As the pandemic continues, organizations around the world are working hard to adapt to the “new normal.” This article highlights the key trends that we will face in 2022 and beyond. Ransomware attacks more than doubled in 2021 compared to 2020, with healthcare and utilities the most commonly targeted sectors. Moreover, attacks are getting more expensive, with the average ransomware payment leaping from US$312,000 in 2020 to $570,000 in 2021.
The early stages of an intrusion usually include initial access, execution, persistence, and command-and-control (C2) beaconing. When structured threats use zero-days, these first two stages are often not detected. It can often be challenging and time-consuming to identify persistence mechanisms left by an advanced adversary as we saw in the 2020 SUNBURST supply chain compromise. Could we then have detected SUNBURST in the initial hours or days by finding its C2 beacon?
It was 11 PM on a Friday in November of 2019. WED2B IT systems administrator Jamie Jeeves started receiving a barrage of email alerts warning that antivirus (AV) clients were crashing in the company’s central office. All prospects for a relaxing weekend vanished when Jeeves logged into the remote system to investigate the AV shutdowns. While checking the network’s file share, Jeeves noticed they were in trouble. Mass encryption of data was underway.
The TellYouThePass ransomware family was recently reported as a post-exploitation malicious payload used in conjunction with a remote code execution vulnerability in Apache Log4j library, dubbed Log4Shell. TellYouThePass was first reported in early 2019 as a financially motivated ransomware designed to encrypt files and demand payment for restoring them. Targeting both Windows and Linux systems, TellYouThePass ransomware re-emerged in mid-December 2021 along with other ransomware like Khonsari.
Naming themselves Night Sky, a new ransomware family was spotted on the first day of 2022, by the MalwareHunterTeam. They appear to work in the RaaS (Ransomware-as-a-Service) model, similar to other ransomware groups like REvil, LockBit, and Hive, publishing stolen data exfiltrated throughout the attack in a deep web site if the ransom is not paid by the victim. Currently, there are two companies listed on their deep web site, where the group has published the victim’s allegedly stolen data.
With our recent 7.16 Elastic Security product release, we improved our existing Linux malware feature by adding memory protection. In this blog, brought to you by Elastic’s Engineering Security Team, we lean into this recent advancement to show how we are protecting the world’s data from attack.
Nowadays, malware used to have several stages before it fully compromised the targeted host or machine. The very well-known initial stager is the “phishing email” that contains a malicious macro code or malicious URL link that will download either the actual loader or the next stager to download the actual payload.
Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. Unfortunately, the cybercriminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale. The best way to ensure that your organization does not fall victim to a ransomware attack is to understand what happens when an attacker injects this type of malware into a system.
In the first half of 2021, average ransomware demands surged by 518%, while payments climbed by 82%. There has been a growing number of attacks in healthcare, with 560 healthcare facilities hit by ransomware last year in the U.S. alone. As new attacks generate headlines each week, we get real-world use cases for how ransomware proliferates in diverse ways, including social engineering attacks and exploitation of vulnerabilities.
