Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Ransomware Incidents Continue to Dominate Threat Landscape

Cisco Talos' IR engagements found attackers relied heavily on malware like Zloader and BazarLoader to distribute ransomware in the past three months.

Ransomware operators relied heavily on a handful of commodity Trojans, open source reconnaissance tools, and legitimate Windows utilities to execute many of their attacks during the past quarter, according to data from incidents handled by the Cisco Talos Incident Response (CTIR) team.

The data, collected from customer locations between November 2020 and January 2021, showed attackers continuing to overwhelmingly use phishing emails with malicious documents to deliver Trojans for downloading ransomware on victim systems.

Related Content:

Ransomware, Phishing Will Remain Primary Risks in 2021

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

But unlike in the recent past where the Emotet and Trickbot malware families were the primary vehicles for distributing ransomware, many of the Trojans used for this purpose in the past quarter were commodity tools such as Zloader, BazarLoader, and IcedID. According to the CTIR team, nearly 70% of the ransomware attacks it responded to over the three-month period used these or similar Trojans to deliver ransomware.

"We saw a variety of commodity Trojans used this quarter, as opposed to previous quarters in which Trickbot and Emotet were dominant," says Brad Garnett, general manager of the Cisco Talos Incident Response team.

For enterprises, the trend could spell even more trouble on the ransomware front.

"Commodity Trojans are easy to obtain and possess numerous capabilities for lateral movement, command-and-control communications, etc., which can increase the efficacy of a ransomware attack," Garnett notes.

The CTIR team's data from incident response engagements showed ransomware dominated the threat landscape during the three-month period just like it has for the past the seven straight quarters. The most prolific ransomware families included Ryuk, Vatet, WastedLocker, and variants of Egregor.

As they have in the past, ransomware operators took advantage of several open source and legitimate admin tools and utilities to facilitate attacks, move laterally in compromised networks, hide malicious activity, and take other actions. Some 65% — or nearly two-thirds — of the ransomware incidents the Cisco Talos team responded to involved the use of PowerShell, and 30% of the incidents involved the use of PsExec. Other commonly used free and commercially available and dual-use tools included Cobalt Strike, CCleaner for deleting unwanted files, the open source TightVNC for enabling remote control of Windows and Linux PCs, and compression software such as WinRAR and 7-Zip.

Abusing Legit Tools and Utilities
The CTIR team also encountered several incidents where attackers used open source reconnaissance tools such as the Active Directory (AD) search utility ADFind, the AD information-gathering tool ADRecon, and the Bloodhound tool for visualizing AD environments and finding potential attack paths.

As one example of how ransomware operators are leveraging these tools, the CTIR team pointed to an incident where the attackers, after gaining an initial foothold on the victim network, took advantage of the Group Policy replication feature in Windows AD to install Ryuk ransomware. In that instance, the adversary leveraged PsExec to move laterally and execute remote commands. They eventually obtained domain administrator (DA) credentials and used it to encrypt some 1,000 endpoints and wipe backup indexes.

"Ransomware continues to pose the greatest threat to enterprises," Garnett says. "Phishing remains the most observed infection vector for these attacks, underscoring the importance of email security and phishing training."

In addition, enterprises must enable multifactor authentication where possible, disable legacy protocols, and limit use of powerful Windows tools in trusted accounts.

Ransomware was the predominant threat. But the CTIR team also responded to multiple incidents involving malware distributed via poisoned updates to SolarWinds' Orion network management technology. Some 18,000 organizations worldwide — including several Cisco Talos customers — were impacted in that breach. However, only one of the incidents that Cisco Talos investigated involved post-compromise activity. In that incident, the attackers had set up a PowerShell script that looked like it was designed to receive more code likely for executing malicious activity.

Looking at the current quarter, Garnett expects Cisco Talos will have to respond to more SolarWinds-related incidents because the full scope and impact of that incident is likely larger than what's known so far. He also expects the CTIR team will have to respond to more incidents involving the believed China-based Hafnium group and its recent attacks targeting four critical zero-day vulnerabilities in Microsoft Exchange Server.

"For Hafnium, we are actively supporting customers globally across different sectors and continue to see an uptick in IR services requests from customers [impacted by the attacks]," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
An integer overflow exists in the APIs of the host MCU while trying to connect to a WIFI network may lead to issues such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4....
PUBLISHED: 2021-05-07
Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documente...
PUBLISHED: 2021-05-07
IBM Robotic Process Automation with Automation Anywhere 11.0 could allow an attacker on the network to obtain sensitive information or cause a denial of service through username enumeration. IBM X-Force ID: 190992.
PUBLISHED: 2021-05-07
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reas...
PUBLISHED: 2021-05-07
The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on the WISE-PaaS/RMM (versions prior to 9.0...