When a company suffers a ransomware attack, many assume that the attackers deploy the ransomware and leave quickly so they don’t get caught. Unfortunately, the reality is very different: threat actors do not give up so readily on a network they have worked hard to take control of.
Instead, ransomware attacks unfold over days to months, starting when a ransomware operator gains entry to a network.
This initial breach typically comes through exposed Remote Desktop services, vulnerabilities in VPN software, or remote access provided by malware such as TrickBot, Dridex, and QakBot.
Once they have access, they use tools such as Mimikatz, PowerShell Empire, PsExec, and others to harvest credentials and spread laterally across the network.
As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before the ransomware is deployed.
After an attack has taken place, victims have told BleepingComputer that they believed the ransomware operators were gone and that their network was therefore no longer at risk.
This belief is far from the truth, as a recent attack by the Maze Ransomware operators shows.
Maze continued to steal files after the ransomware attack
Maze Ransomware operators recently announced on their data leak site that they had hacked into the network of an ST Engineering subsidiary called VT San Antonio Aerospace (VT SAA). The scary thing about this leak is that Maze released a document containing the victim’s IT department’s report on its own ransomware attack.
The stolen document shows that Maze was still on the network and continued to steal the company’s files while the investigation of the attack was underway. Such continued access is not uncommon in this type of attack. McAfee chief engineer and cyber investigation manager John Fokker told BleepingComputer that some attackers even read victims’ emails while ransomware negotiations were ongoing.
“We are aware of cases where ransomware players remained on a victim’s network after deploying their ransomware. In these cases, attackers encrypted the victim’s backups after the initial attack or during negotiations. Of course, the attacker still had access and could read the victim’s email.”
After a ransomware attack is detected, a company must first shut down its network and the computers running on it. These actions stop further data encryption and deny the attackers access to the systems.
Once this is done, the company should call in a cybersecurity provider to perform a thorough investigation of the attack and a scan of all internal and public-facing devices.
This scan covers the company’s devices to identify persistent infections, vulnerabilities, weak passwords, and malicious tools left behind by the ransomware operators.
In many cases, the victim’s cyber insurance covers most of the cost of the repairs and investigation.
Fokker and Vitali Kremez, Chairperson of Advanced Intel, also offered some additional tips and strategies for remediating an attack.
“The most significant corporate ransomware attacks almost always involve a complete compromise of a victim’s network, from backup servers to domain controllers. With full control over a system, threat actors can easily disable defenses and implement their ransomware.
“Incident Response (IR) Teams that are subject to such profound interference must assume that the attacker is still on the network until proven guilty. Mainly, this means choosing a different communication channel (not visible to the threat actor) to discuss ongoing IR efforts.”
“It is important to note that attackers have already scanned a victim’s Active Directory to remove any remaining backdoor accounts. They must do a full AD scan,” Fokker told BleepingComputer.
Kremez also proposed a separate secure communication channel and a closed storage channel where data related to the investigation can be stored.
“Treat ransomware attacks as data breaches, assuming attackers may still be on the network, so victims should work from the bottom up and try to obtain forensic evidence that confirms or invalidates the hypothesis. It often includes a full forensic analysis of the network infrastructure, with a focus on privileged accounts. Make sure you have a business continuity plan to have a separate secure storage and communication channel (different infrastructure) during the forensic evaluation,” said Kremez.
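The cleanup steps described above (isolating the network, scanning for persistent infections and tools left behind, doing a full Active Directory scan for backdoor accounts, and focusing the forensic work on privileged accounts) translate into concrete detection logic. The following Python script is an added example, not code from the article, BleepingComputer, McAfee or Advanced Intel: it triages a constructed export of Windows Security and System event records for an incident window and flags newly created accounts, additions to privileged groups, new services and scheduled tasks, and RDP logons by the newly created accounts. The event IDs are the standard Windows ones; the dict field names (`time`, `id`, `host`, `target`, `group`, and so on), the privileged-group list and the sample events are assumptions made for this example rather than any SIEM’s real schema.

```python
"""Post-ransomware persistence triage over exported Windows event records.

Added example (not from the article or any vendor). Given an export of
Windows Security/System events as plain dicts, flag the artefacts an incident
responder hunts for when assuming the operator is still present: accounts
created during the incident window, additions to privileged groups, new
services and scheduled tasks, and RDP logons by the newly created accounts.
The event IDs are standard Windows IDs; the field names and the sample
records below are constructed for this example.
"""
from datetime import datetime

# Standard Windows event IDs (Security log unless noted).
ACCOUNT_CREATED = 4720          # A user account was created
MEMBER_ADDED_GLOBAL = 4728      # Member added to a security-enabled global group
MEMBER_ADDED_LOCAL = 4732       # Member added to a security-enabled local group
MEMBER_ADDED_UNIVERSAL = 4756   # Member added to a security-enabled universal group
SCHEDULED_TASK_CREATED = 4698   # A scheduled task was created
SERVICE_INSTALLED = 7045        # System log: a new service was installed
LOGON = 4624                    # An account was successfully logged on
LOGON_TYPE_RDP = 10             # Logon type 10 = RemoteInteractive (RDP)

GROUP_ADD_EVENTS = {MEMBER_ADDED_GLOBAL, MEMBER_ADDED_LOCAL, MEMBER_ADDED_UNIVERSAL}

# Groups whose membership changes deserve review after an intrusion
# (assumption: tune to the environment; these are the usual built-in ones).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Backup Operators", "Account Operators", "Remote Desktop Users",
}

# Incident window: earliest confirmed operator activity to the analysis cut-off.
# Constructed values matching the sample records below.
WINDOW_START = datetime(2020, 6, 2)
WINDOW_END = datetime(2020, 6, 6)

# Constructed sample export (ISO 8601 timestamps). Includes benign noise:
# an account created a month earlier and a normal console logon by an analyst.
SAMPLE_EVENTS = [
    {"time": "2020-05-01T09:12:00", "id": 4720, "host": "DC01", "subject": "it.admin", "target": "helpdesk3"},
    # Operator creates a backdoor account on the DC using a stolen service account ...
    {"time": "2020-06-02T23:41:10", "id": 4720, "host": "DC01", "subject": "svc_backup", "target": "sysmaint"},
    # ... adds it to Domain Admins ...
    {"time": "2020-06-02T23:42:05", "id": 4728, "host": "DC01", "subject": "svc_backup", "target": "sysmaint", "group": "Domain Admins"},
    # ... installs a service on a file server and a scheduled task on the DC ...
    {"time": "2020-06-03T00:05:33", "id": 7045, "host": "FS01", "subject": "sysmaint", "service": "WinUpdSvc", "image": "C:\\Windows\\Temp\\upd.exe"},
    {"time": "2020-06-03T00:07:12", "id": 4698, "host": "DC01", "subject": "sysmaint", "task": "\\Microsoft\\Windows\\Maintenance\\Cleanup"},
    # ... and comes back over RDP with the backdoor account while IR is under way.
    {"time": "2020-06-05T02:15:44", "id": 4624, "host": "FS01", "target": "SysMaint", "logon_type": 10, "source_ip": "10.0.40.17"},
    {"time": "2020-06-05T08:00:00", "id": 4624, "host": "WS22", "target": "analyst1", "logon_type": 2, "source_ip": "-"},
    # Analyst granted RDP rights on a workstation during IR: benign, but still reviewed.
    {"time": "2020-06-05T08:30:00", "id": 4732, "host": "WS22", "subject": "it.admin", "target": "analyst1", "group": "Remote Desktop Users"},
]


def triage(events, window_start, window_end):
    """Return (kind, item, where) findings for events inside the window.

    Events are processed in time order so that a logon by an account created
    earlier in the window is recognised as a logon by a new account.
    """
    findings = []
    new_accounts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if not (window_start <= when <= window_end):
            continue
        eid = ev["id"]
        if eid == ACCOUNT_CREATED:
            new_accounts.add(ev["target"].lower())
            findings.append(("new_account", ev["target"], ev["host"]))
        elif eid in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", ev["target"], ev["group"]))
        elif eid == SCHEDULED_TASK_CREATED:
            findings.append(("scheduled_task", ev["task"], ev["host"]))
        elif eid == SERVICE_INSTALLED:
            findings.append(("service", ev["service"], ev["host"]))
        elif eid == LOGON and ev.get("logon_type") == LOGON_TYPE_RDP:
            if ev["target"].lower() in new_accounts:
                findings.append(("rdp_by_new_account", ev["target"], ev["host"]))
    return findings


def accounts_to_review(findings):
    """Accounts to disable or reset first: created in-window, granted
    privileged membership, or used for RDP after being created."""
    kinds = {"new_account", "privileged_group_add", "rdp_by_new_account"}
    return {item.lower() for kind, item, _ in findings if kind in kinds}


def run_sample():
    """Run the triage over the constructed sample export."""
    return triage(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    results = run_sample()
    for kind, item, where in results:
        print(f"{kind:22s} {item:45s} {where}")
    print("accounts to review:", sorted(accounts_to_review(results)))
```

In a real engagement the records would come from the SIEM or from each domain controller’s and server’s exported event logs, the window would start at the earliest confirmed operator activity, and every account the script lists would be disabled or have its credentials reset from a clean administrative workstation before the network is brought back up.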
Kremez noted that reimaging devices on a compromised network is recommended. Still, it may not be enough, because attackers are likely to have full access to network credentials that can be used for another attack.
“Victims have the potential to reinstall machines and servers. However, you should be aware that the criminal may have already stolen the credentials. A simple reinstallation may not be enough,” Kremez continued.
Ultimately, it is essential to assume that attackers are likely to keep monitoring a victim’s movements even after an attack.
This eavesdropping could not only hinder the cleanup of a compromised network but could also affect negotiation tactics if the attackers read a victim’s email and stay a step ahead.