🔐 Ransomware

Created: 07.02.2021

In 2021 many ransomware operators leverage an Exchange vulnerability. Dwell time is 5 days. Extortion tactics include name-and-shame websites, calling and harassing employees, DoS, etc. Malware actors specialize: for example, one group gains access and sells it to other groups (like Emotet); the next group might then deploy ransomware developed by yet another group. Threat intelligence expires more quickly, therefore operational, raw TI is more important.

How To Find

There are two approaches:

  • Shotgun, indiscriminate approach
  • Post-compromise (penetrate the network, harvest credentials, delete backups and deploy ransomware as a second stage).

Most of the threat intelligence is focused on past attacks and known adversaries. Therefore we stay blind to anything unknown and new.

How To Defend

  • Make backups and develop a policy and procedures for recovery.
  • Check email attachments.
  • Adversarial simulations, wargames, briefings and strategic reviews (playbooks, Crown Jewel and function assessment, exercises, governance workshops).
  • Missing playbooks: government reach out, forensic deployment, IR retainers, board involvement.

Examples

WannaCry

  • wmc extension
  • If it can connect to a seemingly random URL, it does not trigger the payload: an attempt to detect analysis tools such as iNetSim.
  • It is also a worm that can self-replicate and move laterally across the network by abusing a Windows SMB protocol vulnerability (EternalBlue).
  • Asymmetric algo - RSA-2048
  • Decryptor 🗝 -
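
The worm behaviour above (one host reaching many SMB peers in a short time) is the part a defender can see in network telemetry. The following Go program is an added example, not code from the notes or from the referenced talk: it parses a constructed flow log (timestamp, source, destination, destination port; the addresses and times are made up) and flags any source that contacts at least N distinct hosts on port 445 inside a sliding time window. A workstation talking repeatedly to one file server never trips it; a host sweeping a subnet does.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed flow log: "timestamp src dst dstport". These lines are made up
// for the example and do not come from any real capture.
const sampleFlows = `2021-02-07T10:00:01Z 10.0.1.15 10.0.2.7 445
2021-02-07T10:00:02Z 10.0.1.15 10.0.2.8 445
2021-02-07T10:00:02Z 10.0.1.15 10.0.2.9 445
2021-02-07T10:00:03Z 10.0.1.15 10.0.2.10 445
2021-02-07T10:00:04Z 10.0.1.15 10.0.2.11 445
2021-02-07T10:00:05Z 10.0.1.15 10.0.2.12 445
2021-02-07T10:00:01Z 10.0.1.20 10.0.2.100 445
2021-02-07T10:00:09Z 10.0.1.20 10.0.2.100 445
2021-02-07T10:05:00Z 10.0.1.20 10.0.2.100 445
2021-02-07T10:00:10Z 10.0.1.30 10.0.2.100 445
2021-02-07T10:20:00Z 10.0.1.30 10.0.2.101 445
2021-02-07T10:40:00Z 10.0.1.30 10.0.2.102 445
2021-02-07T10:00:01Z 10.0.1.40 10.0.3.1 443
2021-02-07T10:00:01Z 10.0.1.40 10.0.3.2 443
2021-02-07T10:00:01Z 10.0.1.40 10.0.3.3 443
2021-02-07T10:00:01Z 10.0.1.40 10.0.3.4 443
2021-02-07T10:00:01Z 10.0.1.40 10.0.3.5 443`

// Flow is one parsed connection record.
type Flow struct {
	TS   time.Time
	Src  string
	Dst  string
	Port int
}

// ParseFlows parses the whitespace-separated format above, skipping blank lines.
func ParseFlows(raw string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		port, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		flows = append(flows, Flow{TS: ts, Src: f[1], Dst: f[2], Port: port})
	}
	return flows, nil
}

// FanOutAlerts returns the sources that reached at least threshold distinct
// destinations on port 445 inside some window of the given length. Only SMB
// flows are considered; everything else (e.g. port 443) is ignored.
func FanOutAlerts(flows []Flow, window time.Duration, threshold int) []string {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if f.Port == 445 {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var alerts []string
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].TS.Before(fs[j].TS) })
		for i := range fs {
			// Count distinct destinations in [fs[i].TS, fs[i].TS+window].
			seen := map[string]bool{}
			for j := i; j < len(fs) && fs[j].TS.Sub(fs[i].TS) <= window; j++ {
				seen[fs[j].Dst] = true
			}
			if len(seen) >= threshold {
				alerts = append(alerts, src)
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, src := range FanOutAlerts(flows, 60*time.Second, 5) {
		fmt.Printf("ALERT: %s contacted 5+ SMB hosts within 60s (possible worm spread)\n", src)
	}
}
```

With a 60-second window and a threshold of 5 only 10.0.1.15 is reported; widening the window to an hour and lowering the threshold to 3 also catches the slower 10.0.1.30, so the two parameters set the trade-off between noise from legitimate administration and missing a slow sweep.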

Jigsaw

  • fun extension
  • Key and IV are in the binary.
  • Symmetric algo - AES-256 in CBC mode (requires a key and an IV for both encryption and decryption).
  • The key is trivial to find even with strings.exe; the IV is a little more complicated (requires advanced dynamic analysis), but seems to be the same for all samples in the wild.
  • Decryptor 🗝 - https://bakerst221b.com/docs/blog/2022/02/jigsaw/.
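
Because Jigsaw ships a fixed key and IV inside the binary, recovery is plain AES-256-CBC decryption once both values are known. The Go program below is an added example, not the decryptor linked above and not Jigsaw's own code: the key and IV are constructed placeholders (Jigsaw's real values are not reproduced), the "victim file" is generated in-process so the program runs offline, and the decryption routine validates lengths and PKCS#7 padding. It also shows why the IV matters: with the right key but a wrong IV, CBC corrupts only the first 16 bytes and the rest decrypts correctly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed stand-ins for the key and IV recovered from a sample.
// These are placeholders, not Jigsaw's real values.
var (
	recoveredKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	recoveredIV  = []byte("fedcba9876543210")                 // 16 bytes = AES block size
)

// pkcs7Unpad strips PKCS#7 padding and rejects anything malformed.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// DecryptFile recovers the plaintext of one encrypted file given key and IV.
func DecryptFile(ciphertext, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one block long")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// encryptSample builds a constructed "victim file" so the example is
// self-contained; it is ordinary AES-CBC with PKCS#7 padding.
func encryptSample(plaintext, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

func main() {
	original := []byte("quarterly report - constructed sample content")
	encrypted := encryptSample(original, recoveredKey, recoveredIV)

	plain, err := DecryptFile(encrypted, recoveredKey, recoveredIV)
	if err != nil {
		fmt.Println("decryption failed:", err)
		return
	}
	fmt.Printf("recovered: %q\n", plain)

	// Right key, wrong IV: only the first block is garbage, later blocks are fine,
	// because CBC chains each block to the previous ciphertext block, not the IV.
	wrong, err := DecryptFile(encrypted, recoveredKey, []byte("0000000000000000"))
	if err == nil {
		fmt.Printf("wrong IV, first block: %q\n", wrong[:aes.BlockSize])
		fmt.Printf("wrong IV, remainder:   %q\n", wrong[aes.BlockSize:])
	}
}
```

The padding check is what turns a wrong key into an error rather than silently garbled output, which matters when validating a candidate key pulled from strings output against a real encrypted file.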

LockerGoga

References

[1] Ransomware: Current Trends and Updates, Cindy Murphy, Magnet Summit 2021