Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface.
A Ransomware' Perfect Storm' is Brewing
Ransomware adversaries are a unique breed of threat actor with hyperspecialized tradecraft. Today, these professional cybercriminals form threat ecosystems of malware operators, fraud specialists, and black markets that enable best-of-breed intrusions. More professional criminals are joining the ransomware industry every day, bringing with them a focus on malware R & D and optimizing tactics. The result is a faster payout for actors, meaning increased frequency and volume of attacks.
These cybercriminals are also now capitalizing on COVID-19 to up the success rate of their attacks. The remote workforce has presented security challenges for organizations, and the deluge of information and disinformation around the outbreak has provided ample bait to make intrusions easier.
WannaCry is Already Obsolete
Ransomware continues to significantly impact business operations, even the world's largest companies, with its cost and impact ranging from a disruption of operations to a business shuttering its doors forever.
However, there have been significant advances in ransomware attacks in the past couple of years. Today, human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors.
Pinchy Spider: When Backups Aren't Enough
No ransomware group embodies the leaps and bounds made by ransomware in the past decade like Pinchy Spider (REvil/Sodnikibi). This group has taken professionalism and tradecraft in crimeware to new heights, establishing a Ransomware Empire, that's amassing more than $2B from victims.
Pinchy Spider is the developer of the infamous GandCrab ransomware and is comprised of a network of highly skilled affiliates that share in tools, tactics, and revenue. The group is professional, organized, and would put many nation-state actors to shame with their extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.
Pinchy Spider has quickly evolved to compromise organizations via multiple methods, including the digital supply chain, which enables their infection, data gathering, encryption of systems, and extortion without the victim even having to click on a link or open an attachment.
Spot Ransomware with Situational Awareness
Prevent with OSINT
Open-source intelligence is key to understanding threat groups and how they could target your organization. Keeping up-to-date on Ransomware IOC's is essential, as is continuously chaining threat infrastructure to uncover the digital footprints of critical threats to your organization.
The Threat Intelligence Portal in RiskIQ PassiveTotal is updated daily with the latest intelligence and indicators from open-source and RiskIQ Labs. Analysts can pivot across intelligently correlated data sets built from RiskIQ's massive internet data collection to link infrastructure to known ransomware attacks and prevent attacks on your organization.
Know With Attack Surface Visibility
Ransomware doesn't just come from email anymore. Groups like Pinchy Spider have evolved to be able to leverage multiple avenues of attacks. Knowing where your organization is vulnerable, such as its misconfigured remote access and perimeter devices deployed to enable a remote workforce is a key to keeping your organization safe.
RiskIQ's Enterprise Digital Footprint uses RiskIQ's deep knowledge of the internet to link these devices and all other digital assets to an organization. By creating a running inventory of what it owns, organizations know what to protect and what's vulnerable.
Respond with 360-degree Awareness
If your organization is under attack by an advanced threat actor like Pinchy Spider, you must respond immediately. Whether they've attacked via an internal or external avenue, you must have visibility into the attack and understand its full impact.
The RiskIQ Illuminate app for CrowdStrike enriches CrowdStrike Falcon detections with our internet-wide telemetry, enhancing internal alerts with external context. When automatically correlated with CrowdStrike Intelligence, RiskIQ's internet data sets boost incident response by enabling researchers to quickly search across an organization's endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.
During an investigation, the RiskIQ app automatically identifies impacted endpoints so analysts can understand all the related infrastructure belonging to a given threat actor. This way, companies can stay a step ahead of their adversaries and optimize their attack surface management.
Watch the Webinar
In our latest webinar, CrowdStrike and RiskIQ discussed the evolution of both ransomware attacks and the Pinchy Spider actor group. The session provided attendees with an understanding of the group's current Tactics, Techniques, and Procedures (TTPs). Our experts then highlighted how organizations could use the combined visibility of both CrowdStrike Falcon Intelligence and RiskIQ's global internet collection to derive new actionable intelligence and better defend the enterprise. Watch it here.
Also, be sure to visit RiskIQ's Threat Intelligence Portal to see for yourself how Pinchy Spider fits into an extensive underground ransomware economy that saps billions of dollars from organizations worldwide. You can see the connected infrastructure and pivot across indicators of compromise (IoCs) that link Pinchy Spider infrastructure to a dark web marketplace here. Sign up for RiskIQ Community for a month of free enterprise access.