Ransomware as a Data Breach Decoy
Gone are the days of small-time cybercriminals using ransomware to earn a quick buck. Ransomware–and the criminals who use it–have certainly evolved. Though it initially made a name for itself as a tactic of the lesser-skilled criminal, malicious actors are now exploiting the established expectations of its impact and limitations in order to hide inside a network.
For those organizations with robust security strategies, ransomware had become little more than an annoyance. They were able to recover rather quickly using backups. More often, though, that’s not the case. In the past two years, many municipalities have fallen victim to costly ransomware attacks that have left their systems inoperable for days, weeks and even months, which begs the question of whether they were also victims of a data breach.
Increasingly, in many of the compromises Prevailion is tracking, we have seen that attackers are indeed doing more than encrypting the system files. After malware associated with ransomware groups first compromises the system, it does not appear to launch an encryption attack right away, but instead continues to actively communicate with the attacker’s Command and Control (C2).
Where Is the Ransomware?
Ransomware typically finds its way into an organization by way of phishing emails, but it can also be hidden in malicious websites so that when an unsuspecting user clicks, the systems are infected. Attackers are evolving in their tactics, though. According to a 2019 CSO Online article, “More sophisticated attackers are using ransomware to cover their tracks in a more serious attack.”
Prevailion has seen multiple instances of ransomware having compromised an organization without actually activating. What does that mean? The ransomware was able to get on the network but did not appear to launch the encryption attack. Instead, it remained active by continuing to communicate with the attacker’s C2. Prevailion’s platform has identified C2 beaconing from a range of ransomware, including Petya, PayCrypt, TorrentLocker, Locky, and even TeslaCrypt, which have been beaconing from the networks of major hospitals in the US, Canada and France as well as pharmaceutical companies and US universities.
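One way to look for the behaviour described above, a host that keeps contacting a C2 without ever encrypting anything, is to flag internal hosts that reach the same external address at near-constant intervals. This is an added example, not Prevailion's code or detection method; the flow-log format, the thresholds, and the assumption that beacons are roughly periodic are all illustrative.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, internal host, external destination.
# The external addresses are documentation ranges, not real indicators.
SAMPLE_FLOWS = """\
2020-06-01T08:00:02 10.0.0.21 203.0.113.50
2020-06-01T08:05:01 10.0.0.21 203.0.113.50
2020-06-01T08:10:03 10.0.0.21 203.0.113.50
2020-06-01T08:15:00 10.0.0.21 203.0.113.50
2020-06-01T08:20:02 10.0.0.21 203.0.113.50
2020-06-01T08:01:10 10.0.0.34 198.51.100.7
2020-06-01T08:01:45 10.0.0.34 198.51.100.7
2020-06-01T08:19:30 10.0.0.34 198.51.100.7
2020-06-01T08:20:05 10.0.0.34 198.51.100.7
2020-06-01T09:40:00 10.0.0.34 198.51.100.7
"""

def parse_flows(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, src, dst = parts
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_events=5, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds, jitter) for near-periodic pairs.
    Jitter is stdev/mean of the gaps between connections; both thresholds
    are assumed starting points to tune per network."""
    hits = []
    for (src, dst), times in parse_flows(text).items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # identical timestamps: a burst, not a beacon
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((src, dst, round(mean), round(jitter, 3)))
    return hits
```

On the constructed sample, only 10.0.0.21 is reported: it connects every five minutes with a few seconds of drift, while 10.0.0.34 shows the bursty, irregular pattern of ordinary user traffic.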
Why Does Ransomware Infect but not Encrypt?
Ransomware is increasingly being used to exfiltrate data prior to encryption, which means that a couple of different things could be happening. First, the attacker may be attempting to exfiltrate, or actually exfiltrating, substantial data from the organization before shifting to the extortion scheme. This process may take time depending on the attacker’s motives.
If the attacker is trying to spread laterally across the organization or gain access to more secure systems, they are more likely to be slow and stealthy. As Bank Info Security reported, “When more advanced attackers gain remote access to a victim’s network, they may spend weeks or months exploring it in depth, trying to escalate privileges to take control of Active Directory, as well as seeking systems that store valuable or sensitive information.”
But ransomware can also be used as a backdoor. In this scenario, the strategy is similar in that the encryption attack doesn’t happen right away. This may also be why Prevailion is still seeing attackers use TeslaCrypt, a now-defunct ransomware: it still provides a useful service by gaining a foothold on the network.
Ransomware is an effective tool for multi-stage attacks. First, a Trojan such as Qakbot, which has ties to ransomware groups like ProLock, is deployed. Then the Trojan is used as a vehicle for transmitting other malicious payloads.
The bottom line is that ransomware is frequently being used as a tool to compromise networks, not just to carry out ransomware extortion. Attackers use it to infiltrate networks, establish a backdoor, exfiltrate data, and potentially carry out other operations, either before they launch the encryption attack or in place of that attack altogether.
Defending against evolving ransomware attacks requires more than having backups. Organizations need a trusted partner that can deliver real-time monitoring of their networks and their partners. If you can identify the initial vector of infection, it is possible to get in front of the actual ransomware attack.