Evolving Ransomware Tactics Include Recruiting Insiders and DDoS Attacks

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit... 

The attention generated by the DarkSide ransomware attack against Colonial Pipeline in May has helped to reshape the ransomware threat landscape. One of the most important modifications came when the digital crime forum XSS announced that members could no longer post about ransomware topics. The Exploit forum followed suit not long after, as reported by Bleeping Computer.

In response to these policy changes, ransomware actors shifted their attention from recruiting affiliates to connecting with initial access brokers who sell access to compromised networks on the black-market. Researchers observed that several users on those forums began asking for assistance with VPN, Citrix, Remote Desktop Protocol (RDP), and other forms of access into corporate networks. The idea is that ransomware gangs can purchase that access and use it to attack a vulnerable organization on their own.

A Shift to Insider Threats

Obviously, working with these initial access brokers costs money and makes ransomware groups dependent on third parties for carrying out their operations. That explains why some gangs are now seeking to bypass initial access brokers altogether.

Take LockBit2.0, as an example. In early August, Bleeping Computer reported that an updated sample of the ransomware strain replaced the Windows wallpaper on an infected machine with an announcement designed to recruit insiders. The malicious wallpaper stated that corporate insiders could receive “millions of dollars” for providing attackers with access to their organizations’ RDP, VPN, and corporate email credentials.

The announcement went on to state that the ransomware actors would send the insider a “virus” to be executed on their local machine, thus enabling the attackers to gain access to the larger corporate network. Those behind LockBit2.0 aren’t the only ones who are trying to corrupt corporate insiders, either.

A couple of weeks following Bleeping Computer’s report, Threatpost reported that a security firm had blocked several emails sent to its customers by a Nigerian threat actor. Those emails offered recipients a 40% cut of an expected $2.5 million ransom payment if they helped to install DemonWare ransomware on a computer or Windows server at their company.

Getting Victims to Negotiate

As discussed above, many ransomware attackers now target insiders to give them the network access they need to exfiltrate their victims’ data prior to the ransomware encryption with the threat of making it public if the victim does not pay a ransom demand as part of a double extortion strategy. But some groups are willing to go even further than that—especially when a victim refuses to respond following an infection.

Back in March 2021, for example, Bleeping Computer reported of an instance in which the Clop ransomware gang emailed its victim’s own customers after having not received a ransom payment. The emails informed the customers of the attackers’ plans to also publish their data if the primary target didn’t comply with their demands. They subsequently urged the recipients to “call or write to this store and ask to protect your privacy” and pressure the primary target to pay the ransom demand.

Other groups take an even more aggressive approach. Per Security Magazine, the Avaddon ransomware gang and others made news in late 2020 by launching distributed denial-of-service (DDoS) attacks against non-compliant victims. The idea is to render the target’s website, network, or other critical business services unavailable until those affected entities bend under the pressure and agree to negotiate.

Defending Against Ransomware

The developments discussed above highlight the need for organizations to defend against ransomware and their ever-evolving tactics. Ransomware gangs didn’t always try to enlist the help of corporate insiders, contact their victims’ customers, and launch DDoS attacks. These are all new techniques that first appeared in one campaign (if not several) before security vendors spotted them in action. That means those practices likely caught some organizations unaware, thus leaving them in a weaker position to protect themselves.

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed