ransomware paired with QBot’s penchant for stealing banking credentials and injecting additional malicious payloads could easily deliver a one-two punch that would be very difficult for a company to recover from.

The bad news here is that QBot (also known as QakBot) can move quickly once inside a compromised network.

Fortunately, the way Black Basta is leveraging QBot, there is a window of opportunity between the time that QBot is moving laterally and the actual ransomware infection. So diligent IT Security professionals may be able to stop QBot’s spread before the ransomware payload is deployed.

That’s good in theory but the sad truth is that many companies won’t move quickly enough to stop the ransomware attack, which will leave them crippled from that and see their banking credentials compromised to boot.

Exactly how effective this new partnership will be remains to be seen, but both QBot and Black Basta have made names for themselves as fearsome hacking groups. Black Basta has been breaching dozens of networks over the course of their relatively short existence and QBot has made a name for themselves over a much longer period.

In any case, this is a dangerous combination and you will want to be on the alert for both groups and the ransomware they are deploying.  The hackers represent genuine threats, whether operating on their own or in tandem.

Intel Users Should Update Firmware To Avoid This Ransomware

Not long ago, researchers at Eclypsium got a lucky break.  An unknown and unidentified individual began leaking communications from inside the Conti ransomware organization.

These leaked communications seemed to confirm what has long been suspected:  That there are strong ties between the Conti gang and Russia’s FSB (military intelligence).

This sounds like something right out of a spy movie, but it’s not.  The leaked messages indicate that several members of the Conti gang have been actively working on developing a new attack vector that specifically targets Intel firmware, allowing Conti to launch its ransomware attack.  Some of the black hat developers even got as far as to develop a working proof of concept for others to review.

Firmware attacks are fairly rare, but they do happen.  To pull it off, the attacker would first need to access the system via a conventional in-road.  For example, a phishing email where the victim would unwittingly give the hackers access, or perhaps by exploiting some other known vulnerability.

In one particularly exotic scenario, they could even make this attack work without prior access. They can do this by leveraging Intel’s Management Engine to force the target machine to reboot, then supply virtual media to draw from on the reboot.

It’s unlikely and would take a tremendous amount of skill, but Conti has shown in recent months that they have the expertise to pull something like that off.

Fortunately, word of the new attack vector has gotten out, the details have made their way to Intel, and Intel has updated their firmware.

If you’re using an Intel machine, you should grab the latest update as soon as possible.  Conti is a well-known, notorious gang with ties to Russia.  You don’t want your company in their crosshairs, so do everything you can do minimize that risk.