Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:15 PM
Connect Directly

How Ransomware Threats Are Evolving & How to Spot Them

A series of new reports explains how ransomware attackers are changing techniques and how organizations can spot stealthy criminals.

Modern ransomware operators are adopting techniques similar to those of advanced nation-state actors, researchers report. Their attacks are quieter and more long-term as they sit on target networks and search for the exact information they need to bring down their victims.

Sophos researchers today published a series of reports detailing the evolution of ransomware and how attackers are finding new ways to extort more money from large enterprise victims. While the range of ransomware still spans low-level to high-level attacks, their analysis mainly focuses on advanced threats like WastedLocker and Maze ransomware.

"In the old days, everybody was hitting desktops for $400, and there were successful groups doing that and nonsuccessful groups doing that," says Sophos principal research scientist Chet Wisniewski. "Now the successful people aren't bothering with that — they've moved on to more targeted, specific [attacks], either extortion or just incredibly sophisticated enterprise ransomware."

Sophos focused on WastedLocker. In a report, director of engineering Mark Loman and principal threat researcher Anand Ajjan explain how it uses Windows Cache Manager via memory-mapped I/O to evade monitoring by behavior-based tools. This allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. Tools used to monitor disk writes may not notice the malware is accessing a cached document.

"The cleverness, the creativity, and the intimate knowledge of these very, very miniscule technical details to craft a bypass like that is almost unseen in criminal malware," says Wisniewski. "It's the kind of thing we expect to see in espionage-style attacks, not in criminal attacks."

Some attackers bypass technical tools by "living off the land," or using legitimate admin tools to achieve goals. Some use software deployment tools to roll out ransomware instead of delivering patches to Windows machines, Wisniewski says as an example. They may abuse PowerShell, other Microsoft tools, or so-called "gray hat" tools like Metasploit or Cobalt Strike.

This behavior isn't new, Wisniewski says. "What is new is that may be the only indication you're going to get that they're in your network." Organizations may notice small, unusual things once in a while, remedy them, and close the ticket without realizing they're part of a larger incident. By the time they do, an attacker has been in their network for weeks. WastedLocker and Maze will "sit there for a month" to figure out the thing that will shut down their enterprise victim.

"I want to make sure I get the most critical asset they own, and I completely incapacitate it to destroy their business," he says of the attacker mindset. They're willing to take time to figure out the business model, which databases have the crown jewels, and how to steal data from them.

Attackers don't need these techniques to target all companies, Wisniewski notes, but they are necessary for top-tier companies with larger cash reserves and better defenses. He points to SamSam, which represents the "midtier" level of ransomware. The group's dwell time was far shorter at about 72 hours, and it didn't need to identify every asset to achieve its goals. It went for firms with lower defenses, hit their servers, and charged $100,000–$800,000 per victim.

While the motivation is different for each advanced ransomware group, the techniques are similar. WastedLocker is more focused on technical exploitation; threats like Maze rely on double extortion: They charge victims to get their data back, and to stop them from publishing it. They're focused on the more social aspect of how they can manipulate their victims, he adds. Maze has invited other groups to publish on its website and in doing so, boost its marketing.

"None of these groups are technically inept, but the special sauce they bring to the table is different," Wisniewski continues. "Each one of these groups has their own signature."

How to Know If You've Been Compromised
While it may tough to know when an advanced attacker is on your network, it's still possible. Peter Mackenzie, global malware escalations manager at Sophos, shares a few key indicators that could tip off businesses to suspicious activity.

One is a network scanner, especially on a server. Attackers usually start recon by accessing one machine and searching for information like domain and company name, the device's admin rights, etc. They then scan the network to see what else they can access. If the business detects a network scanner like AngryIP or Advanced Port Scanner, question admin staff. If they're not using it, an intruder may be.

Businesses should also watch for tools designed to disable antivirus software, which attackers may use to bypass detection. Mackenzie points to Process Hacker, IOBit Uninstaller, GMER, and PC Hunter as examples of legitimate tools that could point to nefarious activity if they suddenly appear. Further, he says, any detection of MimiKatz should be investigated.

"If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft," he writes. Attackers may also use Microsoft Process Explorer, a legitimate tool that can dump LSASS[.]exe from memory.

Even if malicious files have been detected and removed, businesses should watch for any detection that happens at the same time every day, or in another repeating pattern. This could indicate something is happening but hasn't yet been identified.

An attacker may make themselves known in "test attacks," which are smaller intrusions done on a few computers to see if their deployment method will work. If security tools stop the attack, they may shift strategies before trying again.

"It is often a matter of hours before a much larger attack is launched," Mackenzie says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...