How Ransomware Threats Are Evolving & How to Spot Them

A series of new reports explains how ransomware attackers are changing techniques and how organizations can spot stealthy criminals.

Modern ransomware operators are adopting techniques similar to those of advanced nation-state actors, researchers report. Their attacks are quieter and more long-term as they sit on target networks and search for the exact information they need to bring down their victims.


Sophos researchers today published a series of reports detailing the evolution of ransomware and how attackers are finding new ways to extort more money from large enterprise victims. While the range of ransomware still spans low-level to high-level attacks, their analysis mainly focuses on advanced threats like WastedLocker and Maze ransomware.


"In the old days, everybody was hitting desktops for $400, and there were successful groups doing that and nonsuccessful groups doing that," says Sophos principal research scientist Chet Wisniewski. "Now the successful people aren't bothering with that — they've moved on to more targeted, specific [attacks], either extortion or just incredibly sophisticated enterprise ransomware."


Sophos focused on WastedLocker. In a report, director of engineering Mark Loman and principal threat researcher Anand Ajjan explain how it uses the Windows Cache Manager via memory-mapped I/O to evade monitoring by behavior-based tools. This lets the ransomware transparently encrypt cached documents in memory without generating additional disk I/O, so tools that watch for disk writes may not notice the malware accessing a cached document.


"The cleverness, the creativity, and the intimate knowledge of these very, very minuscule technical details to craft a bypass like that is almost unseen in criminal malware," says Wisniewski. "It's the kind of thing we expect to ..
