
ID: 209531

URL: https://www.techrepublic.com/article/3-things-you-might-not-know-about-modern-ransomware-and-how-nefilim-makes-money/

Date: 2021-06-08

3 things you might not know about modern ransomware and how Nefilim makes money

Ransomware attacks are now a team effort that includes professional pen testers with malicious intent, access-as-a-service brokers and the ransomware owners who handle the negotiation. Bad actors have modernized the business model to design attacks around a specific company and to set the ransom fee based on how successful the target is, according to new research from Trend Micro. The company's new report, "Modern Ransomware's Double Extortion Tactics and How to Protect Enterprises Against Them," explains the modern ransomware attack and Nefilim, a type of malware that illustrates this evolution. Nefilim attacks multibillion-dollar companies and leaked 1,752 gigabytes of data in January, according to the report. Trend Micro Research published the report, which was written by Mayra Fuentes, Feike Hacquebord, Stephen Hilt, Ian Kenefick, Vladimir Kropotov, Robert McArdle, Fernando Mercês and David Sancho.

According to the report, ransomware monetization schemes have changed for two reasons. First, organizations are getting better at cyber defense, which lowers the number of easy targets and forces attackers into a more targeted approach. Second, criminals are using new technologies to create more powerful and sophisticated attacks, including:

Here are three characteristics of modern ransomware attacks from the report, as well as a recap of Trend Micro's analysis of Nefilim, a malware family that has all of those characteristics.

Now that the "spraying and praying" tactic is less useful, bad actors are personalizing attacks. This means deep victim profiling and victim-specific ransom pricing. Criminals now have the ability to infiltrate a network and spend as much time as necessary to search for and identify the highest-value assets. The attacker now knows much more about the target, including the number of employees, revenue numbers and the industry.

This personalization also allows the attackers to estimate possible ransom amounts for each victim. The modern ransomware process has several additional steps that allow for these personalized attacks. The process starts with an asset takeover and proceeds to asset categorization and then infrastructure takeover. According to Trend Micro's research, ransomware gangs use these steps to personalize the attack:

"Pre-modern ransomware" attacks, as the report describes them, would then encrypt the data and extort companies based on the encryption. The modern ransomware process adds two new steps: extorting companies based on exposing the data, and then actually exposing the data.

Trend Micro researchers found that modern ransomware attacks are not a job for one hacker group alone; collaboration is the new trend. The whole attack chain often involves two or more groups that are responsible for the different attack stages. According to the report, one group owns the ransomware and another controls the compromised infrastructure and distributes the malware. The two groups usually agree to a 20/80 or 30/70 split of the profit: "...the smaller cut goes to the group that provides the ransomware and negotiates with a victim while the majority of the profit goes to the group that handles network access and implements the active phase of the attack. Most of the profits go to the affiliate actor responsible for obtaining network access and deploying the ransomware payload." Sometimes there are even subcontractors involved in the process who specialize in "privilege escalation, lateral movement, and complete takeover of the victim infrastructure." These access specialists charge fees based on how much access an attacker wants, ranging from "tens of dollars for a random victim asset, to several hundreds or even thousands of dollars for a categorized asset; access to the infrastructure of a large organization can cost five to six figures."

The report authors also note that the affiliate groups are not investigated as meticulously as their ransomware partners, which helps these collaborations survive. Another element of this team approach to cybercrime is that there are often "parallel monetization life cycles" in a single attack, according to Trend Micro. This makes it even harder to spot the trouble and recover from an attack. It's another reason to understand criminal business models clearly, to be able to "attribute TTPs to separate simultaneous attacks or a single attack performed with close collaboration between actors who share access and join forces."

Before closing a ticket on an attack, Trend Micro researchers recommend that security teams consider the entire kill chain to make sure all malware is gone. Varonis describes the eight steps in the cyber kill chain:

Trend Micro recommends that security teams read security research to see where a particular piece of malware fits in the kill chain. If it is often used early in the chain, defenders should assume that later stages may have been deployed and must be investigated.

The Trend Micro report describes the Nefilim ransomware family as an example of modern ransomware. Attackers first establish a foothold in the network, then identify the most valuable data and then trigger the ransomware payload. Trend Micro first identified Nefilim in March 2020. Nefilim has attacked companies in North and South America, Europe, Asia and Oceania, according to Trend Micro's research, and appears to target multibillion-dollar companies more often than other ransomware groups. The group seems to have better control over its website and is "particularly vicious" about leaking sensitive data over long periods of time. Trend Micro researchers found that Nefilim uses exposed RDP services and a vulnerability in the Citrix Application Delivery Controller to gain initial access.

At that point, the attackers use a variety of tools to establish a presence in the compromised network, including:

Once the attackers have found the data they want, they use three kinds of bulletproof hosting services and fast flux hosting to upload and leak stolen information, according to the report.