Some new tactics from ransomware gangs. The data extortion gang Industrial Spy is now publicly hacking corporate websites to display their ransom notes. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid. The public defacement of the website is the new twist.
Other groups are now giving victims more time: the initial phases of the breach are kept less exposed to the public, giving targets a longer window to negotiate the ransom payment in secrecy while the threat of a future data leak still maintains pressure.
And data from cybersecurity firm KELA in its Ransomware victims and network access sales report suggests another approach. A few ransomware gangs, including Midas and Lorenz, are also switching up their tactics. A new victim intimidation method detected by the cybersecurity firm is for the group to publish a victim on a leak site as a “new company.” If the business refuses to pay, the post is edited to include the brand. And some of the gangs at the top of the list have been observed attacking each other or, at the very least, laying claim to the same victims.
Evil Corp has switched their tools, moving to the LockBit ransomware to evade detection.
They’re all getting good at this, too. The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks, and 1637.6 hours in 2019, according to IBM’s X-Force team.
US agencies gave insights this week on how Chinese state actors hit ISPs and telcos. Quoting the Record: “The latest advisory details how hackers rely on compromised servers, or ‘hop points,’ from China-based IP addresses to register and eventually gain access to email accounts, host command and control domains and otherwise interface with victimized networks. After they have distanced themselves, state-linked actors go on to exploit infrastructure in internet providers and telecoms, as well as a small home office and business routers manufactured by key industry providers, giving them the ability to target and attack at scale.”
The RSA Conference is going on this week in San Francisco, and Protocol’s coverage of the event highlighted the continued spending on cybersecurity, even with the potential slowdown of the economy more broadly. Of note – they even talked with managed IT services providers.
Why do we care?
No honor among thieves. Plus, I’m amused to find them switching tools the same way an MSP might switch theirs.
Onto the meat of the stories – new tactics. Note how some groups are swinging to more bold tactics by making the hacks more public, while others are focused on customer service, giving victims more time to pay. I’m constantly amazed at the business savvy nature of these enterprises.
As those on defense, we are continually learning to keep up.