Researchers from Cybereason built a “honeypot” designed to look like an electricity company with operations across Europe and North America. The honeypot network was designed to analyze the tactics, techniques, and procedures used by state-sponsored groups and cybercrime actors targeting critical infrastructure providers. The research identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victim’s network to compromise as many endpoints as possible.
This research shows a change over the past two years, as attackers move towards multistage ransomware attacks as part of hacking operations. Ransomware threats to critical infrastructure providers should be a top concern for security teams.
Asked to provide insight into this research, Javvad Malik, Security Awareness Advocate at KnowBe4, said, “This finding is consistent with what we have been seeing about ransomware in particular. It is no longer a case that criminals will want to infect every machine as soon as possible. Rather, ransomware, once it has broken in, will dial home so the best strategy can be determined. This includes what to encrypt, the ability of the victim to pay, corrupting backups, and exfiltrating data and credentials.
In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell on data they have exfiltrated. Sometimes they will use the stolen information to attack partners or try to extort customers.
It paints a grim picture where even having reliable and up-to-date backups won’t help. This is why preventing criminals from gaining a foothold is of utmost importance. The top three controls [that] organizations can deploy would include security awareness training so that users can identify and respond to phishing attacks, MFA to prevent credential compromise, and patching external-facing systems.”
An in-depth review with screenshots of this vital honeypot research can be read on a fascinating blog post by Cybereason’s Israel Barak (https://www.cybereason.com/blog/cybereason-honeypot-multistage-ransomware).
In the Cybereason blog, Israel outlines four stages of the attack. He talks about how the attackers gained entry, established persistence, moved laterally on the network, and finally detonated the ransomware.
In his post, Israel concludes, “One of the trends that we are seeing in the ICS space and in general is fewer new strains of ransomware in 2020, yet the existing strains rake in more gains. Hackers do this by better targeting and making more money from each target. We can expect to see an increase in multistage ransomware embedded into hacking operations in the foreseeable future.”

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.