Study sketches the anatomy of a ransomware attack


Security researchers have laid out the anatomy of a ransomware attack to illustrate how cybercriminals gained access to a network and went on to install ransomware, all in just two months. Researchers from the security company SentinelOne examined a server used by cybercriminals in October 2019 to turn a small security hole in a corporate network into an attack based on the Ryuk ransomware.

According to this study, the network was initially infected with the TrickBot malware. Once the malware had a foothold in the network, the hackers began scanning their surroundings to find out what they had access to and how to take advantage of it. “Over time, they dig into the network and try to establish the map and figure out what it looks like. They have a purpose, and their purpose is to monetize the data, the network, for their illegal gain,” says Joshua Platt, a SentinelOne researcher, interviewed by ZDNet.

“They already understand that there is potential for making money and are looking to extend this leverage,” says the researcher, detailing their motivations. Once the hackers have decided to exploit the breach, they use tools like PowerTrick and Cobalt Strike to secure their grip on the network and explore it further, looking for open ports and other devices they could reach.

A particularly virulent ransomware

It is only then that they decide to move to the ransom demand phase. According to SentinelOne, it took about two weeks to go from the initial TrickBot infection, through network profiling, to the Ryuk malware attack. “Based on the time stamp, we can guess the two-week waiting time period,” says the company. As a reminder, Ryuk was first seen in August 2018 and was responsible for multiple attacks around the world, according to an advisory published last year by the United Kingdom's National Cyber Security Centre (NCSC).

This is targeted ransomware: the ransom is set according to the victim’s ability to pay, and several days or even months can pass between the initial infection and the activation of the ransomware, because the hackers need time to identify the most critical systems on the network. But the NCSC said the delay also gives defenders a window of opportunity to stop the ransomware before it is launched, provided they can detect the initial infection.
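To make that detection window concrete, here is an added example (not code from SentinelOne, the NCSC or ZDNet) that reconstructs the TrickBot → reconnaissance → Ryuk chain from a handful of constructed endpoint and network alerts, reports how far each host has progressed, measures the time between the first TrickBot alert and Ryuk detonation, and lists the hosts where intervention is still possible. The hostnames, timestamps and alert labels are all assumptions made up for the example.

```python
# Added example (constructed telemetry, not the study's data): reconstruct the
# TrickBot -> recon -> Ryuk chain from alerts and measure the defender's window.
from datetime import datetime

SAMPLE_LOG = """\
2019-10-01T08:12:00 WS-14 av:trickbot_detected
2019-10-03T22:40:05 WS-14 net:internal_port_scan ports=445,3389
2019-10-09T03:02:10 SRV-DC1 proc:cobaltstrike_beacon from=WS-14
2019-10-15T02:30:00 SRV-DC1 av:ryuk_detected
2019-10-02T09:00:00 WS-22 av:trickbot_detected
"""

# Chain stages in order, each with the (constructed) alert labels that mark it.
STAGES = [
    ("initial_infection", {"av:trickbot_detected"}),
    ("recon_and_lateral", {"net:internal_port_scan", "proc:cobaltstrike_beacon"}),
    ("ransomware", {"av:ryuk_detected"}),
]
RANK = {name: i for i, (name, _) in enumerate(STAGES)}

def parse_log(text):
    """Parse '<ISO time> <host> <label> [k=v ...]' lines, sorted by time."""
    rows = [ln.split() for ln in text.splitlines() if len(ln.split()) >= 3]
    return sorted((datetime.fromisoformat(r[0]), r[1], r[2]) for r in rows)

def stage_of(label):
    return next((name for name, labels in STAGES if label in labels), None)

def furthest_stage(events):
    """Per host, the most advanced stage of the chain seen on it."""
    out = {}
    for _, host, label in events:
        stage = stage_of(label)
        if stage and RANK[stage] >= RANK.get(out.get(host), -1):
            out[host] = stage
    return out

def defender_window(events):
    """Time from the first initial-infection alert to the first Ryuk alert;
    None while Ryuk has not appeared, i.e. the window is still open."""
    first = {}
    for ts, _, label in events:
        first.setdefault(stage_of(label), ts)
    if "initial_infection" in first and "ransomware" in first:
        return first["ransomware"] - first["initial_infection"]
    return None

def hosts_to_triage(events):
    """Hosts with infection or recon alerts but no ransomware yet."""
    return sorted(h for h, s in furthest_stage(events).items() if s != "ransomware")
```

On the sample data the window comes out at just under 14 days, matching the two-week dwell time the study reports, and the two workstations that only show TrickBot or scanning activity are the ones to isolate while that window is still open.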

According to the FBI, Ryuk is an extremely lucrative operation for its criminal operators, generating about $61 million in ransom payments between February 2018 and October 2019. The fact that Ryuk has succeeded in forcing companies to pay means the criminals have a substantial war chest with which to refine their attacks. “It will obviously increase; they have more money and more capacity now to hire even more talent,” warns Joshua Platt.
