Ransomware is still an ongoing nightmare, and customers are being hit with it daily. Not every attack will be high-profile, but there are countless successful attacks every week. As an example, here is the data as of 5/27/2024 –

United States – 47 attacks

France – 6 attacks

UK – 6 attacks

There are more, but you can see that the country most targeted by ransomware attacks is the United States. This has been the norm since ransomware became extremely prevalent in 2013/2014 with Cryptolocker (then Cryptowall, Cryptowall V2, etc.). One of the reasons the US is attacked so frequently is the prevalence of the mindset “I am not big enough to be attacked.” That mindset is being proven incorrect: the SMB market is one of the most attacked, partly because of that mindset, but also because of poor cyber hygiene and the inability to monitor the security stack 24/7/365 without burnout.

What about these new versions of ransomware/RaaS? Are they truly doing anything different? Why are people not able to prevent them? We will be discussing Black Basta, which has been making a name for itself since 2022 with many victims to its credit (and more every day). Note – BLOKWORX has been shutting down Black Basta (and other variants) before they could conceptualize an attack. This includes other major players like LockBit, Ransom House, Vice Society, etc.

Let’s start with a breakdown of how they attack your environment, then how you can prevent those attacks.

Gaining Access –

Something important to understand is that without some level of access the bad actors will not be able to infiltrate your environment. How they get access varies and could be as simple as buying access from one of the many dark web marketplaces that cater to environment access. Black Basta likes to leverage spearphishing to gain access, but it should be noted that Black Basta is RaaS (Ransomware as a Service) and thus its affiliates might use different methods, such as leveraging Qakbot (or another RAT) to gain access and then propagate to other machines.

Lateral Movement –

Having access to your environment is one thing, but ultimately the threat actors need an account with the right level of access, generally to a machine with a far reach (domain controller, Active Directory server, etc.), to ensure the impact of the ransomware is broad enough to disrupt your business. To complete this part of the process, the threat actors will use a scanner (netscan, Advanced IP Scanner, nmap) to identify other machines within the environment. These scanning tools, combined with tools like PsExec and RDP, facilitate movement within the environment. We will discuss how to shore up this weak point in a bit. Black Basta is not creative in how they escalate privileges and tend to use tools like Mimikatz; however, they could also leverage any of the unpatched vulnerabilities common in an SMB environment, where patching lags due to lack of staffing or resources being used where they are not the best fit.
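As an added example (not code from the original post or from BLOKWORX), the following PowerShell function flags the lateral-movement indicators just described in Windows event log records: a PSEXESVC service installation (System event 7045), launches of the named scanning and dual-use tools (Security event 4688), and RDP logons from outside an assumed VPN address pool (Security event 4624, logon type 10). The sample events and the 10.200.x.x VPN range are constructed assumptions.

```powershell
# Added example (not BLOKWORX code): flags lateral-movement indicators in
# Windows event log records. $SampleEvents below is constructed; on a live
# host pass Get-WinEvent output instead, e.g.
#   Find-LateralMovementIndicators -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4688})

$DualUseTools = @('netscan.exe', 'advanced_ip_scanner.exe', 'nmap.exe', 'psexec.exe', 'mimikatz.exe')
$VpnPrefix    = '10.200.'   # assumption: RDP is only legitimate from this VPN address pool

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            7045 {  # Service Control Manager: new service installed; PsExec drops PSEXESVC
                if ($e.Message -match 'Service Name:\s*PSEXESVC') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'PsExec service installed'; Detail = 'PSEXESVC' }
                }
            }
            4688 {  # Security: process creation; compare the image name against the tool list
                if ($e.Message -match 'New Process Name:\s*(\S+)') {
                    $exe = ($Matches[1] -split '\\')[-1].ToLower()
                    if ($DualUseTools -contains $exe) {
                        [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'Dual-use tool launched'; Detail = $Matches[1] }
                    }
                }
            }
            4624 {  # Security: successful logon; type 10 = RemoteInteractive, i.e. RDP
                if ($e.Message -match 'Logon Type:\s*10' -and
                    $e.Message -match 'Source Network Address:\s*(\S+)' -and
                    -not $Matches[1].StartsWith($VpnPrefix)) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'RDP logon from outside VPN pool'; Detail = $Matches[1] }
                }
            }
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (Id, TimeCreated, Message)
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = (Get-Date '2024-05-27 01:58'); Message = "An account was successfully logged on.`nLogon Type: 10`nSource Network Address: 203.0.113.8" },
    [pscustomobject]@{ Id = 4624; TimeCreated = (Get-Date '2024-05-27 09:00'); Message = "An account was successfully logged on.`nLogon Type: 10`nSource Network Address: 10.200.0.5" },
    [pscustomobject]@{ Id = 4688; TimeCreated = (Get-Date '2024-05-27 02:10'); Message = "A new process has been created.`nNew Process Name: C:\Users\jdoe\Downloads\netscan.exe" },
    [pscustomobject]@{ Id = 7045; TimeCreated = (Get-Date '2024-05-27 02:14'); Message = "A service was installed in the system.`nService Name: PSEXESVC`nService File Name: %SystemRoot%\PSEXESVC.exe" }
)

# Three rows are expected; the RDP logon sourced from the VPN pool is not flagged
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
```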

The endgame of the attack is the ransom and the exfiltration of data from the environment (used to ensure payment, but also as “proof of life” in a sense). Threat actors are constantly increasing the strength/complexity of the encryption algorithms they use: some use RSA-4096, some leverage AES-256 (which you cannot brute force), and then “just for fun” some will use AES-512. Long and short, once they encrypt the files you will have to restore from backup.

I have EDR in place, shouldn’t that stop these attacks?

Not necessarily. EDR by nature is “Detection” and “Response”; some vendors attempt to add “Remediation” with automated runtimes, but by then the file is already on the machine. Couple this with many environments permitting tools like Cobalt Strike and PsExec, and many EDR solutions can be easily circumvented. It should also be noted that many EDR solutions do not have a self-protection feature, which means their running processes can be killed remotely (PsExec gives you the ability to terminate processes remotely) or locally on the machine via RDP or a screen-sharing utility (TeamViewer is commonly abused; occasionally Splashtop is leveraged).

There are ways you can shore up your security and make your attack surface less desirable to threat actors –

  • Turn off RDP – This should not be accessible from the outside world, no exceptions at all. If there is a reason to use RDP, it should only be reachable over VPN.
  • Stop allowing dual-use programs in the environment (Cobalt Strike, PsExec, etc.)
  • Limit PowerShell usage within the environment (commonly used to build payloads in memory to evade AV solutions)
  • Focus on prevention! If an item cannot access your environment, then it cannot be detonated!
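As an added example (not BLOKWORX code or any product of theirs), this PowerShell audit checks a single Windows host against the controls in the list above and returns one pass/fail row per control: RDP switched off and its inbound firewall group closed, an enforced AppLocker executable rule collection so that unlisted tools such as PsExec cannot run, and PowerShell locked down (Constrained Language Mode, script block logging, legacy v2 engine removed). The control names and the choice of these particular checks are my assumptions; the cmdlets and registry values are standard Windows ones.

```powershell
# Added example (not BLOKWORX code): read-only audit of the hardening controls
# listed above. Run from an elevated PowerShell session; nothing is changed.

function Test-RansomwareHardening {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Control, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail })
    }

    # 1. RDP: the service-level switch must be off and no inbound Remote Desktop rule enabled
    $ts     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpOff = ($ts.fDenyTSConnections -eq 1)
    $fw     = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $fwOpen = @($fw | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count
    Add-Result 'RDP disabled'        $rdpOff         "fDenyTSConnections=$($ts.fDenyTSConnections)"
    Add-Result 'RDP firewall closed' ($fwOpen -eq 0) "$fwOpen inbound Remote Desktop rules enabled"

    # 2. Dual-use tools: an enforced AppLocker Exe collection blocks every binary not covered by an allow rule
    $exe = $null
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml
        $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
    } catch { }
    Add-Result 'AppLocker Exe rules enforced' ($exe.EnforcementMode -eq 'Enabled') "EnforcementMode=$($exe.EnforcementMode)"

    # 3. PowerShell: constrained language, script block logging, and no v2 engine to downgrade to
    $clm = ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage')
    $sbl = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    Add-Result 'PowerShell Constrained Language' $clm                      "LanguageMode=$($ExecutionContext.SessionState.LanguageMode)"
    Add-Result 'Script block logging'            ($sbl -eq 1)              "EnableScriptBlockLogging=$sbl"
    Add-Result 'PowerShell v2 engine removed'    ($v2.State -eq 'Disabled') "State=$($v2.State)"

    return $results
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Any row with Pass = False is a control from the list above that this host does not yet meet.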

You should also ensure you have the right people in the right seats; this helps ensure you are not overutilizing someone or having them operate outside their skillset. Many SMBs will not have a dedicated person over cyber security, and someone will be “voluntold” into being the cyber guy. Having a team help oversee your alerts helps greatly, but a team with the experience to differentiate noise from credible threats is infinitely valuable. The right technology being in place will also make life easier for you. Your security solution should be validated and proven to have a low rate of false-positive events, and preferably its efficacy should be validated by a third party.

The easiest solution to preventing ransomware attacks would be to contact BLOKWORX as we have the strongest security stack available with a proven track record of shutting down the latest threats. With a 24/7 SOC based in the USA and decades of security experience to help shape your policies in your environment it’s the augmentation that truly pays dividends in your environment!