This is how Nefilim works, the 'ransomware' that attacks the rich

2 years ago Admin



The attacks of 'ransomware'are one of the most damaging threats to organizations, in both operational, economic and reputational terms, and in recent years their strategies have evolved to obtain greater benefits, as is the case with Nephilim, one of the most successful modern families, mainly due to target organizations with a turnover of more than $ 1 billion.

Ransomware is a type of cyber threat that infects a computer or network to encrypt it and steal the information it contains, and for their release they demand a payment in exchange, usually in a cryptocurrency. But modern attacks are selective, adaptive, and stealthy, using approaches that have already been tested and refined by advanced persistent threat groups (APTs), as warned from Trend Micro.

Thus, the actors of modern 'ransomware', such as those behind Nephilim, carry out lateral movements like the APT actors to try to find important systems on the victim's network, which are more likely to contain sensitive data to steal and encrypt.

And they put into practice the so-called double extortion, by which threaten to leak sensitive data that has been stolen before deploying 'ransomware' in its compromised networks, as reported by Trend Micro in the results of its study of modern 'ransomware', the techniques they use and the type of organizations they target.

The company highlights the existence of different groups of cybercriminals that are in charge of the different phases of the attacks. "This is the by-product of a recent evolution in cybercriminals' business operations: hackers are now partnering with 'ransomware' actors to monetize hacking-related breaches," they explain.

They also turn to legitimate tools like AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec, and MegaSync to achieve their end goal while remaining hidden. As pointed out by Trend Micro, this can make it difficult for security operations center (SOC) analysts, who examine event logs from different parts of the environment, to get an overview of the big picture and detect attacks.

Modern malware

The study deals in total with 16 groups of modern 'malware', analyzed between March 2020 and January 2021, of which Conti, Doppelpaymer, Egregor and REvil led the number of exposed victims, and Cl0p had the highest amount of stolen data hosted 'online', with 5 TB.

Nefilim is one of the most lucrative ransomware groups; With its focus on organizations with more than $ 1 billion in turnover, it has the highest median revenue. And it published about 2 TB of data last year.

Trend Micro analysts link Nefilim with Nemty, both because of the similarity of the first versions of its code and because its business model, such as 'Ransomware as a Service', also resembles that of Nemty.

The actors behind Nefilim take advantage of exposed remote desktop services and publicly available 'exploits' to access corporate networks, where they begin to download some tools, among which is the Cobalt Strike emulator, which implants beacons with which they can establish a remote connection and run commands. They also use Process Hacker, which replaces the Windows task manager to control computer processes and disable security systems such as antivirus, and Mimikatz, to steal credentials.

To run some tools as an administrator, actors took advantage of a vulnerability in Component Object Model with Elevation of Privilege (CVE-2017-0213), which had already been discovered and patched in 2017, but which had not been fixed on affected machines. Nephilim.

Protection

The security company stresses the importance of installing security updates and patches, which are presented as a containment barrier for organizations' systems against known and unknown vulnerabilities, but also point out virtual private network (VPN) services that are exposed to unreliable networks as a risk.

Intrusion prevention systems also establish an additional layer of access security in a computer network, which protects from potential vulnerabilities and saves time until a patch is available.

Trend Micro recommends that organizations conduct periodic scans of systems, hardware, and programs, which can help uncover potential network access. And implement lower-privilege administrative models and robust authentication systems such as those that employ multiple factors.

.



Source link

Tags: , , , ,

More Stories

Unexpected appearance of ElRubius in a popular television program

Unexpected appearance of ElRubius in a popular television program

5 days ago Admin
5 Devices that interfere with the router

5 Devices that interfere with the router

6 days ago Admin
The radical change that will affect credit cards and dataphones

The radical change that will affect credit cards and dataphones

1 week ago Admin
The new restrictions they want to impose on ChatGPT

The new restrictions they want to impose on ChatGPT

1 week ago Admin
The revolutionary computers without screen arrive

The revolutionary computers without screen arrive

1 week ago Admin
The problem of voice assistants as home assistants

The problem of voice assistants as home assistants

2 weeks ago Admin

You may have missed

The Civil Guard, on the trail to clarify a forced disappearance in Ciudad Real in 2019

The Civil Guard, on the trail to clarify a forced disappearance in Ciudad Real in 2019

9 hours ago Admin
8,800 dead pigs to fly from Paris to New York

8,800 dead pigs to fly from Paris to New York

9 hours ago digitateam
Canceled the launch of the Miura 1 due to gusts of wind

Canceled the launch of the Miura 1 due to gusts of wind

11 hours ago Admin
They take 55 occupants of a pneumatic where 8 minors were to Lanzarote

They take 55 occupants of a pneumatic where 8 minors were to Lanzarote

11 hours ago Admin
Scorsese announces that he is preparing a film about Jesus after accepting the "commission" of the Pope

Scorsese announces that he is preparing a film about Jesus after accepting the "commission" of the Pope

12 hours ago Admin