How Ransomware Gangs Use Automation, and How You Can Beat It

Posted: 9th February 2022

Few topics spark conversation like security automation. Automation is the entire premise of programming: routine and repetitive tasks are handed to computers while humans work only on higher priorities. For security practitioners this is essential, because even a small network can have thousands of endpoints that need protecting while the security staff is minuscule. Yet the challenge facing organizations in 2022 is how to automate not just the collation and data collection tasks where machines excel, but the repetitive human decisions made daily to defend an enterprise. Join us for a three-part blog series on automation and for a webinar on February 22nd titled, "Fight Ransomware Robots With Automation Intelligence".

Ransomware gangs and security practitioners battle each other much as a baseball pitcher and hitter duke it out. In this game, dark web criminal actors focus on causing incidents, while security automation focuses on incident response. To increase the velocity and volume of their attacks, ransomware gangs are leveraging automation throughout their attack cycle. To keep up, security practitioners have turned to intelligence-led automation, which enables businesses to defend at scale with the speed necessary to make contact on every pitch. Much like baseball, in the cyber world there can be no ties. Intelligence provides the upper hand.

To help security practitioners gain an advantage, Recorded Future’s Insikt Group reported on automation in the criminal underground. In their report, Insikt Group identified 10 key ways ransomware criminals use automation to enable their attacks.

  1. Breaches and sale of databases
Hacked and compiled databases are sold on underground forums. These databases, often consisting of user credentials, give threat actors access to the accounts and credentials of clients and employees. Once threat actors have access to these user-level accounts, they can leverage techniques such as local privilege escalation vulnerabilities to gain further access to internal systems or to commit fraud.
  2. Checkers and brute-forcers
Stolen credentials from automated marketplaces need validation to ensure they will function as the criminals expect. Tools such as checkers help threat actors quickly and efficiently validate or access passwords for thousands of accounts. Brute-forcers are tools that automatically cycle through thousands of passwords a second in order to defeat systems that allow unlimited login attempts.
  3. Loaders and crypters
Loaders and crypters are tools that allow threat actors to obfuscate and deliver malicious payloads, bypassing antivirus solutions.
  4. Stealers and keyloggers
Stealers and keyloggers enable threat actors to gather sensitive information from victim systems, including credentials, personally identifiable information (PII), payment card information, and other data.
  5. Banking injects
Threat actors use banking injects as fake overlays on the legitimate sites of financial institutions and similar organizations, where they collect sensitive information from victims trying to visit the legitimate site.
  6. Exploit kits
Exploit kits allow threat actors to use multiple exploits simultaneously to target various vulnerabilities across different targets.
  7. Spam and phishing services
Spam and phishing services give threat actors access to hundreds of thousands of potential victims for their lures.
  8. Bulletproof hosting services (BPHS)
Bulletproof hosting services (BPHS) provide secure hosting for malicious content and activity, and assure anonymity to threat actors.
  9. Sniffers
Sniffers infiltrate legitimate online shopping sites and collect sensitive information, such as payment cards and the PII of customers, from trusted online stores.
  10. Automated marketplaces
Automated marketplaces and logs vendors allow threat actors to sell stolen credentials and digital fingerprints to other threat actors, who use them for fraud or to facilitate further breaches, frequently circumventing anti-fraud measures.
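The checkers and brute-forcers item above has a defender-side counterpart: the very pattern that makes those tools fast, many failed logins from one source in a short window, is what a login-monitoring rule can key on. The following Python is an added example, not code from the post or from Recorded Future; it runs such a rule over constructed sshd-style log lines and separates a brute-forcer (many passwords against one account) from a checker validating stolen credentials (one attempt per account). The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Classic sshd "Failed password" line; the format is assumed, adjust it for your logs.
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def parse_failure(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]  # year-less syslog stamp

def classify_sources(lines, window_s=60, min_attempts=10, stuffing_ratio=0.8):
    """Flag any source whose failures in a window_s-second sliding window reach min_attempts.
    Mostly distinct accounts -> a checker validating stolen logins; few accounts -> a brute-forcer."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, user, ip = parsed
            events[ip].append((ts, user))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward past stale events
            window = evs[start:end + 1]
            if len(window) < min_attempts:
                continue
            distinct = len({u for _, u in window})
            verdicts[ip] = "credential-stuffing" if distinct / len(window) >= stuffing_ratio else "brute-force"
            break
    return verdicts

def _burst(ip, users, n):
    """Constructed sample: n failed logins from ip, one per second, cycling through users."""
    return [f"Feb 09 10:00:{i:02d} host sshd[{1000 + i}]: Failed password for "
            f"{users[i % len(users)]} from {ip} port {40000 + i} ssh2" for i in range(n)]

SAMPLE_LOG = (  # constructed sample log, documentation-range addresses only
    _burst("203.0.113.5", ["admin"], 12)                           # one account, many passwords
    + _burst("198.51.100.7", [f"user{i}" for i in range(12)], 12)  # one try per stolen account
    + _burst("192.0.2.9", ["alice"], 2)                            # a user who mistyped twice
    + ["Feb 09 10:00:30 host sshd[1200]: Accepted password for alice from 192.0.2.9 port 40100 ssh2"]
)
```

The per-source verdict is what a lockout or rate-limit rule would act on; the benign two-failure source is left alone.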

Bad actors are well acquainted with subverting defensive automated technology. For example, they might craft malicious code to appear normal to automated scans, such as antivirus applications. Security teams with careful monitoring and logging in place can create rules that detect these seemingly normal patterns and behaviors for the malicious files they are. However, threat actors can quickly take action, such as rotating their infrastructure, to get around being blocked. This means rules must be manually generated for each new iteration of malware, leading to a security treadmill where efficiencies are lost to an endless cycle of detecting and patching against new malware.

Step off the treadmill with intelligence. Intelligence gives your team a cheat code, enabling them to pull in rules that have already been tested to identify ransomware attacks and keep them from doing damage.

Join us for a webinar on February 22nd titled, "Fight Ransomware Robots With Automation Intelligence" to learn more about how automation can assist your organization.