CYBERSECURITY ALERTS: RANSOMWARE CREWS INVESTING IN CUSTOM DATA-STEALING MALWARE, CISCO TALOS WARNS
In a recent report, Cisco Talos has hinted that ransomware crews are increasingly shifting their attention away from simply encrypting victims’ files and demanding money in return; instead, they now swipe sensitive information outright. In practice, this means that some of the more mature crime organizations are developing custom malware for data theft.
In its report published this week, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs).
These 14 were selected based on the volume and impact of their attacks, on what the Cisco report describes as ‘‘atypical threat actor behavior,’’ and on data from the criminals’ leak sites, internal tracking, and other open-source reporting, including the number of victims on their respective shaming sites.
Those listed are LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona. According to Talos, some of these gangs are developing bespoke malware for data exfiltration.
According to the report, these gangs break into their victims’ networks, snoop around and steal valuable files, and only then encrypt the data on the network. They generally post the victims’ names on their leak sites and extort (or attempt to extort) the organizations for massive sums of money; when negotiations break down, the gang leaks a sample of the stolen data to turn up the pressure on the victim to pay the ransom demanded.
SIMILAR ATTACK PATTERNS ACROSS THE GANGS
The report suggests that these gangs follow a similar pattern in their attacks: they gain initial access, establish persistence in the victim’s environment, and then build from that initial foothold.
From there, they snoop around for valuable data and credentials to steal, use that access to move laterally and escalate privileges so they can burrow deeper into the network, and finally copy the chosen data and then deploy the ransomware encryption code.
SOME OF THE GANGS PRIORITIZE INFOSTEALER MALWARE
These gangs use a combination of social engineering, network scanning, and other publicly available research to learn about their victims and how best to break into their systems. Valid accounts are the most common initial access mechanism; the tech giant reported that one of the ways these intruders obtain legitimate account credentials is through ‘‘infostealer malware,’’ as recently witnessed in the Snowflake customer data theft incidents, says Cisco Talos.
These infostealers are tools the gangs leverage to collect victims’ credentials and personal data, which they then sell as credential dumps on the dark web, according to Cisco Talos security analyst James Nutland.
THEIR CONTINUOUS FIGHT AGAINST BEING DISMANTLED
There have been efforts to curtail these threats, though the fight back is enormous, as some of these mature ransomware groups work in synergy. For example, BlackByte and LockBit offer custom-built data-exfiltration tools to their affiliates; James Nutland revealed that ‘‘their exfiltration tools target Windows hosts, are written in the Go programming language and facilitate the transfer of stolen files to an external server or cloud storage services.’’
StealBit malware was created to limit the threats; it can drag and drop files of the actors’ choosing, and this helps minimize the overall efficiency of data exfiltration, which helped dismantle some of them, such as LockBit. LockBit then had to reproduce its own proprietary StealBit malware.
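As an added defender-side example (not code from the Talos report or this article), the following Python flags the bulk-upload pattern the exfiltration tools described above produce: a single host pushing an unusually large volume of data to one external destination within a short window, marked when it happens outside working hours. The log format, hostnames, domains, window and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<UTC timestamp> <src host> <dst domain> <bytes sent>".
# Sample data made up for this example; the .invalid TLD is reserved and never resolves.
SAMPLE_LOG = """\
2024-06-03T01:02:11Z ws-017 files.example-storage.invalid 8421
2024-06-03T01:02:40Z ws-017 files.example-storage.invalid 52428800
2024-06-03T01:03:05Z ws-017 files.example-storage.invalid 73400320
2024-06-03T01:03:50Z ws-017 files.example-storage.invalid 94371840
2024-06-03T08:15:00Z ws-004 updates.vendor.invalid 12000
2024-06-03T08:16:30Z ws-004 mail.corp.invalid 45000
2024-06-03T09:00:00Z ws-017 files.example-storage.invalid 1024
"""

BUSINESS_HOURS = range(7, 19)  # assumed working hours, UTC


def parse_line(line):
    """Split one log line into (timestamp, host, destination, bytes_sent)."""
    ts, host, dst, sent = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(sent)


def find_bulk_uploads(log_text, window=timedelta(minutes=10), threshold=100 * 2**20):
    """Return {(host, dst): {"bytes": peak_window_total, "off_hours": bool}} for every
    host/destination pair whose bytes sent within any `window` reach `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, dst, sent = parse_line(line)
            events[(host, dst)].append((ts, sent))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        total, start = 0, 0
        for i, (ts, sent) in enumerate(evs):
            total += sent
            # slide the window start forward so the span covers at most `window`
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total >= threshold:
                hit = alerts.setdefault(key, {"bytes": 0, "off_hours": False})
                hit["bytes"] = max(hit["bytes"], total)
                hit["off_hours"] |= any(e[0].hour not in BUSINESS_HOURS for e in evs[start:i + 1])
    return alerts


if __name__ == "__main__":
    for (host, dst), hit in find_bulk_uploads(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: {hit['bytes']} bytes in window, off_hours={hit['off_hours']}")
```

In production the threshold should come from each host's own baseline rather than a fixed constant, and the destination list should be matched against the organization's approved storage providers.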
WE AT MACKLEMORE SOLUTIONS: At Macklemore Solutions, we don’t just give you the desired visibility; we help you build a website that can resist attacks and protect your business files.