Summer of Cybercrime Continues: What To Do VP, Threat Intelligence

Update as of July 9, 2021 4:15 p.m EDT: Identifying Kaseya VSA Indicator of Compromise using Trend Micro Vision One

We recently coined this as the Summer of Cybercrime. Major ransomware attacks continue to hit companies globally. The attacks can cause significant damage, from a financial, reputation and productivity standpoint. 

In most cases, these attacks could be stopped with a concerted effort on cybersecurity hygiene. That is the key to stopping this growing trend of successful modern ransomware attacks. 

Modern Ransomware Attacks

Modern ransomware leverages a wide range of tools and tactics to navigate corporate infrastructure and find the company’s crown jewels. Often, the initial point of entry is known vulnerabilities that have not been patched. 

In the latest instance against Kaseya, previously unknown, or zero-day, vulnerabilities were leveraged. While this is increasingly uncommon, attacks that use new bugs can still be stopped. 

Regardless of how attackers get in, there are several places where they can be spotted and stopped before they get to the point of encrypting data and demanding a ransom. 

These are the possible extortion outcomes in today’s ransomware attacks:

• Ransomware: Encrypt files and then drop the ransom note … wait for the payment in bitcoin.
• Double extortion: Ransomware + data exfiltration that is threatened to be released if payment is not received. Maze was the first documented to do this and the other threat actor groups followed suit – recently seen in the attack on Colonial Pipeline.
• Triple extortion. Double Extortion + threaten a DDoS attack. Avaddon was the first documented to do this.
• Quadruple extortion. ransomware + (possibly Data Exfiltration or DDoS) + directly emailing affected victim’s customer base. Cl0p was first documented doing this, as written by Brian Krebs

Stop Attacks With Security Hygiene Efforts

Multi-extortion, debilitating attacks can often be stopped by leveraging  security functions that are designed to stop threats like ransomware. For many companies, that is a daily struggle, but it could be solved by having a security partner manage your security stack.

Here are some quick things that should be turned on as part of your organization’s security best practices to mitigate the risk posed by these attacks:

1. Enable Behavior Monitoring and Machine Learning with recommended configurations. This keeps customers from needing updates or new detections when a major industry event is discovered, like the Kaseya attack.  
2. Maintain a strong patch management plan. This protects against known vulnerabilities by applying available vendor updates. Virtual patching can also cover the gap until the official patch is available or applied.
3. Utilize multi-factor or 2-factor authentication with your critical administrative accounts, especially on your public facing systems. This makes it more difficult for attackers to abuse compromised credentials to gain system access.
4. Practice the 3-2-1 backup rule. If a successful ransomware attack occurs, it is critical to maintain at least three copies of company data in two different formats, with one air-gapped copy located off-site. This ensures you can restore functionality without needing to pay the ransom to decrypt files.

These are not the only security activities that help keep companies secure, but they are ones that will prevent the most common points of entry for ransomware attacks today. 

Having the full power of a security solution turned on and optimized for your environment boards up the cracks and gaps to stop attackers before they can start. 

Trend Micro’s Machine Learning and Behavioral monitoring capabilities identified the ransomware component of the Kaseya incident. That means customers were protected before the attack was widely known about based on our highly effective technology. And for customers who don’t have the resources to maintain their security stack themselves, we can manage that for them to ensure the highest level of protection available is in place. 

Here are more specific details on how Trend Micro protected against the Kaseya event.

Read More HERE