Ransomware is evolving and today’s operators are mostly interested in going after high-value targets, as opposed to casting a wide net. This is according to a new report from cybersecurity company Trend Micro.
In the report, the company explains that most contemporary ransomware operators have a "ruthless focus" on organizations posting more than $1 billion in revenue. With IT security teams and SOCs "already stretched", the threat becomes even greater.
Trend Micro analyzed a total of 16 ransomware groups operating between March 2020 and January 2021. Of these, Conti, DoppelPaymer, Egregor, and REvil were the most dangerous in terms of the number of victims, while Cl0p hosted the largest amount of stolen data (5TB).
The attack process is similar across the board. Attackers first gain access to the network through weak credentials on exposed RDP services, or through other externally facing HTTP services. They then use legitimate administrative tools to move laterally across the network in search of valuable systems and data. The next step is a "call home" channel, usually set up with Cobalt Strike over protocols that pass through firewalls, such as HTTP, HTTPS, and DNS.
Once enough data has been exfiltrated and key systems identified, the ransomware payload is launched and the network encrypted and locked. The attackers then threaten to publish the stolen data on Tor-hosted leak sites unless a ransom is paid.
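As an added illustration of two stages of that chain (example code written for this page, not part of Trend Micro's report), the following Python script runs simple detection logic over constructed log lines: it flags a source IP that fails many RDP logons and then succeeds, and a client that sends many distinct, long, high-entropy DNS labels to one parent domain, the shape of DNS-based "call home" traffic. The log formats, hostnames, IP addresses and thresholds are all assumptions made for the example.

```python
"""Detection sketch for two stages of the ransomware chain described above:
(1) credential guessing against an exposed RDP service, and
(2) DNS-based command-and-control ("call home") traffic.
All log lines below are constructed for this example, not from a real incident."""
import math
import re
from collections import defaultdict

# --- Stage 1: credential guessing on an exposed RDP service -------------------
# Constructed extract in a simplified Windows Security log shape (assumed format).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
RDP_LOG = """\
2021-01-10T02:00:01Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2021-01-10T02:00:02Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2021-01-10T02:00:03Z EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2021-01-10T02:00:04Z EventID=4625 LogonType=10 User=svc_sql Src=203.0.113.7
2021-01-10T02:00:05Z EventID=4625 LogonType=10 User=helpdesk Src=203.0.113.7
2021-01-10T02:00:06Z EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2021-01-10T02:00:07Z EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2021-01-10T08:12:44Z EventID=4625 LogonType=10 User=mlee Src=10.20.0.15
2021-01-10T08:12:59Z EventID=4624 LogonType=10 User=mlee Src=10.20.0.15
"""

RDP_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_rdp_events(text):
    """Return only RDP (LogonType 10) logon events, in log order."""
    events = []
    for line in text.splitlines():
        m = RDP_RE.match(line.strip())
        if m and m.group("lt") == "10":
            events.append(m.groupdict())
    return events


def find_rdp_bruteforce(events, threshold=5):
    """Flag sources with >= threshold failed RDP logons and record whether a
    successful logon from the same source followed (guessed/weak password)."""
    failures = defaultdict(int)
    success_after = {}
    for e in events:  # events are assumed to be in time order
        if e["eid"] == "4625":
            failures[e["src"]] += 1
        elif e["eid"] == "4624" and failures[e["src"]] >= threshold:
            success_after[e["src"]] = e["user"]
    return {src: {"failures": n, "success_user": success_after.get(src)}
            for src, n in failures.items() if n >= threshold}


# --- Stage 2: "call home" over DNS --------------------------------------------
# Constructed resolver log (assumed format). The first five queries carry
# 32-character hex labels under one parent domain; the last two are ordinary.
DNS_LOG = """\
2021-01-10T02:15:00Z client=10.20.0.15 qtype=TXT qname=0123456789abcdeffedcba9876543210.cdn-updates.example
2021-01-10T02:15:05Z client=10.20.0.15 qtype=TXT qname=13579bdf02468ace02468ace13579bdf.cdn-updates.example
2021-01-10T02:15:10Z client=10.20.0.15 qtype=TXT qname=fedcba98765432100123456789abcdef.cdn-updates.example
2021-01-10T02:15:15Z client=10.20.0.15 qtype=TXT qname=02468ace13579bdffedcba9876543210.cdn-updates.example
2021-01-10T02:15:20Z client=10.20.0.15 qtype=TXT qname=8ace02468ace024613579bdf13579bdf.cdn-updates.example
2021-01-10T02:16:00Z client=10.20.0.33 qtype=A qname=mail.corp.example
2021-01-10T02:16:01Z client=10.20.0.33 qtype=A qname=intranet.corp.example
"""

DNS_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def find_dns_tunneling(text, min_label_len=30, min_entropy=3.0, min_queries=4):
    """Group queries by (client, parent domain) and flag groups that contain
    many distinct long, high-entropy leftmost labels: data smuggled in names."""
    suspects = defaultdict(set)
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        label = m.group("qname").split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            suspects[(m.group("client"), parent_domain(m.group("qname")))].add(label)
    return {key: len(labels) for key, labels in suspects.items()
            if len(labels) >= min_queries}


if __name__ == "__main__":
    print("RDP brute force:", find_rdp_bruteforce(parse_rdp_events(RDP_LOG)))
    print("DNS tunneling:", find_dns_tunneling(DNS_LOG))
```

On the constructed data the RDP check reports 203.0.113.7 with six failures followed by a success as jsmith, and the DNS check reports five distinct high-entropy labels from 10.20.0.15 under cdn-updates.example; the internal user with one typo and the ordinary corp.example lookups are not flagged. In production the same logic would run over Windows event 4624/4625 records and resolver logs, with thresholds tuned to the environment.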
“Modern ransomware attacks are highly targeted, adaptable and stealthy – using proven approaches perfected by APT groups in the past,” said Bob McArdle, Director of Cybercrime Research at Trend Micro. “By stealing data and locking key systems, groups like Nefilim look to extort highly profitable global organizations.”