
Ransomware mishaps: adversaries have their off days too

Even the most carefully planned ransomware attacks don’t always go according to plan.

Take, for instance, an advanced, human-led ransomware attack, where the intruders are often in the network for days, if not weeks, before releasing the ransomware payload. During this time they are moving through the network, compromising assets, installing new tools, deleting backups, and exfiltrating data, among other things. At any stage the attack could be detected and blocked by defenders.

This can put pressure on the hands-on-keyboard operators controlling the attack. They may have to change tactics mid-deployment or relaunch the ransomware for a second attempt, if the first one fails. Pressure can lead to oversights or errors.

“Ransomware adversaries can appear fearsome to defenders who are facing the direct impact of an attack,” said Peter Mackenzie, manager of Sophos Rapid Response. “Ransomware attackers don’t hesitate to exploit this, with threatening and aggressive behavior and ransom demands. But it helps to remember that adversaries are human too, and as capable of making mistakes as everyone else.”

Here are the top five ransomware adversary mishaps Sophos Rapid Response incident responders recently spotted during investigations.

  1. The Avaddon ransomware attackers whose victim asked them to leak their stolen data because they were having trouble restoring some of the files. The attackers carried on making the standard threat to publish the data if the victim didn’t cooperate. The victim didn’t, the attackers leaked the data, and the victim got back the information they wanted as a result.
  2. The Maze ransomware attackers who exfiltrated a stack of victim files only to discover they were unreadable because they’d been encrypted by DoppelPaymer ransomware a week earlier.
  3. The Conti ransomware attackers who encrypted their own newly installed backdoor. The attackers had installed AnyDesk on an infected machine to provide remote access and then launched ransomware that encrypted everything on the machine, including AnyDesk.
  4. The Mount Locker ransomware attackers who couldn’t understand why a victim refused to pay up after they leaked a sample of their information, not realizing they’d published information belonging to another, unknown company.
  5. The attackers who left behind the configuration files for the FTP server they were using for data exfiltration, allowing the victim to log in and delete all the stolen data.

“The adversary mishaps we spotted are evidence of how crowded and commoditized the ransomware landscape has become,” said Mackenzie. “As a result of these trends, you can find several attackers targeting the same potential victim. If you add in defensive pressure from security software and incident responders, it’s understandable that adversaries will make mistakes.

“Everything an attacker needs to put together and deploy a ransomware attack is probably available as a paid service somewhere on the dark web, from Initial Access Brokers selling access to verified targets to Ransomware-as-a-Service (RaaS) offerings that rent out ransomware executables and infrastructure. Even high-profile ransomware families looking to make millions of dollars in ransom payments use access brokers for victim access. And access to the most valuable targets or those organizations that have shown a willingness to pay the ransom, may well be resold several times over, leading to multiple threat actors attempting to breach the same network.

“There is also a tendency for ransomware families to appear and then reportedly disappear. In 2021 alone, we have allegedly lost REvil and Avaddon, among others, with the operators behind them likely joining other groups or relaunching under a new ‘brand,’ possibly taking their collection of compromised creds with them.”

What defenders can do

Knowing that ransomware adversaries make mistakes doesn’t mean defenders should relax best practices. In some ways cybersecurity is even more critical, because certain adversary errors can increase the risk to the victim: for example, flawed encryption code can produce decryption keys that don’t work, leaving data unrecoverable even if the ransom is paid.

Proactive steps defenders can take to strengthen their IT security include:

  • Monitor network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch
  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If users need access to RDP, put it behind a VPN or zero-trust network access connection and enforce the use of Multi-Factor Authentication (MFA)
  • Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
  • Keep regular backups of the most important and current data on an offline storage device. The standard recommendation for backups is the 3-2-1 method: 3 copies of the data, on 2 different systems, 1 of which is offline, and regularly test that a restore actually works
  • Prevent attackers from getting access to and disabling security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
  • Remember, there is no single silver bullet for protection, and a layered, defense-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
  • Have an effective incident response plan in place and update it as needed. Turn to external experts to monitor threats or to respond to emergency incidents for additional help, if needed
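The RDP recommendation above is the one item in this list that maps directly onto a host-level control. The following PowerShell script is an added example, not code from the Sophos article: it audits whether a Windows host exposes RDP to any remote address and, with the -Enforce switch, requires Network Level Authentication and scopes the built-in "Remote Desktop" firewall rules to a VPN or ZTNA address pool. The $AllowedSubnet value is a placeholder assumption; replace it with the address range your VPN/ZTNA gateway actually uses. Run it in an elevated session on the host being checked.

```powershell
# Added example (not from the Sophos article): audit and harden RDP exposure on a Windows host.
# Assumes the standard Terminal Server registry keys and the built-in "Remote Desktop" firewall
# rule group. $AllowedSubnet is an assumed placeholder for the VPN/ZTNA pool that may reach RDP.
param(
    [switch]$Enforce,
    [string]$AllowedSubnet = '10.0.0.0/8'   # assumption: replace with your VPN/ZTNA address pool
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# --- Audit -------------------------------------------------------------------
# fDenyTSConnections = 0 means RDP is enabled; UserAuthentication = 1 means NLA is required.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication -eq 1

# Enabled inbound allow rules for TCP/3389 whose remote scope is 'Any' are the internet-facing problem.
$openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

Write-Output "RDP enabled      : $rdpEnabled"
Write-Output "NLA required     : $nlaRequired"
Write-Output "Rules open to Any: $($openRules.Count)"
$openRules | ForEach-Object { Write-Output "  - $($_.DisplayName) [$($_.Profile)]" }

# --- Harden (only with -Enforce) -----------------------------------------------
if ($Enforce) {
    if ($rdpEnabled) {
        # Require NLA so a client must authenticate before a session and its attack surface are created.
        Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1

        # Replace the 'Any' remote scope on the built-in Remote Desktop rules with the allowed pool,
        # so RDP is only reachable from the VPN/ZTNA side, never from the internet.
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Set-NetFirewallRule -RemoteAddress $AllowedSubnet
        Write-Output "Remote Desktop rules now scoped to $AllowedSubnet; NLA enforced."
    } else {
        # RDP is already disabled; make sure no stray rule re-opens the port anyway.
        $openRules | Disable-NetFirewallRule
        Write-Output "RDP is disabled; disabled $($openRules.Count) stray 3389 allow rule(s)."
    }
}
```

Run it without -Enforce first to see what the host currently exposes; the audit lists only rules that are enabled, inbound, allow, match port 3389 and accept any remote address, since a rule already scoped to a management subnet is not the problem. Scoping the firewall rules is deliberately preferred over deleting them so the same control survives on hosts that legitimately need RDP from the VPN side, which is the arrangement the recommendation above describes.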

Further information on attacker behaviors, real-world incident reports and advice for security operations professionals is available on Sophos News SecOps.

Tactics, techniques and procedures (TTPs), and more, for different types of ransomware are available on SophosLabs Uncut, the home of Sophos’ latest threat intelligence.
