Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:15 PM
Connect Directly

How Ransomware Threats Are Evolving & How to Spot Them

A series of new reports explains how ransomware attackers are changing techniques and how organizations can spot stealthy criminals.

Modern ransomware operators are adopting techniques similar to those of advanced nation-state actors, researchers report. Their attacks are quieter and more long-term as they sit on target networks and search for the exact information they need to bring down their victims.

Sophos researchers today published a series of reports detailing the evolution of ransomware and how attackers are finding new ways to extort more money from large enterprise victims. While the range of ransomware still spans low-level to high-level attacks, their analysis mainly focuses on advanced threats like WastedLocker and Maze ransomware.

"In the old days, everybody was hitting desktops for $400, and there were successful groups doing that and nonsuccessful groups doing that," says Sophos principal research scientist Chet Wisniewski. "Now the successful people aren't bothering with that — they've moved on to more targeted, specific [attacks], either extortion or just incredibly sophisticated enterprise ransomware."

Sophos focused on WastedLocker. In a report, director of engineering Mark Loman and principal threat researcher Anand Ajjan explain how it uses Windows Cache Manager via memory-mapped I/O to evade monitoring by behavior-based tools. This allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. Tools used to monitor disk writes may not notice the malware is accessing a cached document.

"The cleverness, the creativity, and the intimate knowledge of these very, very miniscule technical details to craft a bypass like that is almost unseen in criminal malware," says Wisniewski. "It's the kind of thing we expect to see in espionage-style attacks, not in criminal attacks."

Some attackers bypass technical tools by "living off the land," or using legitimate admin tools to achieve goals. Some use software deployment tools to roll out ransomware instead of delivering patches to Windows machines, Wisniewski says as an example. They may abuse PowerShell, other Microsoft tools, or so-called "gray hat" tools like Metasploit or Cobalt Strike.

This behavior isn't new, Wisniewski says. "What is new is that may be the only indication you're going to get that they're in your network." Organizations may notice small, unusual things once in a while, remedy them, and close the ticket without realizing they're part of a larger incident. By the time they do, an attacker has been in their network for weeks. WastedLocker and Maze will "sit there for a month" to figure out the thing that will shut down their enterprise victim.

"I want to make sure I get the most critical asset they own, and I completely incapacitate it to destroy their business," he says of the attacker mindset. They're willing to take time to figure out the business model, which databases have the crown jewels, and how to steal data from them.

Attackers don't need these techniques to target all companies, Wisniewski notes, but they are necessary for top-tier companies with larger cash reserves and better defenses. He points to SamSam, which represents the "midtier" level of ransomware. The group's dwell time was far shorter at about 72 hours, and it didn't need to identify every asset to achieve its goals. It went for firms with lower defenses, hit their servers, and charged $100,000–$800,000 per victim.

While the motivation is different for each advanced ransomware group, the techniques are similar. WastedLocker is more focused on technical exploitation; threats like Maze rely on double extortion: They charge victims to get their data back, and to stop them from publishing it. They're focused on the more social aspect of how they can manipulate their victims, he adds. Maze has invited other groups to publish on its website and in doing so, boost its marketing.

"None of these groups are technically inept, but the special sauce they bring to the table is different," Wisniewski continues. "Each one of these groups has their own signature."

How to Know If You've Been Compromised
While it may tough to know when an advanced attacker is on your network, it's still possible. Peter Mackenzie, global malware escalations manager at Sophos, shares a few key indicators that could tip off businesses to suspicious activity.

One is a network scanner, especially on a server. Attackers usually start recon by accessing one machine and searching for information like domain and company name, the device's admin rights, etc. They then scan the network to see what else they can access. If the business detects a network scanner like AngryIP or Advanced Port Scanner, question admin staff. If they're not using it, an intruder may be.

Businesses should also watch for tools designed to disable antivirus software, which attackers may use to bypass detection. Mackenzie points to Process Hacker, IOBit Uninstaller, GMER, and PC Hunter as examples of legitimate tools that could point to nefarious activity if they suddenly appear. Further, he says, any detection of MimiKatz should be investigated.

"If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft," he writes. Attackers may also use Microsoft Process Explorer, a legitimate tool that can dump LSASS[.]exe from memory.

Even if malicious files have been detected and removed, businesses should watch for any detection that happens at the same time every day, or in another repeating pattern. This could indicate something is happening but hasn't yet been identified.

An attacker may make themselves known in "test attacks," which are smaller intrusions done on a few computers to see if their deployment method will work. If security tools stop the attack, they may shift strategies before trying again.

"It is often a matter of hours before a much larger attack is launched," Mackenzie says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle a...
PUBLISHED: 2021-05-17
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary we...
PUBLISHED: 2021-05-17
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPor...
PUBLISHED: 2021-05-17
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortl...
PUBLISHED: 2021-05-17
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.