
Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for its hands-on-keyboard intrusion style: the operators use manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating file encryption.

This ransomware group did not stop attacking healthcare organizations despite the Coronavirus pandemic in 2020, as made clear by its recent attack against Universal Health Services (UHS). In this blog, we share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common way for Ryuk threat actors to gain entry to a victim’s environment has been through the TrickBot and Emotet malware, often starting with a phishing attack. In the case of the UHS attack, both Emotet and TrickBot were detected within UHS’ environment.

The attack chain often starts with Emotet delivered to a victim host via phishing email; Emotet then downloads TrickBot onto the host. After harvesting data, TrickBot opens a reverse shell that gives the Ryuk operators access to the victim’s environment, from which they manually deploy the ransomware.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and TrickBot is capable of disabling Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Figure 1 – An example of commands in Ryuk ransomware

According to another UHS employee, one of the infected computers displayed a ransom note reading “Shadow of the Universe”, which resembles the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. File names were observed being appended with the “.ryk” extension, which Ryuk uses after successfully encrypting a file.

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, Ryuk attacks that involve TrickBot and Emotet share a number of common activities and IOCs:

  • Phishing emails carrying Microsoft Office attachments (.doc, .xls, etc.) with malicious macros
  • PowerShell commands executed by those macros
  • Download of post-exploitation tooling such as PowerShell Empire, Cobalt Strike and PsExec
  • Exploitation of the EternalBlue SMB vulnerability (MS17-010) over TCP port 445
  • Unusual scheduled tasks and registry keys created for persistence
  • Recurring traffic to TrickBot C2 servers over ports such as 446, 447, 449 and 8082
  • Privilege escalation
  • Files renamed with the “.ryk” extension
  • Ransom notes named “RyukReadMe.txt” or “RyukReadMe.html”
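The IOC list above is only useful if it is turned into something that runs over telemetry. The Python below is an added example, not code from the original post or from Proficio: it triages a constructed set of endpoint events (process creations, network connections and file writes) against those indicators. The host names, IP addresses, command lines and the beacon and SMB fan-out thresholds are assumptions chosen to illustrate the chain; the C2 ports and ransom-note names are taken from the list above.

```python
"""Triage constructed endpoint telemetry against the Ryuk/TrickBot/Emotet
indicators listed above.  Added example; not code from the original post.
Host names, addresses and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe"}
TRICKBOT_C2_PORTS = {446, 447, 449, 8082}          # ports named in the IOC list
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
# PowerShell download / encoded-command tokens typical of macro stagers
DOWNLOAD_RE = re.compile(
    r"downloadstring|invoke-webrequest|\biwr\b|bitsadmin|-enc(odedcommand)?\b", re.I)


def triage(events, beacon_threshold=3, smb_fanout_threshold=5):
    """Return (indicator, host, detail) tuples for events matching the IOC list.

    Single events (macro-spawned shell, PsExec, .ryk files, ransom notes) are
    flagged directly; C2 beaconing and SMB fan-out are counted first so that a
    lone connection does not raise an alert."""
    findings = []
    beacons = Counter()                 # (host, dst, port) -> connection count
    smb_peers = defaultdict(set)        # host -> peers contacted on TCP/445
    for e in events:
        host = e["host"]
        if e["type"] == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            cmd = e.get("cmdline", "")
            if parent in OFFICE_PARENTS and image in SHELLS:
                findings.append(("macro-spawned-shell", host, f"{parent} -> {image}"))
            if image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
                findings.append(("powershell-download", host, cmd))
            if image in REMOTE_EXEC_TOOLS:
                findings.append(("psexec-use", host, cmd))
            if image == "schtasks.exe" and "/create" in cmd.lower():
                findings.append(("scheduled-task-created", host, cmd))
        elif e["type"] == "network":
            if e["dport"] in TRICKBOT_C2_PORTS:
                beacons[(host, e["dst"], e["dport"])] += 1
            if e["dport"] == 445:
                smb_peers[host].add(e["dst"])
        elif e["type"] == "file":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".ryk"):
                findings.append(("ryuk-extension", host, e["path"]))
            if name in RANSOM_NOTES:
                findings.append(("ryuk-ransom-note", host, e["path"]))
    for (host, dst, port), n in beacons.items():
        if n >= beacon_threshold:
            findings.append(("trickbot-c2-beacon", host, f"{n} connections to {dst}:{port}"))
    for host, peers in smb_peers.items():
        if len(peers) >= smb_fanout_threshold:
            findings.append(("smb-fanout", host, f"{len(peers)} peers on TCP/445"))
    return findings


# Constructed sample telemetry (not real data): one workstation running the
# Emotet -> TrickBot -> Ryuk chain against a file server, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "process", "host": "WS01", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe"},
    {"type": "process", "host": "WS01", "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\FS01 -accepteula -s cmd /c C:\Users\Public\x.exe"},
    {"type": "process", "host": "WS01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Update /tr C:\Users\Public\x.exe /sc onlogon"},
    {"type": "network", "host": "WS01", "dst": "198.51.100.5", "dport": 443},
    {"type": "file", "host": "FS01", "path": r"D:\Shares\Finance\budget.xlsx.ryk"},
    {"type": "file", "host": "FS01", "path": r"D:\Shares\Finance\RyukReadMe.html"},
]
SAMPLE_EVENTS += [{"type": "network", "host": "WS01", "dst": "203.0.113.10", "dport": 447}
                  for _ in range(3)]
SAMPLE_EVENTS += [{"type": "network", "host": "WS01", "dst": f"10.0.0.{i}", "dport": 445}
                  for i in range(10, 16)]

if __name__ == "__main__":
    for indicator, host, detail in triage(SAMPLE_EVENTS):
        print(f"{host:5} {indicator:24} {detail}")
```

The thresholds matter: a single connection to port 447 or a single SMB session is normal noise on most networks, so the beacon and fan-out checks count before they alert. In a real deployment the event dictionaries would be replaced by parsed EDR or Sysmon records, and the thresholds tuned to the environment.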

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware. We recommend the following measures:

  • Keep your anti-virus / EDR solutions and other security tools installed on your systems updated so they can detect and prevent the spread of ransomware
  • Consider a managed EDR service that enables you to react quickly and contain any ransomware infection
    • Such services can also play a big part in monitoring and alerting on the attack vectors used to distribute ransomware
  • Have a cold or distributed backup system in place
    • At a minimum, keep backups of your critical files and systems separate from production systems
  • Keep your operating systems up to date with the latest security patches
  • Make use of network segmentation alongside a zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to stop malicious content from reaching users and reduce the chance of compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

WastedLocker Ransomware

OVERVIEW
First discovered in May 2020, WastedLocker ransomware is a relatively new strain from the group known as Evil Corp, previously associated with the Dridex banking Trojan and BitPaymer ransomware. The group came to our attention with the recent ransomware attack against Garmin. In our research, we discovered why these targeted attacks are even harder to defend against. Read on to learn what to look for and how to avoid this new strain.

RANSOMWARE DETAILS
WastedLocker attacks start with a drive-by compromise for initial entry. The attackers use the SocGholish framework to compromise legitimate websites so that they display fake software-update alerts to visitors. Downloading the fake update delivers a PowerShell script onto the user’s device, which in turn downloads Cobalt Strike. Cobalt Strike then allows the attackers to maintain access, move laterally through the target’s network, and deliver the WastedLocker ransomware to victim hosts.

Before deploying the ransomware, the attackers perform the following tasks within the target’s network:

  • Escalate privileges via a UAC bypass
  • Disable Windows Defender
  • Gather information about the victim’s environment
  • Dump credentials

WastedLocker attackers have also been observed in previous attacks using living-off-the-land (LOTL) tools for these tasks, for example the Windows Sysinternals tool PsExec to disable Windows Defender, and PowerShell and WMIC to profile the target’s environment.

Upon successful encryption of a victim’s file, the ransomware appends a file extension that is a combination of the target organization’s name and the string “wasted”. In the case of the Garmin attack, the file extension “.garminwasted” was appended to encrypted files. For each encrypted file, the ransomware also creates a ransom note with the same name appended with “_info” at the end of the file extension, such as “.garminwasted_info”.

Figure 1 – Example of a ransom note

Aside from encryption, WastedLocker also deletes Windows Volume Shadow Copies, removing the local file snapshots that could otherwise be used for recovery.

The payment method offered to decrypt WastedLocker is to contact one of the email addresses listed in the ransom note. So far, the addresses used by the attackers have belonged to ProtonMail, Eclipso, Tutanota or Airmail.

Unlike many other ransomware families this year, WastedLocker does not steal victims’ files but simply encrypts them. It is worth noting, however, that WastedLocker attacks are highly targeted and each ransomware sample is customized for the target organization. This means that standard IOCs such as the file hashes of previous samples are of little use for detection; indicators tied to behaviour and to the naming convention described above are more durable.
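Because every WastedLocker build is customized for its target, the stable indicators are the ones the post describes: the “.<organization>wasted” extension, the matching “_info” ransom note, and the deletion of shadow copies. The Python below is an added example, not WastedLocker code or code from the original post or Proficio: it turns that naming convention into a rule that matches any target’s build and groups hits by the inferred organization token. The directory listing is constructed (it reuses the Garmin extension from the post and adds a hypothetical second target, “acme”), and the vssadmin/wmic command patterns used for the shadow-copy check are an assumption, since the post says shadow copies are deleted but not which command does it.

```python
"""Spot WastedLocker-style activity from its naming convention rather than from
sample hashes.  Added example; not WastedLocker code or code from the original
post.  The shadow-copy command patterns are an assumption (the post says
WastedLocker deletes shadow copies but not which command it uses)."""
import re
from collections import defaultdict

# "<name>.<org>wasted" marks an encrypted file, "<name>.<org>wasted_info" its note
WASTED_RE = re.compile(r"^(?P<stem>.+)\.(?P<org>[a-z0-9]{2,})wasted(?P<note>_info)?$", re.I)
# Assumed shadow-copy deletion commands (vssadmin / wmic), not taken from the post
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def classify_path(path):
    """Return (org_token, kind, stem) for a WastedLocker-style name, else None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = WASTED_RE.match(name)
    if not m:
        return None
    kind = "note" if m.group("note") else "encrypted"
    return m.group("org").lower(), kind, m.group("stem")


def summarize(paths):
    """Group hits by inferred org token; the same rule matches every target's build."""
    by_org = defaultdict(lambda: {"encrypted": set(), "note": set()})
    for p in paths:
        hit = classify_path(p)
        if hit:
            org, kind, stem = hit
            by_org[org][kind].add(stem)
    return {org: {"encrypted": len(d["encrypted"]), "notes": len(d["note"]),
                  # files without a note or notes without a file: worth a second look
                  "unpaired": sorted(d["encrypted"] ^ d["note"])}
            for org, d in by_org.items()}


def is_shadow_copy_deletion(cmdline):
    """True for command lines that wipe Volume Shadow Copies (assumed patterns)."""
    return bool(SHADOW_DELETE_RE.search(cmdline))


# Constructed file listing: the Garmin extension from the post plus a
# hypothetical second target ("acme") to show the rule is not per-victim.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.garminwasted",
    r"C:\Users\alice\Documents\report.docx.garminwasted_info",
    r"C:\Users\alice\Documents\q3.xlsx.garminwasted",
    r"\\FS01\share\plan.pdf.acmewasted",
    r"\\FS01\share\plan.pdf.acmewasted_info",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
    print(is_shadow_copy_deletion("vssadmin.exe Delete Shadows /All /Quiet"))
```

The regex deliberately captures the organization token instead of hard-coding “garmin”, which is the practical answer to the hash problem in the paragraph above: a new victim produces a new binary and a new extension, but not a new pattern. The shadow-copy check belongs in process-creation monitoring, where it should fire before encryption finishes rather than after.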

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware. We recommend organizations consider the following measures:

  • Keep your anti-virus / EDR solutions and other security tools installed on your systems updated so they can detect and prevent the spread of ransomware.
  • Make use of a managed EDR service to react quickly and contain any ransomware infection.
    • Managed EDR services can also play a big part in monitoring and alerting on the attack vectors used to distribute ransomware.
  • Have a cold or distributed backup system in place, or at minimum keep backups of your critical files and systems separate from production systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside a zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to stop malicious content from reaching users and reduce the chance of compromise.
  • Educate your employees and users to improve cybersecurity awareness.

ABOUT PROFICIO

Proficio’s Managed Detection and Response (MDR) solution surpasses the capabilities of traditional Managed Security Services Providers (MSSPs). Our MDR service is powered by next-generation cybersecurity technology, and our security experts partner with you to become an extension of your team, continuously monitoring and investigating threats from our global network of security operations centers.

REFERENCES

  • https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
  • https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/
  • https://www.bleepingcomputer.com/news/security/dozens-of-us-news-sites-hacked-in-wastedlocker-ransomware-attacks/
  • https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
  • https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware

OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victims’ files, Proficio’s Threat Intelligence Team has seen an uptick in strains that also steal data to further pressure victims into paying. This group, infamous for claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw), resulting in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered in April 2019, when it was initially found to propagate by exploiting a vulnerability in Oracle WebLogic. REvil/Sodinokibi is offered as ransomware-as-a-service (RaaS) and is suspected to be associated with GandCrab, a RaaS that shut down operations in May 2019; the two share code, such as the random URL generation routine.

Within the past year, REvil/Sodinokibi threat actors have been observed using multiple techniques to deliver the ransomware to targets. Based on our research, the distribution methods used include:

  • Exploitation of the Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hacked WordPress sites hosting fake forum posts that link to the ransomware installer
  • Breaches of managed service providers (MSPs) via exposed RDP
  • Abuse of compromised Webroot SecureAnywhere consoles at MSPs to deploy the ransomware onto the MSPs’ customers’ systems
  • The RIG exploit kit
  • Exploitation of the Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated extension of 5 to 10 alphanumeric characters to each file name. A ransom note is dropped onto the victim’s device with instructions on how to pay the ransom.

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first is a Tor site accessed with the Tor browser; the other is a secondary clear-web site. Earlier attacks pointed to “decryptor[.]top” as the secondary payment site; more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind REvil/Sodinokibi have started to publish data stolen from victims that did not pay on time. This method of pressuring victims was inspired by Maze ransomware, whose operators started the trend.

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. Where possible, safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We recommend the use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools up to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware

DoppelPaymer Ransomware

OVERVIEW
Recently, Proficio’s Threat Intelligence Team has observed a surge in ransomware cases that take advantage of the current COVID-19 situation. In this blog, we discuss a ransomware variant named “DoppelPaymer”, whose activity has risen significantly over the last month, and provide additional details discovered during our research.

RANSOMWARE DETAILS
“DoppelPaymer” is regarded as an evolution of “BitPaymer” ransomware and is an enterprise-targeting variant. Based on its history of attacks and the wording of its ransom notes, we believe the threat actor group is targeting English-speaking victims.

While earlier builds of the malware were identified in April 2019, the first known DoppelPaymer victims were seen in June 2019. The initial ransom notes still contained the string “BitPaymer”; researchers coined the name “DoppelPaymer” to identify the new variant found in the wild, and the threat actor subsequently adopted it, changing the string in the ransom notes from “BitPaymer” to “DoppelPaymer”. Given the similarities between the two variants, the group behind DoppelPaymer is suspected to be a splinter of the INDRIK SPIDER cybercrime group.

DoppelPaymer ransomware is known to contain both Dridex and BitPaymer source code. Several other notable traits have been observed, including:

  • Encryption using 2048-bit RSA combined with 256-bit AES
  • Encrypted files renamed with a “.locked” extension
  • The latest variants marking encrypted data with a “.doppeled” extension instead
  • The ability to terminate processes and services that may interfere with file encryption, using the Process Hacker utility

DoppelPaymer ransomware is usually dropped by the Dridex trojan; however, it is not limited to one distribution method. Based on our research, the following distribution methods have been observed over the past year:

  • Insecure RDP configuration
  • Email spam and malicious attachments
  • Deceptive downloads
  • Botnets
  • Exploits
  • Malicious advertisement
  • Web injects
  • Fake updates
  • Repackaged software
  • Infected installers

Upon successful infection and encryption of data on the victim’s computer, the victim’s files would be renamed, and a ransom note in text file format could be found within the victim’s system.

Figure 1 – Ransom note sample

It is interesting to note that no ransom amount is stated within the text file. Instead, the victim is given a list of instructions to follow strictly: download the Tor Browser and enter the address provided to reach the DoppelPaymer portal.

Figure 2 – Accessing the Tor link found in the ransom note

Figure 3 – DoppelPaymer ransomware payment portal

Once the portal is accessed through the Tor browser, the victim is shown several key pieces of information: a countdown timer for a “special price”, a unique reference ID identifying the victim, the ransom amount, and a BTC address to which the payment should be sent.

Further research on DoppelPaymer reveals that, early on, victims unwilling to pay would have their data sold on the darknet. Following the lead of groups such as Maze, the DoppelPaymer operators later launched a public leak site used to shame victims who refuse to pay.

PRECAUTIONARY MEASURES
Prevention is always better than a cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We advise using a managed EDR service to better prepare for dealing with a ransomware attack. We also recommend organizations consider the following measures:

  • Keep your anti-virus / EDR solutions and other security tools installed on your systems updated so they can detect and prevent the spread of ransomware.
  • Make use of a managed EDR service to react quickly and contain any ransomware infection.
    • Managed EDR services can also play a big part in monitoring and alerting on the attack vectors used to distribute ransomware.
  • Perform regular backups of critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside a zero-trust model.
  • Apply content filters on email gateways and email systems to stop malicious content from reaching users and reduce the chance of compromise.
  • Educate your employees and users to improve cybersecurity awareness.

For the latest information from our Threat Intelligence Team on the DoppelPaymer attacks and other threats, please visit our Twitter Feed.

Mailto and Mailto-2 Ransomware

OVERVIEW
In late 2019, two relatively new ransomware strains, Mailto and Mailto-2, were found in the wild. They are also known as “Kokoklock” and “Kazkavkovkiz”; the names have been used interchangeably, with no clear definitions at this point in time.

This ransomware family gained attention with the recent attack against the Australian Toll Group, which subsequently disclosed that its network was attacked by the Mailto ransomware prior to a service disruption and system shutdown.

The Proficio Threat Intelligence Team posted information about Toll Group attacks in our Twitter Feed. In this blog, we share some of our findings pertaining to this new ransomware’s behavior in the wild.

RANSOMWARE DETAILS
This ransomware is relatively new, having first surfaced in late 2019, so limited information is available. Mailto was seen in the wild in September 2019 and Mailto-2 around October 2019. Both are recognisable by the extension appended to encrypted victims’ files.

There is some evidence that the Mailto actors used techniques such as phishing and password-spray attacks, then used the compromised accounts to send further phishing emails to the users’ address books to spread the malware. At this time there is no public information on the group responsible for these strains, nor on their C2 infrastructure.

Upon successful infection, both variants append a per-victim extension to encrypted files and drop a ransom note and a readme text file instructing victims on how to pay. The main visible difference between “Mailto / Kokoklock” and “Mailto-2 / Kazkavkovkiz” is the extension appended to encrypted files.

At this time, the only other notable trait distinguishing this strain from others in the wild is that targets are instructed to communicate with the attacker via email addresses provided in the ransom notes. Ransom notes associated with this ransomware include two email addresses, on the domains “@cock[dot]li” and “@tutanota[dot]com”. Tutanota is a free, open-source, end-to-end encrypted email service. “Cock[dot]li” appears to be a free anonymous email service, also known as “Cockmail”, which has been seen used in multiple malicious campaigns.

Figure 1 – An example of ransom notes

Beyond the ransom notes, we can also differentiate the variants by the extension appended to encrypted files. Following the “[dot]mailto” marker and the attacker’s email address, “Mailto / Kokoklock” appends six random alphanumeric characters, while “Mailto-2 / Kazkavkovkiz” appends four or five random digits. While these are the only extension formats currently seen in the wild, they may vary over time.

Other noticeable differences between the two variants include the following:

                             Mailto / Kokoklock                                              Mailto-2 / Kazkavkovkiz
  Decryptor tool             Netwalker                                                       NIL
  Encryption method          Suspected Salsa20 stream cipher                                 AES
  Format of encrypted files  .mailto[<email_address>].<6 random alphanumeric characters>    .mailto[<email_address>].<random digits>
  Readme file format         <6 random alphanumeric characters>-Readme.txt                   <random digits>-Readme.txt
  Other behaviour            Seen to masquerade as a legitimate program (Sticky Password)    NIL
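The extension and readme formats in the table above are regular enough to parse, which is useful during triage: from a single encrypted file name you can tell the variant apart, recover the attacker mailbox and the victim ID, and know which readme file to look for. The Python below is an added example, not code from the original post or from Proficio. The file names, victim IDs and mailbox local parts are constructed; only the two mail domains and the two formats come from the post. Anything that matches the general shape but neither variant’s ID length is reported as “unknown Mailto-style”, because the post warns the extensions may change over time.

```python
"""Parse Mailto / Mailto-2 encrypted file names and tell the two variants apart
using the formats in the table above.  Added example; not code from the original
post.  The sample names, victim IDs and mailbox local parts are constructed."""
import re
from collections import Counter

# <stem>.mailto[<email_address>].<victim_id>
MAILTO_RE = re.compile(
    r"^(?P<stem>.+)\.mailto\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<id>[A-Za-z0-9]+)$")

MAILTO = "Mailto / Kokoklock"
MAILTO2 = "Mailto-2 / Kazkavkovkiz"
UNKNOWN = "unknown Mailto-style"          # the post warns the extensions may vary


def variant_for_id(victim_id):
    """Six alphanumeric characters -> Mailto; four or five digits -> Mailto-2."""
    if len(victim_id) == 6 and victim_id.isalnum():
        return MAILTO
    if victim_id.isdigit() and 4 <= len(victim_id) <= 5:
        return MAILTO2
    return UNKNOWN


def parse_mailto_name(path):
    """Return variant, attacker mailbox, victim ID and expected readme name, or None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = MAILTO_RE.match(name)
    if not m:
        return None
    victim_id = m.group("id")
    return {
        "stem": m.group("stem"),
        "email": m.group("email"),
        "victim_id": victim_id,
        "variant": variant_for_id(victim_id),
        "readme": f"{victim_id}-Readme.txt",   # "<id>-Readme.txt" per the table
    }


def scan(paths):
    """Count hits per variant and collect the attacker mailboxes seen."""
    counts, mailboxes = Counter(), set()
    for p in paths:
        hit = parse_mailto_name(p)
        if hit:
            counts[hit["variant"]] += 1
            mailboxes.add(hit["email"])
    return {"variants": dict(counts), "mailboxes": sorted(mailboxes)}


# Constructed listing using the two mail domains named in the post
SAMPLE_PATHS = [
    r"D:\Finance\budget.xlsx.mailto[recover@cock.li].a1b2c3",
    r"D:\Finance\a1b2c3-Readme.txt",
    r"D:\Finance\invoice.pdf.mailto[recover@cock.li].a1b2c3",
    r"C:\Users\bob\Pictures\photo.jpg.mailto[help@tutanota.com].48213",
    r"C:\Users\bob\Pictures\48213-Readme.txt",
    r"C:\Users\bob\Pictures\notes.txt",
]

if __name__ == "__main__":
    print(scan(SAMPLE_PATHS))
```

The readme files themselves are deliberately not matched by the regex; the parser predicts their names from the victim ID so that a responder can confirm the pairing on disk. The attacker mailbox recovered from the extension is the one indicator the post says is stable across this family, and it is worth blocking at the mail gateway regardless of which variant is present.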

 

PRECAUTIONARY MEASURES
Prevention is better than a cure. It is advisable to safeguard your organization to avoid being the next victim of this ransomware attack. We recommend your organization consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection of and prevention from the spread of ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

The Proficio Threat Intelligence Team will continue to monitor developments around this new ransomware and provide updates as applicable.

Extortion-based cyber attacks: The next evolution in profit-motivated attack strategies

Today, data breaches have impacted just about every industry possible. From entertainment to the restaurant industry, no sector or organization appears to be safe, and it has been predicted that cyberattacks are going to get even worse.

Adding chaos to the mix

Recent high-profile ransomware attacks, such as WannaCry and NotPetya, demonstrated the continued global expansion of high-stakes hacks.

These attacks signaled that hackers were turning to havoc-causing methods to cause chaos and garner bitcoin profits from their victims. With the successful launch of these two attacks, ransomware has continued to gain traction, but companies are beginning to catch up through heftier investments into cybersecurity preparedness. Therefore, traditional malware that encrypts files is becoming easier to detect and stop earlier in the attack.

Due to this, and the fact that the stakes have been raised with Equifax and other high-profile data breaches, we should expect to see hackers turn to more volatile forms of cyberattacks. Since there is so much personally identifiable information (PII) available on the dark web already, hackers don’t receive the same return on exposing or selling it as they once did. Now, hackers will go after even more valuable information and confidential corporate data or threaten complete destruction to receive a bigger pay out.

The worst is yet to come

In 2018, the environment for cyberattacks will be considerably more destructive as hackers aim to create even more chaos in order to continue to turn profits. IT security teams will inevitably witness more guerilla-like tactics where cyber criminals may use more extortion-based methods. This means we’ll see hackers threaten to destroy data, launch DDoS attacks, and other forms of threats to get payment from their victims.

Instead of simply encrypting data and holding it hostage, these attackers will show victims a small sample of their plan by deleting a portion of data first, then demand a ransom to prevent further deletion. Organizations need to take these threats very seriously, as unpreparedness may result in the ruin of an entire brand and company.

Prepare today for tomorrow

To prevent these malicious forms of attacks, enterprises need to prepare today to keep their company data safe for tomorrow. So, how do you stop, or at least mitigate, these attackers whose end goal is composed of disorientating and pressuring teams into handing over the information and/or bitcoin payment they’re seeking? There are a few key steps companies and their IT security teams can take:

  • Evaluate the capabilities of your staff, infrastructure, and processes to ensure they are prepared when hackers start attacking network endpoints. If companies find they don’t have the right talent in place to identify indicators of attack and compromise, they won’t be able to remediate advanced attack scenarios. Increasing investments in technology, and adding services to supplement the shortcomings of in-house staff, can help ensure organizations aren’t left vulnerable to hackers.
  • If the team is struggling to identify indicators of attack and compromise, the company’s security information and event management system (SIEM) likely needs fine-tuning. This can be achieved by building use cases and correlation rules, and by developing an escalation runbook that depicts the workflow in the event of an incident. As new attack scenarios emerge, use cases and correlation rules need to be continually updated so the SIEM knows what it should be looking for. Otherwise, IT security teams won’t be able to tell which alerts are relevant attacks and which are not.
  • Once the SIEM is fine-tuned and knows what types of alerts to look for, the security team must know what to do in the event of an advanced attack scenario. Knowing the next steps to take will help stop hackers as early in the kill chain as possible. If they’re not stopped, hackers can quickly propagate laterally across a network, take data hostage, and use it against an organization.
  • Once the staff is trained, the proper infrastructure has been put in place, and the correct services investments have been made, the cybersecurity program should be prepared for 2018-level attack scenarios. However, that doesn’t mean IT security teams can have a “set it and forget it” mentality. Security programs need to be continuously tested internally, just as they are going to be tested by hackers trying to gain access to a network. At the end of the day, hackers don’t play by a set of rules, so anticipation and constant evolution are key. Enterprises should (at a minimum) perform an annual assessment with a group of ethical hackers to closely mimic a real attack. Doing this on a regular basis provides clarity into whether the company is prepared and strong enough to handle a potential cyberattack.

Evaluating the strength of your organization’s current cybersecurity posture, and knowing which infrastructure, technology and services investments need to be made, can help companies understand how to better protect themselves. Hackers don’t wait for a company to piece together a cybersecurity program when planning their next move. As these cyber criminals lean towards more destructive, extortion-based hacking methods, enterprises need to be ready, and continuously update and test processes to ensure the safety of their company’s sensitive data, their brand, and their future.

Winners and Losers from WannaCry

Prevention remains the goal, but detection and response capabilities are equally important. How did your cybersecurity services provider measure up?

Preventing the next big ransomware cyberattack has been on everyone’s mind since WannaCry burst onto the scene on May 12, 2017. But prevention isn’t the only thing CISOs should focus on. Monitoring and responding to alerts are just as important. Ensuring that your cybersecurity services provider (MSSP) has state-of-the-art monitoring technologies and response capabilities is a winning approach to thwarting an oncoming cyberattack like WannaCry.

How Does Monitoring Protect My Business Against the Next WannaCry?

Being able to detect any threat when it breaches your perimeter is key. And having comprehensive 24×7 monitoring and analysis is your first line of defense against any potential cyber threat. When researching cybersecurity services for your company, CISOs need to seek out service providers that can provide them with “around-the-clock” monitoring, alerting and response services, not just prevention, in order to be fully protected.

The threat landscape is increasingly complex, and hackers are exploiting vulnerabilities across all resources, including your people, processes and technologies. Unlike the visible incursions of the past, new attacks use both slow, low-profile strategies and fast-moving, machine-driven attacks designed to slip past enterprise security control architectures. Attackers are often able to systematically pinpoint security weaknesses and then cover the traces of their presence as they propagate laterally to compromise other critical IT assets. Employees, contractors, and other insiders are increasingly, and often unknowingly, a source of data breaches.

Accurate monitoring allows your cybersecurity services provider to be proactive with their threat defense techniques, identifying the early stages of attacks and suspicious insider behavior before breaches result in the loss of your data. WannaCry is a concrete case: it spread by exploiting the SMBv1 flaw patched in MS17-010, so an infected host stood out as one machine opening SMB connections (TCP port 445) to many of its neighbors in a short time. Monitoring that looked at lateral movement and User and Entity Behavior Analytics across multiple devices was able to detect that propagation and stop the attack from continuing. Multi-vector event correlation, asset modeling, user profiling, and threat intelligence are among the techniques used to identify such threats and to drive automated response through cybersecurity monitoring services.
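The lateral-movement detection described above, as an added example that is not code from the original post or from any Proficio product: it flags a host that contacts many distinct peers on TCP/445 inside a short window, which is what a WannaCry-style SMB worm looks like in connection logs. The flow records are constructed (RFC 1918 and documentation addresses), and the (timestamp, source, destination, destination port) tuple layout is an assumption rather than any particular sensor's schema.

```python
"""
Flag worm-like SMB fan-out: one internal host opening connections to many
distinct peers on TCP/445 within a short window, the propagation pattern
WannaCry produced while scanning for hosts vulnerable to MS17-010.

Added example, not code from the original post or any Proficio product.
The flow records are constructed (RFC 1918 and documentation addresses);
the (timestamp, src, dst, dport) tuple layout is an assumption, not a
particular sensor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2017, 5, 12, 10, 0, 0)

SAMPLE_FLOWS = (
    # worm-like: one host sweeps 12 neighbours on 445 within 24 seconds
    [(BASE + timedelta(seconds=2 * i), "10.10.4.21", f"10.10.4.{22 + i}", 445)
     for i in range(12)]
    # benign: a workstation hitting the same file server 20 times
    + [(BASE + timedelta(seconds=3 * i), "10.10.4.50", "10.10.4.5", 445)
       for i in range(20)]
    # benign: HTTPS from the worm host, ignored because it is not SMB
    + [(BASE + timedelta(seconds=i), "10.10.4.21", "203.0.113.10", 443)
       for i in range(15)]
)


def detect_smb_fanout(flows, threshold=10, window=timedelta(seconds=60)):
    """Map each source that reached >= threshold distinct hosts on 445 inside
    any `window` to the largest distinct-destination count it produced.
    Repeated connections to the same server do not raise the count, which
    keeps normal file-share clients out of the result."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end, (ts, _) in enumerate(conns):
            while ts - conns[start][0] > window:   # slide the window forward
                start += 1
            distinct = {d for _, d in conns[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"SMB fan-out from {src}: {count} distinct hosts on 445")
```

The threshold and window are tuning knobs: administrative tools such as patch scanners also fan out on 445, so in production the sources they run from would be allow-listed rather than the threshold raised until the worm disappears with them.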

How Quickly Can Your Service Provider Respond to Potential Cyberattacks?

Initial compromise of a system often takes minutes, not hours. Attackers and malicious code move very fast. When prevention does not work, your MSSP needs to take fast action, automated or manual, to block active attacks, contain compromises, and prevent breaches. Accurate detection and the ability to respond quickly are paramount.

When an attacker is scanning your network, a compromised device is communicating to a malicious external location, or malware is propagating laterally, a manual response is often not fast enough to contain the threat and prevent a breach or mitigate malicious activities. Most Security Operations Centers (SOCs) do not have the comprehensive visibility necessary to quickly make informed decisions that can immediately respond to these types of threats. Having an MSSP with Managed Detection and Response services coupled with Endpoint Detection and Response solutions can provide your company with unparalleled Incident Response services to detect and respond to threats on the endpoint, across the enterprise, or on your cloud applications.

The Takeaway

If you want to know if your MSSP is winning or losing in the fight against cyberattacks for your company, then you need to ask them a major question: Are they doing more than just prevention to protect your company from a breach?

There are many MSSPs out there that offer many different variations of cybersecurity services. In order for your company to be fully protected and have a winning strategy against cyberattacks, you need to ensure your MSSP not only focuses on prevention but also has accurate, 24×7 monitoring that detects lateral movements and user and entity behavior modeling along with automated detection and response capabilities to fully protect your company against the next potential ransomware attack.

Contact us today to receive a cybersecurity assessment on your company’s security posture.

Ransomware is under control and nothing to be worried about… April Fools!

Ransomware is no joke; you’d be fooling yourself to think it’s not a problem that’s only increasing in use and severity. It continues to be a huge issue for companies and has gotten a lot of play with cybercriminals who are looking for a low-risk/high-reward method to make a quick buck. A recent report found that ransomware attacks grew by 600% in 2016, which demonstrates the gravity of this attack method that prevents victims from accessing their own files or systems unless they pay a ransom. As organizations continue to comply with the attackers – dipping into their pockets and paying ransom demands – we can expect more cybercriminals to gravitate towards this malicious attack method and may start to see the concept of ransom being applied to other attack vectors as well.

A prankster’s dream: low consequences  

Not only can ransomware be highly profitable, it’s also low risk. It’s an ideal situation for a cybercriminal. Historically, attackers would target high-value personally identifiable information (PII) – social security numbers, credit card information, health records, etc. – in the form of data theft. However, these methods typically leave behind a digital breadcrumb trail back to the hacker, and they require multiple steps, and often accomplices, to convert PII into cash, creating even more chances to get caught.

Ransomware attackers often demand payment in Bitcoin, a pseudonymous cryptocurrency: every transaction is recorded on a public ledger, but no name is tied to an address, so attackers can receive payment without handing over self-identifying information. Since it’s all electronic, there’s no need to cash a check or transfer money to a personal account. All a hacker needs to do is find someone to successfully phish and it’s payday.

Joke’s on you! Ransomware isn’t just about the malware

As ransomware gains more favor with attackers, we expect to see a quantum shift in the kind of attacks that use the concept of ransom to pursue bigger and more high-risk targets. While the healthcare industry is being hit hard today, utilities, smart cities, and Internet of Things (IoT) devices are the ransom victims of tomorrow. We’ve already seen hackers lock hotel doors and refuse to unlock them until a ransom is paid. This is just the tip of the iceberg of what hackers can do.

While the ransom threat landscape is continuously changing, there are a few things an enterprise can do to prevent data loss:

  • Regularly back up files, keep at least one copy offline or otherwise isolated from the network so the ransomware cannot encrypt it too, and test restores, so the organization can reimage an infected machine and restore its file system with little or no data loss.
  • Keep security solutions as up-to-date as possible, ensuring the protection capabilities of firewalls, antivirus, and intrusion prevention systems are being used to their full capacity.
  • Upgrade to a next-generation Endpoint Protection Platform to block malware.

While these are just a few ways an enterprise can protect itself, it’s also important to know how to detect ransomware once you’ve been hit. It’s critical to detect malicious code at the endpoint and block it with automated containment or malware removal. No product is 100% effective at stopping ransomware on the first endpoint it lands on, so the real value of endpoint detection is in keeping the malicious code from spreading to other devices. It’s also critical to actively monitor for Indicators of Compromise (IOCs) and anomalous device behavior, to catch ransomware that was not blocked at the endpoint as well as attacks that involve no malware at all, and to perform automated response actions that contain the effects of a compromise.

MSSPs with MDR up your game

Using a managed security service provider (MSSP) that provides detection and response services, like Proficio, can help enterprises prepare for this new evolution in the concept of ransom. MSSPs monitor 24×7 and possess knowledge and experience drawn from a broad customer base that a typical in-house security team simply wouldn’t have. While in-house security teams may see a few ransomware attacks per year, MSSPs see hundreds of attacks per week across their customers’ systems. MSSPs therefore have a better understanding of the different variants, simply because they deal with and remediate a larger volume of threats, and they are often able to catch an attack sooner because they know what to look for.

An MSSP will have more advanced analytics and up-to-date threat intelligence to prevent, detect and respond to these attacks at the perimeter or the endpoint. They can also engage company staff and run training exercises, simulating phishing attacks through online training programs and arming employees with the knowledge they need to identify social engineering attempts.

Fooling the trickster

While ransomware is a powerful threat because of its high profitability and remarkable success rate, it doesn’t mean your organization should be defenseless. By understanding who hackers are going to target next, how the concept and applications of ransom are changing, and how an MSSP can be a strategic security partner, an enterprise can start to put the wheels in motion to prepare for the next generation of attacks. At the end of the day, knowledge, a well-maintained security policy, and a response plan can be key to evading a ransomware trickster.

For more information on how you can protect yourself against ransomware, download a copy of our whitepaper: Ransomware Prevention and Detection

TARGET: Labcorp Ransomware Attack

LabCorp, one of the largest clinical laboratory networks in the US, reported to the SEC that many of its assets had been infected with ransomware. The attack began at midnight on July 13th and is suspected to have started with the attackers brute-forcing credentials on an internet-facing RDP service and then spreading a variant of SamSam ransomware. Although the attack was contained within 50 minutes, according to CSO Online the attackers were able to infect 7,000 systems and 1,900 servers, 350 of them production servers. The attack is thought to have affected only Windows servers on the LabCorp network.

The attackers behind the RDP brute force attacks leading to SamSam ransomware used the same methods that led to many successful attacks within the last year on multiple healthcare organizations, government entities, and schools. The best known of the recent victims was the City of Atlanta.

This is another major breach in which an internet-exposed RDP service was likely overlooked and enabled massive damage to an organization.

Proficio Threat Intelligence Recommendations:

  • Implement two-factor authentication on any public-facing RDP service required for business, or, better, put it behind a VPN or RD Gateway and remove the direct internet exposure altogether
  • Implement monitoring use cases that look for newly detected RDP services open to the internet, and take appropriate action to mitigate each new detection
  • Implement and test rapid responses that can contain spreading ransomware attacks through MDR services or an EDR platform
  • Validate that any public-facing Windows servers are up to date on patching and endpoint security controls
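The RDP brute-force entry vector described in this incident, and the monitoring and rapid-response recommendations above, as an added example that is not code from the original post or from any Proficio product. The detector reads Windows Security log fields (EventID 4625 logon failed, 4624 logon succeeded, LogonType, IpAddress, TargetUserName), raises a medium alert when one source produces a burst of failed RDP logons, and a high alert when that same source then logs on successfully, which is the pattern a successful password-guessing attack leaves behind. The sample events, the pipe-separated line format, and the hosts, users and addresses (documentation ranges) are all constructed for illustration.

```python
"""
Detect RDP password guessing from Windows Security log events.

Added example, not code from the original post or from Proficio. The events
below are constructed; the pipe-separated line format is an assumption, not
the native evtx layout. Fields mirror real Security log events: EventID 4625
(logon failed), EventID 4624 (logon succeeded), LogonType and IpAddress.
LogonType 10 is RemoteInteractive (RDP). When Network Level Authentication is
enabled, failed RDP attempts are recorded with LogonType 3 instead, so both
types are treated as RDP here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}

# Constructed sample: ts|EventID|LogonType|IpAddress|TargetUserName
SAMPLE_LOG = """\
2018-07-13T00:00:05|4625|3|203.0.113.45|administrator
2018-07-13T00:00:10|4625|3|203.0.113.45|administrator
2018-07-13T00:00:12|4625|3|198.51.100.7|jdoe
2018-07-13T00:00:15|4625|3|203.0.113.45|admin
2018-07-13T00:00:18|4625|2|-|svc_backup
2018-07-13T00:00:20|4625|3|203.0.113.45|administrator
2018-07-13T00:00:25|4625|3|203.0.113.45|administrator
2018-07-13T00:00:30|4625|3|203.0.113.45|administrator
2018-07-13T00:00:40|4624|10|203.0.113.45|administrator
2018-07-13T00:00:50|4625|3|198.51.100.7|jdoe
2018-07-13T00:01:00|4624|10|10.0.0.5|alice
"""


def parse_events(text):
    """Turn the pipe-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts in time order.

    medium: a source IP produced >= threshold failed RDP logons within window.
    high:   the same source then logged on successfully while its failure
            count was still at or above threshold.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # sources already given a medium alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue                # console and service logons are out of scope
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"severity": "medium", "ts": ev["ts"], "ip": ev["ip"],
                               "reason": f"{len(recent)} failed RDP logons within {window}"})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"severity": "high", "ts": ev["ts"], "ip": ev["ip"],
                           "user": ev["user"],
                           "reason": "successful RDP logon after a brute-force burst"})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(a["ts"], a["severity"].upper(), a["ip"], a["reason"])
```

The high-severity alert is the one to wire to an automated response (isolate the host, disable the account) because, as in the LabCorp timeline, the encryption phase follows the first successful logon within minutes. Threshold and window should be tuned per environment; slow guessing that stays below them still shows up in the failure counts if the window is widened in a second, lower-priority rule.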
