Quarterly Report: Incident Response trends in fall 2019

By David Liebenberg and Kendall McKay.

While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data along with data encryption as new levers to compel victims to pay.

Targeting

A wide variety of verticals were once again targeted, including media, government, healthcare, and manufacturing, with the latter representing the top vertical targeted. The number of engagements closed out was around the same as the previous quarter.

Threats

Although we observed some new trends this quarter — including an uptick in web application exploits, a website defacement incident, and some new evasive tactics — this quarter demonstrated the continued threat posed by Trickbot, especially when it is leveraged as a dropper for ransomware such as Ryuk. The top threats for fall 2019 remained Trickbot and Ryuk. In a typical engagement, the target would receive a phishing email with a malicious link or document attached that would lead to the victim downloading Trickbot. The adversaries would use Trickbot and open-source tools such as PowerShell, Empire, or Bloodhound to profile the victim, eventually dropping Ryuk after some dwell time (in one engagement, this lasted up to nearly a year) and demanding a ransom.

We also observed an instance of threat actors using an unusual method to deploy Ryuk. Following a Trickbot infection, the adversaries deployed Ryuk throughout the Active Directory environment as a g ..