
SMB ransomware and API data tracks together, while a playbook leaks

From Black Hat last week, researchers are warning of an increase in double extortion attacks against companies. At the event, Acronis released its new Cyberthreats Report for mid-year 2021, warning that small and medium-sized businesses (SMBs) are at particular risk based on the attack trends seen during the first six months of the year. The report cites a 33% jump in ransomware payments, which smaller companies would struggle to absorb. Palo Alto Networks’ threat intelligence team, Unit 42, released a report examining why ransom prices have risen. One trigger is the quadruple extortion tactic: encrypt the data, vow to release the data, launch denial of service attacks, and harass customers, partners, employees and the news media to embarrass the victim. The strategy is to put as much pressure as possible on the victim. Acronis’s data supports this idea: a 70% increase in the number of victims whose data was publicly released.

The Biden administration has explained why it decided not to ban ransomware payments: it was concerned about driving the activity further underground. The quote that stood out: “the state of resilience is inadequate.”

Salt Security’s State of API Security report for Q3 2021 finds that only 11% of people surveyed are greatly concerned about the security risks of shadow or unknown APIs. In contrast, 42% are greatly worried about zombie APIs, which were assumed to be turned off but can still be targeted for an account takeover. Compared to when the study was first conducted six months ago, the percentage of respondents who are at least somewhat confident their API inventory is complete increased from 53% to 62%.

Google announced an Unattended Project Reminder feature, now in public preview, designed to address security by identifying old cloud computing projects that are no longer in use. Microsoft announced that its Azure Sentinel cloud SIEM can now detect potential ransomware activity using the Fusion machine learning model.

A Conti ransomware gang playbook has leaked: a disgruntled affiliate released the group’s training materials. The materials include manuals on deployment of the ransomware and hacking tools and, as reported by Channel E2E, mentions of RMM provider Atera. Quoting that article: “Based on the leaked playbook, ethical hacker Vitali Kremez tweeted a warning for network administrators looking for Conti activity to ‘scan for unauthorized Atera Agent installations and Any Desk persistence,’ ThreatPost reports.” Atera commented to Channel E2E that its product has not been compromised.
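The Kremez advice above is a concrete inventory task, so here is one way an administrator could carry it out on a single Windows host. This is an added example written for this post; it is not code from the article, from Conti’s leaked materials, or from Atera or AnyDesk. The name patterns, the `$ApprovedTools` allowlist, and the registry, service and scheduled-task locations it inspects are my assumptions; adjust them to the RMM tooling your environment actually sanctions.

```powershell
# Added example (not from the article or from Atera/AnyDesk): inventory a Windows host
# for Atera Agent and AnyDesk footprints so unauthorized installs or persistence stand out.
# Assumptions (labelled): the name patterns, the $ApprovedTools list and the locations
# checked below are the author's choices for this example, not values from the article.

$Patterns = @('*Atera*', '*AnyDesk*')

# Tools expected on this host (e.g. your own MSP's RMM agent). Anything matching
# $Patterns that is not listed here is reported for review. Constructed placeholder list.
$ApprovedTools = @()   # e.g. @('AteraAgent') on hosts where the RMM is sanctioned

function Test-Approved {
    param([string]$Name)
    foreach ($ok in $ApprovedTools) { if ($Name -like "*$ok*") { return $true } }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Detail)
    if (-not (Test-Approved $Name)) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
    }
}

# 1. Installed programs (64-bit and 32-bit uninstall hives)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.DisplayName; $n -and ($Patterns | Where-Object { $n -like $_ }) } |
    ForEach-Object { Add-Finding 'InstalledProgram' $_.DisplayName $_.InstallLocation }

# 2. Services (name and display name), including stopped ones
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $s = $_; $Patterns | Where-Object { $s.Name -like $_ -or $s.DisplayName -like $_ } } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.DisplayName) [$($_.Status)]" }

# 3. Run / RunOnce autostart entries (machine and current user)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $v = [string]$p.Value
        if ($Patterns | Where-Object { $p.Name -like $_ -or $v -like $_ }) {
            Add-Finding 'AutoRun' $p.Name "$key -> $v"
        }
    }
}

# 4. Scheduled tasks whose name or action references either tool
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if ($Patterns | Where-Object { $t.TaskName -like $_ -or $actions -like $_ }) {
        Add-Finding 'ScheduledTask' $t.TaskName $actions
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No unapproved Atera/AnyDesk artefacts found on $env:COMPUTERNAME."
} else {
    Write-Output "Review the following on $env:COMPUTERNAME:"
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM hives and all services are readable, and push it through your RMM or a scheduled job so every endpoint reports rather than just the one you happen to be logged into. The allowlist is the important design point: on hosts where Atera is your own sanctioned RMM, an Atera agent is expected and should be suppressed, while an Atera or AnyDesk footprint on a host that has no business running either is exactly the kind of finding the warning is about.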

And in security features you can use: Windows 10 admins can now selectively block USB devices in a layered Group Policy.

Why do we care?

There are a couple of approaches here I wanted to highlight.

First, it’s the understanding of quadruple extortion. It’s the answer to “I don’t have anything of value to steal.” Yes, yes you do.

Second, it’s the quote about the state of resilience. That’s a failure of the technology industry.

Finally, it’s the actions required: the API data shows the industry is just continuing its existing practices of not even watching the basics. That tells IT providers where they can focus: getting the basics right, which is not necessarily easy, goes a very long way… and we still have a long way to go.