How do initial access brokers enable ransomware attacks?
Editor’s Note: Unlock the knowledge, resources, and expert advice you need to successfully prevent ransomware attacks from impacting your organization’s operations with this free Ransomware Toolkit…
This October marks the 18th edition of Cyber Security Awareness Month, formerly known as National Cyber Security Awareness Month (NCSAM). In collaboration with the National Cyber Security Alliance (NCSA), the US Cybersecurity & Infrastructure Security Agency unveiled Do Your Part. #BeCyberSmart as the theme for this year. They also named “Be Cyber Smart” as the central theme for the week of October 4 (Cyber Security Awareness Month, week 1).
We would like to apply this “cyber smarts” to the ransomware problem by discussing the main drivers of RansomOps, the term for the most complex ransomware operations, which use APT-like, low-and-slow attack tactics so that they can infect as much of the target network as possible and demand even larger ransoms – some of which now exceed the $50 million mark. Let’s start by focusing on how RansomOps use Initial Access Brokers (IABs).
An overview of Initial Access Brokers (IABs)
According to Digital Shadows, IABs act as middlemen who use their own methods to break into a company’s network, typically for criminal purposes such as mining cryptocurrency or stealing account credentials to sell them on the black market. Once they gain access and establish a certain level of persistence on the targeted network, IABs often sell access to that network to other threat actors, which most often include ransomware gangs or their affiliates.
One thing that helps IABs establish and maintain access is the fact that many organizations have switched to remote working in the wake of the pandemic, which has resulted in a corresponding increase in exposed remote services that attackers can use to gain a foothold in vulnerable networks, as InfoSecurity Magazine reported. The pandemic has also prompted organizations to accelerate their adoption of cloud applications, often without implementing basic security features such as multi-factor authentication (MFA) for authorized accounts.
But it’s more complicated than that. Researchers found that insecure Microsoft Remote Desktop Protocol (RDP) deployments accounted for more than half of all ransomware attacks and, as ZDNet reports, some digital crime groups specialize in scanning the web for these exposed RDP ports. When they find them, they perform brute-force attacks to gain access and then sell that access on dark web markets, giving attackers like ransomware groups an opening through which they can gain a foothold in an organization’s network.
We would be remiss if we also ignored recent developments in the ransomware threat landscape. In mid-May, the FBI confirmed that the DarkSide ransomware gang was responsible for the attack on the Colonial Pipeline Company. DarkSide attempted to deflect that attention by attributing the attack to one of its “partners” and saying that it would screen attacks from its affiliates in the future.
Shortly afterwards, KrebsOnSecurity confirmed that DarkSide went out of business after someone seized its servers and emptied them of the cryptocurrency the gang used to pay its affiliates. It was around the same time that three Russian digital crime forums banned members from posting ransomware-related ads, The Record noted, depriving groups of one of their most trusted means of recruiting new partners for ransomware attacks.
How do IABs help RansomOps adapt?
As noted above, IABs free ransomware attackers from the arduous task of gaining initial access and moving laterally across the network so that they can infect and encrypt more assets before demanding a ransom. Ransomware actors can now essentially devote all of their time and energy to perfecting their malware payloads and coordinating operations with their affiliates.
The impact of IABs does not end there. Flashpoint has discovered that ransomware gangs like BlackMatter are using IABs to continue advertising on Russian digital crime forums. Instead of openly discussing ransomware and trying to enlist new recruits, they can simply do business with an IAB, because nothing on those forums prevents them from doing so. This gives them an opportunity to implicitly announce their current operations and to discreetly recruit affiliates.
IABs are also working to ensure that they can provide as much access as possible to targeted networks, which drives up the prices they charge. Here are some stats from The Register that are worth sharing:
- On average, IABs offer access involving stolen credentials for $7,100. That’s several thousand dollars less than the average price of RDP access at $9,800.
- Access involving the compromise of a Windows domain administrator account falls between stolen credentials and RDP access at an average price of $8,167.
- In contrast, the corporate VPN credentials on offer fetched an average price tag of $2,871.
Interestingly, IAB activity and access sales started to decline on a monthly basis in the second quarter of 2021. According to Cybersecurity Dive, this is when many IABs started to shift their sales to private forums. It is likely that they did so to better evade law enforcement.
Defending against RansomOps
The growth of the IAB market highlights the need for organizations to defend against the ever-changing ransomware threat landscape. Fortunately, organizations can take steps to protect against the RDP attack vector discussed above. They can block RDP port 3389 if they don’t need to use it, for example. If they need certain systems to support RDP, they can put them behind a firewall and monitor them for potential signs of abuse.
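The monitoring step above is where many organizations stall: RDP stays exposed because a few systems need it, but nobody watches the logon events those systems emit. The following is an added example, not code from the original post or from Cybereason, showing one way to turn Windows Security events into an alert on RDP abuse. It assumes the events have already been exported as records with the fields named below (EventID, LogonType, IpAddress, TargetUserName, TimeCreated); Event ID 4625 is a failed logon, 4624 a successful one, and LogonType 10 is RemoteInteractive, which is how RDP sessions are recorded. The sample events are constructed for the example and use documentation IP ranges.

```python
"""Flag source IPs that hammer RDP with failed logons, and escalate if a
success follows. Added example; assumes pre-parsed Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security: "An account failed to log on"
SUCCESSFUL_LOGON = 4624   # Windows Security: "An account was successfully logged on"
RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def _ev(event_id, ip, user, ts, logon_type=RDP_LOGON_TYPE):
    """Build one constructed event record with the fields the detector reads."""
    return {"EventID": event_id, "LogonType": logon_type, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": ts}


# Constructed sample telemetry (not real data): one brute-force source that
# eventually succeeds, one user mistyping a password, one slow trickle that
# never exceeds the window, and one non-RDP failure the rule must ignore.
SAMPLE_EVENTS = [
    _ev(4625, "203.0.113.7", "administrator", "2021-10-04T02:10:01"),
    _ev(4625, "203.0.113.7", "admin", "2021-10-04T02:10:13"),
    _ev(4625, "203.0.113.7", "backup", "2021-10-04T02:10:29"),
    _ev(4625, "203.0.113.7", "administrator", "2021-10-04T02:10:44"),
    _ev(4625, "203.0.113.7", "svc_sql", "2021-10-04T02:11:02"),
    _ev(4625, "203.0.113.7", "administrator", "2021-10-04T02:11:20"),
    _ev(4624, "203.0.113.7", "administrator", "2021-10-04T02:11:41"),
    _ev(4625, "198.51.100.22", "jdoe", "2021-10-04T08:30:00"),
    _ev(4625, "198.51.100.22", "jdoe", "2021-10-04T08:30:20"),
    _ev(4624, "198.51.100.22", "jdoe", "2021-10-04T08:30:45"),
    _ev(4625, "192.0.2.5", "helpdesk", "2021-10-04T09:00:00"),
    _ev(4625, "192.0.2.5", "helpdesk", "2021-10-04T09:15:00"),
    _ev(4625, "192.0.2.5", "helpdesk", "2021-10-04T09:30:00"),
    _ev(4625, "192.0.2.5", "helpdesk", "2021-10-04T09:45:00"),
    _ev(4625, "192.0.2.5", "helpdesk", "2021-10-04T10:00:00"),
    _ev(4625, "10.0.0.9", "admin", "2021-10-04T10:05:00", logon_type=2),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more failed
    RDP logons inside any sliding `window`. An alert is marked critical when a
    successful RDP logon from the same IP follows the first failure."""
    failures = defaultdict(list)   # ip -> [(time, target user)]
    successes = defaultdict(list)  # ip -> [time]
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue                # console, network and service logons are out of scope
        t = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == FAILED_LOGON:
            failures[e["IpAddress"]].append((t, e["TargetUserName"]))
        elif e["EventID"] == SUCCESSFUL_LOGON:
            successes[e["IpAddress"]].append(t)

    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        best, start = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_failure = attempts[0][0]
        success_after = any(t >= first_failure for t in successes.get(ip, []))
        alerts.append({
            "source_ip": ip,
            "max_failures_in_window": best,
            "distinct_users": sorted({u for _, u in attempts}),
            "success_after_failures": success_after,
            "severity": "critical" if success_after else "high",
        })
    alerts.sort(key=lambda a: a["source_ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The success-after-failure check is the part worth keeping even if the thresholds change: a burst of failures that ends in a successful RemoteInteractive logon is exactly the pattern an IAB leaves behind before the access is resold, and it deserves a response well before any ransomware payload appears.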
Organizations can also implement an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the subtler attack activity that can reveal an attack sooner. Such a solution allows organizations to visualize a ransomware attack wherever it occurs on their network, including the initial access and lateral movement that can precede the delivery of a ransomware payload by weeks or months, giving security teams the time to detect and respond well before any system can be encrypted.
Cybereason’s advantage over ransomware
The best strategy for organizations is to prevent a ransomware attack from succeeding in the first place. To do this, they must invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack in the early stages of initial entry, before the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.
The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware with our multi-layered prevention, detection and response, which includes:
- Anti-ransomware and deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to detect the most complex ransomware threats and end the attack before critical data can be encrypted.
- Intelligence-based antivirus: Cybereason blocks known variants of ransomware by leveraging an ever-growing pool of threat information based on previously detected attacks.
- NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants before execution.
- Fileless Ransomware Protection: Cybereason disrupts attacks using fileless and MBR-based ransomware that traditional antivirus tools miss.
- Endpoint controls: Cybereason strengthens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls, and enforcing full disk encryption on a range of device types, fixed and mobile.
- Behavioral document protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that exploit malicious macros and other stealth attack vectors.
Cybereason is committed to teaming up with defenders to end endpoint cyber attacks across the enterprise and everywhere, including modern ransomware. Learn more about ransomware defense here or schedule a demo today to see how your organization can benefit from an operation-centric approach to security.