Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them

Ransomware actors have been a persistent threat for years, but they are still evolving. The wide adoption of advanced cybersecurity technologies and improved ransomware response processes has limited the success of traditional ransomware attacks. Upgraded security has forced these cybercriminals to evolve their strategies, and has paved the way for what we now call modern ransomware attacks.
Modern ransomware actors identify and target valuable data, often exfiltrating it from the victim organization’s network rather than simply encrypting it. This gives them another avenue for extortion: if a victim does not pay the ransom, the attacker can threaten to publicize the private data. For enterprises holding intellectual property, proprietary information, private employee data, and customer data, this is a serious concern. Any data leak will come with regulatory penalties, lawsuits, and reputational damage.
Another significant feature of modern ransomware is that the actors are more precise and involved in the attack. They take over networks in multiple human-supervised stages, veering away from click-on-the-link automatic events. They also spend significant time conquering different parts of the victim’s network (a process that may take weeks or months) before they execute the ransomware payload, making such attacks look more like nation-state advanced persistent threat (APT) attacks instead of traditional ransomware incidents.
This report discusses the differences between modern ransomware and traditional attacks, and also offers a look into the new ransomware business model using the Nefilim ransomware as a case study.
The tools, tactics, and procedures (TTPs) that make up the ransomware business model have changed significantly, primarily to take advantage of new technologies that advance the attackers’ capabilities.
A decade ago, ransomware actors demanded ransom payment through a premium-rate SMS number. The emergence of cryptocurrency drastically changed the game in 2014 when merchants started using bitcoin as a form of payment, and that trend has continued until now. Another shift is in the method of collaboration and communication between underground actors. There are different platforms being used: forums, messengers, and sometimes even social media. New security and anonymization features of these platforms improved the capability of these actors to covertly collaborate online.
One example of cybercriminal collaboration is ransomware as a service (RaaS), which helped actors find affiliates to carry out ransomware attacks. Instead of just one ransomware group doing all of the work, several collaborators split roles and profits. For example, actors who had access to compromised assets (meaning they had avenues into a victim’s network) collaborated with actors who had developed ransomware. The evolution of these affiliate programs allowed for more effective monetization of compromised assets, which was profitable for all parties involved.
When ransomware actors used automated tools, the ransom amount was either fixed or set by the attacker during negotiation with the victim. In more modern attacks, the actor has a substantial amount of information about the victim, allowing for more tailored ransom pricing.
The whole attack chain often involves two or more groups who are responsible for the different attack stages. The attack typically involves the actor who owns the ransomware, and another actor who controls the compromised infrastructure and distributes malware over a network. Since it is normal for this market to have a ransom for big organizations in the seven-digit range, attackers may be able to afford more expensive tools like zero-day local privilege escalation (LPE) and remote code execution (RCE) exploits.
Multiple cybercriminal groups now often operate together, sharing access and following parallel monetization lifecycles. This can be very confusing for the defender who may not be aware that they are looking at traces coming from several groups, which can be related to many parallel — and even unrelated — incidents. The prevalence of these sophisticated ransomware attacks means a shorter reaction time and a much higher potential impact. For threat hunting, incident mitigations and attack investigations, it is critical to have XDR solutions that offer complete and central visibility over every critical component, whether it be an organization’s endpoints, network, the cloud, or other devices.
The evolution to targeted attacks or APT-like ransomware monetization schemes is necessary because of organizations’ improved defensive capabilities. However, new technologies are also available for cybercriminals to add to their arsenal. Also, vulnerabilities in much-used devices and platforms on the network perimeter are big risks for enterprises — many threats use these weaknesses as entry points into a network.
This shift toward a more targeted criminal monetization scheme is due to several key factors, including:
This shift means deep victim profiling has been performed before an attack is initiated, followed by a collaboration among multiple groups who are sharing accesses and using optimized monetization strategies.
To gain initial access into victims’ networks, Nefilim actors use exposed RDP services and publicly available exploits. They exploited a vulnerability in the Citrix Application Delivery Controller (CVE-2019-19781), and a Windows Component Object Model (COM) elevation of privilege (EoP) vulnerability that Google Project Zero discovered, which was then fixed by Microsoft in May 2017.
After gaining initial access, Nefilim attackers start by downloading additional tools through a web browser. One significant download is a Cobalt Strike beacon, which is used to establish a remote connection to the environment and execute commands. (Cobalt Strike is a versatile post-exploitation penetration testing tool that allows security testers to attack the network, control the compromised system, and exfiltrate interesting data. Unfortunately, its capabilities can be misused by attackers.) Other downloaded files are the Process Hacker tool, which is used to terminate endpoint security agents, and Mimikatz, which is used to dump credentials.
Attackers move laterally once they gain a foothold in the network, meaning they will use a compromised system to find other areas they can access. To avoid detection, attackers will often weaponize tools that are built in or are commonly used by administrators, a tactic called “living off the land.”
Attackers can use Mimikatz to dump hashes, tickets, or plain text passwords.
Attackers can deploy tools within systems to aid in lateral movement. This includes tools such as PsExec, Bloodhound, and AdFind.
Cybercriminals can abuse tools like AdFind to collect Active Directory information and map out the infrastructure to find more targets.
Attackers can exploit known vulnerabilities to elevate privileges and perform administrative actions or actions requiring elevated privileges.
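The tools listed above are the same ones a defender should expect to see in endpoint telemetry. The following is an added example (my code, not part of the report or any product) that classifies constructed process-creation events against the tool names the report gives, plus the browser-download behaviour described earlier; the field names and the sample events are my simplification, not a real telemetry schema or a real incident.

```go
package main

import "strings"

// ProcEvent is a minimal process-creation record (field names are my simplification).
type ProcEvent struct {
	Host, Image, Parent string
}

// Tools the report names, keyed by the behaviour each one indicates.
var toolTags = map[string]string{
	"adfind.exe":        "AD discovery (AdFind)",
	"psexesvc.exe":      "lateral movement (PsExec service binary)",
	"mimikatz.exe":      "credential dumping (Mimikatz)",
	"processhacker.exe": "security agent termination (Process Hacker)",
}

var browsers = map[string]bool{"chrome.exe": true, "msedge.exe": true, "firefox.exe": true}

// baseName lower-cases the file name of a Windows or POSIX path.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// Classify returns why an event looks like operator tooling (empty if unremarkable).
// Name matching is a first pass only; a renamed binary needs command-line or hash rules.
func Classify(e ProcEvent) []string {
	var hits []string
	img := baseName(e.Image)
	if tag, ok := toolTags[img]; ok {
		hits = append(hits, tag)
	}
	if browsers[baseName(e.Parent)] && strings.HasSuffix(img, ".exe") {
		hits = append(hits, "executable spawned directly by a web browser")
	}
	return hits
}

// Constructed sample telemetry (not from a real incident).
var sample = []ProcEvent{
	{"WS01", `C:\Users\bob\Downloads\update.exe`, `C:\Program Files\Google\Chrome\chrome.exe`},
	{"WS01", `C:\Temp\AdFind.exe`, `C:\Windows\System32\cmd.exe`},
	{"DC01", `C:\Windows\PSEXESVC.exe`, `C:\Windows\System32\services.exe`},
	{"WS02", `C:\Windows\System32\notepad.exe`, `C:\Windows\explorer.exe`},
}
```

Because these are legitimate administrative tools, each hit is a lead for an analyst to confirm against who ran it and from where, not a verdict on its own.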
As discussed in the previous section, the commercially available software Cobalt Strike is run on the victim’s system. The beacon will connect back to a Cobalt Strike C&C server that the attackers control. We have seen Nefilim-related Cobalt Strike C&C servers being hosted in different clusters on the internet. The actors have a preference for hosting companies in various countries, including Bulgaria, the UK, the US, and the Netherlands. Other Nefilim-related Cobalt Strike C&C servers are hosted through small bulletproof web hosting services created by various shell companies. Some of the shell companies seem to be set up almost exclusively for hosting Cobalt Strike beacon C&Cs, large-scale internet scanning (including the scanning of Citrix servers), and in one case, the clear-web back end for a Tor-hidden website where Nefilim actors post stolen data from their victims.
We observed Nefilim actors making use of at least three different kinds of bulletproof hosting services: a Tor-hidden server that is used to leak stolen information, small IP ranges belonging to small shell companies, and fast flux hosting (hosting where the frontend regularly changes its IP address).
Nefilim is a post-compromise ransomware, which means it is launched manually by actors or affiliates after they determine that they have adequate control over the victim’s infrastructure. Once it is running, the execution flow is very straightforward.
First, Nefilim creates a mutual exclusion (mutex) object to ensure that only one instance of the process runs at a time. Then, it decrypts the ransom note using a fixed RC4 key. Figure 2 shows an example of the ransom note, which includes three email addresses that victims can use to contact the Nefilim actors about the ransom payment.
It then generates a random AES key for each file that it queues for encryption. To enable file decryption in case the victim pays the ransom amount, the malware encrypts the AES key with a fixed RSA public key and appends it to the encrypted file. 
If launched without any problems, the Nefilim executable prepares to encrypt. Before starting, it checks an exclusion list of file and directory names. This prevents Nefilim from encrypting files that the operating system needs, and it allows common applications such as browsers and e-mail clients to continue working properly. Then, it encrypts the files that are not on the exclusion list — the encryption function is the largest function in the Nefilim code.
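To make the key handling described above concrete, here is an added Go model of the scheme (my code, not Nefilim’s, and not its exact byte layout; AES-GCM and RSA-OAEP are my choices). sealFile stands in for the per-file step the report describes, and recoverFile is what a decryptor has to do, which shows why recovery hinges entirely on the RSA private key that only the operators hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Assumed layout, not Nefilim's exact byte format: nonce || AES-256-GCM ciphertext || RSA-OAEP(key),
// with the wrapped per-file key always occupying the last pub.Size() bytes.

// gcmFor builds an AEAD; it panics only if key is not a valid AES length.
func gcmFor(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for a standard AES block
	return g
}

// sealFile models the scheme: a fresh AES key per file, wrapped with the operator's public key.
func sealFile(plain []byte, pub *rsa.PublicKey) ([]byte, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce for this file
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(gcmFor(key).Seal(nonce, nonce, plain, nil), wrapped...), nil
}

// recoverFile is the decryptor's path: only the matching RSA private key unwraps the file key.
func recoverFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	split := len(blob) - priv.Size() // wrapped key starts here; 12-byte nonce + 16-byte tag precede it
	if split < 28 {
		return nil, rsa.ErrDecryption
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[split:], nil)
	if err != nil {
		return nil, err // wrong private key: the per-file key, and so the file, stays locked
	}
	return gcmFor(key).Open(nil, blob[:12], blob[12:split], nil)
}
```

The practical consequence for responders is that the wrapped key at the end of each file is useless without the private key, so recovery planning has to rest on offline backups rather than on breaking the per-file encryption.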
After its first version was spotted in the wild, we have continued to monitor Nefilim’s activities and its evolution. To date, we have observed 18 different variants among an estimated 65 different samples.
Based on the information we have gathered, Nefilim samples follow a consistent pattern. This suggests that:
The following table lists the tactics and techniques used in the Nefilim ransomware samples we observed.
The profile of a Nefilim victim is relatively broad in terms of location and industry, but the targets tend to be companies with a revenue of over US$1 billion. The majority of the targets are located in North and South America, but we have also seen targets throughout Europe, Asia, and Oceania. 
Our data showed a steady and substantial growth in the amount of sensitive information that has been leaked by Nefilim actors. Nefilim has been able to keep websites with victims’ data up and running for more than a year. The group has also been known to post their victims’ sensitive data over several weeks and even months, with the goal of scaring future victims into paying ransom.
We think that the primary reason ransomware actors leak sensitive data is to issue a clear warning to future victims: ransomware actors will try to cause further harm when the ransom amount is not paid. For example, the infamous REvil actors boldly started an “auction” on their website in the dark web for the stolen data of a victim organization that refused to pay their ransom.
We researched the RaaS sites of 16 ransomware actors and found significant differences in how these actors extort money from their victims. Most actors claim that they will keep stolen data publicly available for several months. Some actors such as Nefilim and Cl0p manage to keep terabytes of stolen data online for over a year and threaten to leak increasing amounts of data over time. As mentioned above, some websites are on Tor-hidden servers while others are hosted using bulletproof hosting. We noted that RaaS actors upload stolen files on commercially available and free file-sharing platforms, or even host files on their websites on the clear web.
Over the years, we have been monitoring malicious ransomware activities, including the actors behind the Nefilim and Nemty ransomware. Specifically, we tracked the group behind these ransomware families under the intrusion set “Water Roc.” Currently, we associate the underground actors jsworm and Jingo with Water Roc activity, and both actors have actively sold and supported Nemty in the past. Based on their activities online, both are believed to be Russian-speaking. Nemty’s code also contained lyrics from several Russian songs and artists. While we can’t state with full confidence that either of these two actors is still actively involved in Nefilim’s operations, we do believe that they were involved in Nefilim’s early development at the very least.
jsworm posts on the Exploit forum for the first time; JSWorm and RazvRAT go on sale
jsworm posts that RazvRAT is no longer for sale
Jingo advertised the Nemty ransomware on a verified Tor website
Nemty ransomware version 1.6 is released
Nemty ransomware version 2.3 is released
Corporate links website launches the Nemty ransomware blog
jsworm mentions starting a separate project
Nephilim ransomware variant is compiled
Nemty Revenue 3.1 is released on the Exploit forum
Nemty ransomware starts using Trickbot
Sigareta ransomware variant is compiled
Telegram ransomware variant is compiled
Merin ransomware variant is compiled
Fusion ransomware variant is compiled
Milihpen ransomware variant is compiled
Gangbang ransomware variant is compiled
Mansory ransomware variant is compiled
The breakdown of Nefilim’s tools, tactics, and processes reveals significant features regarding the modus operandi of modern ransomware:
Nefilim’s way into the network often involves the use of weak credentials on exposed or externally facing services, and in some cases the exploitation of critical vulnerabilities.
Once inside the victim environment, attackers find important systems in the victim network, which are more likely to contain sensitive data to steal and encrypt. They also use important systems as jump-off points to keep finding more critical data. 
The attackers set up a call-home system using the Cobalt Strike software. 
Once the attackers find interesting data worth stealing, they proceed to exfiltrate it. The exfiltrated data can be published on websites hidden behind Tor services and fast flux networks. 
Once the attacker is ready, they launch the ransomware payload manually. This encrypts the data so that the attacker can seek ransom payment. 
Nefilim actors target high-profile, multi-billion dollar companies located worldwide.
Corporations and network guardians have to stay ahead of the curve and be prepared for APT-level ransomware attacks, especially given the amount and value of data that many businesses have stored in their systems. Security investigators have a difficult task as well — they have to piece together actions from multiple groups: the intruders who first breach the network and the group that will try to move laterally and monetize the attack. The full kill chain becomes more complex because of the various groups that are involved.
Although there are challenges and complexities in shielding organizations from these threats, recent events show that even the most advanced malware families can be brought down. Cybersecurity is also evolving constantly, and always finds new ways to defend against these persistent threats.
To read more about modern ransomware, read our full report.