Site icon Sophos News

Ransomware mishaps: adversaries have their off days too

Even the most carefully planned ransomware attacks don’t always go according to plan.

Take, for instance, an advanced, human-led ransomware attack where the intruders are often in the network for days, if not weeks before releasing the ransomware payload. During this time, they are moving through the network, compromising assets, installing new tools, deleting backups, and removing data, among other things. At any stage the attack could be detected and blocked by defenders.

This can put pressure on the hands-on-keyboard operators controlling the attack. They may have to change tactics mid-deployment or relaunch the ransomware for a second attempt, if the first one fails. Pressure can lead to oversights or errors.

“Ransomware adversaries can appear fearsome to defenders who are facing the direct impact of an attack,” said Peter Mackenzie, manager of Sophos Rapid Response. “Ransomware attackers don’t hesitate to exploit this, with threatening and aggressive behavior and ransom demands. But it helps to remember that adversaries are human too, and as capable of making mistakes as everyone else.”

Here are the top five ransomware adversary mishaps Sophos Rapid Response incident responders recently spotted during investigations.

  1. The Avaddon ransomware attackers whose victim asked them to leak their stolen data because they were having trouble restoring some of the files. The attackers carried on making the standard threat to publish the data if the victim didn’t cooperate. The victim didn’t, the attackers leaked the data, and the victim got back the information they wanted as a result.
  2. The Maze ransomware attackers who exfiltrated a stack of victim files only to discover they were unreadable because they’d been encrypted by DoppelPaymer ransomware a week earlier.
  3. The Conti ransomware attackers who encrypted their own newly installed backdoor. The attackers had installed AnyDesk on an infected machine to provide remote access and then launched ransomware that encrypted everything on the machine, including AnyDesk.
  4. The Mount Locker ransomware attackers who couldn’t understand why a victim refused to pay up after they leaked a sample of their information, not realizing they’d published information belonging to another, unknown company.
  5. The attackers who left behind the configuration files for the FTP server they were using for data exfiltration, allowing the victim to log in and delete all the stolen data.

“The adversary mishaps we spotted are evidence of how crowded and commoditized the ransomware landscape has become,” said Mackenzie. “As a result of these trends, you can find several attackers targeting the same potential victim. If you add in defensive pressure from security software and incident responders, it’s understandable that adversaries will make mistakes.

“Everything an attacker needs to put together and deploy a ransomware attack is probably available as a paid service somewhere on the dark web, from Initial Access Brokers selling access to verified targets to Ransomware-as-a-Service (RaaS) offerings that rent out ransomware executables and infrastructure. Even high-profile ransomware families looking to make millions of dollars in ransom payments use access brokers for victim access. And access to the most valuable targets or those organizations that have shown a willingness to pay the ransom, may well be resold several times over, leading to multiple threat actors attempting to breach the same network.

“There is also a tendency for ransomware families to appear and then reportedly disappear. In 2021 alone, we have allegedly lost REvil and Avaddon, among others, with the operators behind them likely joining other groups or relaunching under a new ‘brand,’ possibly taking their collection of compromised creds with them.”

What defenders can do

Knowing that ransomware adversaries make mistakes doesn’t mean defenders should relax best practices. In some ways cybersecurity is even more critical because in some ways cybersecurity is even more critical because certain errors can increase risk, for example poor encryption coding can lead to decryption keys that don’t work.

Below are proactive steps to take to enhance IT security for the future, including:

Further information on attacker behaviors, real-world incident reports and advice for security operations professionals is available on Sophos News SecOps.

Tactics, techniques and procedures (TTPs), and more, for different types of ransomware are available on SophosLab Uncut, the home of Sophos’ latest threat intelligence.

 

 

 

 

Exit mobile version