Ransomware has become one of the most damaging threats facing businesses and organizations worldwide. According to the recent research this article draws on, ransomware attacks rose by more than 37% in 2023 compared with the previous year, and the average enterprise ransom payment exceeded $100,000.
Understanding Ransomware Attacks
Ransomware attacks are a form of cyber extortion: the attacker encrypts the victim's data (and, increasingly, steals a copy of it first) and demands a ransom in exchange for the decryption key. Group names such as Noberus, Royal, and AvosLocker are a poor basis for tracking these attacks, because groups rename themselves and swap tooling. The tactics, techniques, and procedures (TTPs) used in the hours and days before the ransomware is deployed are far more stable, and that is where this article focuses.
The Rising Trend of Misusing Legitimate Software
A notable trend in recent ransomware attack chains is the use of legitimate software in place of custom malware. Because these tools are already present in, or expected in, many environments, activity from them blends into normal administration, which makes the intrusion harder to notice and to trace back to its source. It also lowers the barrier to entry: an attacker no longer needs to write or buy custom tooling to run a damaging operation.
Remote monitoring and management (RMM) tools such as AnyDesk, Atera, TeamViewer, and ConnectWise are among the most frequently misused: they give the attacker persistent, interactive remote access that looks like ordinary IT support. ConnectWise, for example, has been used in both Noberus and Royal ransomware attacks.
Stealthy Ransomware Attacks: Misuse of Cloud Sync and Administration Tools
In a recent Noberus attack, the attackers' first exfiltration attempt, using a custom tool called ExMatter, was blocked by security software. They then fell back on Rclone, a legitimate open-source command-line tool for copying and syncing files to cloud storage, and exfiltrated the files with it instead. Blocking the custom tool was not enough; the legitimate one had to be watched as well.
Ransomware attackers also frequently use AdFind, a free command-line Active Directory query tool, to enumerate users, computers, and trusts and map the network before moving laterally. Similarly, PDQ Deploy, a software deployment tool that system administrators use to push packages and scripts to many machines at once, is misused to drop scripts across the victim network.
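As an added example (not code from the original article or from any vendor), the following Python script runs behaviour-based detections for the tools named above over a handful of constructed process-creation events of the kind an EDR or Sysmon would record. The event field names, the executable names, the sanctioned-RMM policy, and the PDQ Deploy runner process name are assumptions. The point it illustrates is that Rclone is matched on the shape of its command line (a copy/sync subcommand plus a `remote:` target) rather than on the binary name, so renaming rclone.exe does not evade the rule, while a sanctioned RMM client running from its normal install path produces no alert.

```python
"""Behaviour-based detection of dual-use tools in process-creation telemetry.

Added example; not code from the original article or from any vendor.
The events are constructed to resemble Sysmon Event ID 1 / EDR process
records. Field names, executable names, the sanctioned-RMM policy and the
PDQ Deploy runner process name are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from ntpath import basename  # parses Windows paths on any platform
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


# RMM clients named in the article (executable names assumed).
RMM_CLIENTS = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise Control",
}
# Hypothetical organisation policy: exactly one RMM product is approved.
SANCTIONED_RMM = {"ConnectWise Control"}

# rclone is matched on the command shape (subcommand plus "remote:" target),
# not on the file name, because rclone.exe is trivially renamed.
RCLONE_SUBCMD = re.compile(r"(?<![\w\\/])(copy|sync|move|copyto|moveto)\b", re.I)
# A remote is "name:" with a 2+ character name that is not followed by a
# slash or backslash, which keeps drive letters (C:\) and URLs (https://) out.
RCLONE_REMOTE = re.compile(r'(?:^|[\s"])([A-Za-z][\w-]+):(?![\\/])')
# AdFind queries typical of pre-ransomware reconnaissance.
ADFIND_RECON = re.compile(r'-f\s+"?\(?objectcategory=|-sc\s+trustdmp', re.I)
# Script interpreters and drop directories used by the PDQ Deploy rule.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DROP_DIRS = re.compile(r"\\(temp|tmp|programdata|users\\public)\\", re.I)


def _rmm_rule(ev: ProcessEvent) -> Optional[Finding]:
    product = RMM_CLIENTS.get(basename(ev.image).lower())
    if product is None:
        return None
    if product not in SANCTIONED_RMM:
        return Finding(ev.host, "unauthorised_rmm", "high",
                       f"{product} launched by {ev.user} from {ev.image}")
    # Sanctioned product, but not where the installer puts it (assumed path).
    if not ev.image.lower().startswith("c:\\program files"):
        return Finding(ev.host, "rmm_unusual_path", "medium",
                       f"sanctioned {product} running from {ev.image}")
    return None


def _rclone_rule(ev: ProcessEvent) -> Optional[Finding]:
    sub = RCLONE_SUBCMD.search(ev.command_line)
    remote = RCLONE_REMOTE.search(ev.command_line)
    if sub and remote:
        return Finding(ev.host, "rclone_exfil", "high",
                       f"rclone-style '{sub.group(1)}' to remote "
                       f"'{remote.group(1)}:' via {basename(ev.image)}")
    return None


def _adfind_rule(ev: ProcessEvent) -> Optional[Finding]:
    if basename(ev.image).lower() == "adfind.exe" or ADFIND_RECON.search(ev.command_line):
        return Finding(ev.host, "adfind_recon", "medium",
                       f"AD enumeration: {ev.command_line}")
    return None


def _pdq_rule(ev: ProcessEvent) -> Optional[Finding]:
    # PDQ Deploy runs packages on targets through a runner process (name
    # assumed). A script interpreter it spawns against a drop directory is
    # the pattern worth reviewing; PDQ itself is legitimate.
    if (basename(ev.parent_image).lower().startswith("pdqdeployrunner")
            and basename(ev.image).lower() in SCRIPT_HOSTS
            and DROP_DIRS.search(ev.command_line)):
        return Finding(ev.host, "pdq_script_drop", "medium",
                       f"script via PDQ runner: {ev.command_line}")
    return None


RULES = (_rmm_rule, _rclone_rule, _adfind_rule, _pdq_rule)


def analyse(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Run every rule over every event and return the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            found = rule(ev)
            if found:
                findings.append(found)
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ProcessEvent("WS01", "jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    ProcessEvent("SRV02", "svc_backup", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\Temp\svchost.exe",  # renamed rclone
                 r'svchost.exe copy "D:\Shares\Finance" mega:finance '
                 r"--config C:\Windows\Temp\r.conf --transfers 16 -P"),
    ProcessEvent("DC01", "admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Temp\adfind.exe",
                 'adfind.exe -f "(objectcategory=person)" > users.txt'),
    ProcessEvent("WS07", "SYSTEM", r"C:\Windows\AdminArsenal\PDQDeployRunner-1.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Windows\Temp\stop-av.bat"),
    ProcessEvent("WS03", "asmith", r"C:\Windows\explorer.exe",
                 r"C:\Program Files (x86)\ScreenConnect Client (a1b2)"
                 r"\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe"),  # sanctioned, normal path
    ProcessEvent("WS04", "asmith", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\robocopy.exe",
                 r"robocopy D:\Data E:\Backup /MIR"),  # benign copy
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.host:5} {f.rule:18} {f.detail}")
```

Run stand-alone, the script reports four findings (the AnyDesk install, the renamed Rclone copy to a `mega:` remote, the AdFind user enumeration, and the script launched through the PDQ runner) and stays silent on the sanctioned ConnectWise client and the `robocopy` job. In production the same rules would be fed from the EDR or SIEM rather than from an inline list, and the RMM and path allowlists would come from the software inventory that the mitigation section below calls for.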
The Misuse of Legitimate Cloud Infrastructure
Beyond software, attackers also abuse legitimate cloud services such as Google Drive, Dropbox, and OneDrive, both as command-and-control (C&C) infrastructure and as a destination for exfiltrated data. Traffic to these services is expected in most networks, so it rarely stands out.
Challenges for Defenders: Attacks Leveraging Legitimate Software
Defenders face a particular challenge with attacks built on legitimate software: the tools and services involved are in genuine use, so they usually cannot be blocked outright, and detection has to rest on how, by whom, and from where they are used rather than on their mere presence. The problem grows as technology shifts. As more data moves to the cloud, the cloud infrastructure itself becomes part of the attack, and tools such as Rclone are abused more and more often to move data into it.
Mitigating the Risk of Legitimate Software Misuse
Because these threats are complex and keep evolving, organizations must adopt proactive measures to protect their digital assets. The following three are the most important.
Improve Visibility: Maintain an accurate inventory of the software installed on every host and of which tools are sanctioned for which purpose. The discovery of an unsanctioned RMM, file-sync, or deployment tool should be treated as a high-priority security issue, not a housekeeping matter.
Implement Least Privilege: Grant users and service accounts only the permissions their role requires, without making their work harder than necessary. This limits how far an attacker who compromises one account can move through the network and how much data they can reach.
Go Beyond Malware Detection: Since the tools themselves are legitimate, signature-based malware detection will not flag them. Security tooling must instead detect, analyze, and respond to suspicious behavior, for example an RMM tool appearing on a host with no business need for it, or a file-sync tool pushing large volumes of data to cloud storage. Cultivating a culture of security within the organization, so that staff report unexpected tools and prompts, is equally important.
The misuse of legitimate software and infrastructure by ransomware operators underscores the need for comprehensive visibility into what runs on the network, least-privilege access, and security tooling that goes beyond malware detection. Because these techniques keep changing, defenses must be reviewed and adapted continuously rather than set once and left alone.