Ransomware Groups Focus on Defense Evasion to Steal Data

Ransomware operators are putting more effort into avoiding detection so that they can stay on victim networks longer, according to a recent report from Cisco Talos. The shift is driven by the double-extortion model, in which attackers not only encrypt systems but also threaten to leak stolen data unless a ransom is paid.

Double extortion requires dwell time: the actors need to stay on the network long enough to map its structure, identify valuable data and locate resources that can support the rest of the operation. As a result, once they have initial access they rely on a range of techniques to evade detection while moving laterally.

Key evasion tactics include disabling security software, obfuscating malware code, modifying the Windows Registry, and establishing persistence through automated start-up mechanisms. Once persistence is secured, attackers concentrate on locating and exfiltrating sensitive data before encrypting the network and demanding payment.

One significant trend the report identifies is the growing use of data exfiltration, rather than encryption alone, as the primary lever for extortion. Attackers typically stage the stolen data with compression and encryption tools, which also hides its contents from inspection, and then transfer it to adversary-controlled external servers, either directly or over their command-and-control channels.
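The two preceding paragraphs describe behaviours a defender can look for on endpoints: security software being switched off, Registry changes that create persistence, obfuscated command lines, and encrypted archives being built and shipped out. The following Python script is an added example written for this page, not code from Cisco Talos or from the article; it runs a handful of detection rules over constructed Sysmon-style telemetry lines (EventID 1 for process creation, EventID 13 for Registry value writes) and reports which attack stages are visible on the host. The rule names, the log format and all sample lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style telemetry (not real data from any incident). The
# attack-like lines are interleaved with benign ones to show the rules ignore them.
SAMPLE_LOG = r'''
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -ep bypass -c Set-MpPreference -DisableRealtimeMonitoring $true"
EventID=13 Image="C:\Windows\System32\reg.exe" TargetObject="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware" Details="DWORD (0x00000001)"
EventID=13 Image="C:\Users\Public\svchost.exe" TargetObject="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater" Details="C:\Users\Public\svchost.exe"
EventID=1 Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\svchost.exe /ru SYSTEM"
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
EventID=1 Image="C:\Program Files\7-Zip\7z.exe" CommandLine="7z a -pS3cretPass -mhe=on D:\staging\finance.7z \\fileserver\finance"
EventID=1 Image="C:\Tools\rclone.exe" CommandLine="rclone copy D:\staging remote:backup --transfers 8"
EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad C:\Users\alice\notes.txt"
EventID=13 Image="C:\Windows\explorer.exe" TargetObject="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" Details="DWORD (0x00000001)"
'''

# key="quoted value" or key=bare_value pairs; quoted values may contain spaces and '='
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one telemetry line into a dict of field name -> string value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


@dataclass
class Event:
    event_id: int
    image: str
    cmdline: str = ""   # process-creation events
    target: str = ""    # registry events: full key\value path


def to_event(fields):
    return Event(int(fields["EventID"]), fields.get("Image", ""),
                 fields.get("CommandLine", ""), fields.get("TargetObject", ""))


@dataclass
class Rule:
    name: str           # "<stage>.<behaviour>"; stage is used for the summary
    event_id: int       # which event type the rule applies to
    field: str          # Event attribute the pattern is matched against
    pattern: re.Pattern


RULES = [
    # Disabling security software: Defender turned off via cmdlet or policy key
    Rule("evasion.defender_disabled_cmdlet", 1, "cmdline",
         re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    Rule("evasion.defender_disabled_registry", 13, "target",
         re.compile(r"\\Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\Disable\w+)$", re.I)),
    # Obfuscation: base64-encoded PowerShell command line
    Rule("evasion.encoded_powershell", 1, "cmdline",
         re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Persistence through automated start mechanisms: Run keys, scheduled tasks, services
    Rule("persistence.run_key", 13, "target",
         re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)),
    Rule("persistence.scheduled_task", 1, "cmdline",
         re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    Rule("persistence.service_create", 1, "cmdline",
         re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    # Exfiltration staging: password-protected archives, then bulk transfer tooling
    Rule("exfil.encrypted_archive", 1, "cmdline",
         re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\s+a\b.*\s-p\S+", re.I)),
    Rule("exfil.sync_tool", 1, "cmdline",
         re.compile(r"\b(rclone|megasync|megacmd)(\.exe)?\s+(copy|sync|move|put)\b", re.I)),
]

STAGE_ORDER = ("evasion", "persistence", "exfil")


def match_event(event):
    """Names of every rule that fires on this event."""
    return [r.name for r in RULES
            if r.event_id == event.event_id and r.pattern.search(getattr(event, r.field))]


def scan(log_text):
    """Return [(process image basename, [rule names])] for events that triggered a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = to_event(parse_line(line))
        hits = match_event(event)
        if hits:
            findings.append((event.image.rsplit("\\", 1)[-1], hits))
    return findings


def stages_seen(findings):
    """Attack stages present on the host, in kill-chain order. All three together on one
    host is the pre-encryption footprint the report describes: evade, persist, stage and ship data."""
    present = {name.split(".", 1)[0] for _, hits in findings for name in hits}
    return [s for s in STAGE_ORDER if s in present]


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for image, hits in results:
        print(f"{image:16} {', '.join(hits)}")
    print("stages observed:", " -> ".join(stages_seen(results)))
```

The value of the summary is the combination: a single encrypted-archive creation is often a sysadmin, and a single Run key is often an installer, but Defender being disabled, a new autostart entry, and a password-protected archive followed by a cloud sync tool on the same host within a short window is the sequence that precedes the ransom note. In production these rules would be fed from Sysmon or EDR telemetry into the SIEM, keyed by host and time window, rather than run over a text file.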

Ransomware actors are also exploiting both known and zero-day vulnerabilities in public-facing applications to gain initial access, escalate privileges and establish persistence. Three vulnerabilities the report highlights are CVE-2020-1472 (Zerologon, in the Windows Netlogon protocol), CVE-2018-13379 (a path traversal in Fortinet FortiOS SSL VPN that exposes credentials) and CVE-2023-0669 (pre-authentication remote code execution in Fortra GoAnywhere MFT), all of which have been used by major ransomware groups in recent attacks. That a 2018 VPN flaw still appears on the list says as much about patching backlogs as about attacker sophistication.

To defend against these tactics, organizations are advised to patch promptly (every CVE above has a fix available), enforce strong password policies and multi-factor authentication, segment the network, centralize logging in a SIEM, apply least-privilege access controls, and keep the number of systems exposed to the Internet to a minimum.

By tracking the tactics, techniques and procedures ransomware groups actually use and implementing these defensive measures, organizations can strengthen their security posture and reduce the risk posed by these increasingly sophisticated threat actors.

Article Source
https://www.infosecurity-magazine.com/news/ransomware-defense-evasion-data/