Ransomware as a Data Breach Decoy

Ransomware thumbnail image
16 September 2020

Gone are the days of small-time cybercriminals using ransomware to earn a quick buck.

Ransomware–and the criminals who use it–have certainly evolved. Though it initially made a name for itself as a tactic of the lesser-skilled criminal, malicious actors are now exploiting the established expectations of its impact and limitations in order to hide inside a network. 

For those organizations with robust security strategies, ransomware had become little more than an annoyance. They were able to recover rather quickly using backups. More often, though, that’s not the case. In the past two years, many municipalities have fallen victim to costly ransomware attacks that have left their systems inoperable for days, weeks and even months, which begs the question of whether they were also victims of a data breach. 

Increasingly, in many of the compromises Prevailion is tracking, we have seen that attackers are indeed doing more than encrypting the system files. After malware associated with ransomware groups first compromises the system, it does not appear to launch an encryption attack right away, but instead continues to actively communicate with the attacker’s Command and Control (C2).  

Where Is the Ransomware?

Ransomware typically finds its way into an organization by way of phishing emails, but it can also be hidden in malicious websites so that when an unsuspecting user clicks, the systems are infected. Attackers are evolving in their tactics, though. According to a 2019 CSO Online article, “More sophisticated attackers are using ransomware to cover their tracks in a more serious attack.” 

Prevailion has seen multiple instances of ransomware having compromised an organization without actually activating. What does that mean? The ransomware was able to get on the network but did not appear to launch the encryption attack. Instead, it remained active by continuing to communicate with the attacker’s C2.  Prevailing platform has identified C2 beaconing from a range of ransomware, includingPetya, PayCrypt, TorrentLocker, Locky, and even TeslaCrypt, which have been beaconing from the networks of major hospitals in the US, Canada and France as well as pharmaceutical companies and US universities. 

Why Does Ransomware Infect but not Encrypt?

Ransomware is increasingly being used to exfiltrate data prior to encryption, which means that a couple different things could be happening. First, the attacker may be trying to or actually exfiltrating substantial data from the organization before shifting to the extortion scheme. This  process may take time depending on the attacker’s motives. 

If the attacker is trying to spread laterally across the organization or gain access to more secure systems, they are more likely to be slow and stealthy. As Bank Info Security reported, “When more advanced attackers gain remote access to a victim’s network, they may spend weeks or months exploring it in depth, trying to escalate privileges to take control of Active Directory, as well as seeking systems that store valuable or sensitive information.” 

But ransomware can also be used as a backdoor. In this scenario, the strategy is similar in that the encryption attack doesn’t happen right away, which may also be why Prevailion is still seeing attackers use TeslaCrypt, a now defunct ransomware, as it still provides useful services by gaining a foothold on the network.

Ransomware is an effective tool for multi-stage attacks. First a Trojan is deployed (like Qakbot) which has ties to ransomware groups like ProLock ransomware. Then the Trojan is used as a vehicle for transmitting other malicious payloads.

The bottom line is that ransomware is being used frequently as a tool to compromise networks, not just to carry out ransomware extortion. This is a tool used to infiltrate networks, get a backdoor, exfiltrate data, and potentially carry out other operations either before they launch the encryption attack, or in place of that attack altogether. 

Defending against evolving ransomware attacks requires more than having backups. Organizations need a trusted partner that can deliver real-time monitoring of their networks and their partners. If you can identify the initial vector of infection, it is possible to get in front of the actual ransomware attack.

The Latest

Prevailion CEO, Karim Hijazi – Cheddar News- FCC commissioner calls on Apple and Google to ban TikTok app

A member of the FCC renewed urgency calls on Apple and Google to remove TikTok from their app stores, raising concerns that TikTok’s Chinese-based parent company is collecting user data that is being accessed in China.

IRONSCALES Cyber Security Heroes: The New Cyber Era Post Ukraine Invasion

What Wicked Webs We Un-weave

What Wicked Webs We Un-weave: Wizard Spider once again proving it isn’t you, it isn’t me; we search for things that you can’t see Authored by: Matt Stafford and Sherman Smith Executive summary: In late January 2022, Prevailion’s Adversarial Counterintelligence Team (PACT) identified extensive phishing activity designed to harvest credentials for Naver. Naver is a […]

Copyright 2023 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.