
The latest on ransomware: Same old gang, new bag of tricks


Frank Santucci
Co-Founder and CTO at ParaFlare.
September 16, 2021
3 min read.

When it comes to ransomware attacks, phishing is not always to blame. A recent attack on a mining company revealed a new way ransomware gangs are targeting Australia, and it is not what you would expect.

Ransomware gangs have added new methods of tricking users into downloading their malicious files. In this case the gang planted targeted packages on the internet, disguised as sensitive documents that your organisation had inadvertently made public.

Can you imagine one of your employees googling for information such as 'my company enterprise agreement', 'my company pay scales' or 'my company contracts'?

This is exactly what happened at a global mining operation, where the malware circumvented every protection mechanism in place, including antivirus, Unified Threat Management (UTM) appliances and inbound and outbound proxies.

Thanks to proactive Australian Cyber Security Centre (ACSC) intelligence alerting and a quick-reacting Managed Detection and Response (MDR) operation, ParaFlare halted the ransomware in its tracks for our global mining customer.

What made the difference here was active cyber defence, or MDR: a human who was alerted to the potential threat and intervened quickly to prevent serious damage to the company.

The back story 

ParaFlare closely follows the ACSC. In April 2021, the ACSC alerted the cyber community to an increase in reports of malicious actors targeting Australian networks with Gootkit loaders. ACSC open-source reporting confirms that Gootkit JavaScript (JS) loaders are a precursor to several malware families traditionally used for cybercrime, notably Gootkit, REvil ransomware, Kronos and Cobalt Strike. The ACSC was swift in providing this information so that organisations could undertake their own risk assessments and take appropriate action to secure their systems and networks.

Many in the community had previously shared reporting on this group of malicious actors; however, their targeting had appeared to be confined to Europe. What was different this time was the specific focus on Australia.

In early September, detection analytics alerted the ParaFlare MDR and Incident Response team to Initial Access, Defence Evasion and Command and Control activity on the network of a global mining company. Within minutes, we observed Gootkit and other malicious actions that all pointed to a troubling conclusion: the mining company was probably only hours away from a full-blown ransomware outbreak. Our senior incident responders halted the attack, threat hunted the environment for further activity and ultimately contained the breach.

Mitigation 

Many community experts, including the ACSC, have provided mitigation advice; however, many organisations we talk to say it is simply not possible or unrealistic to enact such controls in their environment. As one example, the ACSC recommends that application control be implemented to prevent execution of unapproved or malicious programs, including executables (.exe), DLLs, scripts (Windows Script Host, PowerShell and HTA) and installers.

MDR is likely the best remedy for most organisations. Processes such as those listed above will run on user devices; when they exhibit unusual activity, there must be a system in place to alert a SOC so that the activity can be triaged and isolated swiftly.
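To make that last point concrete, here is an added example in Python. It is not ParaFlare's detection content and not code from the ACSC advisory; it shows the kind of analytic that turns "a script host ran on a user device" into an alert a SOC can triage. Two rules run over a handful of constructed Windows process-creation events whose field names loosely follow Sysmon Event ID 1: the first flags a script host (wscript.exe, cscript.exe or mshta.exe) executing a script from a user-writable location such as Downloads, the second flags a script host spawning a second-stage interpreter such as PowerShell. The event timestamps, PIDs, paths, user names and the encoded command are all constructed, and the loader-to-PowerShell hand-off is the generic script-loader pattern, not a claim about the incident described above.

```python
"""Added example (not ParaFlare's or the ACSC's code): two detection rules run over
constructed Windows process-creation events whose fields loosely follow Sysmon Event ID 1."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Script interpreters the ACSC advice singles out, plus mshta.exe for HTA files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Interpreters a script loader commonly hands off to for its next stage (assumption).
SECOND_STAGE = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments marking user-writable locations where downloaded files land.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\temp\\")

ProcessEvent = namedtuple("ProcessEvent", "ts pid ppid image cmdline user")
Alert = namedtuple("Alert", "rule severity ts pid detail")


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


def tokens(cmdline: str) -> List[str]:
    """Split a command line on whitespace, keeping quoted paths whole and unquoting them."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_argument(cmdline: str) -> Optional[str]:
    """First argument (after the program itself) that looks like a script file."""
    for tok in tokens(cmdline)[1:]:
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTENSIONS:
            return tok
    return None


def rule_script_from_user_path(ev: ProcessEvent) -> Optional[Alert]:
    """A script host executing a script from Downloads, Desktop or a temp directory."""
    if image_name(ev.image) not in SCRIPT_HOSTS:
        return None
    script = script_argument(ev.cmdline)
    if script is None or not any(m in script.lower() for m in USER_WRITABLE):
        return None
    return Alert("script_host_user_writable_path", "medium", ev.ts, ev.pid,
                 f"{image_name(ev.image)} ran {script} as {ev.user}")


def rule_script_host_spawns_second_stage(ev: ProcessEvent,
                                         by_pid: Dict[int, ProcessEvent]) -> Optional[Alert]:
    """A script host spawning PowerShell, cmd or a LOLBin: the loader handing off."""
    parent = by_pid.get(ev.ppid)
    if parent is None or image_name(parent.image) not in SCRIPT_HOSTS:
        return None
    if image_name(ev.image) not in SECOND_STAGE:
        return None
    return Alert("script_host_spawned_second_stage", "high", ev.ts, ev.pid,
                 f"{image_name(parent.image)} (pid {parent.pid}) spawned "
                 f"{image_name(ev.image)}: {ev.cmdline[:60]}")


def run_detections(events: List[ProcessEvent]) -> List[Alert]:
    """Run both rules over an ordered event stream and return the alerts raised."""
    # Keyed on PID for brevity; a real pipeline keys on a process GUID, because
    # Windows reuses PIDs and a stale parent record would mis-attribute children.
    by_pid = {ev.pid: ev for ev in events}
    alerts: List[Alert] = []
    for ev in events:
        for alert in (rule_script_from_user_path(ev),
                      rule_script_host_spawns_second_stage(ev, by_pid)):
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample: a user opens a downloaded "enterprise agreement" script, the
# script host launches an encoded PowerShell command, and, for contrast, the OS
# runs a legitimate licensing script from System32. Nothing here is real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("2021-09-06T09:14:02Z", 4120, 3980, r"C:\Windows\explorer.exe",
                 "explorer.exe", "CORP\\alice"),
    ProcessEvent("2021-09-06T09:14:05Z", 5212, 4120, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" '
                 r'"C:\Users\alice\Downloads\enterprise_agreement\enterprise agreement 2021.js"',
                 "CORP\\alice"),
    ProcessEvent("2021-09-06T09:14:07Z", 5304, 5212,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 "CORP\\alice"),
    ProcessEvent("2021-09-06T09:20:00Z", 6010, 804, r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli",
                 "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} @ {a.ts} pid={a.pid}: {a.detail}")
```

Run as a script it prints one medium and one high alert for the two malicious events and nothing for the explorer.exe launch or the licensing script run from System32. The second rule is the one worth paging on: a script host handing off to PowerShell is rarely legitimate on a user workstation, whereas the first rule will also fire on the occasional administrator running a .vbs from a download, so it is better treated as a triage signal. Neither rule replaces application control; where Windows Script Host can be blocked outright, the chain never starts.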

If you have a cyber security concern, or think you’ve been breached, call us on 1300 292 946.
