Cisco Talos analyzes attack chains, network ransomware tactics

“To avoid detection, ransomware actors use ‘defensive evasion techniques’ such as disabling or modifying security software, including anti-virus programs and scoring solutions. They also try to disable security features in the operating system to prevent detection of the ransomware payload,” Nutland wrote. “Enemies will often hide malicious software by packaging and compressing the code, eventually extracting it from the head when executed. They will also modify the system registry to disable security warnings, configure software to run at startup, or block certain recovery options for users.”

Talos noted a number of additional ransomware trends, including:

  • MFA exploits: “Enemies can send emails containing malicious attachments or URL links that will execute malicious code on the target system, using player tools and malware, and using multi-factor authentication (MFA). There are many ways that adversaries hope to bypass MFA, either through misuse or because they already have valid account information. Most notably, we have seen an increasing number of ransomware actors attempting to exploit vulnerabilities or vulnerabilities in Internet-facing systems, such as legacy or unpublished software.”
  • Seeking long-term access: “… actors will look to establish long-term access, ensuring that their operations will be successful even if their first entry is found and fixed. Attackers often use automated methods of malware persistence, such as using AutoStart at program startup, or modifying registry entries. Remote access software tools for creating local, domain and/or cloud accounts can also be deployed to obtain secondary authenticated access.”
  • Enumerating the target environment: “After gaining continuous access, threat actors will then attempt to calculate the target’s location to understand the network architecture, find resources that can support the attack, and identify valuable data that can be stolen in a double hack. Using a variety of local resources and legitimate resources, they take advantage of weak access controls and escalate privileges to the administrator level to advance in the chain of attacks.”
  • Using network scanner utilities: “We have seen the popular use of many network scanner utilities in combination with local operating system tools and utilities (external binaries) such as Certutil, Wevtutil, Net, Nltest and Netsh to interface with standard operating system functions, exploit trusted applications and processes, and assist in the delivery of malware.”
  • Double extortion: “In a shift in focus to the dual-exploitation model, many adversaries collect sensitive or confidential information to be sent to an external device controlled by the adversary or through some C2 method. File compression and encryption utilities WinRAR and 7-Zip have been used to hide files for unauthorized data transfer, while adversaries often extract files using the official RMM tools mentioned earlier. Custom data filtering tools have been developed and used by mature RaaS operations, offering custom tools such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.”

Earlier this year, Talos wrote that bad actors performing advanced persistent threat (APT) attacks aren’t just looking to gain access to your network. They want to sneak in and stay to collect important data or make plans for future attacks. Post-compromise threats are on the rise, and are mostly aimed at aging network infrastructure and peripheral devices that are long past the end-of-life stage and may be highly vulnerable without being patched.

Steps businesses can take to combat ransomware attacks include applying regular and consistent patches and updates to all systems and software, which addresses vulnerabilities quickly and reduces the risk of exploitation, according to Nutland. “Use strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security,” Nutland said.

Businesses should also secure the network so that sensitive data and systems are isolated, preventing lateral movement in the event of a breach. In addition, network access control methods such as 802.1X should be used to authenticate devices before granting network access, so that only authorized devices can connect, Nutland wrote.

“Use a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to deploying EDR/XDR solutions across clients and servers to provide advanced threat detection, investigation, and response capabilities,” Nutland wrote.
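As an added illustration (not from Talos or the original article), the sketch below shows the kind of correlation a SIEM rule can run over process-creation events: it flags a host and user that launch several of the utilities named in the list above within a short window, since each tool alone is routine administration. The log format, executable names, 10-minute window and threshold of three are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities named in the list above, plus the two archivers it mentions.
# The executable file names are assumptions about how they appear in logs.
WATCHED = {"certutil.exe", "wevtutil.exe", "net.exe", "nltest.exe",
           "netsh.exe", "winrar.exe", "7z.exe"}

# Constructed sample process-creation events: "timestamp host user image".
SAMPLE_LOG = """\
2024-07-10T09:00:05 WS-014 alice C:\\Windows\\System32\\net.exe
2024-07-10T09:40:00 WS-014 alice C:\\Windows\\System32\\netsh.exe
2024-07-10T13:02:11 SRV-02 svc_bkp C:\\Windows\\System32\\nltest.exe
2024-07-10T13:03:40 SRV-02 svc_bkp C:\\Windows\\System32\\net.exe
2024-07-10T13:05:02 SRV-02 svc_bkp C:\\Windows\\System32\\certutil.exe
2024-07-10T13:05:30 SRV-02 svc_bkp C:\\Windows\\System32\\notepad.exe
2024-07-10T13:09:55 SRV-02 svc_bkp C:\\Program Files\\7-Zip\\7z.exe
"""

def parse_events(text):
    """Yield (time, host, user, image_name) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)  # image path may contain spaces
        if len(parts) != 4:
            continue  # skip blank or truncated records
        ts, host, user, image = parts
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        yield datetime.fromisoformat(ts), host, user, name

def find_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Flag (host, user) pairs running >= min_distinct watched tools in window."""
    recent = defaultdict(list)  # (host, user) -> [(time, tool), ...]
    alerts = {}
    for when, host, user, name in sorted(events):
        if name not in WATCHED:
            continue
        key = (host, user)
        # Keep only executions still inside the sliding window.
        recent[key] = [(t, n) for t, n in recent[key] if when - t <= window]
        recent[key].append((when, name))
        tools = {n for _, n in recent[key]}
        # Record the largest set of distinct tools seen in any one window.
        if len(tools) >= min_distinct and len(tools) > len(alerts.get(key, ())):
            alerts[key] = sorted(tools)
    return alerts

if __name__ == "__main__":
    for (host, user), tools in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host} {user}: {', '.join(tools)}")
```

The window and threshold need tuning against a baseline of normal administrative activity before a rule like this is useful in production.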