Trending Ransomware Attacks and How to Stop Infection Before Payment
By: Brittany Demendi, Corporate Communications Manager
With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.
In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.
Trending Ransomware Attacks
The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.
LockBit:
LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.
It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows Powershell to target an organization’s user rather than spread like spam malware.
LockBit attacks in three stages:
- Exploit
- Infiltrate
- Attack
BlackCat:
BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.
After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.
One of the main differences between BlackCat and other types of ransomware is that it is written in Rust programming language. There has been an increase in this type of language because it is stable, fast, and secure to evade existing capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.
Medusa:
Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.
Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software, and will prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.
How Ransomware Affects a System of Device
Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:
- Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, Word document…etc. An attacker can access their system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
- Account Compromise: Cybercriminals buy authorized users’ credentials off the dark web or steal or obtain them via brute force. They then use the credentials to log into a computer or network to deploy ransomware directly. A widespread credential theft technique that cybercriminals use is the remote desktop protocol to access a victim’s computer remotely.
- Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations to not have everything patched, making known vulnerabilities the easiest point of entry or technique to plan their attack.
Detection Before Ransomware Execution
One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.
Typically, when a ransomware attack occurs, removing ransomware alone does not give you access to your files again. It will still require a solution and tool to prevent you from having to pay the ransom, with an encryption key to unlock it. Specifically, a multilayer ransomware defense solution will stop the ransomware before this stage is even needed. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.
Adlumin’s threat experts work as an extension to your security team and can detect ransomware before havoc is reached and reduce an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.
