Network defenders often assume that once attackers have successfully deployed ransomware, they leave the infected systems to avoid getting caught. Unfortunately, attackers do not want to give up control of what they have worked so hard to penetrate. Instead, advanced ransomware attacks are conducted over an extended period of time, anywhere from days to months after the attackers first breach a network. Once they gain access, tools such as Mimikatz, PowerShell Empire, PsExec and others are used to obtain administrator credentials and spread throughout the network. A recent disclosure from the Maze ransomware operators confirmed that they try to stay in the network after the infection is complete. In one case, the Maze operators gained access to VT San Antonio Aerospace (VT SAA), a subsidiary of ST Engineering, and then used their data leak site to publish a memo about the ransomware attack that had been distributed internally at the victim. This shows that the Maze operators remained in the infected network and continued to monitor its traffic during the incident response and investigation phases.
The fact that ransomware operators typically spend a long time gaining control of computers on a network means that, if defenders are monitoring workstations and servers, there are many opportunities to detect the attack before files are encrypted. After detecting a ransomware attack, the first steps a company should take are to quickly investigate to discover the scope of the intrusion, collect and preserve digital forensic artifacts for incident response, and then isolate affected computers from the network to prevent the infection from spreading. An external incident response consulting firm can be a great asset in these situations, because its responders have dealt with many other ransomware incidents and understand how attackers operate. It can also be helpful to notify law enforcement during the incident response phase so that evidence is preserved and to increase the chances that the ransomware operators will eventually be brought to justice. To quickly detect intrusions and respond in the earliest stages, before ransomware is deployed, it is advisable to use a security monitoring service, such as the Binary Defense Security Operations Center, that has the capability to monitor, defend and contain threats 24/7/365.
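The monitoring the article recommends comes down to looking for the lateral-movement tooling named above in endpoint telemetry during the window between initial access and encryption. The following is an added example, not code from the article or from Binary Defense: a small Python detection pass over constructed Windows event records (the sample events, the host names and the lsass allowlist are all made up for illustration). It assumes the standard indicators: PsExec installing its default PSEXESVC service (System event 7045), a non-system process opening lsass.exe the way Mimikatz does (Sysmon event 10), and a PowerShell launcher started with an encoded command, the default shape of a PowerShell Empire stager (Security event 4688 with command-line auditing enabled). The hosts that produce findings are the ones to scope, image and isolate first.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Processes that legitimately open lsass.exe. Illustrative only: build the real
# list from a baseline of your own Sysmon event 10 data, then alert on the rest.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


def _is_encoded_switch(token: str) -> bool:
    """PowerShell accepts -EncodedCommand, any prefix of it, and the aliases -e / -ec."""
    if not token.startswith("-") or len(token) < 2:
        return False
    t = token[1:].lower()
    return t in {"e", "ec"} or "encodedcommand".startswith(t)


def check_event(ev: Dict) -> Optional[Finding]:
    """Apply one of three detections to a single event record."""
    log, eid, host = ev.get("log"), ev.get("id"), ev.get("host", "?")
    if log == "System" and eid == 7045:
        # Service installed: PsExec's default service name is PSEXESVC.
        if ev.get("ServiceName", "").upper() == "PSEXESVC":
            return Finding(host, "psexec_service_installed", ev.get("ImagePath", ""))
    elif log == "Sysmon" and eid == 10:
        # ProcessAccess: credential dumpers open lsass.exe from unexpected binaries.
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        if target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWLIST:
            return Finding(host, "lsass_access_from_unexpected_process",
                           f"{ev.get('SourceImage')} access={ev.get('GrantedAccess')}")
    elif log == "Security" and eid == 4688:
        # Process creation: Empire stagers launch powershell.exe with -enc <base64>.
        proc = ev.get("NewProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        if proc.endswith("powershell.exe") and any(_is_encoded_switch(t) for t in cmd.split()):
            return Finding(host, "encoded_powershell_launcher", cmd[:80])
    return None


def run_detections(events: Iterable[Dict]) -> List[Finding]:
    return [f for f in map(check_event, events) if f is not None]


def affected_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hosts to investigate, preserve evidence from, and then isolate."""
    return sorted({f.host for f in findings})


# Constructed sample events (not real logs): one hit and one benign record per rule.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"log": "System", "id": 7045, "host": "FS01", "ServiceName": "Dnscache",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetworkService"},
    {"log": "Sysmon", "id": 10, "host": "DC01", "SourceImage": r"C:\Users\jdoe\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"log": "Sysmon", "id": 10, "host": "DC01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"log": "Security", "id": 4688, "host": "WS07",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUA"},
    {"log": "Security", "id": 4688, "host": "WS07",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} ({f.evidence})")
    print("hosts to scope and isolate:", affected_hosts(found))
```

Each rule alone is noisy in a real estate (administrators use PsExec, security agents open lsass, build scripts pass encoded commands), so the value is in correlating several of them on the same host within a short window, and in the allowlist being derived from your own baseline rather than copied from this example.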
To read more: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/