Dark Reading is part of the Informa Tech Division of Informa PLC


Ransomware Incidents Continue to Dominate Threat Landscape

Cisco Talos' IR engagements found attackers relied heavily on malware like Zloader and BazarLoader to distribute ransomware in the past three months.

Ransomware operators relied heavily on a handful of commodity Trojans, open source reconnaissance tools, and legitimate Windows utilities to execute many of their attacks during the past quarter, according to data from incidents handled by the Cisco Talos Incident Response (CTIR) team.

The data, collected from customer locations between November 2020 and January 2021, showed attackers continuing to overwhelmingly use phishing emails with malicious documents to deliver Trojans for downloading ransomware on victim systems.

But unlike in the recent past where the Emotet and Trickbot malware families were the primary vehicles for distributing ransomware, many of the Trojans used for this purpose in the past quarter were commodity tools such as Zloader, BazarLoader, and IcedID. According to the CTIR team, nearly 70% of the ransomware attacks it responded to over the three-month period used these or similar Trojans to deliver ransomware.

"We saw a variety of commodity Trojans used this quarter, as opposed to previous quarters in which Trickbot and Emotet were dominant," says Brad Garnett, general manager of the Cisco Talos Incident Response team.

For enterprises, the trend could spell even more trouble on the ransomware front.

"Commodity Trojans are easy to obtain and possess numerous capabilities for lateral movement, command-and-control communications, etc., which can increase the efficacy of a ransomware attack," Garnett notes.

The CTIR team's incident response data showed ransomware dominating the threat landscape during the three-month period, as it has for seven straight quarters. The most prolific ransomware families included Ryuk, Vatet, WastedLocker, and Egregor variants.

As they have in the past, ransomware operators took advantage of several open source and legitimate admin tools and utilities to facilitate attacks, move laterally in compromised networks, hide malicious activity, and take other actions. Some 65%, nearly two-thirds, of the ransomware incidents the Cisco Talos team responded to involved the use of PowerShell, and 30% involved PsExec. Other commonly used free, commercial, and dual-use tools included Cobalt Strike, CCleaner for deleting unwanted files, the open source TightVNC for remote control of Windows and Linux machines, and compression software such as WinRAR and 7-Zip.

Abusing Legit Tools and Utilities
The CTIR team also encountered several incidents where attackers used open source reconnaissance tools such as the Active Directory (AD) search utility ADFind, the AD information-gathering tool ADRecon, and the Bloodhound tool for visualizing AD environments and finding potential attack paths.

As one example of how ransomware operators are leveraging these tools, the CTIR team pointed to an incident where the attackers, after gaining an initial foothold on the victim network, took advantage of Group Policy replication in Windows AD to install Ryuk ransomware. In that instance, the adversary used PsExec to move laterally and execute remote commands. They eventually obtained domain administrator (DA) credentials and used them to encrypt some 1,000 endpoints and wipe backup indexes.
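The sweep below shows how the signals counted in the CTIR data (PowerShell, PsExec, ADFind, ADRecon, BloodHound) and the GPO-driven Ryuk deployment just described would surface in endpoint telemetry. It is an added example, not Cisco Talos tooling: the events are constructed, the event-ID mapping, field names and rule names are this example's assumptions, and vssadmin/wbadmin are assumed as the usual means of wiping backups because the article does not name the tool the attackers used.

```python
"""Sweep constructed endpoint telemetry for the tradecraft the CTIR data describes:
commodity-Trojan PowerShell loaders, AD reconnaissance tools (ADFind, ADRecon,
BloodHound/SharpHound), PsExec lateral movement, GPO modification and backup
tampering. Added example, not Cisco Talos tooling; event shape, field names and
rule names are this example's assumptions."""
import re

# Constructed sample events in a simplified Sysmon/Windows-event style (not real
# telemetry). "id" mimics the Windows event ID: 1 = Sysmon process creation,
# 7045 = System service installed, 5136 = Security directory-object modified.
EVENTS = [
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "adfind.exe -f objectcategory=computer -csv"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -ep bypass -f .\\ADRecon.ps1"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "SharpHound.exe --CollectionMethod All"},
    {"id": 7045, "host": "fs-02", "user": "CORP\\da-backup",
     "service": "PSEXESVC", "cmdline": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 1, "host": "fs-02", "user": "CORP\\da-backup",
     "cmdline": "psexec.exe \\\\dc-01 -s cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"id": 5136, "host": "dc-01", "user": "CORP\\da-backup",
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath"},
    {"id": 1, "host": "ws-044", "user": "CORP\\helpdesk",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},  # benign admin use
]

# Command-line rules. Patterns are deliberately narrow so routine PowerShell
# administration (last event above) does not fire.
RULES = [
    # Encoded or hidden PowerShell, the loader style used to stage ransomware.
    ("powershell_obfuscated", re.compile(
        r"powershell(?:\.exe)?\b.*?(?:-e(?:nc|ncodedcommand)?\b"
        r"|-w(?:indowstyle)?\s+hidden|downloadstring|\biex\b)", re.I)),
    # Open-source AD reconnaissance named in the CTIR data.
    ("ad_recon_tool", re.compile(
        r"\b(?:adfind\.exe|adrecon\.ps1|sharphound|bloodhound)\b", re.I)),
    # PsExec: the client binary or its PSEXESVC service on the target.
    ("psexec_lateral_movement", re.compile(r"\bpsexec(?:\.exe)?\b|psexesvc", re.I)),
    # Backup/shadow-copy destruction. The article says only that backup indexes
    # were wiped; vssadmin/wbadmin are assumed here as the common implementation.
    ("backup_tampering", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
]


def scan(events):
    """Return one hit per (event, rule) match, keyed to host and account."""
    hits = []
    for ev in events:
        # GPO edits are an object-modification event, not a command line.
        if ev["id"] == 5136 and ev.get("object_class") == "groupPolicyContainer":
            hits.append({"rule": "gpo_modified", "host": ev["host"], "user": ev["user"],
                         "evidence": f"{ev['object_class']}:{ev.get('attribute')}"})
            continue
        cmd = ev.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "host": ev["host"], "user": ev["user"],
                             "evidence": cmd})
    return hits


def triage(hits, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: recon plus a loader,
    or PsExec plus backup tampering, is worth an analyst's time; one hit alone
    (e.g. a single PsExec service install) is often legitimate admin work."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


def accounts_spanning_hosts(hits):
    """Accounts tied to hits on more than one host. In the Ryuk case above a
    single DA credential was reused across the estate; this pivot surfaces it."""
    hosts_by_user = {}
    for h in hits:
        hosts_by_user.setdefault(h["user"], set()).add(h["host"])
    return {u: sorted(hs) for u, hs in hosts_by_user.items() if len(hs) > 1}


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print(f"{h['host']:7} {h['user']:16} {h['rule']:24} {h['evidence'][:60]}")
    print("escalate:", triage(found))
    print("pivot accounts:", accounts_spanning_hosts(found))
```

Run against the constructed events, the sweep flags the workstation where recon and an encoded PowerShell loader overlap and the file server where PsExec and shadow-copy deletion overlap, and the account pivot isolates the one credential active on both the file server and the domain controller. Raising `min_rules` trades coverage for noise; in an estate where PsExec is routine admin tooling, a lone `psexec_lateral_movement` hit is rarely worth escalating on its own.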

"Ransomware continues to pose the greatest threat to enterprises," Garnett says. "Phishing remains the most observed infection vector for these attacks, underscoring the importance of email security and phishing training."

In addition, enterprises must enable multifactor authentication wherever possible, disable legacy protocols, and limit the use of powerful Windows tools such as PowerShell and PsExec, even by trusted accounts.

Ransomware was the predominant threat, but the CTIR team also responded to multiple incidents involving malware distributed via poisoned updates to SolarWinds' Orion network management software. Some 18,000 organizations worldwide, including several Cisco Talos customers, received the trojanized update. However, only one of the incidents that Cisco Talos investigated involved post-compromise activity. In that incident, the attackers had staged a PowerShell script that appeared designed to receive additional code, likely for executing malicious activity.

Looking at the current quarter, Garnett expects Cisco Talos will have to respond to more SolarWinds-related incidents, because the full scope and impact of that campaign is likely larger than what is known so far. He also expects the CTIR team will have to respond to more incidents involving the Hafnium group, believed to be China-based, and its recent attacks exploiting four critical zero-day vulnerabilities in Microsoft Exchange Server.

"For Hafnium, we are actively supporting customers globally across different sectors and continue to see an uptick in IR services requests from customers [impacted by the attacks]," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
