Nemty Ransomware Tactics Change

Traditional ransomware encrypts a victim’s data and demands a ransom payment to decrypt it. Companies are able to defend against traditional ransomware by maintaining an up-to-date secure backup so that files can be restored without paying criminals. The attackers behind the Maze ransomware and Sodinokibi (REvil) ransomware have changed tactics by first stealing a copy of the victim’s data before encrypting it. If the victim refuses to pay the ransom, the attackers leak the stolen data little by little, hoping to force ransom payments. Now another criminal group has indicated it will adopt the same approach. Nemty ransomware has outlined plans to create a blog where the stolen data would be leaked. The theory is that a victim might be more apt to pay the ransom than face possible fines, loss of business, a tarnished brand image, breach notification costs and potential lawsuits if the data is leaked.

Analyst Notes

The primary method of defending against these attacks is to not be infected in the first place. Even if the ransom payments are made, there is still a possibility that the attackers will begin leaking the stolen data to elicit additional payments in the future. Having robust anti-virus/anti-malware software that is updated routinely is a good first step but is not sufficient on its own, because targeted attacks can easily evade anti-virus file signatures. Email scanning for threats is another important layer of defense because many ransomware incidents start with a phishing email containing an attachment or a link to a malicious document. It is critically important to place any remote access (such as Remote Desktop Protocol) behind a VPN instead of exposing it directly to the Internet. The best approach to defend workstations and servers is to employ services such as Binary Defense that can detect and defend endpoints from malicious software and from attackers abusing built-in tools 24 hours a day, 7 days a week. Stealing a large number of files requires that attackers maintain access for an extended period of time. Quick detection and response can stop an attack before it has the opportunity to do damage.
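As an added example (not from the original post or from Binary Defense), a small detection routine run over constructed egress-log lines: it flags a host pushing an unusually large volume to one external destination within an hour, the kind of sustained transfer that stealing a copy of the data before encryption requires. The host names, IP addresses, log format and one-gigabyte threshold are all assumptions.

```python
# Added example: sliding-window check for bulk outbound transfer per
# (source host, destination) pair, a simple tell for data theft that
# precedes double-extortion ransomware encryption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress-log lines: "timestamp src_host dst_ip bytes_out"
SAMPLE_LOG = """\
2020-02-20T01:00:00 WS-FIN-07 203.0.113.10 120000
2020-02-20T01:05:00 WS-FIN-07 203.0.113.10 950000000
2020-02-20T01:12:00 WS-FIN-07 203.0.113.10 880000000
2020-02-20T01:20:00 WS-FIN-07 203.0.113.10 910000000
2020-02-20T09:00:00 WS-HR-02 198.51.100.5 4000000
2020-02-20T09:30:00 WS-HR-02 198.51.100.5 3500000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return events


def find_bulk_egress(events, window=timedelta(hours=1), threshold_bytes=1_000_000_000):
    """Return (host, dst, bytes_in_window) for each pair whose outbound volume
    within any `window`-long span exceeds `threshold_bytes` (assumed baseline)."""
    by_pair = defaultdict(list)
    for ts, host, dst, nbytes in events:
        by_pair[(host, dst)].append((ts, nbytes))
    alerts = []
    for (host, dst), recs in by_pair.items():
        recs.sort()
        start, running = 0, 0
        for end, (ts, nbytes) in enumerate(recs):
            running += nbytes
            # Slide the window start forward until it fits within `window`.
            while recs[end][0] - recs[start][0] > window:
                running -= recs[start][1]
                start += 1
            if running > threshold_bytes:
                alerts.append((host, dst, running))
                break  # one alert per pair is enough to trigger a response
    return alerts
```

A real deployment would baseline per-host volumes from the organisation's own proxy or firewall data rather than a fixed threshold.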

To read more: