…attackers waited at least three days after breaking into a network to identify key systems to target with their ransomware…
Summary:
- Article by Jai Vijayan on Darkreading.com, citing research by FireEye.
- The article highlights an increasing trend in attacks using Ransomware: threat actors are spending more time probing internal infrastructure before executing ransomware.
- Attackers are taking a bigger risk for a bigger reward, looking for higher-value systems/data and additional attack opportunities
- However, this also gives defenders more opportunity to detect an attacker's presence before the ransomware does irreversible damage
- Attackers are waiting at least 3 days after breaking into a network to execute ransomware.
- Mapping networks and systems and identifying high-value targets gives them more leverage against their target & bigger ransom demands
- Also provides an opportunity to pivot to different attack techniques, such as identity theft, fraud, etc.
- Ransomware deployed with a post-compromise delay includes: Ryuk, Clop, BitPaymer, DoppelPaymer, LockerGoga, Maze, and Sodinokibi.
- Ransomware is overwhelmingly deployed outside office hours:
  - 76% executed outside normal office hours
  - 27% during weekends
  - 49% before 8am or after 6pm
  - Only 24% executed during office hours
- Drive-by-downloads, weak and unprotected Remote Desktop Protocol (RDP) services, and phishing with a malicious link or attachment were the most common initial infection vectors in the ransomware attacks.
- Advice:
  - Defenders should always assume the network is compromised and look for indicators that an attacker is dwelling internally
  - Ensure protection mechanisms are in place for the common initial infection vectors (RDP exposure, drive-by downloads, phishing)
  - Implement a 24/7 monitoring capability (in-house technology and staff, third-party services, outsourcing, or a mixture)
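One way to turn the article's timing statistics into a concrete monitoring check, as an added example that is not code from the article or from FireEye: classify logon events against an office-hours window and flag RDP logons that land outside it, since RDP is named as a common initial vector and most deployments happen off-hours. The 08:00-18:00 Monday-to-Friday window is an assumption that mirrors the article's thresholds (before 8am, after 6pm, weekends); the events are constructed sample data, not real telemetry.

```python
"""Off-hours logon classifier (hypothetical example, not the article's code).

Mirrors the article's reported thresholds: before 8am / after 6pm and weekends
count as outside office hours. Adjust the window to local working hours.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

OFFICE_START_HOUR = 8   # 08:00 local time (assumption)
OFFICE_END_HOUR = 18    # 18:00 local time (assumption)


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    host: str
    user: str
    logon_type: str  # e.g. "RDP", "interactive", "network"


# Constructed sample events for the demonstration; hostnames and users are invented.
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent(datetime(2020, 3, 2, 9, 15), "srv-file01", "alice", "interactive"),  # Mon, in hours
    LogonEvent(datetime(2020, 3, 2, 23, 40), "srv-db01", "svc-backup", "RDP"),      # Mon, after 6pm
    LogonEvent(datetime(2020, 3, 4, 3, 5), "dc01", "admin2", "RDP"),                # Wed, before 8am
    LogonEvent(datetime(2020, 3, 7, 14, 20), "srv-file01", "bob", "network"),       # Sat, weekend
    LogonEvent(datetime(2020, 3, 8, 2, 30), "dc01", "admin2", "RDP"),               # Sun, weekend + early
    LogonEvent(datetime(2020, 3, 5, 12, 0), "ws-042", "carol", "interactive"),      # Thu, in hours
    LogonEvent(datetime(2020, 3, 6, 19, 30), "srv-db01", "svc-backup", "RDP"),      # Fri, after 6pm
    LogonEvent(datetime(2020, 3, 3, 16, 45), "srv-app02", "dave", "RDP"),           # Tue, in hours
]


def is_weekend(ts: datetime) -> bool:
    """Saturday (5) or Sunday (6)."""
    return ts.weekday() >= 5


def is_off_hours(ts: datetime) -> bool:
    """Before 08:00 or at/after 18:00, regardless of weekday."""
    return ts.hour < OFFICE_START_HOUR or ts.hour >= OFFICE_END_HOUR


def is_outside_office_hours(ts: datetime) -> bool:
    """Outside office hours means a weekend day or an off-hours time on a weekday."""
    return is_weekend(ts) or is_off_hours(ts)


def summarize(events: List[LogonEvent]) -> Dict[str, float]:
    """Percentage breakdown in the same four categories the article reports."""
    total = len(events)
    if total == 0:
        return {k: 0.0 for k in ("outside_office_hours_pct", "weekend_pct",
                                 "off_hours_pct", "during_office_hours_pct")}

    def pct(count: int) -> float:
        return round(100.0 * count / total, 1)

    outside = sum(is_outside_office_hours(e.timestamp) for e in events)
    return {
        "outside_office_hours_pct": pct(outside),
        "weekend_pct": pct(sum(is_weekend(e.timestamp) for e in events)),
        "off_hours_pct": pct(sum(is_off_hours(e.timestamp) for e in events)),
        "during_office_hours_pct": pct(total - outside),
    }


def flag_off_hours_rdp(events: List[LogonEvent]) -> List[LogonEvent]:
    """RDP logons outside office hours: worth analyst review given RDP's role
    as an initial vector and the off-hours timing of most deployments."""
    return [e for e in events
            if e.logon_type == "RDP" and is_outside_office_hours(e.timestamp)]


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for e in flag_off_hours_rdp(SAMPLE_EVENTS):
        print(f"REVIEW: {e.timestamp.isoformat()} {e.logon_type} {e.user}@{e.host}")
```

In practice the events would come from the domain controllers' or the RDP hosts' logon records rather than an in-memory list; the classifier and the summary stay the same, and the summary lets a team compare its own off-hours share of privileged logons against the article's figures.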