Microsoft: Some Ransomware Attacks Take Less Than 45 Minutes (zdnet.com)
Catalin Cimpanu, writing for ZDNet: For many years, the Microsoft Security Intelligence Report has been the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape. While Microsoft unceremoniously retired the old SIR reports back in 2018, the OS maker appears to have realized its mistake, and has brought it back today, rebranded as the new Microsoft Digital Defense Report. Just like the previous SIR reports, Microsoft has yet again delivered. Taking advantage of its vantage points over vast swaths of the desktop, server, enterprise, and cloud ecosystems, Microsoft has summarized the biggest threats companies deal with today in the face of cybercrime and nation-state attackers. The report is 88 pages long, includes data from July 2019 and June 2020, and some users might not have the time to go through it in its entirety. Below is a summary of the main talking points, Microsoft's main findings, and general threat landscape trends.
[...] But, by far, the most disruptive cybercrime threat of the past year has been ransomware gangs. Microsoft said that ransomware infections had been the most common reason behind the company's incident response (IR) engagements from October 2019 through July 2020. And of all ransomware gangs, it's the groups known as "big game hunters" and "human-operated ransomware" that have given Microsoft the most headaches. These are groups that specifically target select networks belonging to large corporations or government organizations, knowing they stand to receive larger ransom payments. Most of these groups operate either by using malware infrastructure provided by other cybercrime groups or by mass-scanning the internet for newly-disclosed vulnerabilities. In most cases, groups gain access to a system and maintain a foothold until they're ready to launch their attacks. However, Microsoft says that this year, these ransomware gangs have been particularly active and have reduced the time they need to launch attacks, especially during the COVID-19 pandemic. "Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim's system — compromising, exfiltrating data and, in some cases, ransoming quickly — apparently believing that there would be an increased willingness to pay as a result of the outbreak," Microsoft said today. "In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes."
Is this really scary or bad? Seems not. (Score:3)
Hey they're doing you a favor if they activate 45 minutes after they get into the network. At least yesterday's backup won't be infected.
Re: Is this really scary or bad? Seems not. (Score:3)
Except the guy whose job it is to pull those daily backups was one of the first people cut back (or cut out) because we've never needed those backups before and with Covid we have to cut every possible cost we can so the C suite can keep their bonuses.
Unless they are push backups (Score:3)
If the main server writes its backup to a share, the ransomware will typically wipe that out. The bad guys have admin in the server, so they destroy anything admin can.
If the backups are PULLED by the backup server, using a read-only account, and that backup machine is off-domain so the DA can't wreck it, you're pretty safe.
Then you just need to protect against fire, earthquake, lightning, and other physical events by having off-site backup. Plus make sure your backups are encrypted with public key, where
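The pull-and-freeze pattern the comment above describes, as an added example (constructed here, not the commenter's own code): the backup host copies from the source, records a checksum manifest, and makes each snapshot read-only, so nothing that later happens on the source (including encryption by ransomware) changes an earlier snapshot. It assumes POSIX sh with cp, find, cksum and cmp; the rsync-over-SSH read-only account a real deployment would use is left out.

```shell
#!/bin/sh
# Pull-model snapshot backup (constructed example). The backup host reads FROM
# the source; the source host holds no credentials for the snapshot store, so an
# attacker with admin on the source has nothing to write to here.
set -eu

# Where snapshots live on the backup host (a temp dir by default for the demo).
BACKUP_ROOT="${BACKUP_ROOT:-$(mktemp -d)}"

# pull_snapshot SRC LABEL: copy SRC into a fresh snapshot directory, write a
# checksum manifest of every file, then strip write permission on the whole
# snapshot so later runs (or a compromised source) cannot alter it in place.
# Prints the snapshot path.
pull_snapshot() {
  src="$1"; label="$2"
  dest="$BACKUP_ROOT/$label"
  mkdir -p "$dest"
  cp -R "$src/." "$dest/"
  ( cd "$dest" && find . -type f ! -name MANIFEST -exec cksum {} + | sort > MANIFEST )
  chmod -R a-w "$dest"
  printf '%s\n' "$dest"
}

# verify_snapshot DEST: recompute checksums and compare with the manifest.
# Returns 0 if the snapshot is intact, non-zero if any file changed or vanished.
verify_snapshot() {
  dest="$1"
  ( cd "$dest" && find . -type f ! -name MANIFEST -exec cksum {} + | sort | cmp -s - MANIFEST )
}
```

Run verify_snapshot from the backup host on a schedule; a snapshot that stops verifying is the signal to look at the backup host itself, not the source.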
Re: (Score:2)
Don't forget to take the Nightlies home in your trunk.
Your backup / storage server could be running GEMSOS or INTEGRITY-178B and it doesn't matter if you give the Windows machines the ability to write their backups, which means they can overwrite their backups.
And yes - Windows is not the best choice for a secure server.
Re: (Score:2)
Assuming their back up is not online during the attacks. ;)
Vulnerability exists in non-computer network part (Score:3)
At that level of attack there is no way to really protect against it. The only viable solution is to have independent compartments so that one compromised system does not bring down the entire infrastructure, strong backups that are well tested, and switching to a completely different network and computers to keep the operations going, abandoning compromised systems completely.
Re: (Score:2)
"At that level, you can imagine bribing employees, blackmailing them, threatening them, to get access."
Criminals have done that since before the Greek Republic.
Not too surprising; but depressing. (Score:3)
What's depressing about the 'under 45 minutes' stat is mostly what it says about how readily useful credentials are acquired; either because valuable credentials are left scattered around, common credentials are reused often enough to be valuable, or privilege escalation exploits exist that can be exploited with something that's already off the shelf.
When tricking someone into using the wrong account number on a wire transfer can be worth serious money you can't underestimate even attacks that never make it to the level of user-level privilege escalation; but falling to ransomware in under 45 minutes says some very damning things about how your environment is designed: either something alarmingly high level that never should have been left open was, or there isn't sufficient segmentation to keep an unfortunate, but hard to 100% avoid, low-privilege endpoint breach from being privilege-escalated into enough access to trash stuff that matters.