News, posts and events

Patience pays off for ransomware groups

Written by Mike Ahmadi | January 20, 2023

Ransomware is the bain of organizations in these times, and in the next few weeks, I’ll be exploring it in more detail.

I recently read an interesting article about a cybersecurity company that discovered a variant of the Babuk ransomware in 2021. The source code is available on GitHub. As it turns out at least a few enterprising threat actors are indeed interested and have been working diligently to create variants of this ransomware attack that can evade all sorts of anti-malware tools. They seem to have success; the article speaks of a large affected enterprise with over 10,000 servers and workstations.

Now, the fact that the attackers were able to create software to evade detection is interesting, but what I find even more interesting is that the attackers apparently had “two weeks of full reconnaissance prior to launching their attack”, and only when they knew they were in full control and had compromised the main domain controller did they launch their attack.

Being patient and calculating in the world of malware attacks can certainly pay off much more than a “drive by” attack would. Once in, they can often rummage around within your organization with ease.

Many of us are well aware that attackers have become much more sophisticated over the last few years, and as ransomware has proven to be a fairly effective way for bad actors to make money, the way ransomware is deployed has indeed become much more sophisticated. Why hit only one system if you can hit all of them?

It is very important to understand that the organization in question basically had no idea anything was amiss, until the final blow was rendered. The investigation is still ongoing but apparently Mophisec, who published the article on their blog, was able to stop the attack before it was fully executed. Kudos to them for that!

Along with social engineering, vulnerabilities are often used as an initial entry point for ransomware attacks. A vulnerability is a weakness in a software or system that can be exploited by an attacker to gain unauthorized access or perform malicious actions. In order to deliver and execute ransomware on a victim's system, attackers often exploit vulnerabilities in software or systems to gain initial access. 

One of the most important points Arctic Security makes is that not having evidence of compromise does not mean you have not been compromised. The mere existence of the potential for an attacker to exploit your systems and get inside is enough reason to be very concerned.

In the biological world when you have a compromised immune system you must constantly be aware of the potential for getting sick, and the existence of multiple biological vulnerabilities means that you can indeed get very sick, and sometimes you may not know what is going on because it can be an entirely new pathogen. The same holds true for the networked world. If there is a way for an attacker to get in, there is a very high likelihood that an attacker will get in, and it could very well be that the attacker is lurking at any time.

None of this is intended to sound alarmist. This is meant to serve as a reminder that it is important to identify vulnerabilities, close the doors, and plan for recovery. Once the criminals are in, they are very difficult to detect. I can assure you that the attackers will continue to get more sophisticated, and we are very likely going to see attacks that combine both physical and cyber attacks in order to deliver maximum impact.

I'll dig into that in the next few blogs around this topic of cyber extortion.