Cyber criminals appear to be shifting direction, moving from a money-making focus to one of “destruction of service”. The goal of this type of ransomware is not only to infiltrate a company’s network but to bring the entire network down. The sophistication of these breaches has entered a new realm, with several variations in attack format.
According to TechData:
“The latest wave of ransomware attacks, including WannaCry, Petya and NotPetya, show not only an increase in sophistication of these types of attack, but also a change in motivation. Although NotPetya is ostensibly a ransomware variant, the threat actors appeared to have no interest in making money, and were more concerned about damaging companies by disrupting operations.”
“However, NotPetya also appears to have spread by compromising M.E.Doc, a Ukrainian financial services software maker, and then altering an automatic update to include NotPetya, delivering it to every client. The vast majority of antivirus and antimalware software was unable to detect the malicious content. It then restarted the victims’ machines, encrypting the data, and then overwriting the master boot record with its own custom loader. Once this process was completed, the data on the machines was unrecoverable unless it could be restored from backup.”
Harvesting a network administrator’s credentials is one of the built-in abilities of some of these viruses. Because many users share machines, local administrator credentials are commonly present across a company’s network. Each time an administrator logs in to a computer, traces of those credentials are left behind in memory, and this is where the ransomware locates and harvests them. NotPetya uses the EternalBlue and EternalRomance NSA tools against unpatched computers and reads credentials from memory using the Mimikatz tool.
This form of attack leaves a large percentage of companies vulnerable. Most networks are not prepared to handle a complete takeover because they are not diligent about consistent backups. A single complete backup is no longer sufficient; what is needed is multiple staggered backups across separate cloud systems, so that at least one copy is unlikely to be infected. The cost of cloud backups has come down to such a degree that many companies are investing in in-house cloud storage. For the strongest protection, these storage areas must be segregated from the network so that only the IT department can connect to them.
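As an added example (not code from the original post or from Da Vinci Forensics), the following Python script checks a backup inventory against the policy described above: several copies on separate storage systems, one of them segregated, staggered in time, and none altered after being written. The record format, the thresholds and the inventory data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str          # logical backup set, e.g. "fileserver"
    taken: datetime    # when the snapshot was taken
    location: str      # storage system holding this copy
    segregated: bool   # reachable only from the IT-restricted segment
    sha256: str        # digest recorded when the copy was written

def verify_policy(copies, now, min_locations=2, max_age=timedelta(days=7),
                  suspect_window=timedelta(days=3)):
    """Return policy findings (empty list = inventory passes): copies on
    separate systems, one segregated, staggered in time so a copy predating
    a suspected compromise window survives, none altered after writing."""
    if not copies:
        return ["no backup copies recorded"]
    findings = []
    locations = {c.location for c in copies}
    if len(locations) < min_locations:
        findings.append(f"only {len(locations)} storage location(s), need {min_locations}")
    if not any(c.segregated for c in copies):
        findings.append("no copy on segregated storage")
    if not any(now - c.taken >= suspect_window for c in copies):
        findings.append(f"no copy older than {suspect_window.days} days")
    newest = max(c.taken for c in copies)
    if now - newest > max_age:
        findings.append(f"newest copy is {(now - newest).days} days old")
    # Copies of one snapshot must still match the digest recorded at write
    # time; a copy that now differs was changed afterwards (e.g. encrypted).
    seen = {}
    for c in copies:
        seen.setdefault((c.name, c.taken), set()).add(c.sha256)
    for (name, taken), digests in seen.items():
        if len(digests) > 1:
            findings.append(f"{name} {taken:%Y-%m-%d} differs between locations")
    return findings

NOW = datetime(2017, 7, 10)  # constructed reference time

def sample_inventory():
    """Constructed inventory: the 2017-07-09 copy on cloud-b was altered."""
    return [
        BackupCopy("fileserver", datetime(2017, 7, 3), "cloud-a", False, "aa11"),
        BackupCopy("fileserver", datetime(2017, 7, 3), "vault", True, "aa11"),
        BackupCopy("fileserver", datetime(2017, 7, 9), "cloud-a", False, "bb22"),
        BackupCopy("fileserver", datetime(2017, 7, 9), "cloud-b", False, "cc33"),
    ]
```

Running `verify_policy(sample_inventory(), NOW)` reports only the altered 2017-07-09 copy, since the inventory otherwise meets every check.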
“Da Vinci Forensics maintains a constant and vigilant educational level to monitor the ever-changing world of cybersecurity for our clients. Cyber criminals will continue to make alterations to their program to achieve their goals and through our programs we offer guidance and information to assist in keeping your data safe. The cost to a company in an attack can be high enough to take a corporation down and destroy a reputation. We work to educate and enlighten so that you can focus on running your business.”
Da Vinci Forensics