Post-intrusion ransomware continues to be a major threat and spiked in September and October 2019, continuing a trend that had been observed throughout the year, according to a report from the Secureworks Counter Threat Unit (CTU) research team.
Secureworks incident response engagements involving post-intrusion ransomware more than doubled between 2018 and 2019, according to the company’s recent Threat Intelligence Executive Report 2019. There has also been an increase in the number of groups operating these schemes, and many have mature playbooks that have proven successful.
CTU researchers expect the post-intrusion ransomware threat to increase due to its profitability. Organisations can greatly reduce the risk by preventing the initial intrusion. If organisations identify an intrusion, it is important to thoroughly remove all malware and possible access vectors during remediation.
Threat groups primarily use two techniques to establish a foothold. The first method is to leverage existing commodity malware infections. For example, the Ryuk ransomware uses TrickBot infections, and BitPaymer uses Dridex infections. The initial malware is usually delivered by large-scale spam campaigns. The infection can exist for an extended time before the ransomware is deployed.
The second method for initial infection involves scanning for and compromising vulnerable Internet-facing servers. Threat groups typically use the Remote Desktop Protocol to access the Internet-facing portion of the victim’s network. They then compromise a system by exploiting a known vulnerability. The compromised system can be used as a foothold to access the rest of the network.
As the number of sophisticated attacks increases and threat actors demonstrate greater adaptability, it is important to remember that most cybersecurity incidents leverage well-known malware and tools. CTU researchers recommend that organisations continuously review their defensive posture against these known threats to implement basic security controls on all systems. For example, using multi-factor authentication on Internet-facing systems could mitigate many attacks. Organisations should also maintain awareness of geopolitical events that could increase risk from advanced threat groups.
The Middle East appears to be in alignment with the global trend highlighted in the report from Secureworks CTU. Gopan Sivasankaran, Senior Manager, Solutioning, Middle East, Turkey and Africa, Secureworks, said: “We’ve seen a definite uptick in post-intrusion ransomware in 2019 and we expect this to follow the international trend and continue to grow in 2020. It’s essential for organisations to ensure they are maintaining the most robust defensive posture.”