Ransomware continues to be a thorn in everybody's side, with attackers keeping up their campaigns even while the world is in the midst of a pandemic. An article from BleepingComputer brought to light something that many organizations are not aware of, even after they feel they have dealt properly with a ransomware attack. The popular assumption is that once the ransomware has fired, the attackers leave so that they won't get caught. "Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control."
What actually happens is that a ransomware attack unfolds over an extended period of time, starting with the intruder breaching the perimeter and gaining a foothold on the network. Once inside, the intruder typically deploys additional tooling to harvest login credentials and other valuable information. Those credentials are then used to move through the network and exfiltrate unencrypted files before the ransomware itself is deployed. Once the ransomware is out in the open, victims may feel that the intruders have now left, but the reality is that they may still be stealing files AFTER the encryption event. The newer mode of operation is that, instead of demanding the ransom and running for the hills, the attackers demand the ransom and then keep lurking on the network to make sure the negotiation goes their way.
In the example provided by BleepingComputer, a recent Maze ransomware attack on a San Antonio aerospace company showed that the attackers were still operating inside the company's network after the fact: they leaked a document from the company's IT department that reported on the very ransomware attack that had just been perpetrated. Attackers are often reading the victim's email about how the attack is being handled, even while the ransom negotiations are taking place.
The advice provided by the experts is that, on detecting a ransomware attack, the company should first take its network and the systems on it offline, both to stop further encryption of data and to deny the attackers access. (Disconnecting hosts from the network rather than powering them off preserves volatile memory evidence for the investigation that follows; either way, the attackers' access has to be cut first.) Once this is done, the company should engage a third-party cyber security firm to perform a full investigation, with the expectation that this audit will identify corporate devices with persistent infections, other vulnerabilities, and any malicious software left behind by the attackers. The victim should work on the assumption that the network was completely compromised and that even backup servers may have been infected. They should also move to a different method of communication, not tied to the compromised network, in case the attackers are still reading the victim's regular channels. Finally, even though machines and servers may be completely wiped and rebuilt, the attackers may have stolen credentials, so every previously used credential (user and service accounts, keys and tokens alike) should be changed to cut off any further access.
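One concrete part of that investigation is looking for signs that the intruders are still active: steady outbound uploads to unfamiliar hosts (ongoing file theft) and small, regularly timed connections to a single external address (command-and-control beaconing). The script below is an added example written for this post, not code from the original article or from Wedge Networks. It runs two simple hunts over constructed flow records (timestamp, internal source, destination, port, bytes sent); the internal range, the 1 GB upload threshold, the six-connection minimum and the 10% jitter limit are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the victim's internal address space. Traffic that stays inside it
# (e.g. to an internal file server) is not treated as exfiltration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow log (not real traffic; destinations are documentation
# ranges). Format: timestamp,src,dst,dst_port,bytes_sent_by_src
#   10.0.0.15 -> 203.0.113.7   small connections about every 300 s (beacon)
#   10.0.0.22 -> 198.51.100.9  three large uploads totalling 2.25 GB (exfil)
#   10.0.0.22 -> 10.0.0.5      large internal SMB transfer (benign, internal)
#   10.0.0.30 -> 192.0.2.10    irregular, small traffic (benign)
SAMPLE_FLOWS = """\
2020-06-01T02:00:03Z,10.0.0.15,203.0.113.7,443,412
2020-06-01T02:01:00Z,10.0.0.30,192.0.2.10,443,12000
2020-06-01T02:03:30Z,10.0.0.30,192.0.2.10,443,8500
2020-06-01T02:05:01Z,10.0.0.15,203.0.113.7,443,398
2020-06-01T02:07:40Z,10.0.0.22,10.0.0.5,445,1800000000
2020-06-01T02:10:05Z,10.0.0.15,203.0.113.7,443,405
2020-06-01T02:11:12Z,10.0.0.30,192.0.2.10,443,15300
2020-06-01T02:12:00Z,10.0.0.30,192.0.2.10,443,9900
2020-06-01T02:14:58Z,10.0.0.15,203.0.113.7,443,401
2020-06-01T02:16:20Z,10.0.0.22,198.51.100.9,443,700000000
2020-06-01T02:20:02Z,10.0.0.15,203.0.113.7,443,410
2020-06-01T02:25:00Z,10.0.0.15,203.0.113.7,443,397
2020-06-01T02:26:45Z,10.0.0.30,192.0.2.10,443,11100
2020-06-01T02:30:04Z,10.0.0.15,203.0.113.7,443,403
2020-06-01T02:33:10Z,10.0.0.22,198.51.100.9,443,650000000
2020-06-01T02:35:01Z,10.0.0.15,203.0.113.7,443,399
2020-06-01T02:40:10Z,10.0.0.30,192.0.2.10,443,7800
2020-06-01T02:52:45Z,10.0.0.22,198.51.100.9,443,900000000
"""


def parse_flows(text):
    """Parse the CSV-style flow records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, threshold_bytes=1_000_000_000, allowlist=()):
    """Flag (src, dst, total_bytes) pairs that pushed more than threshold_bytes
    to an external destination not on the allowlist (known backup/CDN hosts)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["dst"]) or f["dst"] in allowlist:
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((src, dst, total)
                  for (src, dst), total in totals.items()
                  if total >= threshold_bytes)


def detect_beacons(flows, min_connections=6, max_cv=0.1):
    """Flag (src, dst, mean_interval_seconds) pairs whose connection timing is
    too regular: coefficient of variation of the inter-connection gaps <= max_cv.
    Human-driven traffic is bursty; implants usually check in on a timer."""
    by_pair = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total in detect_exfiltration(flows):
        print(f"possible exfiltration: {src} -> {dst} ({total / 1e9:.2f} GB)")
    for src, dst, period in detect_beacons(flows):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Against the sample data this reports the 2.25 GB upload from 10.0.0.22 and the five-minute beacon from 10.0.0.15, while the large internal transfer and the irregular traffic from 10.0.0.30 stay quiet. Real implants add jitter and attackers stage data through legitimate cloud storage, so the thresholds are a starting point for triage, not a verdict; the point is that the post-incident review has to look at what is still leaving the network, not only at what was encrypted.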
Unfortunately, all of the above is a consequence of the prevalent "Detect, Quarantine and Remediate" approach to network security, which tries to solve the malware problem after the fact: once a network has been infected, the only way to be sure the malware is gone is the long process of a wipe and rebuild. Wedge customers subscribe to a "Detect and Block" approach instead, which stops malware and ransomware in its tracks BEFORE it can enter the network. Wedge's solution also goes one step further at the gateway by scanning both incoming AND outgoing traffic, so it can detect malicious outbound communications from attackers should a threat already be present inside the network.
There is a stark difference between a remediation approach and a prevention approach. Wedge Absolute Real-time Protection (WedgeARP) takes a proactive rather than reactive approach to malware, providing real-time threat protection through patented Deep Content Inspection together with orchestrated threat management across multiple layers of protection. WedgeARP is the first and only platform that can apply deep learning / machine learning based threat detection to network content, and it can detect and block in real time the sophisticated and growing number of new, previously unknown, customized or targeted malware variants. If a Detect and Block approach sounds like what your organization wants to move to instead of continually dealing with remediation, contact our team at: info@wedgenetworks.com. Once you have experienced the difference between the two approaches, you will wonder why organizations are still stuck on Detect and Remediate.