Next Gen Ransomware: Ryuk, DoppelPaymer, Parinacota and other ransomware groups are getting more sophisticated, Microsoft warns.
Researchers are warning that “human operated” ransomware campaigns are growing more sophisticated, adopting new infection tactics and lateral movement techniques that traditional defense teams aren’t equipped to handle.
Researchers said that “auto-spreading” ransomware – like WannaCry and NotPetya – is making headlines due to the crippling downtimes that these attacks cause. However, “human operated” ransomware – like REvil, Bitpaymer, and Ryuk – is adopting new techniques that enable its operators to move unfettered through networks.
For instance, “human operated” ransomware attacks focus on compromising accounts with high privileges. The operators exhibit extensive knowledge of systems administration and common network security misconfigurations. Researchers said they are also able to adapt once they have initially infected a system and established a foothold on machines. That allows these next-gen ransomware attackers to continue infiltrating target environments unabated, said researchers with Microsoft’s Threat Protection Intelligence Team.
“These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads,” said researchers on Thursday. “And while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.”
Microsoft said one trend it has observed is a “smash-and-grab monetization” technique, where attackers infiltrate a system via brute force and proceed to deploy the ransomware, steal credentials, and carry out other attacks – all in less than an hour, leaving affected victims little chance to intervene.
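As an added illustration (not code from Microsoft’s report or from this article), the following Python correlation runs over constructed log events and flags the smash-and-grab pattern: a login that succeeds after a burst of failures on the same host and account, followed by post-compromise activity within an hour. The event names, thresholds and log format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "timestamp host user event"
SAMPLE_LOG = """\
2020-03-05T01:00:01 srv-01 admin login_fail
2020-03-05T01:00:02 srv-01 admin login_fail
2020-03-05T01:00:03 srv-01 admin login_fail
2020-03-05T01:00:04 srv-01 admin login_fail
2020-03-05T01:00:05 srv-01 admin login_fail
2020-03-05T01:00:06 srv-01 admin login_ok
2020-03-05T01:12:40 srv-01 admin credential_dump
2020-03-05T01:30:15 srv-01 admin mass_file_rename
2020-03-05T09:00:00 srv-02 alice login_fail
2020-03-05T09:00:30 srv-02 alice login_ok
2020-03-05T09:45:00 srv-02 alice mass_file_rename
"""

FAIL_THRESHOLD = 5                      # failures before a success counts as brute force (assumed)
FAIL_WINDOW = timedelta(minutes=10)     # how long failures stay "recent" (assumed)
FOLLOW_ON_WINDOW = timedelta(hours=1)   # the "less than an hour" smash-and-grab window
FOLLOW_ON_EVENTS = {"credential_dump", "mass_file_rename", "new_service"}  # hypothetical EDR labels

def parse(line):
    ts, host, user, event = line.split()
    return datetime.fromisoformat(ts), host, user, event

def detect_smash_and_grab(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return (host, user, event, minutes_after_login) for every post-compromise
    event that follows a brute-forced login within FOLLOW_ON_WINDOW."""
    fails = defaultdict(list)   # (host, user) -> timestamps of recent failures
    compromised = {}            # (host, user) -> time of the brute-forced login
    alerts = []
    for line in log_text.splitlines():
        ts, host, user, event = parse(line)
        key = (host, user)
        if event == "login_fail":
            # keep only failures inside the window, then add this one
            fails[key] = [t for t in fails[key] if ts - t <= FAIL_WINDOW] + [ts]
        elif event == "login_ok":
            if len(fails[key]) >= fail_threshold:
                compromised[key] = ts
            fails[key].clear()
        elif event in FOLLOW_ON_EVENTS and key in compromised:
            delta = ts - compromised[key]
            if delta <= FOLLOW_ON_WINDOW:
                alerts.append((host, user, event, int(delta.total_seconds() // 60)))
    return alerts
```

With the default threshold only srv-01 is flagged; srv-02 shows a single failure before success, which is normal user behaviour rather than brute force.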
Researchers tracked one popular ransomware group leveraging this method, which they call Parinacota (and which deploys the ransomware also known as Dharma), for 18 months. Over that time the group has grown to impact three to four organizations weekly, and has evolved its tactics and goals to “use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks.”