Ransomware Groups and APT Actors Focus on Financial Services

Trellix released a report examining the behavior and activity of cybercriminals in the third quarter (Q3) of 2021. Among its findings, the research reports that despite underground forum communities moving to ban ransomware activity, hacker groups have used alternate personas to continue spreading ransomware across a growing range of industries, most commonly hitting the finance, utilities and retail sectors, which together accounted for nearly 60% of ransomware detections.

“While we ended 2021 focusing on a resurgent pandemic and the revelations around the Log4j vulnerability, our Q3 deep dive into cyber threat activity found some notable new tools and tactics among ransomware groups and advanced global threat actors,” said Raj Samani, Chief Scientist and Fellow at Trellix.

Reappearance of ransomware groups

In Q3 2021, there was a resurgence of the DarkSide ransomware group under the name BlackMatter, despite the group’s claim that it had ceased operations. Using much of the same modus operandi DarkSide employed in the Colonial Pipeline attack, BlackMatter continued to rely on double extortion, threatening to publish victim data unless a ransom was paid.

Having claimed responsibility for the Kaseya VSA ransomware attack that shut down hundreds of supermarkets for several days, the REvil/Sodinokibi ransomware family continued to dominate in Q3 as it had in the second quarter, accounting for nearly half of Trellix’s ransomware detections.

As the impact of ransomware on systems critical to our daily lives – fuel, grain, food supply and beyond – intensifies, the US government has made strides in advancing its cyber agenda and reducing that impact through the launch of StopRansomware.gov, which aims to identify and locate actors involved in cyber activities against critical US infrastructure.

Maturation of advanced persistent threat techniques

Through the identification of indicators of compromise that reveal the tools used to execute attacks, Trellix has observed the maturation of the techniques that highly skilled APT adversary groups use to circumvent security controls and carry out their operations. In Q3 2021, security operations tools like Cobalt Strike were abused by state actors to gain access to their victims’ networks.

Cobalt Strike is an adversary simulation tool commonly used by ethical hackers to study attack methods and improve incident response, and has been detected in more than a third of APT campaigns tracked. Mimikatz, a post-exploitation tool to gain more access to a victim’s network or elevate user rights to perform tasks once an actor gains access to a victim’s device, has also been detected in more than a quarter of the campaigns.

APT activity in Q3 2021:

  • In Q3 2021, threat activities believed to originate from Russian and Chinese nation-state-backed groups were responsible for 46% of all observed APT threat activity. This assessment is based on the analysis of available technical indicators.
  • The financial sector was targeted in nearly 40% of observed APT activities tracked, followed by utilities, retail and government.

Living off the land spreads

The third quarter of 2021 saw a wave of malicious actors using software already present on a target system to carry out attacks. This use of software and functions native to the target’s system – Living off the Land (LotL) – is often favored by state actors and large criminal organizations because it spares them the effort of developing advanced in-house tools and blends in with legitimate administrative activity.

Trellix observed PowerShell in 42% and Windows Command Shell (CMD) in 40% of LotL detections, used to execute commands and gain access. Other commonly used native operating-system tools include Rundll32, WMIC, and Excel, as well as remote administration tools like AnyDesk, ConnectWise Control, RDP, and WinSCP.

Q3 2021 Cyber Threats

Ransomware pays. REvil/Sodinokibi claimed responsibility for successfully infecting over one million people and then demanding $70 million, making it the highest ransom amount known to the public to date.

APT MITRE ATT&CK techniques. Spear phishing attachments, obfuscated files or information, and PowerShell were the most prevalent APT MITRE ATT&CK techniques, accounting for nearly half of those detected in Q3 2021.

Sector activity. Financial services leads all industries in publicly reported cyber incidents with a 21% increase in the third quarter. The critical economic sector also leads all industries in terms of ransomware samples detected and APT group activity.

Malware families. Formbook, Remcos RAT and LokiBot accounted for nearly 80% of malware detections in Q3 2021, with Formbook being detected in over a third. While malware was the most frequently used technique in reported incidents in Q3 2021, reported malware incidents decreased by 24% compared to Q2 2021.

Regions. The quarter was marked by fluctuations across key regions, with Russia recording a 79% decrease in detected incidents while France recorded a 400% increase. The United States had the most reported incidents in Q3 2021, but its incidents were down 9% from Q2 2021.

Stephen V. Lee