Once the ransomware messes up your ops, expect polite demands for serious coin
Criminals behind ransomware attacks are drinking the digital disruption Kool-Aid, changing their attack methods in new and nasty ways to target business according to forensics outfit Mandiant.
Ransomware and extortion hacks are on the up, the firm says, along with the quiet compromise of code.
It is part of the findings into the US company’s forensic examinations into some of the biggest breaches of last year.
Mandiant does not reveal its clients but the company does business with household names and interacts with some of the world’s most sophisticated attackers.
“Gunslinger” attackers driven by profit now dominate attacks on business and use Bitcoin as a means to receive ransom payments.
“The most interesting new trend in 2015 was an increase in the number of disruptive attacks we responded to,” researchers write in the report [PDF].
Why waste energy spear phishing when you can pop a partner?
“This past year has shown disruptive attacks have a real effect on organisations large and small.
“Some of these attacks were purposely carried out in public, and involved leaking data or broadcasting ransom demands in an attempt to embarrass or damage the victims in some way [and] we have seen cases where the attackers tried to remain private.”
Mandiant does not say whether the companies have paid the private ransoms – although in one instance it busted a disgruntled staffer with customer records in hand – but this reporter understands enterprises often pay ransoms for the most serious and capable attacks that cannot be expediently thwarted.
The firm is one of the few to sensibly acknowledge that ransom payment can be the best bet in some scenarios with a mind that attackers may come back with demands for more cash.
It says ransom threats are typically emailed in with demands that sit in a Goldilocks zone of not too high to be ridiculous and not too low to make attackers look lightweight.
Disruptive hackers can also be script kiddies and therefore just as likely to raid the public database of a library as they are to than attempt to drop dox for a serious government agency.
Some attackers have used system-level privileges to destroy drives using scheduled tasks tasks that reboot wipe and reboot boxes. Others targeted specific systems obliterating workstations, servers, and domain controllers.
The firm also notes that the bulk export of personal identifiable information is booming and has reached new heights.
One tracked Chinese threat actor exported US social security numbers and other records in batches of a million per transfer.
Attackers are also starting to regularly pop networking gear during hacks in a bit to maintain persistence.
Cisco router images are a choice target for some, with an unnamed telco finding its firmware had been exfiltrated, back-doored, and re-flashed with matching timestamps by an impressive attack group.
Outsourcing partners are another perennial security risk, the forensics firm warns.
Popping partners allows criminals to shortcut the attack lifecycle avoiding the need to create spear-phishing emails and reducing the chance of detection. ®