The basics of a ransomware infection as Snake, Maze expands

By Joe Marshall (@ImmortanJo3)

Several high-profile ransomware campaigns have recently used the Maze and Snake malware families. Victims range from critical medical supply companies to large logistics firms; businesses of all sizes have fallen to this wave of cybercrime.

When an organization falls victim to a ransomware attack, the encryption event is only the final stage of an otherwise lengthy compromise. The public usually sees just the outcome that makes the headlines, without realizing that the adversary has typically spent considerable effort on the initial compromise, on reconnaissance, on stealing credentials and on evading network defenses before any file is encrypted.

Based on Cisco Talos Incident Response engagements, a Maze ransomware incident timeline might look like this:

Day 0 - 6: Initial compromise, Cobalt Strike artifacts are deployed, and internal administrative accounts are compromised.

Day 7 - 13: Further active reconnaissance; data is typically stolen and uploaded to the adversary's infrastructure.

Day 14 - 21: Using the stolen credentials, PsExec or WMIC is executed against the victim's domain controllers. Maze ransomware spreads from there, taking down the network and leaving the company to deal with the havoc.

Recovery: Talos Incident Response is deployed on site. While there is no set amount of time from initial compromise to the actual ransomware deployment, there is some good news: victims have opportunities to detect and respond to these attacks. Every action listed above generates noise in the form of a log entry or an alert that defenders can detect and act on. For larger enterprises, that can be a lot of noise ...
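The Day 14 - 21 step above (PsExec or WMIC run against domain controllers with stolen credentials) is a good illustration of the "noise" defenders can use. The following is an added example, not code from the original post or from Cisco Talos: two small detection rules run over constructed log records whose field names imitate Windows System log event 7045 (a service was installed) and Security log event 4688 (a new process was created). The event records, host names, account names and the DOMAIN_CONTROLLERS set are all made up for the example.

```python
"""Toy detections for the lateral-movement step described above.

All events below are CONSTRUCTED for illustration; they are not real
telemetry. Field names (EventID, ServiceName, ImagePath, NewProcessName,
CommandLine) mirror the Windows log fields they imitate.
"""
import re
from dataclasses import dataclass

# Assumed inventory of domain controllers (hypothetical host names).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

SAMPLE_EVENTS = [
    # System 7045 on a DC: PsExec's default service name being installed.
    {"host": "DC01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "CORP\\svc_backup"},
    # Security 4688 on a workstation: WMIC creating a process on a remote DC.
    {"host": "WS17", "EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:"DC02" process call create "cmd.exe /c \\\\fs01\\share\\run.bat"'},
    # Benign: an ordinary agent install (hypothetical product name).
    {"host": "WS03", "EventID": 7045, "ServiceName": "ContosoAgent",
     "ImagePath": "C:\\Program Files\\ContosoAgent\\agent.exe", "AccountName": "CORP\\deploy"},
    # Benign: WMIC used locally for inventory, no /node: switch.
    {"host": "WS03", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def detect_psexec_service(ev):
    """7045 with PsExec's default service name or binary.

    PsExec's -r switch renames the service, so the ImagePath is checked
    as well; a fully renamed binary would still evade this rule.
    """
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "").upper()
    if name != "PSEXESVC" and "PSEXESVC" not in image:
        return None
    severity = "high" if ev["host"] in DOMAIN_CONTROLLERS else "medium"
    return Finding(ev["host"], "psexec_service_install", severity,
                   f"service {ev.get('ServiceName')} installed by {ev.get('AccountName')}")


# wmic /node:<host> ... process call create ...  (single target host)
WMIC_REMOTE = re.compile(
    r'/node:\s*"?(?P<target>[^"\s]+)"?.*\bprocess\b.*\bcall\b.*\bcreate\b', re.I)


def detect_wmic_remote_exec(ev):
    """4688 for wmic.exe whose command line creates a process on a remote host."""
    if ev.get("EventID") != 4688:
        return None
    if not ev.get("NewProcessName", "").lower().endswith("\\wmic.exe"):
        return None
    m = WMIC_REMOTE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = m.group("target")
    severity = "high" if target.upper() in DOMAIN_CONTROLLERS else "medium"
    return Finding(ev["host"], "wmic_remote_process_create", severity,
                   f"{ev.get('SubjectUserName')} created a process on {target} via WMIC")


def run_detections(events):
    """Apply every rule to every event; return the list of findings."""
    findings = []
    for ev in events:
        for rule in (detect_psexec_service, detect_wmic_remote_exec):
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.rule} - {f.detail}")
```

Both rules fire on the two malicious records and stay quiet on the two benign ones. The point is not the rules themselves, which any attacker who renames PsExec or uses a different remote-execution tool will sidestep, but that the tooling named in the timeline leaves records on both the source host and the target, and that a hit involving a domain controller deserves a higher priority than the same activity between workstations.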
