How ransomware gangs use automation and how you can beat it

February 9, 2022 • Sam Langrock

Few topics spark conversation like security automation. Automation is the whole premise of programming: routines and repetitive patterns are entrusted to computers so that humans can work on higher priorities. For security professionals this is essential, because even a small network can have thousands of endpoints that need protecting while the security team stays tiny. The challenge organizations face in 2022 is how to automate not just the data collection and processing tasks where machines excel, but also the repetitive human decisions made every day to defend a company. Join us for a three-part automation blog series and a webinar on February 22 titled “Fight Ransomware Bots with Automation Intelligence.”

Ransomware gangs and security professionals face off much like a baseball pitcher and a hitter. In this game, criminal actors on the dark web focus on causing incidents, while security automation focuses on incident response. To increase the speed and volume of their attacks, ransomware groups apply automation throughout the attack cycle. To keep up, security professionals have turned to intelligence-driven automation, which lets companies defend themselves at scale and with the speed needed to make contact on every pitch. As in baseball, there are no ties in the cyber world. Intelligence provides the upper hand.

To help security professionals gain that advantage, Recorded Future’s Insikt Group reported on the use of automation in the criminal underground. In their report, Insikt Group identified ten key ways ransomware criminals use automation to enable their attacks.

  1. Breaches and sale of databases

Breached and compiled databases are sold on underground forums. These databases, often made up of user credentials, allow threat actors to access customer and employee accounts. Once threat actors hold such user-level accounts, they can chain in further techniques, such as local privilege escalation vulnerabilities, to gain additional access to internal systems or to commit fraud.

  2. Checkers and brute-forcers

Credentials bought on automated marketplaces need to be validated to ensure they work as the buyer expects. Tools called checkers let threat actors validate passwords for thousands of accounts quickly and efficiently. Brute-forcers are tools that automatically cycle through thousands of passwords per second; they succeed against systems that do not rate-limit or lock out failed login attempts.

  3. Loaders and crypters

Loaders and crypters are tools that let threat actors obfuscate and deliver malicious payloads while bypassing antivirus solutions.

  4. Stealers and keyloggers

Stealers and keyloggers allow threat actors to collect sensitive information from victim systems, including credentials, personally identifiable information (PII), payment card information, and other data.

  5. Banking injects

Threat actors use banking injects as fake overlays on the legitimate sites of financial institutions and similar targets, where they collect sensitive information from victims who believe they are using the legitimate site.

  6. Exploit kits

Exploit kits let threat actors deploy multiple exploits at once, so that a single delivery point can target different vulnerabilities on different victims.

  7. Spam and phishing services

Spam and phishing services give threat actors access to hundreds of thousands of potential victims for their lures.

  8. Bulletproof hosting services (BPHS)

Bulletproof hosting services (BPHS) provide hosting for malicious content and activity that resists takedown and preserves the anonymity of threat actors.

  9. Sniffers

Sniffers are injected into legitimate online shopping sites and collect sensitive information, such as customer payment card data and PII, from otherwise reputable stores.

  10. Automated marketplaces

Automated marketplaces and log providers allow threat actors to sell stolen credentials and browser fingerprints to other threat actors, who use them for fraud or to facilitate further breaches, often circumventing anti-fraud measures.

Bad actors know well how to subvert defensive automation. For example, they can craft malicious code so that it looks normal to automated scans such as antivirus. Security teams with careful monitoring and logging in place can write rules that catch the patterns and behaviors by which these apparently normal files give themselves away as malicious. But threat actors can act quickly, for example by rotating their infrastructure, to get around the block. Rules then have to be written by hand for every new malware iteration, leading to a security treadmill in which efficiency is lost to an endless loop of detecting new malware and patching the rules.
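The checker and brute-forcer behavior from item 2 and the infrastructure-rotation problem described above can be made concrete with a small detector. The following Python is an added example written for this page, not code from Recorded Future or from the Insikt Group report; the log format, the thresholds, the indicator list and the sample log lines are all constructed for illustration. It runs a static indicator rule and a behavioral rule over the same constructed authentication log: the indicator rule only catches the source IP it already knows, while the behavioral rule catches the same credential-cycling pattern again after the attacker rotates to a new IP, and also reports which credentials the attacker managed to validate.

```python
"""
Behavioral detection of automated credential checking over authentication
logs. Added example for this page, not code from the original post; the log
format, thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format: ISO timestamp,
# FAIL/OK, user=<name>, src=<ip>). Two automated runs cycle the same username
# list from two different source IPs; one human (grace) mistypes a password.
SAMPLE_LOG = """\
2022-02-09T10:00:01 FAIL user=alice src=203.0.113.10
2022-02-09T10:00:02 FAIL user=bob src=203.0.113.10
2022-02-09T10:00:02 FAIL user=carol src=203.0.113.10
2022-02-09T10:00:03 FAIL user=dave src=203.0.113.10
2022-02-09T10:00:03 OK user=erin src=203.0.113.10
2022-02-09T10:00:04 FAIL user=frank src=203.0.113.10
2022-02-09T10:05:00 FAIL user=alice src=198.51.100.7
2022-02-09T10:05:00 FAIL user=bob src=198.51.100.7
2022-02-09T10:05:01 FAIL user=carol src=198.51.100.7
2022-02-09T10:05:01 FAIL user=dave src=198.51.100.7
2022-02-09T10:05:02 FAIL user=frank src=198.51.100.7
2022-02-09T10:07:30 FAIL user=grace src=192.0.2.50
2022-02-09T10:07:45 FAIL user=grace src=192.0.2.50
2022-02-09T10:08:10 OK user=grace src=192.0.2.50
"""

# Indicator list a team might have written after seeing the first wave (assumed).
KNOWN_BAD_IPS = {"203.0.113.10"}


def parse_log(text):
    """Parse the assumed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, parts[1], user, src))
    return events


def indicator_matches(events, blocklist):
    """Static-indicator rule: it can only ever flag sources already on the list."""
    return {src for _, _, _, src in events if src in blocklist}


def detect_credential_checking(events, window=timedelta(seconds=60),
                               min_failures=4, min_users=3):
    """Behavioral rule: a source producing >= min_failures failed logins across
    >= min_users distinct usernames inside one `window` is cycling a credential
    list, whichever IP it comes from. Returns {src: summary} for flagged sources."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        fails = sorted((ts, user) for ts, result, user in evs if result == "FAIL")
        left = 0
        for right in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[right][0] - fails[left][0] > window:
                left += 1
            span = fails[left:right + 1]
            if len(span) >= min_failures and len({u for _, u in span}) >= min_users:
                # Successful logins from the same source are validated credentials:
                # those accounts need a password reset, not just an IP block.
                validated = sorted({user for _, result, user in evs if result == "OK"})
                alerts[src] = {
                    "failures": len(fails),
                    "distinct_users": len({u for _, u in fails}),
                    "validated_accounts": validated,
                }
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("indicator rule flags:", indicator_matches(evs, KNOWN_BAD_IPS))
    for src, summary in detect_credential_checking(evs).items():
        print("behavioral rule flags:", src, summary)
```

On the constructed log the indicator rule flags only 203.0.113.10, while the behavioral rule flags both that address and the rotated 198.51.100.7, and leaves the single human user alone. The thresholds are starting points to tune against real traffic, and the validated_accounts field is the part worth acting on first: an IP block stops the checker, but the credentials it confirmed are already in the attacker's hands.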

Get off the treadmill with intelligence. Intelligence gives your team a cheat code: pre-tested rules they can pull in to identify ransomware attacks and stop them before they do harm.

Join us for a webinar on February 22 titled “Fight Ransomware Bots with Automation Intelligence” to learn more about how automation can help your organization.

