Lessons Learned From Analysis of Ransomware Attacks
In a Threat Research report, Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents, FireEye takes a close look at MAZE ransomware. The report draws from FireEye Mandiant Threat Intelligence's experience responding to multiple incidents as well as "research into the MAZE ecosystem and operations."
The FireEye report provides insight into how the various MAZE affiliate teams operate, along with indicators of compromise. Because MAZE is distributed through an affiliate model, the TTPs will continue to change over time. Notably, initial compromise is not limited to users falling for a phishing attack: it also comes through exposed, vulnerable services such as RDP or VDI, accessed with compromised accounts. The call to action is ransomware protection, which covers both user awareness and due diligence, particularly for the security of internet-facing services. At a minimum, enable multi-factor authentication and limit account access so that compromised credentials cannot readily be used for malicious ends.
There are several ransomware news items in this issue of NewsBites, and the FireEye report on MAZE serves as a good summary of most ransomware incidents. Initial compromise was gained in two major ways: (a) targeted phishing via email; and (b) exploitation of a glaring lack of basic security hygiene in patching, server configuration and privilege management. The techniques used for lateral movement included sophisticated "living off the land" use of built-in tools, but there was also plenty of success with simple techniques such as searching for files containing the text "password." SANS published a "2020 Threat Trends Report" with advice from SANS instructors Ed Skoudis, Heather Mahalik and Johannes Ullrich on this and related threat areas: https://www.sans.org/reading-room/whitepapers/threats/paper/38908
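The file-share search for "password" mentioned above is a technique defenders can run themselves, before an intruder does. The following Python script is an added example, not code from the FireEye report or from SANS: it walks a directory tree and flags the files a simple keyword search would turn up, rating lines that look like an actual credential assignment (key = value) higher than prose mentions of the word. The directory layout, file names and file contents it scans are constructed for the demonstration.

```python
"""Find credential-bearing files on a share the way an intruder's grep would.

Added example (not from the FireEye report or SANS). The sample share it
builds and scans is constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# What a quick keyword search catches, and the subset that actually looks
# like a usable credential (a key followed by '=' or ':' and a value).
KEYWORD = re.compile(r"password|passwd|pwd", re.IGNORECASE)
ASSIGNMENT = re.compile(r"(password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE)

# Text-like extensions worth reading; binaries are skipped to keep the scan fast.
TEXT_EXTENSIONS = {
    ".txt", ".ini", ".cfg", ".conf", ".config", ".xml", ".json",
    ".yml", ".yaml", ".ps1", ".bat", ".cmd", ".csv", ".log",
}
MAX_BYTES = 2_000_000  # skip very large files (assumed limit for this example)


def scan_tree(root):
    """Return a list of (relative_path, line_number, severity, line) hits.

    severity is "high" for assignment-style lines and "low" for lines that
    merely mention the keyword (policy text, prompts, comments).
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_EXTENSIONS:
                continue
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for lineno, line in enumerate(text.splitlines(), 1):
                if ASSIGNMENT.search(line):
                    severity = "high"
                elif KEYWORD.search(line):
                    severity = "low"
                else:
                    continue
                rel = str(path.relative_to(root)).replace(os.sep, "/")
                hits.append((rel, lineno, severity, line.strip()))
    return hits


def build_sample_share():
    """Create a constructed file share in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "IT").mkdir()
    (root / "HR").mkdir()
    # Constructed contents: two real credential leaks and one harmless mention.
    (root / "IT" / "backup.ps1").write_text(
        '# nightly backup job\n$password = "Summer2019!"\nCopy-Item D:/data //fs01/backup\n')
    (root / "IT" / "legacy.ini").write_text("[db]\nuser=sa\npwd=sa2017\n")
    (root / "HR" / "policy.txt").write_text(
        "Your password must be changed every 90 days.\nDo not share it.\n")
    (root / "HR" / "payroll.csv").write_text("name,amount\nalice,100\n")
    return root


def demo():
    """Build the constructed share, scan it, clean up, return sorted hits."""
    root = build_sample_share()
    try:
        return sorted(scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, lineno, severity, line in demo():
        print(f"{severity:4} {rel}:{lineno}: {line}")
```

Run it against a real share root instead of the constructed one by calling `scan_tree("/mnt/share")` (or a mapped drive on Windows); triage the "high" hits first, since those are the lines that hand an intruder a working credential, and treat the "low" hits as a cue to check whether the surrounding file belongs on a share at all.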
One interesting finding is that the attacks are a team effort involving multiple skilled parties, who use an underground market to cooperate, collaborate and coordinate.