Israel Barak reports on some research by Cybereason that is not really surprising in its results, but is still a bit scary. The firm set up a honeypot to look like an electric company with operations in North America and Europe. Within days, attackers had found it and started attacking it. From their overview:
Cybereason identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victims network to compromise as many endpoints as possible. This includes critical assets like the domain controllers, which could take between several minutes to several hours to properly infiltrate.
Ransomware capabilities were deployed early on in the hacking operation, but it was not immediately detonated. The ransomware was designed to detonate only after preliminary stages of the attack finished across all compromised endpoints in order to achieve maximum impact on the victim.
Their findings are consistent with what I’ve been learning about in terms of how ransomware attacks have evolved. Whereas early attacks would just drop ransomware whenever an intended victim happened to click on a link (as one example), nowadays, attackers may be in your network for days or weeks, performing reconnaissance, gathering more credentials, escalating privileges, and expanding their ability to cripple more of your computers or systems. Then, when they are ready and at a time when you are probably least likely to be monitoring or to have staff ready to respond immediately, they pull the trigger and detonate the ransomware.
Read their full study here.