4 Factors to Consider Before Building vs. Buying MDR Services

By: Brittany Holmes, Corporate Communications Manager 

When it comes to implementing a Managed Detection and Response solution, organizations often face the dilemma of choosing between building a Security Operations Center (SOC) in-house or buying a pre-existing Managed Detection and Response (MDR) solution from a vendor. The MDR market has witnessed rapid growth due to cyber threats becoming increasingly sophisticated. As a result, organizations recognize the need to ramp up their security operations by adopting MDR services that combine threat intelligence, advanced detection tools, and around-the-clock monitoring. 

Cybercriminals are increasingly developing advanced attack strategies and techniques, making it critical for all organizations to have some form24x7 coverage. Proactive threat detection, continuous monitoring, and incident response are essential components of cybersecurity, ensuring the protection of valuable assets and maintaining customer trust. 

The decision between buying and building an MDR solution should not be taken lightly, as it could significantly affect your organization’s overall cybersecurity posture and operational efficiency. There are crucial factors that need to be carefully considered before making such a decision, including the organization’s objectives and needs, budget, team expertise, technology, and availability.  

4 Factors to Consider Before Building a SOC vs. Buying MDR 

  1. Cybersecurity Budget:

    There is a common misconception that working with an MDR vendor is more expensive compared to building an in-house SOC. However, when evaluating the total cost, it becomes clear that building in-house is often more costly. It is important to consider the affordability of various components, such as equipment, software, staffing, and ongoing maintenance. In addition, outsourcing to a trusted MDR vendor can prove to be cost-effective in the long run. Breaking down the expenses can often reveal additional expenses that can add up to a higher total cost to build in-house.  

    While focusing on building your SOC, organizations may divert internal resources from core business activities, leading to potential opportunity costs. Additionally, building an in-house capability takes time and does not happen overnight, so during this time, it may be difficult to detect threats. By buying an MDR solution from a trusted MDR provider, organizations can quickly implement a robust security posture without the associated time and opportunity costs of building internally.

    Ask yourself: What costs do I need to consider for buying vs. building an MDR solution? 

  2. Security Team Expertise: 

    When considering the implementation of an MDR, organizations should carefully assess their current team’s expertise and determine where their resources and time should be spent. Suppose your organization already has an internal team of cybersecurity professionals. In that case, it may be more beneficial for them to focus on other security operations tasks rather than constantly monitoring the environment and filtering through alerts.  

    Outsourcing the MDR to a trusted vendor can provide a ready-made team of experts in addition to a threat research team, to manage security operations efficiently, allowing the internal team to allocate their time and resources to other important cybersecurity tasks. This approach can help organizations optimize their resources and ensure that the expertise of their internal team is utilized effectively.

    Ask yourself: What expertise is required for an SOC? Do I currently have a team? And where do they need to spend their time? 

  3. Available Cybersecurity Technology:

    The cybersecurity landscape is dynamic, with threat actors constantly evolving their techniques. Organizations that choose to build an in-house SOC must allocate resources for research and development to stay updated on vulnerabilities, emerging threats, and industry best practices. This includes investing in threat intelligence feeds, attending conferences, participating in information-sharing communities, and conducting regular assessments and audits. Such ongoing investments are necessary to ensure that the in-house SOC remains effective and relevant.

    In contrast to MDR vendors, they are built to help organizations take command of their security operations and compliance without the additional need for expertise. Working with an MDR vendor, you should expect consistent updates, new technologies, and innovations that evolve with the current threat landscape.  

    Regardless of the chosen approach, organizations must invest in technology to build and maintain an in-house SOC effectively. This investment includes maintaining and tuning rules, managing the technology, and ensuring seamless integration with existing infrastructure.

    Ask yourself: What technology do I have currently, and what will I need to stay updated with current threats? 

  4.  IT Stack Scalability:

    Planning for scalability in your SOC should include adapting to evolving cybersecurity threats and accommodating your business’s expanding needs. This involves assessing the size and scope of your SOC and determining the necessary resources, such as the number of employees and tools, to support its growth. 

    When it comes to scalability, building an in-house SOC may limit your options. It requires additional investments in recruiting and training staff and acquiring new tools as the business evolves. Additionally, managing the increasing amount of data ingested can become cost prohibitive.

    On the other hand, opting for MDR service providers can offer flexible pricing that allows you to adjust your security resources and requirements as needed. They can help you scale your MDR to handle more data ingestion without incurring excessive costs. 

    Ask yourself: What scalability and flexibility does my growing business need?   

Buying vs. Building an MDR Solution? 

When considering whether to buy or build an MDR solution, it is crucial to start by outlining the ideal solution and assessing the availability of resources in-house. If building is viable, evaluating the time it will take to complete the project and ensuring it aligns with the desired go-live window is important. It is also important to find an MDR solution that can grow and scale with your organization as you build it. However, if building is not feasible within the desired timeframe or at all, exploring MDR providers that can deliver a solution that closely aligns with the ideal one is advisable. The decision between building vs. buying should be seen as a flexible approach to achieving the desired outcome based on your organization’s current circumstances. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Penetration Testing as a Service vs. PenTesting

By: Brittany Holmes, Corporate Communications Manager 

Penetration testing is a vital part of cybersecurity strategies for organizations, helping them identify vulnerabilities in their systems, networks, and applications. Organizations have relied on traditional penetration testing methods, where a team of experts conducts the tests on-site. However, with the rise of technology and cloud-based services, a new approach has emerged – Penetration Testing as a Service or PTaaS.   

This blog discusses the differences between conventional penetration testing and penetration testing as a service, comparing each method. By understanding the differences, organizations can make informed decisions when choosing the right approach for their security needs. 

What is Penetration Testing as a Service (PTaaS)? And how is it different? 

Penetration testing as a service is a revolutionary cybersecurity approach that is gaining popularity. Unlike traditional penetration testing methods, penetration testing as a service takes advantage of the cloud and offers on-demand accessibility, making the entire process more efficient and seamless.  

With penetration testing as a service, organizations can securely access the testing platform through the cloud, eliminating the need for manual setup and configuration of testing environments. This significantly speeds up the testing process and allows for greater scalability since the necessary resources can be easily allocated as needed. 

Additionally, penetration testing as a service employs automation and machine learning technologies to enhance the testing process. These technologies can assist with scanning for vulnerabilities, analyzing results, and even suggesting remediation steps. As a result, it can offer more accurate and comprehensive testing, saving time and effort for organizations. 

To further investigate what solution is best for your organization, let’s explore the differences:  

Who conducts the penetration test? 

Penetration Testing:  

Penetration tests are typically conducted by specialized cybersecurity professionals known as ethical hackers or penetration testers. These individuals have extensive knowledge and experience in identifying and exploiting security vulnerabilities. They follow a systematic approach to test the effectiveness of an organization’s security controls and identify areas where improvements are needed.  

Penetration Testing as a Service: 

Many organizations choose to engage in external penetration testing services provided by third-part services, such as Managed Detection and Response (MDR) providers. These providers have specialized expertise and access to advanced tools and techniques that can comprehensively assess an organization’s security posture. 

How long does a penetration test take? 

Penetration Testing:  

The duration of a penetration test can vary depending on the availability of resources and information, the test’s scope, or the target system’s complexity. On average, a penetration test can take anywhere from a few days to several weeks to complete.   

Penetration Testing as a Service:

With penetration testing as a service, the testing is run based on your convenience or when your team wants to schedule them. Moving penetration tests to ‘as a service’ eliminates needing someone to manually set up pen tests. Instead, they can be scheduled to run on a regular basis or when you want, allowing for consistent assessments and updates. This means the duration can be longer than a one-time conventional test, but it provides more comprehensive and up-to-date security coverage. 

Will there be communication between an organization and the penetration testers? 

Penetration Testing:

During a penetration test, the communication between the penetration testers and the internal team can vary based on the policies and procedures of the organization. In some cases, there may be little to no interaction between the two groups, with the penetration testers working independently and providing updates only to a designated point of contact, such as a project manager. 

Penetration Testing as a Service: 

Two options are offered: the organization runs the tests independently, or an MDR provider manages the tests through a Progressive Penetration Testing Program  

Utilizing an MDR provider allows for seamless and direct communication between internal teams and penetration testers throughout the project, resulting in a more streamlined process. By eliminating unnecessary mediators, the exchange of information becomes more efficient and effective. 

The close collaboration enables any friction or misunderstanding to be promptly addressed, clarified, and resolved during the penetration test. This not only ensures a smoother workflow but also allows for quicker resolution of any issues. 

Additionally, it provides a valuable opportunity for the organization’s employees to enhance their skills by working alongside penetration testers. By actively participating in the penetration testing process, they can gain valuable insights and knowledge, ultimately improving their capabilities in cybersecurity. 

When can I see the results? 

Penetration Testing:  

One of the significant limitations of traditional penetration tests is the delayed communication of results. Typically, the findings are only conveyed at the end of the tests. Consequently, potentially crucial vulnerabilities may remain unaddressed for extended periods, ranging from days to even weeks. 

Penetration Testing as a Service:   

When a penetration tester detects a vulnerability, the platform immediately notifies the organization. This real-time alert allows internal teams to address the issue promptly, even before the penetration test is complete. Organizations can deploy patches and test them against cybercriminals without the need for another round of testing.  

This continuous reporting system, coupled with the ability to collaborate with penetration testers, enables the organization’s IT team to gain valuable insights into the remediation of vulnerabilities. 

Penetration Testing as a Service vs. PenTesting 

Penetration testing as a service offers organizations an affordable and convenient solution for assessing their cybersecurity vulnerabilities. Organizations can quickly identify and mitigate potential threats with on-demand access to human-led penetration testing combined with automation. It also provides continuous monitoring and real-time reports for faster resolution. This approach ensures higher accuracy and data analytics and makes penetration testing more accessible and cost-effective compared to traditional methods. By illuminating potential risks, penetration testing as a service enables organizations to adopt effective defenses and enhance their security posture. 

Ultimately, the choice between penetration testing and penetration testing as a service depends on an organization’s unique needs and financial resources. Traditional penetration testing may be ideal for certain tasks, but it is crucial to assess the areas where assistance is needed and select the most appropriate option to meet the organization’s security requirements. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Finding the Best MDR Provider to Fit Your Needs

By: Brittany Holmes, Corporate Communications Manager 

The managed services sector has had a significant influence and has been a prominent trend in the mid-market cybersecurity industry for the past few years. The MDR market is projected to increase from $1.56 billion in 2023 to $6.29 billion by 2030. Managed services, such as Managed Detection and Response (MDR), Managed Security Service Providers (MSSP), and similar solutions, have emerged in response to the demand. The accelerated growth of the MDR market mainly comes from increasing cybersecurity threats, the adoption of cloud computing, the shortage of cybersecurity talent, and the increase of the Internet of Things (IoT).  

Last year, the global cost of a data breach was USD 4.45 million, which was a 15% increase over 3 years, according to IBM’s latest report. Due to this increase, organizations are investing in MDR services to help reduce their risk of attacks and irreputable damage. As a result, organizations seek a cybersecurity partner to provide all-inclusive cybersecurity services.  

With all the solutions out there, it can be challenging to decide on the right solution for your organization. In this blog, we go back to the basics and break down the different flavors of MDR solutions and what to look for in a provider.  

What is Managed Detection and Response (MDR)? 

It is important to understand MDR and the key aspects that differentiate MDR from traditional security services and its proactive approach to detecting, analyzing, and responding to potential cybersecurity threats. It differs from traditional security services and goes beyond solely relying on automated tools and includes human expertise to continuously monitor and investigate potential security incidents.  

Unlike traditional monitoring services, MDR does not only rely on alerts for incident response. It involves a team of skilled cybersecurity professionals who actively investigate and triage potential threats, providing an extra layer of expertise and context. These professionals work closely with organizations, leveraging their knowledge to understand the unique threat landscape and tailor response strategies accordingly.  

What sets MDR apart is the detection and response of threats. MDR provides a proactive approach that enables organizations to stay one step ahead of cybercriminals, significantly reducing the risk of successful breaches. 

Breaking Down the Flavors of MDR 

When it comes to MDR providers, it’s important to recognize that not all MDRs are the same. While they all aim to provide businesses with the necessary tools and services to detect and respond to security threats, the capabilities and offerings can vary significantly.  

From the sources they pull security data from to the level of response services they provide, MDR providers differ in their approaches and focus areas. Understanding these differences is crucial for organizations looking to choose the right MDR provider that aligns with their specific needs and requirements. 

There are two broad classes of MDR providers: Pure-play MDR and managed endpoint or SIEM. 

#1 Pure-Play MDR 

This category of MDR service providers relies on a proprietary mix of third-party security tools and solutions, such as endpoint, SIEM, cloud access, or others, to collect logs and alerts. These providers use a customized technology stack, which their 24/7 Security Operations Center (SOC) monitors. Most pure-play MDR providers cannot decouple their technology stack from their SOC service offerings. While effective at detecting and responding to threats, this closed-loop approach often limits their ability to offer co-management, work effectively with partners and customer providers, and leaves customers reliant on their SOC to provide reports.  

#2 Managed Endpoint (EDR) or SIEM  

Given the expertise and dedicated resources required to properly manage endpoint and SIEM solutions, many customers outsource management to an MDR or managed IT service provider. Over the last few years, leading providers now offer a managed service based on their core technology offering. This managed service provides updating and operations, detection investigation, and specific response services based on the capabilities of their core technology offering. 

What to Look for in an MDR Provider 

The capabilities and functions of MDR providers can seem overwhelming, so how do you choose one that makes sense for your organization and cybersecurity strategy? First, to ensure the protection of your organization, it is crucial to verify the efficiency of an MDR solution before investing in it. This means making sure that the capabilities fit your needs and understanding that not all solutions are created equally. Here is a list of considerations when evaluating: 

  • Coverage: What methods are used to provide the greatest visibility beyond the endpoint?  
  • Detection: What methods are used to identify threats? Are they applying machine learning or artificial intelligence to detect advanced threats?  
  • Investigation: Will they alert you when things seem malicious? Or do they investigate and confirm for you? Investigations are dependent on the available telemetry, and it is essential to clarify if the provider will investigate alerts or simply notify you. 
  • Response: What does the host containment look like? Do they isolate systems, preventing the spread? Or block network traffic? 
  • Remediation: What type of guidance and/or recommendations will you receive and in what method?  

There are several other factors to consider when choosing an MDR. For example, understanding the service level agreements and communication methods for incident response is crucial. For instance, can you access the same portal as the provider to stay updated on the incident? Can you directly interact with the security analyst to discuss the incident? Also, it is important to evaluate the provider’s reporting capabilities and determine if it is easy to extract the required information when needed. 

Finding the Right Solution  

Cybersecurity professionals have one of the toughest jobs protecting organizations from threats that are changing daily. To help, EDR vs. XDR vs. MDR: The Cybersecurity ABCs Explained breaks down the three primary threat detection and response solutions while giving you visuals to help find the right solution that fits your organization’s criteria.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



4 Myths About MDR Security

By: Brittany Holmes, Corporate Communications Manager 

Small and medium-sized businesses (SMBs) constantly search for ways to enhance their data protection and resilience against persistent cybercriminals. However, their security service providers frequently struggle to tackle advanced threats effectively and often don’t know where to start. This has led to a growing interest in Managed Detection and Response (MDR) solutions, which offer around-the-clock proactive defense for organizations with limited resources. As the threat landscape and MDR market continue to evolve, both Managed Security Service Providers (MSSPs) and customers are facing confusion and uncertainty.

In this blog, we debunk common myths surrounding MDR. Our team frequently hears these misconceptions and wants to provide you with the real insights and realities behind them. By dispelling these myths, we will help you understand MDR better and find the ideal solution for your needs.

Myth #1: MDR is too expensive

Fact: Many MDR providers scale to fit your needs in terms of tools and resources, which can be expensive and difficult to replicate internally.

There is a common misconception that MDR services are too expensive for most organizations to afford. However, it is important to consider the value and monetary savings that MDR can provide in the long run. While there is a cost associated with implementing MDR, it is essential to compare it with the alternative options of handling detection and response in-house or not addressing it at all.

When considering the economic situation and the need for budgetary constraints, it is crucial to note that cybercrime is projected to cost the global economy $10.5 trillion annually by 2025. This staggering amount represents the greatest transfer of economic wealth in history.  Specifically, ransomware is expected to be a major threat this year as access to powerful tools becomes increasingly easier and more affordable.

While building an in-house detection and response capability may be an option, it is important to recognize the advantages of partnering with an MDR service provider. These providers scale to fit your needs in terms of tools and resources, which can be expensive and difficult to replicate internally. In addition, it takes a considerable amount of time to establish an effective in-house detection and response capability, whereas MDR service providers can offer a turnkey solution that can be up and running in just 90 minutes.

It is important to note that while cost-effectiveness is a key factor, it is equally important to not simply go for the cheapest solution available. Choosing an MDR provider solely based on price may result in minimal level of service, limited capabilities, and insufficient telemetry.

Finding an MDR provider that strikes a balance between cost and capability ensures that your organization receives the highest level of protection and response.

Myth #2: Our existing solutions will protect us

Fact: New threats emerge daily that may go undetected or be missed by your existing cybersecurity measures, so it is important to have a 24×7 team in place, so nothing slips through the cracks.

Another common misconception is that having other cybersecurity measures in place makes MDR unnecessary. While these measures can offer some level of protection, they are insufficient to ensure complete security for your organization. This is because the landscape of cyber threats is constantly changing and evolving. New threats can emerge that may go undetected or be missed by your existing cybersecurity measures.

This is where MDR plays a crucial role. By continuously monitoring for dangers and providing real-time response, it offers an additional layer of protection that complements your existing security measures. It ensures that your organization is always defended against the full range of cyber threats. In addition, top-notch MDR services also include threat intelligence and human-led threat hunting, which enhances the effectiveness of threat detection. With MDR, you can be confident that your organization is receiving proactive protection against cyber threats.

Myth #3: “Our organization is too small for MDR”

Fact: SMBs are targeted by cybercriminals because they tend to have fewer resources and less robust cybersecurity measures in place.

Many believe that MDR is only essential for larger businesses and organizations that handle vast amounts of sensitive data. While it is true that larger businesses may face greater risks and potential reputational damage from cyberattacks, this does not mean that smaller businesses are immune to such threats. In fact, smaller businesses are frequently targeted precisely because they tend to have fewer resources and less robust cybersecurity measures in place.

For cybercriminals, smaller businesses become attractive targets due to their perceived vulnerabilities as cybercriminals search for easier, less-protected organizations. As a result, successful ransomware attacks can have devastating consequences for smaller organizations. The impact can be so catastrophic that it jeopardizes the very existence of these businesses, disrupting critical systems and processes.

However, MDR services can level the playing field and provide the same protection to small and medium-sized businesses as to their larger counterparts. By implementing MDR services, these organizations can ensure they are fully protected. MDR helps strengthen their cybersecurity defenses and safeguards their sensitive data, reducing the likelihood and severity of cyberattacks. 

Myth #4: MDR takes too long and is too difficult to set up

Fact: Adlumin’s Security Operations Platform takes 90 minutes to implement. 

While MDR may involve advanced technology, implementing it is not complicated. MDR providers, like Adlumin, offer support throughout the implementation process to ensure your organization achieves success. Implementing the Security Operations Platform and MDR is fast and effortless without requiring excessive IT resources or abandoning existing investments.

Adlumin’s platform is cloud-native and serverless, which means onboarding is simple, regardless of your architecture or technology. Our turnkey deployment allows organizations to establish powerful threat detection and response capabilities quickly and smoothly within a matter of minutes rather than months or years. Try a free two-week trial to see the value yourself.  

Advance Your Security with MDR

MDR services are a vital solution in today’s evolving threat landscape, offering around-the-clock proactive defense for organizations of all sizes. MDR is cost-effective in the long run compared to building an in-house capability and provides superior threat detection and mitigation. It complements existing cybersecurity measures, ensuring complete protection against evolving cyber threats. In addition, MDR is essential for SMBs that are frequently targeted by cybercriminals.

Despite the advanced technology involved, MDR implementation is quick and straightforward with the right provider. By partnering with a trusted MDR service provider like Adlumin, organizations can strengthen their security defenses, safeguard sensitive data, and know they are protected 24/7. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Top 4 Cybersecurity Predictions to Be Aware of for 2024

The Adlumin Threat Research Team has peered into the future and unveiled their top predictions for the upcoming year.

With each passing year, hackers become more sophisticated and the consequences of a breach become more severe. To help organizations prepare for the challenges that lie ahead, we have compiled this list of the top four cybersecurity threats to be aware of.  

From the growing threat of Ransomware-as-a-Service (RaaS) to the increasing impact of AI tools, these predictions will arm IT Directors with the knowledge they need to protect their organization from potential risks. So, buckle up and prepare for the top four cybersecurity challenges in the new year. 

1. Increase in Ransomware-as-a-Service (RaaS) Attacks 

Ransomware attacks have become more sophisticated, causing financial, operational, and reputational damage to businesses and organizations. RaaS refers to the model where cybercriminals offer ransomware tools and infrastructure to other hackers, who then deploy the ransomware on their behalf. This has enabled malicious actors with less sophisticated technical skills to carry out ransomware attacks, and share the profits with the original creators.

The rise in RaaS actors is alarming because it lowers the barrier to entry, making ransomware attacks accessible to a broader range of cybercriminals. This means we can anticipate a surge in ransomware attacks as more individuals and groups access these tools. This trend threatens organizations of all sizes and sectors, as no one is immune to being targeted by ransomware attacks. 

2. Shift from Data Encryption to Data Extortion Ransomware 

Ransomware has been a long-standing top cybersecurity threat, but in the new year, a shift in its tactics is predicted. Traditionally, ransomware attacks involved encrypting victims’ data and demanding a ransom for release. However, cybercriminals are expected to focus on data extortion increasingly.

This shift means threat actors will also exfiltrate sensitive information from victims’ systems and encrypt data. They will then threaten to release or sell this data if the ransom is not paid. This new approach adds an extra layer of pressure on organizations to comply with the attackers’ demands, as the exposure of sensitive data can lead to severe consequences, including reputational damage, regulatory penalties, and legal liabilities. 

3. Increased Focus on Cyberattacks Against Hospitality   

This cybersecurity threat prediction for the new year highlights the potential increased focus on attacks targeting the hospitality industry and the expected rise in the sophistication of fraud schemes. As the hospitality sector relies heavily on technology and handles a vast amount of customer data, it has become an attractive target for cybercriminals. This prediction suggests that attackers will continue to exploit vulnerabilities in hotel networks, reservation systems, point of sale (POS) terminals, and other digital platforms to steal confidential information. 

For example, the Marriot Hotel has faced multiple cybersecurity breaches over the past couple of years. Their most recent breach resulted in losing 20 gigabytes of sensitive customer and employee data including credit card information in an extortion attempt.   

4. Increased Impact from Malicious AI Tools

The increased impact of malicious AI tools on both attackers and defenders is predicted to be a major cybersecurity threat. AI technology has evolved significantly, creating a new era in cyberattacks and defense strategies. Cybercriminals leverage AI tools to amplify the scale and sophistication of their attacks, making them harder to detect and mitigate. AI-powered malware can self-propagate, adapt, and evolve, posing immense challenges to traditional cybersecurity measures.

Organizations also protect themselves by using AI tools to enhance their security capabilities. AI can help identify and analyze threats in real-time, assist in incident response, and automate cybersecurity processes. However, these AI tools can generate false positives or negatives, leading to missed or misinterpreted threats and potentially unlocking vulnerabilities.

The use of AI on both sides creates a dynamic and rapidly evolving cybersecurity landscape. Attackers can leverage AI algorithms for advanced evasion techniques. On the other hand, defenders have the daunting task of keeping up with AI-powered attacks while navigating through potential inaccuracies or blind spots in their AI-enabled defense systems. 

Illuminate Threats and Eliminate Risks in 2024

The threat of data breaches and ransomware attacks loom over organizations of all sizes and sectors. It’s no longer a matter of if your organization will get breached or attacked with ransomware but rather when. The harsh reality is that no system is invincible, and cybercriminals are continually finding new ways to exploit vulnerabilities.

While it can be challenging for IT teams to keep pace with evolving threats, innovative technology solutions and security measures are available to alleviate the strain. Organizations can automate threat detection and prevention processes by leveraging advanced security solutions like a Security Operations Platform and pairing them with Managed Detection and Response (MDR) Services, effectively mitigating the risks associated with cyber attacks.

Through the use of AI and machine learning, these solutions analyze vast amounts of data, identify anomalies, and respond to potential threats in real-time, empowering organizations to defend against cyber threats proactively.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Unmasking the Top Ransomware Groups of 2023

Over the past year, the digital landscape has been a battleground for attacks cybersecurity threats, creating a sense of vulnerability and urgency for organizations. Adlumin’s dedicated threat research and Managed Detection and Response (MDR) teams have been at the forefront of detecting and combating these threats, witnessing firsthand the havoc they have wreaked across countless sectors.  

With ransomware groups and adversaries still on the rise and continually refining their techniques, organizations must remain vigilant and prepared for the malicious activities that lie ahead.  

As we enter the new year, we are shedding light on the top ransomware groups and emerging threats that demand our attention and resilience. 

Ransomware Group Spotlights 

BianLian   

BianLian is a versatile cybercriminal group that has expanded its tactics beyond ransomware attacks. They employ advanced techniques such as customized malware, targeted phishing, and zero-day exploit usage. The group’s expertise is in evading antivirus systems and exploiting unknown software vulnerabilities. 

The BianLian group is a serious threat and is an example of a ransomware group targeting organizations hoping to receive big payouts. 

Read Adlumin’s latest Threat Insights 2023: Volume IV to learn more about two emerging threat actors and three critical vulnerabilities.  

CL0p 

Cl0p, also known as Clop, TA505, and FIN11, is a notorious ransomware group that is known for its advanced tactics and operations. They employ a ransomware-as-a-service (RaaS) model and utilize the double-extortion data disclosure tactic. Their motivation is financial gain through extorting organizations by encrypting their data and demanding ransom payments in exchange for its release. 

Cl0p first emerged in 2019 as a variant of CryptoMix malware distributed through a large-scale phishing campaign. Over time, they have evolved into one of the most sophisticated and effective ransomware groups, frequently exploiting zero-day vulnerabilities to target and compromise numerous systems across the globe. 

Read more about the CL0P ransomware group, trends, and developments in Adlumin’s Threat Insights 2023: Volume II

LockBit 

LockBit is a ransomware group that operates as a Ransomware-as-a-Service (RaaS) model. They provide other cybercriminals, known as “affiliates,” with their ransomware tools to spread and infect victims’ systems. LockBit’s main motivation is financial gain through extortion. They target organizations, particularly in professional services like manufacturing, construction, and technology, by accessing their networks and encrypting their data.  

A ransom payment is demanded in exchange for the decryption key, threatening to leak the stolen data if the ransom is not paid. LockBit’s focus is mainly on small to medium-sized companies. However, they have also targeted larger organizations with victims in North and South America, with no clear regional pattern in targeting.  

Adlumin’s Threat Insights: Volume I give an in-depth analysis of the latest trends and an overview of the effects and recovery from recent ransomware attacks.  

Akira Ransomware 

Akira ransomware is a relatively new malware that emerged in March 2023. The threat actors behind Akira ransomware employ various tactics, such as phishing campaigns and exploiting vulnerabilities in remote monitoring and management software, remote desktop protocol, and other remote access tools. They have also been reported to exploit vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products. 

The motivation of Akira ransomware threat actors is believed to be financial gain. Like most ransomware groups, they encrypt the victim’s files and demand ransom. These ransom payments are typically made in cryptocurrencies, making tracing and identifying the perpetrators harder. 

Read more about Akira Ransomware and the examination from Adlumin’s threat research team in A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware

PlayCrypt 

Play ransomware has been a significant threat since its emergence in 2022, targeting numerous companies and government entities worldwide. This development of PlayCrypt being sold as a service means that PlayCrypt is now accessible to affiliates, essentially allowing a wider range of actors to launch highly effective attacks using this Russia-linked ransomware.  

Affiliates could include skilled cybercriminals, less experienced “script kiddies,” and individuals with varying levels of expertise. This expansion may lead to a substantial increase in the frequency of attacks using Play ransomware. 

Learn more about how Adlumin uncovered evidence that Play ransomware (PlayCrypt) is also being sold “as a service” in PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Top Industry-Specific Threat Spotlights   

Legal Industry: Phishing 

Phishing attacks have emerged as one of the legal industry’s top cybersecurity threats. These attacks target lawyers and law firms by deceiving individuals into revealing sensitive information such as usernames, passwords, and financial details. Given the substantial amount of valuable and confidential data law firms handle, they have become prime targets for cybercriminals. 

Phishing attacks in the legal industry often take the form of scam emails, mimicking trusted sources like IT service providers, law enforcement agencies, or other professionals with whom lawyers regularly interact. These emails typically employ social engineering tactics to create urgency or manipulate emotions, tricking recipients into clicking on malicious links or downloading malware-infected attachments. 

Adlumin’s latest Threat Insights Legal Edition report details top threats and access methods the legal industry faces.  

Financial Industry: Credential Harvesting 

Financial institutions are particularly vulnerable to credential harvesting attacks because they deal with large volumes of sensitive customer information and transactions. If cybercriminals successfully harvest credentials from bank customers, they can gain direct access to their accounts, potentially leading to financial losses for the customers and the institution.  

These attacks typically start with creating fake websites that closely resemble legitimate banking or investment websites. These fake websites often utilize convincing branding, formatting, and domain names almost identical to the targeted companies. This mimicry is intended to deceive users into thinking they are logging into their actual financial accounts. 

Read more about top threats and access methods the financial industry faces in Adlumin’s latest Threat Insights Financial Edition report.  

 Education Industry: Double Extortion 

Double extortion ransomware has emerged as one of the biggest cybersecurity threats to the education sector. Cybercriminals employ this dangerous tactic to maximize their chances of profiting from malicious activities. Double extortion takes the already damaging effects of ransomware attacks to a whole new level. 

In a traditional ransomware attack, cybercriminals encrypt the victim’s data, rendering it inaccessible until a ransom is paid. However, double extortion ransomware goes a step further. Instead of relying solely on encryption to extort money, cybercriminals also threaten to publicly expose or release the stolen data unless the ransom is paid. 

Read more about how double extortion affects the education industry and mitigation strategies in Adlumin’s latest Threat Insights Education Edition report.  

How Can You Stay Protected? 

Organizations must prioritize their cybersecurity and take proactive measures to protect their sensitive data and networks. Adlumin’s Managed Detection and Response (MDR) service provides a solution to address the growing threat of ransomware and other cyber attacks.  

Here are a few recommendations from Adlumin’s Threat Research Team 

  • Third-party risk management programs should be implemented to assess and monitor the security of vendors and suppliers, and to ensure they are adhering to the same security standards as the financial institution. 
  • Implement application controls to manage and control the execution of software, including allowlisting access programs. 
  • Adopting Zero Trust Architecture, developing and implementing a Zero Trust security architecture and model for your organization can dramatically reduce the risk of unauthorized access and lateral movement within networks. This involves verifying every user and device, regardless of location.  
  • Multi-factor authentication should be implemented where possible to prevent unauthorized access if credentials are stolen. 
  • All employees should be regularly trained in essential cybersecurity best practices, including social engineering identification, phishing, password security, re-use threats, and good browsing hygiene.   

Adlumin’s Managed Detection and Response (MDR) Services combines advanced threat detection capabilities with a team of dedicated experts who monitor and respond to suspicious activities around-the-clock. By incorporating machine learning and AI, Adlumin can quickly detect and respond to potential threats before they cause significant damage. In addition to consistently monitoring ransomware groups’ latest trends and tactics, enabling organizations to stay ahead of their attackers. 

Take the Tour

Discover how Adlumin’s Security Operations Platform paired with MDR Services empowers your team to effectively detect and respond to threats and lightens your team’s workload. Take the platform tour and elevate your organization’s visibility to new heights. 

Embracing AI in Cybersecurity: The Ultimate Resource Round-Up

By: Brittany Holmes, Corporate Communications Manager 

As we move into the new year and reflect on 2023, we have learned the stakes for cybersecurity have reached unprecedented heights. Cyber threats continue to grow in complexity, leaving organizations and individuals vulnerable to data breaches, ransomware attacks, and increasingly sophisticated cyberattacks. Artificial Intelligence (AI) has emerged and risen as a powerful ally in the fight against threats and adversaries.

In this blog post, we’ll explore the current state of AI in cybersecurity as of 2023 and provide Adlumin’s AI round-up of resources to help equip you for the upcoming year. 

AI in Cybersecurity 

AI in cybersecurity has become integral to protecting modern digital systems this past year. Machine learning algorithms analyze and identify patterns in vast amounts of data, enabling organizations to efficiently detect and mitigate potential cyber threats.  

Cybercriminals leverage AI to sabotage defenses, accelerate the development of their tactics and tools like phishing lures, and even lie dormant in the hands of an advanced persistent threat (APT) that’s playing a long game deploying an AI mole in the halls of government or in the defense industry. 

To learn more, read The Intersection of AI and Cybersecurity: A Closer Look.’ 

Making Cybersecurity Faster and Smarter 

The concept of automation often blends into the artificial intelligence (AI) world, where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but it’s based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways. 

To learn more about automation in a Security Operation Center (SOC) and the pros and cons of automation used in cybersecurity, read ‘How Automation Makes Cybersecurity Faster and Smarter: The Pros and Cons.’ 

AI is Used to Detect Lateral Movement 

Adlumin’s Data Science team constantly develops more robust and holistic solutions for automated defense against network intrusion and data exfiltration. Adlumin recently flagged lateral movement incidents on a customer’s network. The detection was achieved via an AI algorithm designed to aggregate suspicious incidents until they collectively project a high-fidelity threat signal. This prevented further compromise of valuable resources, and Adlumin detection response teams advised the client on remedial action.  

Learn more about how Adlumin’s AI detected and remediated this incident inHow AI is Used to Detect Lateral Movement.’ 

Current, Upcoming, and Future AI Technology   

At Adlumin, we develop AI applications for cyber defense, bringing specific techniques to bear. The central challenge for AI in cyber applications is to find “needle in haystack” anomalies from billions of data points that mostly appear indistinguishable. The applications in this domain are usefully grouped under the term User and Entity Behavior Analytics, involving mathematical baselining of users and devices on a computer network followed by machine-identification of suspicious deviations from baseline. 

Organizations need to build a cybersecurity infrastructure embracing the power of AI, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams to scale and protect the complex attack surfaces of organizations. So, when evaluating security operations platforms, organizations need to know how AI can help identify, prioritize risk, and help instantly spot intrusions before they start.  

Learn more about suggested AI solutions to integrate into your cybersecurity plan, AI risks, and pitfalls in Unraveling Cyber Defense Model Secrets: The Future of AI in Cybersecurity.’ 

Embracing AI in Cybersecurity 

The AI round-up of resources highlights the significant role that artificial intelligence, deep learning, and machine learning techniques play in protecting organizations from the evolving landscape of cybersecurity threats. With the increasing complexity and sophistication of these threats, it is crucial for organizations to leverage powerful AI algorithms to analyze vast amounts of data and identify potential security breaches.   

By embracing automation and integrating AI into their cybersecurity strategies, organizations can enhance their security operations, making them faster, smarter, and more effective in detecting and mitigating cyber threats. This collection of resources provides valuable insights and tools to help organizations build a robust cybersecurity infrastructure that can stay ahead of cybercriminals and safeguard their data and systems in the years to come. 

Enhance Your Team 

The chase to stay ahead of threats is not slowing down. Gain valuable insights into the future of threat detection and response with latest Gartner report on emerging tech.  

Learn how AI can enhance your team’s capabilities and shine a bright light on hidden risks.  

Adlumin’s Threat Insights: Latest Adversaries and Vulnerabilities

Adlumin’s quarterly threat insights focus on rising risks and vulnerabilities affecting businesses. With cyberattacks becoming increasingly prevalent, organizations of all sizes are at risk. Last year, around 76% of organizations were targeted by ransomware, emphasizing the urgent need for businesses to prioritize cybersecurity measures.

Adlumin’s latest report aims to provide insights by examining cyber threats, tactics, and procedures utilized by threat actors, identifying targeted industries and fresh avenues for infiltration, and offering an understanding of the methods employed by these malicious actors. Understanding the tactics and procedures employed by threat actors is crucial in mitigating these risks and safeguarding organizations.

By downloading  Adlumin’s Threat Insights 2023: Volume IV you will gain valuable insights into the latest trends and developments and actionable recommendations to enhance your proactive defense strategies and mitigate cyberattack risks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network.

Three Actions to Mature Your Security Posture

By: Brittany Holmes, Corporate Communications Manager 

When cybercriminals are consistently evolving their tactics, ensuring the security of your organization’s data and systems has never been more crucial. The increasing sophistication of cyber threats demands that businesses constantly level up their security practices to stay one step ahead of potential breaches. To achieve this, organizations need to go beyond having a security operations platform and consistently think about the potential of their platform. 

While there are various components to consider, three practices stand out as fundamental pillars for strengthening security maturity: vulnerability management, penetration testing, and security awareness training.  

This blog explores each of these components and highlights the reasons why, even implementing just one can significantly elevate your organization’s security posture.

Level Up #1: Vulnerability Management  

Vulnerability management is all about keeping your organization’s network safe from potential threats. You can quickly identify and tend to vulnerabilities, reducing the time it takes to patch them by automating the process. This automated system also provides valuable information about the risks these vulnerabilities pose and offers advice on how to fix them.

It helps you prioritize which vulnerabilities need immediate attention based on the potential harm they could cause. This proactive approach reduces the amount of time that attackers have to exploit these weaknesses, making your network more secure. Implementing vulnerability and patch management is not only a best practice for IT security but also helps ensure compliance with industry regulations. CIS Critical Security Control also indicates CVM as a requirement for meeting IT security best practices and compliance.

Vulnerability Management in Action

Vulnerability management levels up an organization’s security posture by identifying and addressing security weaknesses in its systems and networks. By regularly and consistently managing vulnerabilities, organizations can reduce the attack surface, prevent potential breaches, and enhance overall security resilience.

Here are a few signs that indicate your organization can benefit from Vulnerability Management: 

  1. You want to make the most of your security investments: Vulnerability management helps determine the return on security investment (ROSI), showing the potential financial losses that security measures can prevent. By promptly identifying vulnerabilities within your organization’s environment, these programs reduce the risks and potential costs of cyber-attacks.
  2. You need to streamline your vulnerability management program: Managing vulnerabilities manually can be time-consuming and inefficient. Vulnerability management technologies automate the process, allowing for real-time identification of vulnerabilities as they arise.
  3. You operate in a high-targeted industry: Certain industries, such as financial services or healthcare, are often the primary targets for cyber attacks. Implementing vulnerability management becomes even more crucial if your organization falls within these high-profile sectors.
  4. Your organization is experiencing rapid growth: As your organization expands, it becomes more vulnerable to cyber threats. With vulnerability management, you can ensure that your expanding network and systems are constantly protected. 

Level Up #2: Penetration Testing 

A penetration test, or pen test, is like a real-life game of “cybercriminals vs. defenders” that organizations play to protect themselves from cyber attacks. Experts try to break into the company’s systems in a controlled environment just like a real cybercriminal would. They go through different tactics, like finding weak spots in the system, sneaking in undetected, and even planting malicious software. 

Pen tests are so important because they help organizations understand how strong their defenses are. It’s like testing their security measures to see if cybercriminals could exploit any holes or vulnerabilities. It’s like getting an outside perspective on how well-protected you are.

By simulating real attacks, pen tests can uncover weak spots that the organization’s own security experts might have missed. It’s a way to shine a light on risks that might go unnoticed from the inside. The great thing about pen testing is that it identifies vulnerabilities and shows how much damage they could cause if someone were to exploit them. It gives organizations a heads up on where they need to tighten their security belts.  

Penetration Testing in Action 

Penetration tests can actually help strengthen a company’s security processes and strategies. When executives at an organization see the results of these tests, they can understand the potential damage that could occur and prioritize fixing those vulnerabilities. A skilled penetration tester can provide recommendations to build a solid security infrastructure and help allocate the cybersecurity budget wisely. 

Here are a few reasons your organization might need Penetration Testing:  

  1. You will find system vulnerabilities before cybercriminals
  2. You have the ability to strengthen security strategies and processes 
  3. You will reduce attack dwell time and lower remediation costs 
  4. You will stay compliant  
  5. You can preserve customer loyalty and brand reputation 

Level Up #3: Security Awareness Training 

Security awareness training is a way for IT and security professionals to teach employees to protect themselves and their organizations from cyber threats. It helps employees understand how their actions can put the organization at risk and how to avoid common mistakes.   

In addition, there are common standards and legislations that require organizations to have a security awareness training program in place, KnowB4 details the following: 

  • US State Privacy Laws 
  • NERC CIP 
  • CobiT 
  • Federal Information Security Management Act (FISMA) 
  • Gramm-Leach Bliley Act 
  • ISO/IEC 27001 & 27002 
  • Sarbanes-Oxley (SOX) 
  • Health Insurance Portability & Accountability Act (HIPAA) 
  • PCI DSS 

Research shows that most security breaches are caused by human error, so training is essential in preventing data breaches and other security incidents. It covers topics like proper email, internet usage, and physical security measures like not letting unauthorized people into the office. The best proactive security awareness programs are engaging and delivered in small doses but consistently to fit into employees’ busy schedules.  

Security Awareness Training in Action 

Having proper security awareness training for your team is crucial. It increases your organization’s security and saves you time and money in the long run. By educating your employees about the various threats and risks out there, you can prevent them from making simple mistakes that could hurt your organization.

Think about it – a single moment of carelessness, like checking an email on a public Wi-Fi network, could result in a major breach. But if everyone in your organization knows the dangers and takes the necessary precautions, the chances of a security breach are significantly reduced.  

Here are a few benefits of implementing a Security Awareness Program: 

  1. Saving time and money: Data breaches and similar attacks cost organizations billions of dollars each year. So, spending money on training is a small price to pay if it protects you from potential cyber threats. Time is another valuable resource that can be saved with proper cybersecurity training. If an attack occurs, your team will spend a lot of time the damage and finding ways to prevent future breaches.
  2. Employee empowerment: When your employees are well-informed about phishing emails, malware, and other common threats, they feel confident in recognizing and handling these situations. They won’t have to second-guess themselves or waste time seeking help from IT for simple issues.
  3. Continued customer trust: A data breach can severely damage your reputation. Losing the trust of customers not only results in a loss of revenue but can also impact your partnerships with other organizations. 

Leveling up Your Security Maturity

Cybersecurity detection is not just a fancy term or an added feature to your cybersecurity strategy. It is a proactive approach that can save you from the chaos and damage caused by cyber threats. It’s like shining a light into the shadows where cybercriminals hide, exposing their every move and giving you the upper hand.

By taking these components into consideration, you can stop threats in their tracks and prevent them from causing havoc. Whether it’s implementing one or all of the key components discussed, taking action is crucial.

Organizations can ease the burden on their IT teams by leveraging solutions that provide comprehensive threat detection and response capabilities. Adlumin offers enterprise-grade Managed Detection and Response Services that operate as an extension of your IT team.

For more information about why implementing proactive security measures is essential to leveling up your security maturity, download “The Executive’s Guide to Cybersecurity.” 

PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Key Takeaways

  • Adlumin uncovered evidence that Play ransomware (also known as PlayCrypt) is now being sold “as a service.” Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Making it available to affiliates that might include sophisticated hackers, less-sophisticated “script kiddies” and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware.
  • In recent months, Adlumin has identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.
  • Based on the attacks Adlumin has witnessed, small and mid-sized organizations are being targeted and are especially at risk. However, ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it. Security teams should watch for indicators of compromise (IOCs) including malicious IP addresses, domains, TOR addresses, emails, hashes and executables, including the ones identified in the article below.

The Patterns

Play, also known as “PlayCrypt,” was discovered last summer disrupting government agencies in Latin America.  Months later threat actors began using it for targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting their networks.

Since August, the Adlumin MDR team has tracked separate Play ransomware attacks in different industries. In the attacks Adlumin observed, threat actors used the same tactics, techniques, and procedures (TTP) and followed the same order of steps — almost identically. Furthermore, the indicators of compromise (IOCs) for both incidents were almost indistinguishable.

One of those IOCs includes threat actors using the public music folder (C:\…\public\music) to hide malicious files. Another was using almost the same password to create high privilege accounts. And, in both attacks, many of the same commands were observed.

This high level of consistency in methods used by threat actors is telling. First, it highly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. And second, the targeted victims shared a common profile; they were smaller organizations that possessed the financial capacity to entertain ransoms reaching or exceeding $1 million.

The RaaS Kit Market

Purchasing RaaS kits is not difficult, it simply requires a TOR connection and membership to the right dark net forum or market. Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.

Below are two ads that Adlumin acquired from RaaS operators peddling their products in the dark web.

Other ransomware ads obtained included those that offered “set-up assistance” “for as low was $200,” and those with “no fees.” Adlumin also observed advertisements offering full builds from $300 to $1100 “ready for deployment.”

One of the ads described the malware being offered as using “many cutting-edge evasion techniques including proprietary methods.”

And in some ads, RaaS operators boasted having ransomware kits for targeting MacOS systems.

“We have developed a new MacOS ransomware as we noticed a lack of it,” the ad read.

At least one post, stated that the ransomware for sale was what “the cool kids are using,” alluding that someone doesn’t have to be “cool” – or perhaps, highly skilled – to purchase and use it.

Easy Enough for a Script Kiddie

Script kiddies are individuals who possess fundamental hacking skills and the knowledge to deploy and execute exploits written by experienced threat actors. They’re able to learn new skills easily and eventually, often become “real hackers” themselves.

Since 2015, researchers have written about the ability script kiddies have for deploying ransomware and often working side-by-side with well-known threat actor organizations.

In March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. The raid included the arrest of teenagers and young adults with ages ranging from 13 to 21, according to the BBC.  It’s not clear, however, if the youngsters were script kiddies simply due to their age.

With enough documentation and technical support – and with generative AI tools now being able to assist them as well – a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often include a higher degree of basic mistakes that make them easier for an organization with capable cybersecurity operation to stop.

For example, Adlumin has observed ransomware attacks foiled by its security operations platform or its MDR team during an attack’s early stages. In some cases, threat actors don’t even get the chance to encrypt files. There are also incidents where SOAR actions within the Adlumin platform disable accounts created by threat actors, effectively locking them out from the network. Sometimes attacks are carried out, but no data is exfiltrated.  

Money to be Made

Ransomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that don’t pay are publicly shamed by RaaS operators on the clear or dark web.

For script kiddies of any age, ransomware may seem like a great way to make a living and become rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”

When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.

Breadcrumbs

IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack can be very useful to analysts, researchers, and law enforcement. They serve as clues to help put together what transpired during the incident and how. They can also offer some insight about the level of sophistication of the attackers.

When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.

Anything an attacker does in a network can help authorities if they are contacted after an incident. This is why investigators request that victims share any IOCs that could help with their investigations. Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with threat actors, the decryptor file, and a sample of an encrypted file can be very useful.

If a newbie or script kiddie isn’t meticulous with their work, the FBI could soon be knocking on their door.Conclusion

Ransomware attacks continue to be among the most prevalent cyber threats and increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not less. And if more novice attackers are finding that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they’ll continue to frequent dark net forums to join the most inviting ransomware affiliate group.

At the same time, novice attackers are more likely to make mistakes since they are not as experienced, potentially leaving behind significant IOCs that the authorities can use to help track and apprehend them.

The Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals on their tracks.

Furthermore, Adlumin now offers Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.

Indicators of Compromise (IOCs)

 Usernames

  • admon
  • daksj
  • admin

Objects

  • exe
  • zip.json.PLAY
  • exe
  • exe
  • PLAY
  • exe
  • ini.PLAY
  • aut
  • omaticDestinations-
  • PLAY
  • exe
  • json.PLAY
  • cdp.PLAY
  • HeartBea
  • updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY
  • exe
  • cookie.PLAY
  • js.PLAY
  • exe

Paths

C:\\Users\\Public\\Music

\\Device\\HarddiskVolume3\\CollectGuestLogsTemp

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

C:\\windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Google\\Chrome\\

User Data\\Default\\Cache\\Cache_Data

Hash: null

C:\\Windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\Mup\\10.20.0.15\\C$\\$Recycl

e.Bin\\S-1-5-21-3568089881-786281157-

4253494709-1103

Hash: null

\\Device\\HarddiskVolume2\\Users\\AAD

_00864e0326c2\\AppData\\Roaming\\Mi

crosoft\\Windows\\Recent\\AutomaticDe

stinations

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\Mup\\10.20.0.15\\C$\\Users\\

administrator\\AppData\\Local\\ConnectedDevicesPlatform

Hash: null

\\Device\\Mup\\10.20.0.15\\C$\\Package

s\\Plugins\\Microsoft.EnterpriseCloud.Mo

nitoring.MicrosoftMonitoringAgent\\1.0.1

8067.0\\Status

Hash: null

\\Device\\HarddiskVolume2\\ProgramDat

a\\USOPrivate\\UpdateStore

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Microsoft\\Windo

ws\\INetCookies

Hash: null

\\Device\\HarddiskVolume4\\Program

Files\\Microsoft Monitoring

Agent\\Agent\\APMDOTNETCollector\\W

eb\\Scripts\\V7.0\\js

Hash: null

C:\\PerfLogs

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6