Remote Encryption Attacks Surge: The Disaster One Vulnerable Device Can Cause

admin, 21 December 2023 13:43:46

Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns.

"Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos, said.

"Attackers know this, so they hunt for that one 'weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders."

Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network.

In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compromises originating from unmanaged devices.

"Ransomware families known to support remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal, and it's a technique that's been around for some time – as far back as 2013, CryptoLocker was targeting network shares," Sophos said.

A significant advantage of this approach for the attacker is that it renders process-based remediation measures ineffective: the managed machines whose files are being encrypted never see the malicious process, because it runs only on the unmanaged device and reaches them over the network.

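Because the encrypting process lives on the unmanaged host, the endpoint agent on a managed file server sees only incoming network writes, which is why defenders look at the server side of the share instead of at processes. As an added example (not code from Sophos or from the original article), the Python below applies a simple server-side heuristic to constructed file-share audit records: it flags any remote client that rewrites many distinct files with ciphertext-like, high-entropy content inside a short window. The record format, client addresses, share paths and thresholds are all assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary documents well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_remote_encryptors(events, window=timedelta(seconds=60),
                           min_files=5, entropy_threshold=7.5):
    """Flag remote clients that rewrote >= min_files distinct share files with
    high-entropy content inside any sliding window; returns {client: files}."""
    by_client = defaultdict(list)
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["sample"]) >= entropy_threshold:
            by_client[ev["client"]].append((ev["ts"], ev["path"]))
    flagged = {}
    for client, writes in by_client.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1
            paths = {p for _, p in writes[start:end + 1]}
            if len(paths) >= min_files:
                flagged[client] = max(flagged.get(client, 0), len(paths))
    return flagged

CIPHERTEXT_LIKE = bytes(range(256)) * 4          # uniform bytes, entropy 8.0
PLAINTEXT_LIKE = b"Quarterly figures, plain text.\n" * 32

def demo_events():
    """Constructed audit records (not real logs): an unmanaged host rewrites
    six share files in 30 s, while a managed host does ordinary work."""
    t0 = datetime(2023, 12, 21, 13, 43, 0)
    events = [{"ts": t0 + timedelta(seconds=5 * i), "client": "10.0.0.23",
               "op": "write", "path": f"\\\\fs01\\finance\\doc{i}.xlsx",
               "sample": CIPHERTEXT_LIKE} for i in range(6)]
    events += [{"ts": t0 + timedelta(seconds=7 * i), "client": "10.0.0.5",
                "op": "write", "path": f"\\\\fs01\\finance\\notes{i}.txt",
                "sample": PLAINTEXT_LIKE if i % 2 else CIPHERTEXT_LIKE}
               for i in range(4)]
    return events
```

Calling `find_remote_encryptors(demo_events())` returns `{'10.0.0.23': 6}`: the unmanaged host is flagged, while the managed host's two compressed-looking writes stay below the file-count threshold.
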
The development comes amid broader shifts in the ransomware landscape, with the threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and launching attacks after business hours and at weekends to thwart detection and incident response efforts.

Sophos, in a report published last week, highlighted the "symbiotic – but often uneasy – relationship" between ransomware gangs and the media, as a way to not only attract attention, but also to control the narrative and dispute what they view as inaccurate coverage.

This also extends to publishing FAQs and press releases on their data leak sites, even including direct quotes from the operators, and correcting mistakes made by journalists. Another tactic is the use of catchy names and slick graphics, indicating an evolution of the professionalization of cyber crime.

"The RansomHouse group, for example, has a message on its leak site specifically aimed at journalists, in which it offers to share information on a 'PR Telegram channel' before it is officially published," Sophos noted.

While ransomware groups like Conti and Pysa are known for adopting an organizational hierarchy comprising senior executives, system admins, developers, recruiters, HR, and legal teams, there is evidence to suggest that some have advertised opportunities for English writers and speakers on criminal forums.

"Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further 'mythologize' themselves," the company said.

Originally published on the WeChat public account 知机安全: Remote Encryption Attacks Surge: The Disaster One Vulnerable Device Can Cause

Posted by admin on 21 December 2023 13:43:46. When reposting, please keep the link to this article (CN-SEC 中文网, with thanks to the original author): Remote Encryption Attacks Surge: The Disaster One Vulnerable Device Can Cause, http://cn-sec.com/archives/2323784.html
