Secure and complete backups are the primary defense once a system gets infected with ransomware. If cloud backups are not configured properly, they can be used against the victim. Security researcher Lawrence Abrams recently reached out to the DoppelPaymer ransomware operators to find out more after they published admin credentials for the cloud backups of non-paying victims. The leaked credentials were meant to show that the attackers had full access to the victims' backups and to scare them into paying the ransom. Once attackers find a cloud backup, they try to access it and download its contents. After gaining access to all of the victim's sensitive information, they can delete the backups before spreading the ransomware. Threat actors typically compromise an employee workstation through a phishing email that delivers malware, then steal passwords from the computer's memory or from files containing passwords, or capture keystrokes, to obtain the administrator and cloud backup passwords.
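The step that matters most for defenders in the sequence above is the deletion of backups just before the ransomware is deployed, because a burst of delete operations against backup storage is observable in audit logs before any encryption starts. The following detection sketch is an added example, not code from the article or from Binary Defense; it assumes a hypothetical line-delimited JSON audit log with `time`, `user`, `action` and `target` fields, assumed action names (`DeleteObject`, `DeleteBucket`, `DeleteBackup`) and an assumed `backups/` naming prefix, and the sample log is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical schema, loosely modelled on cloud
# storage audit events): one JSON object per line. A backup job writes five
# objects and prunes one old copy; later a single account deletes 25 backups
# within 25 seconds, the pre-ransomware backup wiping pattern described above.
_fmt = '{"time": "%s", "user": "%s", "action": "%s", "target": "%s"}'
SAMPLE_LOG = "\n".join(
    [_fmt % ("2023-03-01T01:00:%02d" % i, "backup-svc", "PutObject", "backups/db-%d.bak" % i) for i in range(5)]
    + [_fmt % ("2023-03-01T01:10:00", "backup-svc", "DeleteObject", "backups/db-old.bak")]
    + [_fmt % ("2023-03-01T02:00:%02d" % i, "admin", "DeleteObject", "backups/db-%d.bak" % i) for i in range(25)]
)

DELETE_ACTIONS = {"DeleteObject", "DeleteBucket", "DeleteBackup"}  # assumed action names
BACKUP_PREFIX = "backups/"  # assumed naming convention for backup objects


def parse_events(text):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_deletion_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Return one alert per principal that deletes at least `threshold` backup
    objects inside any sliding time window of length `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("action") in DELETE_ACTIONS and str(e.get("target", "")).startswith(BACKUP_PREFIX):
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            # Count this deletion and every later one that falls within the window.
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append({"user": user, "first": start.isoformat(), "count": count})
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_deletion_bursts(parse_events(SAMPLE_LOG)):
        print("ALERT: %(user)s deleted %(count)d backups starting %(first)s" % alert)
```

The routine prune by the backup service account stays below the threshold, while the 25 deletions by a single interactive account within seconds produce one alert; the threshold and window should be tuned to the real retention schedule so legitimate rotation does not page anyone.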
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased