A couple of years ago, during a webinar on the importance of backups as a ransomware defense, I shared a sudden thought: it wouldn't be long before ransomware attackers resorted to blackmail or extortion against victims that refused to pay for the decryption key.
And sure enough, we are seeing exactly that as an increasing trend. Even companies with great backups and a fast recovery process are vulnerable to an emerging strategy among ransomware attackers: exfiltrate the victim's most sensitive data before demanding the ransom. If the victim refuses to pay and starts restoring their systems, the attacker reveals what was exfiltrated and threatens to post it online unless the ransom is paid.
That threat is a completely different ball of wax, because it shifts the attack from an integrity and availability threat to a confidentiality threat. And of course there is the possible nightmare of privacy and other compliance obligations, depending on the nature of the data that has been exfiltrated.
Encryption/exfiltration combo attacks greatly broaden the attackers' chances of hitting pay dirt: they give the attacker leverage over companies with good recovery capabilities, and they turn stolen data that may have little resale or reuse value to the attacker into a valuable bargaining chip purely because of its confidentiality value to the victim.
This is just one of the interesting developments in ransomware that I’m finding as I analyze recent malware attacks. I find these aspects of ransomware particularly interesting:
- The value of monitoring terminated processes
- Network traffic patterns of ransomware
- I/O patterns of ransomware
- Living off the land techniques
In this real training for free session I will discuss all of this and share a lot more, including detection methods and MITRE ATT&CK techniques commonly used in ransomware attacks, such as:
- Phishing (T1566)
- System Services (T1569)
- Command and Scripting Interpreter (T1059)
- And many others
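As an added illustration of the detection angle in the lists above (monitoring terminated processes, living-off-the-land tooling, System Services T1569 and Command and Scripting Interpreter T1059), here is a small Python detector written for this page; it is not code from the webinar, from the author, or from LogRhythm's product. It scores a constructed stream of Windows Security-log-style process-creation (4688) and process-termination (4689) records. The record layout, the watched process names, the regular expressions and the thresholds are illustrative assumptions, not a vetted rule set.

```python
"""Flag ransomware precursors in a stream of Windows process events.

Added example, not code from the page, the webinar or LogRhythm. It runs
over constructed Security-log-style records (4688 = process creation,
4689 = process termination); the field layout, the watched process names
and the thresholds are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: one benign edit session, then a ransomware-style
# sequence in which built-in tools (living off the land) stop backup,
# database and AV processes before encryption begins.
SAMPLE_EVENTS = [
    # (timestamp, event id, image path, command line)
    ("2020-08-01T09:00:00", 4688, r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ("2020-08-01T09:00:05", 4689, r"C:\Windows\System32\notepad.exe", ""),
    ("2020-08-01T13:00:00", 4688, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2020-08-01T13:00:02", 4688, r"C:\Windows\System32\net.exe", "net stop MSSQLSERVER /y"),
    ("2020-08-01T13:00:03", 4688, r"C:\Windows\System32\net.exe", "net stop VSS /y"),
    ("2020-08-01T13:00:04", 4688, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ("2020-08-01T13:00:04", 4689, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", ""),
    ("2020-08-01T13:00:05", 4689, r"C:\Windows\System32\VSSVC.exe", ""),
    ("2020-08-01T13:00:05", 4689, r"C:\Program Files\Windows Defender\MsMpEng.exe", ""),
    ("2020-08-01T13:00:06", 4689, r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe", ""),
]

# T1569 System Services / living off the land: service control via built-ins.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b.*\s/IM\s", re.I)
# T1059 Command and Scripting Interpreter: an interpreter launched with an
# encoded or hidden-window command line, the usual shape of a malicious stager.
SCRIPT_INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SUSPICIOUS_FLAGS = re.compile(r"\s-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b", re.I)
# Processes whose termination matters: database, shadow copy, AV and backup
# agents (assumed list; extend it for your own environment).
PROTECTED_PREFIXES = ("sqlservr", "vssvc", "msmpeng", "veeam", "oracle", "mysqld", "postgres")
TERMINATION_WINDOW = timedelta(seconds=10)
TERMINATION_THRESHOLD = 3


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> List[Tuple[str, str, str]]:
    """Return (technique, timestamp, message) findings in time order."""
    findings = []
    kills = []  # (datetime, basename) of protected processes that exited
    for ts, event_id, image, cmdline in sorted(events):
        name = _basename(image)
        if event_id == 4688:
            if SERVICE_STOP.search(cmdline):
                findings.append(("T1569", ts, f"service/process stop via built-in tool: {cmdline}"))
            elif name in SCRIPT_INTERPRETERS and SUSPICIOUS_FLAGS.search(cmdline):
                findings.append(("T1059", ts, f"script interpreter with encoded/hidden command: {cmdline}"))
        elif event_id == 4689 and name.startswith(PROTECTED_PREFIXES):
            kills.append((datetime.fromisoformat(ts), name))
    # Burst of protected-process terminations: the "kill backups and AV"
    # phase compresses into a few seconds, unlike patching or admin work.
    for i in range(len(kills) - TERMINATION_THRESHOLD + 1):
        start = kills[i][0]
        burst = [n for t, n in kills[i:] if t - start <= TERMINATION_WINDOW]
        if len(burst) >= TERMINATION_THRESHOLD:
            findings.append(("terminated-process burst", start.isoformat(),
                             f"{len(burst)} protected processes exited within "
                             f"{TERMINATION_WINDOW.seconds}s: {', '.join(burst)}"))
            break
    findings.sort(key=lambda f: f[1])  # stable sort keeps same-second order
    return findings


if __name__ == "__main__":
    for technique, ts, msg in detect(SAMPLE_EVENTS):
        print(f"{ts} [{technique}] {msg}")
```

Run as a script it prints one line per finding: the encoded PowerShell launch, the three service/process stops, and a single burst finding covering the four protected processes that exited within two seconds. The point of the burst rule is the one the list above makes about terminated processes: any single exit event is noise, but several backup, database or AV processes dying in the same few seconds, right after built-in tools were used to stop them, is a pattern that normal administration rarely produces. Real rules should be tuned against your own 4688/4689 baseline and, in production, the same logic belongs in the SIEM rather than in a standalone script.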
We will also take a look at targeted ransomware and the key tactics used by attackers of that ilk. I'll share what we know about some high-profile attacks, such as the ones against Honda, Xerox, and Garmin, to name just a few recent ones.
LogRhythm is sponsoring this real training for free session, and Brian Coulson from the Threat Research team will briefly demonstrate how LogRhythm's NextGen SIEM Platform helps detect the latest techniques of ransomware attackers.
Please join us for this real training for free event.