Unmasking the Top Ransomware Groups of 2023

/in /by

Over the past year, the digital landscape has been a battleground for attacks cybersecurity threats, creating a sense of vulnerability and urgency for organizations. Adlumin’s dedicated threat research and Managed Detection and Response (MDR) teams have been at the forefront of detecting and combating these threats, witnessing firsthand the havoc they have wreaked across countless sectors.  

With ransomware groups and adversaries still on the rise and continually refining their techniques, organizations must remain vigilant and prepared for the malicious activities that lie ahead.  

As we enter the new year, we are shedding light on the top ransomware groups and emerging threats that demand our attention and resilience. 

Ransomware Group Spotlights 

BianLian   

BianLian is a versatile cybercriminal group that has expanded its tactics beyond ransomware attacks. They employ advanced techniques such as customized malware, targeted phishing, and zero-day exploit usage. The group’s expertise is in evading antivirus systems and exploiting unknown software vulnerabilities. 

The BianLian group is a serious threat and is an example of a ransomware group targeting organizations hoping to receive big payouts. 

Read Adlumin’s latest Threat Insights 2023: Volume IV to learn more about two emerging threat actors and three critical vulnerabilities.  

CL0p 

Cl0p, also known as Clop, TA505, and FIN11, is a notorious ransomware group that is known for its advanced tactics and operations. They employ a ransomware-as-a-service (RaaS) model and utilize the double-extortion data disclosure tactic. Their motivation is financial gain through extorting organizations by encrypting their data and demanding ransom payments in exchange for its release. 

Cl0p first emerged in 2019 as a variant of CryptoMix malware distributed through a large-scale phishing campaign. Over time, they have evolved into one of the most sophisticated and effective ransomware groups, frequently exploiting zero-day vulnerabilities to target and compromise numerous systems across the globe. 

Read more about the CL0P ransomware group, trends, and developments in Adlumin’s Threat Insights 2023: Volume II

LockBit 

LockBit is a ransomware group that operates as a Ransomware-as-a-Service (RaaS) model. They provide other cybercriminals, known as “affiliates,” with their ransomware tools to spread and infect victims’ systems. LockBit’s main motivation is financial gain through extortion. They target organizations, particularly in professional services like manufacturing, construction, and technology, by accessing their networks and encrypting their data.  

A ransom payment is demanded in exchange for the decryption key, threatening to leak the stolen data if the ransom is not paid. LockBit’s focus is mainly on small to medium-sized companies. However, they have also targeted larger organizations with victims in North and South America, with no clear regional pattern in targeting.  

Adlumin’s Threat Insights: Volume I give an in-depth analysis of the latest trends and an overview of the effects and recovery from recent ransomware attacks.  

Akira Ransomware 

Akira ransomware is a relatively new malware that emerged in March 2023. The threat actors behind Akira ransomware employ various tactics, such as phishing campaigns and exploiting vulnerabilities in remote monitoring and management software, remote desktop protocol, and other remote access tools. They have also been reported to exploit vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products. 

The motivation of Akira ransomware threat actors is believed to be financial gain. Like most ransomware groups, they encrypt the victim’s files and demand ransom. These ransom payments are typically made in cryptocurrencies, making tracing and identifying the perpetrators harder. 

Read more about Akira Ransomware and the examination from Adlumin’s threat research team in A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware

PlayCrypt 

Play ransomware has been a significant threat since its emergence in 2022, targeting numerous companies and government entities worldwide. This development of PlayCrypt being sold as a service means that PlayCrypt is now accessible to affiliates, essentially allowing a wider range of actors to launch highly effective attacks using this Russia-linked ransomware.  

Affiliates could include skilled cybercriminals, less experienced “script kiddies,” and individuals with varying levels of expertise. This expansion may lead to a substantial increase in the frequency of attacks using Play ransomware. 

Learn more about how Adlumin uncovered evidence that Play ransomware (PlayCrypt) is also being sold “as a service” in PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Top Industry-Specific Threat Spotlights   

Legal Industry: Phishing 

Phishing attacks have emerged as one of the legal industry’s top cybersecurity threats. These attacks target lawyers and law firms by deceiving individuals into revealing sensitive information such as usernames, passwords, and financial details. Given the substantial amount of valuable and confidential data law firms handle, they have become prime targets for cybercriminals. 

Phishing attacks in the legal industry often take the form of scam emails, mimicking trusted sources like IT service providers, law enforcement agencies, or other professionals with whom lawyers regularly interact. These emails typically employ social engineering tactics to create urgency or manipulate emotions, tricking recipients into clicking on malicious links or downloading malware-infected attachments. 

Adlumin’s latest Threat Insights Legal Edition report details top threats and access methods the legal industry faces.  

Financial Industry: Credential Harvesting 

Financial institutions are particularly vulnerable to credential harvesting attacks because they deal with large volumes of sensitive customer information and transactions. If cybercriminals successfully harvest credentials from bank customers, they can gain direct access to their accounts, potentially leading to financial losses for the customers and the institution.  

These attacks typically start with creating fake websites that closely resemble legitimate banking or investment websites. These fake websites often utilize convincing branding, formatting, and domain names almost identical to the targeted companies. This mimicry is intended to deceive users into thinking they are logging into their actual financial accounts. 

Read more about top threats and access methods the financial industry faces in Adlumin’s latest Threat Insights Financial Edition report.  

 Education Industry: Double Extortion 

Double extortion ransomware has emerged as one of the biggest cybersecurity threats to the education sector. Cybercriminals employ this dangerous tactic to maximize their chances of profiting from malicious activities. Double extortion takes the already damaging effects of ransomware attacks to a whole new level. 

In a traditional ransomware attack, cybercriminals encrypt the victim’s data, rendering it inaccessible until a ransom is paid. However, double extortion ransomware goes a step further. Instead of relying solely on encryption to extort money, cybercriminals also threaten to publicly expose or release the stolen data unless the ransom is paid. 

Read more about how double extortion affects the education industry and mitigation strategies in Adlumin’s latest Threat Insights Education Edition report.  

How Can You Stay Protected? 

Organizations must prioritize their cybersecurity and take proactive measures to protect their sensitive data and networks. Adlumin’s Managed Detection and Response (MDR) service provides a solution to address the growing threat of ransomware and other cyber attacks.  

Here are a few recommendations from Adlumin’s Threat Research Team 

  • Third-party risk management programs should be implemented to assess and monitor the security of vendors and suppliers, and to ensure they are adhering to the same security standards as the financial institution. 
  • Implement application controls to manage and control the execution of software, including allowlisting access programs. 
  • Adopting Zero Trust Architecture, developing and implementing a Zero Trust security architecture and model for your organization can dramatically reduce the risk of unauthorized access and lateral movement within networks. This involves verifying every user and device, regardless of location.  
  • Multi-factor authentication should be implemented where possible to prevent unauthorized access if credentials are stolen. 
  • All employees should be regularly trained in essential cybersecurity best practices, including social engineering identification, phishing, password security, re-use threats, and good browsing hygiene.   

Adlumin’s Managed Detection and Response (MDR) Services combines advanced threat detection capabilities with a team of dedicated experts who monitor and respond to suspicious activities around-the-clock. By incorporating machine learning and AI, Adlumin can quickly detect and respond to potential threats before they cause significant damage. In addition to consistently monitoring ransomware groups’ latest trends and tactics, enabling organizations to stay ahead of their attackers. 

Take the Tour

Discover how Adlumin’s Security Operations Platform paired with MDR Services empowers your team to effectively detect and respond to threats and lightens your team’s workload. Take the platform tour and elevate your organization’s visibility to new heights. 

Experience Adlumin’s Platform Now

Embracing AI in Cybersecurity: The Ultimate Resource Round-Up

/in /by

By: Brittany Holmes, Corporate Communications Manager 

As we move into the new year and reflect on 2023, we have learned the stakes for cybersecurity have reached unprecedented heights. Cyber threats continue to grow in complexity, leaving organizations and individuals vulnerable to data breaches, ransomware attacks, and increasingly sophisticated cyberattacks. Artificial Intelligence (AI) has emerged and risen as a powerful ally in the fight against threats and adversaries.

In this blog post, we’ll explore the current state of AI in cybersecurity as of 2023 and provide Adlumin’s AI round-up of resources to help equip you for the upcoming year. 

AI in Cybersecurity 

AI in cybersecurity has become integral to protecting modern digital systems this past year. Machine learning algorithms analyze and identify patterns in vast amounts of data, enabling organizations to efficiently detect and mitigate potential cyber threats.  

Cybercriminals leverage AI to sabotage defenses, accelerate the development of their tactics and tools like phishing lures, and even lie dormant in the hands of an advanced persistent threat (APT) that’s playing a long game deploying an AI mole in the halls of government or in the defense industry. 

To learn more, read The Intersection of AI and Cybersecurity: A Closer Look.’ 

Making Cybersecurity Faster and Smarter 

The concept of automation often blends into the artificial intelligence (AI) world, where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but it’s based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways. 

To learn more about automation in a Security Operation Center (SOC) and the pros and cons of automation used in cybersecurity, read ‘How Automation Makes Cybersecurity Faster and Smarter: The Pros and Cons.’ 

AI is Used to Detect Lateral Movement 

Adlumin’s Data Science team constantly develops more robust and holistic solutions for automated defense against network intrusion and data exfiltration. Adlumin recently flagged lateral movement incidents on a customer’s network. The detection was achieved via an AI algorithm designed to aggregate suspicious incidents until they collectively project a high-fidelity threat signal. This prevented further compromise of valuable resources, and Adlumin detection response teams advised the client on remedial action.  

Learn more about how Adlumin’s AI detected and remediated this incident inHow AI is Used to Detect Lateral Movement.’ 

Current, Upcoming, and Future AI Technology   

At Adlumin, we develop AI applications for cyber defense, bringing specific techniques to bear. The central challenge for AI in cyber applications is to find “needle in haystack” anomalies from billions of data points that mostly appear indistinguishable. The applications in this domain are usefully grouped under the term User and Entity Behavior Analytics, involving mathematical baselining of users and devices on a computer network followed by machine-identification of suspicious deviations from baseline. 

Organizations need to build a cybersecurity infrastructure embracing the power of AI, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams to scale and protect the complex attack surfaces of organizations. So, when evaluating security operations platforms, organizations need to know how AI can help identify, prioritize risk, and help instantly spot intrusions before they start.  

Learn more about suggested AI solutions to integrate into your cybersecurity plan, AI risks, and pitfalls in Unraveling Cyber Defense Model Secrets: The Future of AI in Cybersecurity.’ 

Embracing AI in Cybersecurity 

The AI round-up of resources highlights the significant role that artificial intelligence, deep learning, and machine learning techniques play in protecting organizations from the evolving landscape of cybersecurity threats. With the increasing complexity and sophistication of these threats, it is crucial for organizations to leverage powerful AI algorithms to analyze vast amounts of data and identify potential security breaches.   

By embracing automation and integrating AI into their cybersecurity strategies, organizations can enhance their security operations, making them faster, smarter, and more effective in detecting and mitigating cyber threats. This collection of resources provides valuable insights and tools to help organizations build a robust cybersecurity infrastructure that can stay ahead of cybercriminals and safeguard their data and systems in the years to come. 

Enhance Your Team 

The chase to stay ahead of threats is not slowing down. Gain valuable insights into the future of threat detection and response with latest Gartner report on emerging tech.  

Learn how AI can enhance your team’s capabilities and shine a bright light on hidden risks.  

Download Now

Adlumin’s Threat Insights: Latest Adversaries and Vulnerabilities

/in /by

Adlumin’s quarterly threat insights focus on rising risks and vulnerabilities affecting businesses. With cyberattacks becoming increasingly prevalent, organizations of all sizes are at risk. Last year, around 76% of organizations were targeted by ransomware, emphasizing the urgent need for businesses to prioritize cybersecurity measures.

Adlumin’s latest report aims to provide insights by examining cyber threats, tactics, and procedures utilized by threat actors, identifying targeted industries and fresh avenues for infiltration, and offering an understanding of the methods employed by these malicious actors. Understanding the tactics and procedures employed by threat actors is crucial in mitigating these risks and safeguarding organizations.

By downloading  Adlumin’s Threat Insights 2023: Volume IV you will gain valuable insights into the latest trends and developments and actionable recommendations to enhance your proactive defense strategies and mitigate cyberattack risks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network.

Download Now

Three Actions to Mature Your Security Posture

/in /by

By: Brittany Holmes, Corporate Communications Manager 

When cybercriminals are consistently evolving their tactics, ensuring the security of your organization’s data and systems has never been more crucial. The increasing sophistication of cyber threats demands that businesses constantly level up their security practices to stay one step ahead of potential breaches. To achieve this, organizations need to go beyond having a security operations platform and consistently think about the potential of their platform. 

While there are various components to consider, three practices stand out as fundamental pillars for strengthening security maturity: vulnerability management, penetration testing, and security awareness training.  

This blog explores each of these components and highlights the reasons why, even implementing just one can significantly elevate your organization’s security posture.

Level Up #1: Vulnerability Management  

Vulnerability management is all about keeping your organization’s network safe from potential threats. You can quickly identify and tend to vulnerabilities, reducing the time it takes to patch them by automating the process. This automated system also provides valuable information about the risks these vulnerabilities pose and offers advice on how to fix them.

It helps you prioritize which vulnerabilities need immediate attention based on the potential harm they could cause. This proactive approach reduces the amount of time that attackers have to exploit these weaknesses, making your network more secure. Implementing vulnerability and patch management is not only a best practice for IT security but also helps ensure compliance with industry regulations. CIS Critical Security Control also indicates CVM as a requirement for meeting IT security best practices and compliance.

Vulnerability Management in Action

Vulnerability management levels up an organization’s security posture by identifying and addressing security weaknesses in its systems and networks. By regularly and consistently managing vulnerabilities, organizations can reduce the attack surface, prevent potential breaches, and enhance overall security resilience.

Here are a few signs that indicate your organization can benefit from Vulnerability Management: 

  1. You want to make the most of your security investments: Vulnerability management helps determine the return on security investment (ROSI), showing the potential financial losses that security measures can prevent. By promptly identifying vulnerabilities within your organization’s environment, these programs reduce the risks and potential costs of cyber-attacks.
  2. You need to streamline your vulnerability management program: Managing vulnerabilities manually can be time-consuming and inefficient. Vulnerability management technologies automate the process, allowing for real-time identification of vulnerabilities as they arise.
  3. You operate in a high-targeted industry: Certain industries, such as financial services or healthcare, are often the primary targets for cyber attacks. Implementing vulnerability management becomes even more crucial if your organization falls within these high-profile sectors.
  4. Your organization is experiencing rapid growth: As your organization expands, it becomes more vulnerable to cyber threats. With vulnerability management, you can ensure that your expanding network and systems are constantly protected. 

Level Up #2: Penetration Testing 

A penetration test, or pen test, is like a real-life game of “cybercriminals vs. defenders” that organizations play to protect themselves from cyber attacks. Experts try to break into the company’s systems in a controlled environment just like a real cybercriminal would. They go through different tactics, like finding weak spots in the system, sneaking in undetected, and even planting malicious software. 

Pen tests are so important because they help organizations understand how strong their defenses are. It’s like testing their security measures to see if cybercriminals could exploit any holes or vulnerabilities. It’s like getting an outside perspective on how well-protected you are.

By simulating real attacks, pen tests can uncover weak spots that the organization’s own security experts might have missed. It’s a way to shine a light on risks that might go unnoticed from the inside. The great thing about pen testing is that it identifies vulnerabilities and shows how much damage they could cause if someone were to exploit them. It gives organizations a heads up on where they need to tighten their security belts.  

Penetration Testing in Action 

Penetration tests can actually help strengthen a company’s security processes and strategies. When executives at an organization see the results of these tests, they can understand the potential damage that could occur and prioritize fixing those vulnerabilities. A skilled penetration tester can provide recommendations to build a solid security infrastructure and help allocate the cybersecurity budget wisely. 

Here are a few reasons your organization might need Penetration Testing:  

  1. You will find system vulnerabilities before cybercriminals
  2. You have the ability to strengthen security strategies and processes 
  3. You will reduce attack dwell time and lower remediation costs 
  4. You will stay compliant  
  5. You can preserve customer loyalty and brand reputation 

Level Up #3: Security Awareness Training 

Security awareness training is a way for IT and security professionals to teach employees to protect themselves and their organizations from cyber threats. It helps employees understand how their actions can put the organization at risk and how to avoid common mistakes.   

In addition, there are common standards and legislations that require organizations to have a security awareness training program in place, KnowB4 details the following: 

  • US State Privacy Laws 
  • NERC CIP 
  • CobiT 
  • Federal Information Security Management Act (FISMA) 
  • Gramm-Leach Bliley Act 
  • ISO/IEC 27001 & 27002 
  • Sarbanes-Oxley (SOX) 
  • Health Insurance Portability & Accountability Act (HIPAA) 
  • PCI DSS 

Research shows that most security breaches are caused by human error, so training is essential in preventing data breaches and other security incidents. It covers topics like proper email, internet usage, and physical security measures like not letting unauthorized people into the office. The best proactive security awareness programs are engaging and delivered in small doses but consistently to fit into employees’ busy schedules.  

Security Awareness Training in Action 

Having proper security awareness training for your team is crucial. It increases your organization’s security and saves you time and money in the long run. By educating your employees about the various threats and risks out there, you can prevent them from making simple mistakes that could hurt your organization.

Think about it – a single moment of carelessness, like checking an email on a public Wi-Fi network, could result in a major breach. But if everyone in your organization knows the dangers and takes the necessary precautions, the chances of a security breach are significantly reduced.  

Here are a few benefits of implementing a Security Awareness Program: 

  1. Saving time and money: Data breaches and similar attacks cost organizations billions of dollars each year. So, spending money on training is a small price to pay if it protects you from potential cyber threats. Time is another valuable resource that can be saved with proper cybersecurity training. If an attack occurs, your team will spend a lot of time the damage and finding ways to prevent future breaches.
  2. Employee empowerment: When your employees are well-informed about phishing emails, malware, and other common threats, they feel confident in recognizing and handling these situations. They won’t have to second-guess themselves or waste time seeking help from IT for simple issues.
  3. Continued customer trust: A data breach can severely damage your reputation. Losing the trust of customers not only results in a loss of revenue but can also impact your partnerships with other organizations. 

Leveling up Your Security Maturity

Cybersecurity detection is not just a fancy term or an added feature to your cybersecurity strategy. It is a proactive approach that can save you from the chaos and damage caused by cyber threats. It’s like shining a light into the shadows where cybercriminals hide, exposing their every move and giving you the upper hand.

By taking these components into consideration, you can stop threats in their tracks and prevent them from causing havoc. Whether it’s implementing one or all of the key components discussed, taking action is crucial.

Organizations can ease the burden on their IT teams by leveraging solutions that provide comprehensive threat detection and response capabilities. Adlumin offers enterprise-grade Managed Detection and Response Services that operate as an extension of your IT team.

For more information about why implementing proactive security measures is essential to leveling up your security maturity, download “The Executive’s Guide to Cybersecurity.” 

PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

/in /by

Key Takeaways

  • Adlumin uncovered evidence that Play ransomware (also known as PlayCrypt) is now being sold “as a service.” Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Making it available to affiliates that might include sophisticated hackers, less-sophisticated “script kiddies” and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware.
  • In recent months, Adlumin has identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.
  • Based on the attacks Adlumin has witnessed, small and mid-sized organizations are being targeted and are especially at risk. However, ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it. Security teams should watch for indicators of compromise (IOCs) including malicious IP addresses, domains, TOR addresses, emails, hashes and executables, including the ones identified in the article below.

The Patterns

Play, also known as “PlayCrypt,” was discovered last summer disrupting government agencies in Latin America.  Months later threat actors began using it for targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting their networks.

Since August, the Adlumin MDR team has tracked separate Play ransomware attacks in different industries. In the attacks Adlumin observed, threat actors used the same tactics, techniques, and procedures (TTP) and followed the same order of steps — almost identically. Furthermore, the indicators of compromise (IOCs) for both incidents were almost indistinguishable.

One of those IOCs includes threat actors using the public music folder (C:\…\public\music) to hide malicious files. Another was using almost the same password to create high privilege accounts. And, in both attacks, many of the same commands were observed.

This high level of consistency in methods used by threat actors is telling. First, it highly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. And second, the targeted victims shared a common profile; they were smaller organizations that possessed the financial capacity to entertain ransoms reaching or exceeding $1 million.

The RaaS Kit Market

Purchasing RaaS kits is not difficult, it simply requires a TOR connection and membership to the right dark net forum or market. Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.

Below are two ads that Adlumin acquired from RaaS operators peddling their products in the dark web.

Other ransomware ads obtained included those that offered “set-up assistance” “for as low was $200,” and those with “no fees.” Adlumin also observed advertisements offering full builds from $300 to $1100 “ready for deployment.”

One of the ads described the malware being offered as using “many cutting-edge evasion techniques including proprietary methods.”

And in some ads, RaaS operators boasted having ransomware kits for targeting MacOS systems.

“We have developed a new MacOS ransomware as we noticed a lack of it,” the ad read.

At least one post, stated that the ransomware for sale was what “the cool kids are using,” alluding that someone doesn’t have to be “cool” – or perhaps, highly skilled – to purchase and use it.

Easy Enough for a Script Kiddie

Script kiddies are individuals who possess fundamental hacking skills and the knowledge to deploy and execute exploits written by experienced threat actors. They’re able to learn new skills easily and eventually, often become “real hackers” themselves.

Since 2015, researchers have written about the ability script kiddies have for deploying ransomware and often working side-by-side with well-known threat actor organizations.

In March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. The raid included the arrest of teenagers and young adults with ages ranging from 13 to 21, according to the BBC.  It’s not clear, however, if the youngsters were script kiddies simply due to their age.

With enough documentation and technical support – and with generative AI tools now being able to assist them as well – a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often include a higher degree of basic mistakes that make them easier for an organization with capable cybersecurity operation to stop.

For example, Adlumin has observed ransomware attacks foiled by its security operations platform or its MDR team during an attack’s early stages. In some cases, threat actors don’t even get the chance to encrypt files. There are also incidents where SOAR actions within the Adlumin platform disable accounts created by threat actors, effectively locking them out from the network. Sometimes attacks are carried out, but no data is exfiltrated.  

Money to be Made

Ransomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that don’t pay are publicly shamed by RaaS operators on the clear or dark web.

For script kiddies of any age, ransomware may seem like a great way to make a living and become rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”

When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.

Breadcrumbs

IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack can be very useful to analysts, researchers, and law enforcement. They serve as clues to help put together what transpired during the incident and how. They can also offer some insight about the level of sophistication of the attackers.

When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.

Anything an attacker does in a network can help authorities if they are contacted after an incident. This is why investigators request that victims share any IOCs that could help with their investigations. Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with threat actors, the decryptor file, and a sample of an encrypted file can be very useful.

If a newbie or script kiddie isn’t meticulous with their work, the FBI could soon be knocking on their door.Conclusion

Ransomware attacks continue to be among the most prevalent cyber threats and increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not less. And if more novice attackers are finding that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they’ll continue to frequent dark net forums to join the most inviting ransomware affiliate group.

At the same time, novice attackers are more likely to make mistakes since they are not as experienced, potentially leaving behind significant IOCs that the authorities can use to help track and apprehend them.

The Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals on their tracks.

Furthermore, Adlumin now offers Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.

Indicators of Compromise (IOCs)

 Usernames

  • admon
  • daksj
  • admin

Objects

  • exe
  • zip.json.PLAY
  • exe
  • exe
  • PLAY
  • exe
  • ini.PLAY
  • aut
  • omaticDestinations-
  • PLAY
  • exe
  • json.PLAY
  • cdp.PLAY
  • HeartBea
  • updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY
  • exe
  • cookie.PLAY
  • js.PLAY
  • exe

Paths

C:\\Users\\Public\\Music

\\Device\\HarddiskVolume3\\CollectGuestLogsTemp

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

C:\\windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Google\\Chrome\\

User Data\\Default\\Cache\\Cache_Data

Hash: null

C:\\Windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\Mup\\10.20.0.15\\C$\\$Recycl

e.Bin\\S-1-5-21-3568089881-786281157-

4253494709-1103

Hash: null

\\Device\\HarddiskVolume2\\Users\\AAD

_00864e0326c2\\AppData\\Roaming\\Mi

crosoft\\Windows\\Recent\\AutomaticDe

stinations

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\Mup\\10.20.0.15\\C$\\Users\\

administrator\\AppData\\Local\\ConnectedDevicesPlatform

Hash: null

\\Device\\Mup\\10.20.0.15\\C$\\Package

s\\Plugins\\Microsoft.EnterpriseCloud.Mo

nitoring.MicrosoftMonitoringAgent\\1.0.1

8067.0\\Status

Hash: null

\\Device\\HarddiskVolume2\\ProgramDat

a\\USOPrivate\\UpdateStore

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Microsoft\\Windo

ws\\INetCookies

Hash: null

\\Device\\HarddiskVolume4\\Program

Files\\Microsoft Monitoring

Agent\\Agent\\APMDOTNETCollector\\W

eb\\Scripts\\V7.0\\js

Hash: null

C:\\PerfLogs

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

Unraveling Cyber Defense Model Secrets: Machine Learned Detections

/in /by

By: Jeet Dutta, Director of Data Science 

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team and, explore the team’s latest detections, and learn how to navigate the cyberattack landscape. This blog examines how Adlumin Data Science implements automated surveillance against network intrusion and data exfiltration, empowering our incident response teams to track and eliminate threats in four different ways.

The key motivation for Artificial Intelligence in cybersecurity is to find “needle in haystack” anomalies from billions of data points that appear indistinguishable. These applications are usefully grouped under the term UEBA (User and Entity Behavior Analytics), involving mathematical baselining of users and devices on a network followed by machine-identification of suspicious deviations.

Let’s take a look at the innovations and threat alerts in the works. 

Lateral Movement

The Adlumin platform has long featured an AI detection for lateral movement based on deviance from the UEBA baseline of daily access for any account in the network. A separate AI algorithm, developed subsequently to boost fidelity in lateral movement alerts, identifies anomalous logons among Windows users by aggregating events that don’t belong in a machine-defined context for combinations of users, hosts, logon types, and access timestamps. Collectively, the two independently developed algorithms project a high-fidelity threat signal.

The latest round of updates soon to roll out to our lateral movement detection framework will include data filtering and real-time scoring. Applying domain knowledge to filter out logon events unlikely to originate from a threat actor will further boost fidelity. Scoring events as they are ingested into the platform made possible via innovations in our cloud architecture will go a long way to improve the timeliness of the alert. 

Malicious Scheduled Task 

After compromising a privileged account, authenticated threat actors can abuse the Windows Task Scheduler for running malware. Adlumin Data Science will soon deploy a defense against this vulnerability by stringing a sequence of neural networks for isolating process execution anomalies and applying subsequent checks for known indicators of compromise. These checks include verifying the binary hash being called by the scheduler has a history of malware delivery.

Malicious Script Block

Adlumin provides automated detection of malicious PowerShell executions via an AI algorithm that matches each executed command in a customer network against a huge dataset of benign commands, performing string-matching calculations at scale. Script Block executions are excluded, however, being too large for feasibly matching strings.  Adlumin Data Science is in the development of anomalous Script Block detection capability via rule-based filtering and ensemble machine learning methods. 

AI Code Analysis

The malicious PowerShell alert often requires intense and lengthy post-detection incident response from our security analysts, who go through the code in each flagged command. A breakthrough innovation we recently deployed leverages the power of ChatGPT to do the initial heavy lifting. Adlumin data scientists have prompt engineered a new feature that obtains an explanation from GPT4 (the most advanced GPT model) for the command initially flagged anomalous under our proprietary AI model. This results in the delivery to our customer portal of a step-by-step explanation of the command code and independent determination if it is malicious, benign, or questionable.

Experience The Innovations 

In an era where cybersecurity threats are continuously advancing, organizations need enhanced visibility to stay ahead of emerging threats. It is crucial for them to have modern solutions in place to detect and respond to security incidents efficiently, ultimately enhancing their security maturity.

At Adlumin, we understand the vital role of visibility in cybersecurity solutions and offer a tailored Security Operations Platform and MDR services to provide organizations with a 360 view of their IT landscape. But we don’t stop there. We believe in the power of experience, so we invite you to take a platform tour, giving you firsthand access to our solution’s benefits.

Discover how our platform empowers your team to effectively detect and respond to threats by scheduling a demo or signing up for a free trial today. Take the tour and elevate your organization’s visibility to new heights. 

Explore the Platform

How Cybersecurity Automation Speeds Up Detection and Response

/in /by

By: Brittany Holmes, Corporate Communications Manager 

Faced with constantly evolving cyber threats, IT teams today must embrace digital transformation. Post pandemic reality has accelerated some of these evolutions, like more cloud users, more cloud providers, and an obscene number of devices passing Internet of Things (IoT) data to the cloud. All are interdependent and interconnected, delivering the scale, speed, and connectivity expected in our daily digital personal and work lives. More importantly, expanding every organization’s attack surface for cybercriminals.  

While these advancements offer convenience and efficiency, they also expose organizations to a wider array of cyber risks. This has caused IT teams to look for AI-powered threat detection, investigation and response solutions to mitigate threats across their systems, networks and cloud data.  

By understanding the role of automation in protecting against cybercriminals, organizations can strengthen their defense and safeguard their organization. In this blog, we dive into the power of cybersecurity automation and how it ultimately speeds up detection and response. 

Cybersecurity Automation Solutions for Organizations 

User and Entity Behavior Analytics (UEBA) 

UEBA is a machine learning cybersecurity process and analytical tool usually included with security operation platforms. It is the process of gathering insight into users’ daily activities. Activity is flagged if any abnormal behavior is detected or if there are deviations from an employee’s normal activity patterns. For example, if a user usually downloads four megabytes of assets weekly, then suddenly downloads 15 gigabytes of data in one day, your team would immediately be alerted because this is abnormal behavior.  

The foundation of UEBA can be quite simple. A cybercriminal could easily steal the credentials of one of your employees and gain access, but it is much more difficult for them to convey that employee’s daily behavior in order to go unseen. Without UEBA an organization would not be able to tell if there was an attack since the cybercriminals has the employee’s credentials. Having a dedicated Managed Detection and Response team to alert you can give an organization visibility beyond its boundaries.  

Preventative measures are not sufficient. It is better to have the mindset that if a cybercriminal penetrates your system, how will you know or be alerted? Detection is equally as important if there is a foreign intruder.  

Security, Orchestration, Automation, and Response (SOAR) 

SOAR is a form of pure automation that immediately stops a threat even before a security analyst reviews an alert, greatly reducing an organization’s risk. These tools are used for the following operation tasks:  

  • To document and implement processes  
  • To support security incident management  
  • To apply machine-based assistance to human security analysts and operators  
  • To better operationalize the use of threat intelligence  

SOAR takes how IT teams respond to alerts to the next level. When teams are tasked with hundreds, sometimes thousands, of alerts daily, there is no room for human error when evaluating which one should be prioritized as high-risk. SOAR automates organizations’ managed detection and response teams’ response and alert processes and systematically orchestrates them. SOAR functions can initiate and disable accounts in machine time to contain the threat and reduce the amount of damage done. This can occur before an analyst even has eyes on it.  

Organizations Embracing Cybersecurity Automation 

Organizations need to build a cybersecurity infrastructure embracing the power of cybersecurity automation, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams, on top of being one of the most used buzzwords in recent years. People can no longer scale to protect the complex attack surfaces of organizations by themselves. So, when evaluating security operations platforms, organizations need to know how AI can help identify, prioritize risk, and help instantly spot intrusions before they start.  

Is your Security Defenses Ready? 

Cybercriminals don’t work a 9-5 schedule; they work around the clock all year round. Most attacks occur during off hours, either on the weekends or in the late night/early morning, to maximize the probability of a successful attack. One of the main benefits of ensuring AI is incorporated into your cybersecurity products and services is the 24×7 network monitoring, which can respond immediately when any threat is detected.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Level Up Your Cybersecurity Posture Actionable Steps

/in /by

By: Brittany Holmes, Corporate Communications Manager 

Navigating the cybersecurity landscape is not easy, especially when you are managing everything on your own or with a small team. Advancing your cybersecurity posture requires time to research and an understanding of your current state of security to help navigate a path forward. As the end of the year approaches, it’s important to carve out time and reflect on the current state of your organization’s security position.

No matter where you are on your cybersecurity journey, there are some important questions you should ask yourself to ensure that the necessary steps to strengthen your defenses are being taken.

In this blog, we aim to equip you and your team with the knowledge and awareness to help guide you regardless of where you are on your journey. Below are a few questions you may be asking yourself along the way.

Need help narrowing down an MDR provider?

MDR is a technology that aims to speed detection and response through automation and provide a solution to empower lean teams by acting as an extension to their current security operations. Finding an MDR provider that will meet your organizational challenges takes research and careful consideration.

Here are essential questions you need to ask when considering an MDR provider with answers that will help you make informed decisions when protecting your organization. Read the 8 Essential Questions to Ask: Choosing the right MDR Provider.

Looking to level up your SIEM solution?

The traditional role of SIEM solutions, centered around data ingestion and compliance, is no longer sufficient in the face of complex threats. Security teams must actively seek a modern SIEM solution to combat modern day threats.

Read the Modern SIEM Solutions: What to Look For to uncover five things that should be included in a modern-day SIEM solution to meet evolving cybersecurity challenges head-on.

What type of solution do you need? EDR, XDR or MDR?

Deciding between EDR vs. XDR. vs. MDR can significantly impact your efforts to optimize your resources and your organization’s exposure to threats. It is imperative to understand the differences between the three solutions and how to choose the right one for your organization’s needs.

The Cybersecurity ABCs Explained key takeaways:

  • An overview and comparison of three primary threat detection and response solutions:
    • Endpoint Detection and Response (EDR)
    • Managed Detection and Response (MDR)
    • Extended Detection and Response (XDR)
  • Insights to guide your investment choice with a limited budget while maximizing your cyber protection.
  • The right solution for your organization based on your criteria.
  • Additional considerations and service add-ons.

What should be included in your cybersecurity strategy?

Executives need to have a clear understanding of their cybersecurity solutions to effectively protect their organizations from cyber threats. As key decision-makers, executives are responsible for setting strategic direction and allocating resources towards a robust cybersecurity posture. Without a clear understanding of the solutions in place, you cannot accurately assess risks, make informed decisions, and ensure the security of valuable assets, sensitive data, and the overall reputation of their organization.

This overview guide outlines the current cybersecurity threat landscape and how a security operations platform can help organizations better secure their network while also providing security and IT teams with additional resources. It aims to provide executives with a clear understanding of the platform’s business benefits.

The Executive’s Guide to Cybersecurity will cover:

  • Why implementing proactive security measures is important
  • Three critical elements to incorporate into your cybersecurity strategy
  • The evolution of the threat landscape and the model by which you can protect your organization

Take a Tour: The Ultimate Resource

Adlumin recognizes the importance of visibility when it comes to cybersecurity solutions. Our Security Operations Platform and MDR services provide visibility to your IT landscape, allowing you to see exactly what threats and risks you are facing.

But we don’t just stop at visibility. We believe in the power of experience, which is why we offer the opportunity to try our solution before making a commitment. You can schedule a demo, or sign-up for a free trial to experience firsthand how our platform empowers your team to detect and respond to threats effectively.

Let’s begin with a platform tour in under 5 minutes.

Explore the Platform

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Modern SIEM Solutions in Action: What to Look For

/in /by

By: Brittany Holmes, Corporate Communications Manager 

Organizations face increasing cybersecurity challenges that demand a new approach to Security Information and Event Management (SIEM) solutions. The traditional role of SIEMs centered around data ingestion and compliance, is no longer sufficient in the face of complex security threats. As cybercriminals continually find ways to exploit blind spots, organizations need an evolving SIEM to meet these challenges head-on.  

The current state of SIEMs is marked by the need for enhanced visibility across the entire organization. Cybercriminals can easily hide, making the security team’s jobs more difficult. Recognizing this, modern SIEM solutions have emerged, leveraging advanced analytics and machine learning to ensure improved visibility, risk assessment, and accurate alerts. However, given the evolving nature of threats, assessing the effectiveness of these capabilities in practice is essential. 

The demand for SIEM solutions is skyrocketing, with the global market expected to reach $5.5 billion by 2025. Consequently, organizations seek the right SIEM solution to address their unique needs effectively. When evaluating SIEM options, it is crucial to consider how well they adapt to the evolving landscape and challenges. This requires ensuring that the chosen SIEM solution aligns with the organization’s network infrastructure and provides specific criteria. 

5 Things to Look for in a Modern SIEM 

User & Entity Behavior Analytics (UEBA): Your platform should consistently analyze your operational and security data to uncover threats. UEBA goes beyond traditional rule-based detection and can identify known and unknown threats, including insider threats, compromised accounts, and sophisticated attacks.  

It focuses on threats unique to a user’s activity, which is difficult to identify with rule-based detections. UEBA leverages artificial intelligence (AI) and machine learning (ML) algorithms to detect and identify abnormal behavior within an organization’s network and systems.  

UEBA creates a baseline of behavior for each user and entity and then identifies any deviations from that baseline, which may indicate potential security threats. This contextual analysis helps accurately determine the severity and risk associated with identified anomalies. 

Security Orchestration, Automation, and Response (SOAR): With ransomware on the rise along with other threats, it’s important to halt security incidents when they occur. SOAR provides automated playbooks to take action to contain threats as they occur. These capabilities should go beyond isolating a host and include password resets, disabling accounts, and more.  

SOAR also accelerates response and reduces risks for organizations. It provides the space for IT teams to investigate what occurred and the extent, so they can take appropriate actions to strengthen their security defenses.   

No Data Limits: A SIEM’s effectiveness in detecting threats early depends on its access to a wide array of data sources, including network traffic, endpoints, and cloud data. Data limits can hinder the collection of this comprehensive data, potentially leaving security blind spots and not providing full visibility into an organization’s environment.  

By removing data limits, organizations enhance their ability to detect more threats and have the data required to investigate what occurred. 

Easy Deployment: It’s essential to look for cloud-native solutions that provide easy deployment to minimize disruption to ongoing business operations. Organizations can maintain their IT infrastructure without experiencing extended periods of downtime or significant productivity losses. Additionally, since the solutions are easy to deploy, they should offer a chance to try before you buy.  

One-Touch Compliance Reporting: Compliance reporting is time-consuming, often requiring security teams to sift through vast amounts of data to generate accurate reports. One-touch compliance reporting is a critical feature in SIEM solutions because it saves time and resources and enhances accuracy, real-time monitoring, and overall security posture. By automating the compliance reporting process, organizations can better manage their compliance requirements and reduce the risks associated with non-compliance.  

What the Future Holds for SIEMs 

The future of SIEMs promises enhanced capabilities through the integration of machine learning and artificial intelligence, allowing for more accurate threat detection and automated responses. SIEMs will continue to evolve, offering cloud-native solutions, greater scalability, and simplified deployments to adapt to the changing IT landscape. Additionally, they will play a key role in addressing the growing complexities of compliance, privacy regulations, and data protection as organizations seek comprehensive solutions to secure their digital assets while staying agile in the face of evolving cyber threats. 

Take Control of Your IT Environment 

In an era where cybersecurity threats are continually evolving, SIEM solutions play a pivotal role in safeguarding organizations against these risks. With the right SIEM in place, organizations can stay ahead of emerging threats, detect and respond to security incidents more efficiently, and enhance their security posture for the challenges that lie ahead. The SIEM search may not be easy, but with the right approach, it becomes a critical step toward ensuring a resilient and secure digital environment. 

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Experience a tour of Adlumin’s platform, schedule a demo, or sign-up for a free trial. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Adlumin Secures $70M in Series B for Mid-Market Security Mission

/in /by

SYN Ventures Leads Investment in the Security Operations Platform and Managed Detection and Response Provider Making Sophisticated Security Attainable  

Adlumin, a security operations platform and managed detection and response (MDR) provider, has announced the closure of a $70 million Series B funding round led by SYN Ventures with participation from First In Ventures, Washington Harbor Partners and BankTech Ventures. The funding will accelerate Adlumin’s growth and meet the demand for enterprise-grade security solutions for small and mid-market organizations. 

Adlumin’s proven ability to meet this demand through its modern platform, expert services, and channel-first approach has propelled the company to rank among the top 10% of America’s fastest-growing private companies and earn a spot on The Information’s 50 Most Promising Startups list for 2023.  

With the new funding, Adlumin plans to expand its channel partnerships and continue innovating to better address the evolving needs of its partners and end-users. The company aims to empower service providers who can deliver expert support that may be difficult for organizations to hire and retain. Adlumin also offers its own MDR services and collaborates with managed service providers and managed security service providers to ensure customers have access to 24/7 human insights, threat hunting, and trusted support. The company has recently introduced subscription-based incident response services and additional financial protections, such as a no-cost warranty and discounted cyber insurance policies, to cater to the specific needs of middle-market organizations.  

Read the full press release here. 

Adlumin Cybersecurity

1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907

Get a Demo Free Trial Contact Adlumin
Adlumin Inc 5000

Privacy Policy  Sitemap  GDPR Privacy Notice

GDPR Data Processing Addendum  GDPR Privacy Request Form

Copyright 2024 Adlumin, Inc. All Rights Reserved