Detect and prevent the key as ransomware attackers up the ante

Posted by HSSL Systems Integrators on Mar 19th 2020

The threat landscape is a volatile place. Just when you think you know where you are, a new development forces a rethink. That means security plans must always be flexible enough to adapt to changing circumstances. We’ve seen this over recent months with an evolution in the way ransomware attackers do business. By stealing data before they encrypt it, there’s now extra leverage to force payments: it’s a risk that back-ups alone can’t mitigate.

Worse, attackers are increasingly happy to go after smaller organisations, as the latest raid on SpaceX contractor Visser Precision reveals. This makes it more important than ever that firms detect and block attacks up front.

From Maze to DoppelPaymer

For the past year or more, we’ve seen hackers shifting their attention away from consumers and towards businesses and public sector organisations. This has been matched by a more targeted approach, often including more sophisticated techniques such as lateral movement and “living off the land” to maximise the damage caused before IT security teams can react. The escalation to include data theft ahead of the encryption process can be seen in this context.

The first group to do this was Maze, at the end of 2019. We’ve seen a string of incidents where those unwilling to pay were listed on a dedicated website where data was leaked bit by bit. Some organisations paid up to get their name off the list, which is never advised. And one firm even sought a court order to get the site itself taken down. Sure enough, it popped up on another domain soon after.

Maze has struck a wide range of organisations, including several law firms, French construction giant Bouygues and the local government of Pensacola City in the US. Unfortunately, other ransomware groups have followed its lead. Cyber-criminals using Sodinokibi (REvil), Snatch, Nemty, and DoppelPaymer have also begun publishing data from ransomware victims who don’t pay up.

The DoppelPaymer attack on Visser Precision showed the potential impact such attacks could have. It exposed NDAs with partners including defence contractor Boeing, Tesla and SpaceX, as well as schematic diagrams for a missile antenna that appears to be Lockheed Martin IP. By going after smaller, perhaps less well defended organisations in sensitive supply chains like defence and space, the hackers could drive ransom demands even higher.

How are they getting in?

The good news for now is that the same tried-and-tested methods appear to be the most commonly used to breach organisations’ defences. This means social engineering via malware-laden phishing emails, or targeting of Remote Desktop Protocol (RDP) clients through brute force attacks. Sometimes drive-by malware downloads or malicious advertising (malvertising) are used.
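Because RDP brute forcing is one of the entry routes named above, a defender's first detection is usually a simple one: count failed RDP logons per source address within a short window, and raise the priority if a successful logon from the same address follows the burst. The script below is an added illustration of that logic and is not from the original post or from HSSL Systems Integrators. It assumes Windows Security log events have been exported into a simplified one-line-per-event form (timestamp, Event ID, logon type, source IP, target account); the sample records are constructed for the example. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security log events (not real data).
# Fields: timestamp, EventID (4625 = failed logon, 4624 = successful logon),
# LogonType (10 = RemoteInteractive/RDP, 3 = network), source IP, target account.
SAMPLE_EVENTS = """\
2020-03-18T09:00:01 4625 10 198.51.100.23 administrator
2020-03-18T09:00:04 4625 10 198.51.100.23 admin
2020-03-18T09:00:09 4625 10 198.51.100.23 root
2020-03-18T09:00:15 4625 10 198.51.100.23 guest
2020-03-18T09:00:22 4625 10 198.51.100.23 backup
2020-03-18T09:00:30 4625 10 198.51.100.23 jsmith
2020-03-18T09:00:41 4625 10 198.51.100.23 jsmith
2020-03-18T09:01:02 4624 10 198.51.100.23 jsmith
2020-03-18T09:05:10 4625 10 203.0.113.7 alee
2020-03-18T09:05:20 4624 10 203.0.113.7 alee
2020-03-18T09:10:00 4625 3 192.0.2.44 svc_scan
2020-03-18T09:10:01 4625 3 192.0.2.44 svc_scan
2020-03-18T09:10:02 4625 3 192.0.2.44 svc_scan
2020-03-18T09:10:03 4625 3 192.0.2.44 svc_scan
2020-03-18T09:10:04 4625 3 192.0.2.44 svc_scan
2020-03-18T09:10:05 4625 3 192.0.2.44 svc_scan
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Assumed tuning values: five failures within five minutes from one address.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the simplified export into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for addresses exceeding the failure threshold.

    Each alert records the largest number of failures seen inside one window,
    the distinct accounts tried, and whether a successful RDP logon from the
    same address followed the burst (the case an analyst should handle first).
    """
    recent = defaultdict(deque)  # per-IP sliding window of failed logons
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are in scope for this rule
        q = recent[e["ip"]]
        if e["event_id"] == FAILED_LOGON:
            q.append(e)
            while q and e["ts"] - q[0]["ts"] > window:
                q.popleft()  # expire failures older than the window
            if len(q) >= threshold:
                alert = alerts.setdefault(e["ip"], {
                    "first_seen": q[0]["ts"],
                    "failures": 0,
                    "accounts": set(),
                    "success_after": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(x["user"] for x in q)
        elif e["event_id"] == SUCCESSFUL_LOGON and e["ip"] in alerts:
            alerts[e["ip"]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        severity = "HIGH (logon succeeded after burst)" if alert["success_after"] else "MEDIUM"
        print(f"{ip}: {alert['failures']} RDP failures from {alert['first_seen']}, "
              f"accounts tried: {sorted(alert['accounts'])} -> {severity}")
```

In the sample, only 198.51.100.23 trips the rule: the two failures from 203.0.113.7 look like an ordinary mistyped password, and the burst from 192.0.2.44 is filtered out because it is network logon type 3 rather than RDP. Exposing RDP to the internet at all is the underlying risk; this rule is a detection backstop, not a substitute for putting RDP behind a VPN or gateway with multi-factor authentication.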

In one notable case, that of UK-based foreign exchange company Travelex, it appears that an unpatched vulnerability in a VPN product, known about for months, was exploited.