Post-intrusion ransomware threat to increase
Post-intrusion ransomware continues to be a major threat and spiked in September and October 2019, continuing a trend observed throughout the year, according to Secureworks’ Counter Threat Unit (CTU) research team. The company’s incident response engagements involving post-intrusion ransomware more than doubled between 2018 and 2019, according to its recent Threat Intelligence Executive Report 2019. The number of groups operating these schemes has also increased, and many have mature playbooks that have proven successful.
CTU researchers expect the post-intrusion ransomware threat to increase due to its profitability. Organizations can greatly reduce the risk by preventing the initial intrusion. If organizations identify an intrusion, it is important to thoroughly remove all malware and possible access vectors during remediation.
Threat groups primarily use two techniques to establish a foothold. The first method is to leverage existing commodity malware infections. The initial malware is usually delivered by large-scale spam campaigns. The infection can exist for an extended time before the ransomware is deployed.
The second method for initial infection involves scanning for and compromising vulnerable Internet-facing servers. Threat groups typically use the Remote Desktop Protocol (RDP) to access the Internet-facing portion of the victim’s network. They then compromise a system by exploiting a known vulnerability. The compromised system can be used as a foothold to access the rest of the network.
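The RDP-based foothold described above leaves a recognisable trail in Windows Security logs: repeated failed logons (Event ID 4625) followed by a successful interactive remote logon (Event ID 4624 with logon type 10) from an address outside the organisation’s ranges. The following detection logic is an added example, not code from Secureworks or the report; it assumes a simplified one-line-per-event log format constructed for this illustration, and the sample records (including the 203.0.113.0/24 documentation range used as the "external" address) are constructed, not real data.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified Windows Security log records (not real data).
# Event IDs 4624/4625 and LogonType 10 (RemoteInteractive, i.e. RDP) are the
# real Windows values; the single-line layout is an assumption for this example.
SAMPLE_LOG = """\
2019-10-03T02:13:41Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2019-10-03T02:13:48Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2019-10-03T02:13:55Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2019-10-03T02:14:02Z EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45
2019-10-03T02:14:07Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45
2019-10-03T08:30:12Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.30.40
2019-10-03T08:31:00Z EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Address ranges treated as internal: RFC 1918, loopback and link-local.
# Anything else is considered Internet-facing traffic for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_events(text):
    """Parse the simplified log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def is_external(ip):
    """True if the address lies outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "-" when Windows records no source address
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rdp_findings(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (finding_type, source_ip, detail) tuples for RDP logon activity.

    - rdp_failed_logon_burst: fail_threshold failures from one IP within window
    - external_rdp_logon: successful RDP logon from a non-internal address
    - rdp_success_after_failures: success from an IP with recent failures
    """
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev["ts"])
            # keep only failures inside the sliding window
            failures[ev["ip"]] = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
            if len(failures[ev["ip"]]) == fail_threshold:
                findings.append(("rdp_failed_logon_burst", ev["ip"], ev["ts"].isoformat()))
        elif ev["eid"] == 4624:
            if is_external(ev["ip"]):
                findings.append(("external_rdp_logon", ev["ip"], ev["user"]))
            if failures[ev["ip"]]:
                findings.append(("rdp_success_after_failures", ev["ip"], ev["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_findings(parse_events(SAMPLE_LOG)):
        print(finding)
```

The internal RDP logon from 10.20.30.40 and the local console logon are deliberately left unflagged, so the rule stays quiet on routine administration and surfaces only the pattern the report describes: an Internet-exposed RDP service being brute-forced and then used as a foothold.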
As the number of sophisticated attacks increases and threat actors demonstrate greater adaptability, it is important to remember that most cybersecurity incidents leverage well-known malware and tools. CTU researchers recommend that organizations continuously review their defensive posture against these known threats and implement basic security controls on all systems. For example, using multi-factor authentication on Internet-facing systems could mitigate many attacks. Organizations should also maintain awareness of geopolitical events that could increase risk from advanced threat groups.