The first half of 2023 saw a dramatic increase in ransomware attacks, with over 2000 incidents: a 67% increase over H1 2022 and the highest number of hacks and leaks recorded in any six-month period since 2021. Unfortunately, that puts 2023 on track to be the biggest year ever for ransomware attacks, which no doubt has many companies on edge, wondering, "Are we next? Are we prepared?"
While not all ransomware is the same, many groups deploy a predictable pattern of tactics: an MO, or modus operandi, much like an organized crime family. Studying these ransomware families offers not only visibility into their typical access vector and the execution of their attacks but also valuable insight into how organizations like yours can defend against them.
Over the past few months, NCC Group's Digital Forensics and Incident Response team has encountered a series of ransomware crime families, each displaying common yet distinct tactics, techniques, and procedures (TTPs). Here's what we've learned and some actions your organization can take to be better prepared.
Active ransomware groups
Avoid BlackCat's witchcraft for Windows and Linux.
First detected in November 2021, BlackCat stirs up a cauldron of turmoil with its ransomware-as-a-service (RaaS) model that gives multiple threat actors access to your systems and serves up a double-extortion scheme. After encrypting and exfiltrating your data, the threat actors then blackmail you for the ransom by threatening to publish it.
Because it is written in Rust, a memory-safe language that compiles readily for multiple platforms, it can target both Windows and Linux, which gives it a broad attack surface, fast performance, and sinister efficiency.
But BlackCat's dark magic isn't infallible. Here's what to do:
- Implement multifactor authentication (MFA). BlackCat's threat actors exploit weak passwords, so training users on the importance of strong passwords and enabling MFA can thwart access.
- Deploy an Endpoint Detection & Response (EDR) solution. EDR vastly improves an organization's ability to identify and contain a threat actor.
- Require User Account Control (UAC). BlackCat exploits a specific command-line tool in the Windows Registry, and mandating UAC can limit access and the ability to execute remote commands, scripts, and applications.
D0nut glaze over these security tips.
Another double-extortion scheme, D0nut adds a sticky layer by encrypting the hypervisor, locking down virtual machines, and bringing your systems to a standstill for (potentially) weeks on end. After gaining network access through an externally facing service, D0nut moves laterally to find and compromise a host storing sensitive data for exfiltration.
In a devilishly delicious twist, it also attempts to terminate any antivirus or EDR processes and prevents Windows Defender from interfering with its dirty deeds, rendering your systems defenseless.
Best practices to defend against this sugar-coated nightmare include:
- Isolate hypervisors. Placing this critical virtual machine infrastructure in a separate domain or workgroup can thwart access and encryption.
- Disable unused services. This is a smart strategy across the board, because any unused or dormant tool can be a prime target for bad actors. In this case, disabling Secure Shell (SSH) on ESXi hosts is key.
- Restrict internet access on servers. Permit external access only to known, trusted IP addresses and domains required for operations, to prevent command-and-control communications and data exfiltration.
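The SSH-on-ESXi hardening above, as an added PowerCLI example that is not from the NCC Group post: it reports every host whose SSH service is running or set to start automatically, and optionally stops it and pins the start policy to manual. It assumes VMware PowerCLI is installed and Connect-VIServer has already been run against the vCenter; the -Remediate switch is this script's own.

```powershell
# Added example: audit ESXi hosts via vCenter for exposed SSH and optionally turn it off.
# Assumes the VMware PowerCLI module and an existing Connect-VIServer session.
param([switch]$Remediate)

function Get-EsxiSshExposure {
    # One row per host: is SSH running now, and will it come back after a reboot?
    foreach ($vmhost in Get-VMHost) {
        $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        [pscustomobject]@{
            Host    = $vmhost.Name
            Running = $ssh.Running
            Policy  = $ssh.Policy      # 'on', 'off' or 'automatic'
            Service = $ssh
        }
    }
}

# Anything running, or anything that would auto-start, counts as exposed.
$exposed = Get-EsxiSshExposure | Where-Object { $_.Running -or $_.Policy -ne 'off' }
$exposed | Select-Object Host, Running, Policy | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in $exposed) {
        if ($row.Running) {
            Stop-VMHostService -HostService $row.Service -Confirm:$false | Out-Null
        }
        # Policy 'Off' means start/stop manually only, so SSH stays down after reboots.
        Set-VMHostService -HostService $row.Service -Policy 'Off' | Out-Null
        Write-Host "SSH stopped and set to manual-only on $($row.Host)"
    }
}
```

Run it without -Remediate first to review the list, then re-run with the switch once any host that legitimately needs SSH has been excluded.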
Avoid the trap of NoEscape.
A relatively new addition to the ransomware crime family tree, NoEscape traps victims with a triple threat: the double extortion of ransomware and data exfiltration, plus the ability to add on a Distributed Denial of Service (DDoS) or spam campaign to cause further havoc.
NoEscape targets public-facing infrastructure, in some cases via exploitation of a Microsoft Exchange server, as NCC Group observed during one investigation. While its perpetrators seem somewhat less sophisticated, using a kitchen-sink approach to disable antivirus and dump credentials, NoEscape is still surprisingly efficient, with only about a 30-day turnaround from initial access to data exfiltration and ransomware execution.
While it might seem hopeless, here are some of our essential findings to help avoid a NoEscape situation:
- Patching. Vulnerable external-facing servers are NoEscape's access point of choice, and keeping up to date with patching across your entire environment, including the application level, is the first line of defense.
- Tooling and configuration. Deploy EDR, MFA, and a Security Information and Event Management (SIEM) system to identify, prevent, and investigate any suspicious activity as quickly as possible and minimize damage.
- Incident simulation. Having a ransomware mitigation plan is only helpful if you can execute it. Simulation training provides real-world experience to ensure your plan is effective and helps you learn to adapt to unexpected twists (like a DDoS) before a real compromise occurs.
Don't let Medusa turn your backups to stone.
Like its namesake, this double-extortion RaaS attack can petrify even the most resilient organization. Not only does Medusa wreak havoc with its prolonged defense evasion (nearly a year in some cases), data exfiltration, and ransomware, but it also inhibits recovery by deleting all local and cloud backups as well as all virtual machines from the Hyper-V storage.
Once Medusa sets her gaze on an external-facing web server, she deploys web shells to gain access, creates a new admin user on the server, and then unleashes her wrath, ultimately publishing leaked data to the newly launched Medusa Blog.
Avoid getting petrified by Medusa with these tips:
- Disable the WDigest registry key. When WDigest is enabled, Windows keeps logon credentials in memory in cleartext, allowing a threat actor to dump them. Disabling it and ensuring it stays disabled can prevent this credential access.
- Isolate hypervisors. Place them in a separate domain or add them to a workgroup so that a compromise of the domain in which the hosted virtual machines reside doesn't expose the hypervisors.
- Double-check backups. Regularly test backup solutions and run offline/truly immutable backups routinely so that if a threat actor sabotages online backups, offline ones are still available.
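The WDigest check above, as an added PowerShell example that is not from the NCC Group post: it reads the UseLogonCredential value under the WDigest security provider key, reports whether cleartext credential caching is enabled, and pins it to 0. It assumes an elevated session on the host being checked.

```powershell
# Added example: audit and remediate the WDigest UseLogonCredential setting that,
# when set to 1, lets cleartext credentials sit in LSASS memory.
# Assumes this runs as administrator on the host being checked.
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestState {
    # Returns 'Enabled', 'Disabled' or 'NotSet'. On Windows 8.1 / Server 2012 R2
    # and later an absent value means caching is off by default, but an explicit 0
    # is still preferred so that a later change to 1 stands out in an audit.
    $item = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-WDigestDisabled {
    # Create the key if it is missing and write an explicit DWORD 0.
    if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }
    New-ItemProperty -Path $WDigestPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-WDigestState
Write-Host "WDigest before: $before"
if ($before -ne 'Disabled') {
    Set-WDigestDisabled
    Write-Host "WDigest after:  $(Get-WDigestState)"
}
```

To make sure it stays disabled, push the same value with Group Policy Preferences and alert on registry value writes to this path (for example Sysmon Event ID 13), since attackers commonly flip it back to 1 before dumping credentials.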
Securing your territory
In each of these ransomware cases, a failure to prevent and detect the attacker meant they were inside the IT environment unobserved for extended periods, and inadequate security measures allowed them to disrupt their victims' organizations successfully.
Although threat actors are continuously evolving their tactics and techniques, there are several risk mitigation activities NCC Group recommends that clients implement:
- Assess and improve backup and restoration capabilities.
- Ensure your threat detection, vulnerability, and patch management activities are fit for purpose.
- Periodically verify the robustness of your network, including its segmentation and endpoints.
- Implement antimalware software and consider application whitelisting.
- Review and improve your Identity and Privileged Access Management.
- Develop and periodically exercise your Ransomware and Incident Response playbooks.
While every organization will have its own unique context, applying these best practices and strategic recommendations can provide a strong defense to avoid becoming the next victim.
Having a reliable DFIR partner at hand through a retainer agreement will give your organization, customers, and investors additional peace of mind. Our practitioners can assist your cyber and legal strategies before, during, and after incidents, helping reduce the impact and duration of a ransomware attack.
Stay tuned to NCC Group's Global Threat Intelligence blog.
Find the latest cyber security research, threat actor developments, deep dives into the Tactics, Techniques, and Procedures (TTPs) we're observing, and up-to-date defense tactics.