Threat Intel
We’ve all been there haven’t we! We’ve pwn3d a network, pivoted and moved around for months and then accidentally got the wrong company name… oh wait.
Well, this story isn’t fiction, CLOP ransomware group have breached a water company and then written it up as the wrong organisation. Read more “CLOP Ransomware Group Breaches Water Company and then misattributes to THAMES WATER”
Defense
“Ransomware is a major issue!”
Hang on maybe we need to re-phrase that:
“Weak security postures are a major issue!”
or perhaps.. why not both!
I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.
Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.
Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1”
Defense
”The world is burning, the world is burning but then if you look around, it always has been…”
Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.
The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.
Read more “Ransomware Realities”
Defense
In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement”
Defense
We looked after about 3-3500 endpoint devices. We were running Windows servers/clients and we leveraged technologies such as:
Defense
We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.
It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access”
Breach
So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.
https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs”
Breach
Ransomware is not that new, I remember back during the msblaster incident I said to a friend, it is a good job whoever wrote this worm was not evil because they would have simply encrypted or deleted all the data post infection. Hell, I can barely remember when that was, I think it was late 2003. Ransomware has been around since the 1980s but not quite in its modern form (it started with the AIDS malware scam). Fast forward to the mid 2000’s and criminals were using encryption but that wasn’t a norm and things only really started to take a bad turn around 2012/2013 with Cryptolocker. The next major global events were WannaCry, NotPetya and Badrabbit. Read more “Extortion and Ransomware – A lethal Combination”