Stop Ransomware Groups Who Weaponize Legitimate Tools
The ongoing game of cat and mouse – cybercriminals vs security teams – continues with the latest evolution in ransomware.
Today, advanced defense technologies are more prominent across businesses globally, which has forced attackers to shift their approach. The new approach is much more targeted and hidden, making modern ransomware more difficult than ever to spot and stop before it’s too late.
Trend Micro Vision One is the answer to this problem for customers, correlating suspicious activity across their environment to identify and stop lateral movement from attackers before ransomware is dropped.
One Big Change
Ransomware actors today use legitimate tools to hide their activities in a victim network. On their own, these tools are not malicious. They are actually intended to help security teams, but criminals have found ways to abuse them.
The tools are attractive for criminals for a few reasons:
- They might not be detected as malicious
- They are open source and easily accessible
- The same benefits that make the tools helpful for security teams can also help cybercriminals
Trend Micro Research recently published an in-depth look at some of the commonly abused legitimate tools, what ransomware groups are using them, and how they are used. These include: Cobalt Strike, PsExec, Mimikatz, Process Hacker, AdFind, and MegaSync.
How Trend Micro Vision One Helps
These tools can be used to gain initial access to a network, communicate back to the attacker, open backdoors, move laterally in a network, dump credentials, or exfiltrate data. All these activities are key for criminals throughout the modern ransomware process:
- Get in
- Stay hidden
- Move around
- Find valuable data
- Exfiltrate data
- Encrypt data with ransomware
The use of legitimate tools makes it harder for security teams to identify the malicious activity. In many SOC teams, different people are looking at event logs from different parts of the environment, making it hard for any person to see the big picture.
One analyst might see PsExec run in a seemingly innocuous way, while another analyst sees a network resource accessed under what appear to be normal circumstances. Each of these small event logs has little meaning on its own. Without a way to connect the dots from across the environment, it’s understandable that these attacks go unnoticed until it’s too late.
Trend Micro Vision One is key to flagging this activity as malicious. It connects the dots for your teams, noticing each suspicious activity and correlating these events as possible early indicators of an attack.
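As an added illustration of the cross-environment correlation described above (this is not Vision One's logic and not code from the original post), the following Python sketch maps the tools named earlier to the attack stages the post lists and flags any host where tools from two or more distinct stages appear within a time window. The tool-to-stage mapping, the window size and the sample telemetry lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping of legitimate-but-abused tools to the stage of the
# ransomware process described in the post; assumed values, not a catalogue.
TOOL_STAGE = {
    "cobaltstrike": "stay_hidden",   # C2 beacon / backdoor
    "psexec": "move_around",         # remote execution across hosts
    "mimikatz": "move_around",       # credential dumping that enables movement
    "adfind": "find_data",           # Active Directory reconnaissance
    "processhacker": "stay_hidden",  # tampering with security processes
    "megasync": "exfiltrate",        # cloud upload client used for exfiltration
}

def parse_event(line):
    """Parse a constructed 'timestamp host tool' telemetry line."""
    ts, host, tool = line.split()
    return datetime.fromisoformat(ts), host, tool.lower()

def correlate(lines, window=timedelta(hours=48), min_stages=2):
    """Group tool sightings per host and flag hosts where tools covering
    at least `min_stages` distinct attack stages appear inside `window`.
    A lone PsExec run stays below the bar; PsExec, AdFind and MegaSync on
    one host within two days does not."""
    events = defaultdict(list)
    for line in lines:
        ts, host, tool = parse_event(line)
        if tool in TOOL_STAGE:
            events[host].append((ts, tool))
    flagged = {}
    for host, seen in events.items():
        seen.sort()  # chronological order so each window starts at a sighting
        for i, (start, _) in enumerate(seen):
            in_window = [t for ts, t in seen[i:] if ts - start <= window]
            stages = {TOOL_STAGE[t] for t in in_window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

# Constructed sample telemetry (not real logs): an admin workstation runs
# PsExec legitimately; a file server shows three stages within a day.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 admin-ws psexec",
    "2024-03-01T09:05:00 fileserver01 psexec",
    "2024-03-01T09:20:00 fileserver01 adfind",
    "2024-03-01T21:40:00 fileserver01 megasync",
    "2024-03-09T10:00:00 admin-ws psexec",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # flags fileserver01 only
```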
By the time these criminals are exfiltrating data before they drop the encrypting ransomware, there is very little time left to stop them. They may spend weeks or months perusing your network to find the most valuable data, but exfiltrating data is more likely to raise some red flags. At that point, they know they must be fast to finish their attack.
The best way to stop modern ransomware is to find the attackers and completely clean up their footprint in the network before they get to that point. Stop the attack early with Trend Micro Vision One.