The Czech incidents reflect just one corner of a worrying global trend of opportunistic ransomware activations."The attackers are definitely being what I’ll call rational economic actors, which unfortunately also means vicious," says Rob Lefferts, corporate vice president of Microsoft 365 security. "We see behavior where they will break into organizations and actually lie dormant, both because they’re doing reconnaissance but also because they are apparently estimating what is the moment in time when that organization will be most vulnerable and most likely to pay."
An initial attack might give hackers access to a victim's network. But they'll then wait weeks or months for a particularly opportune moment to actually infect the system with ransomware. Microsoft has been tracking such behavior from groups using a number of prominent strains of ransomware, like Robbinhood, Maze, and REvil. While some ransomware groups had pledged not to attack hospitals during the coronavirus crisis, in practice hackers are increasingly attempting to cash in.The Microsoft researchers often observed attackers getting their initial network access by exploiting unpatched vulnerabilities in victims' web infrastructure. They saw some hackers taking advantage of a widely publicized flaw in the Pulse Secure VPN and others exploiting flaws in remote management features like remote desktop systems. Attackers also targeted vulnerabilities and insecure configurations of Microsoft's own products. Attackers could guess passwords of organizations using Remote Desktop Protocol without multifactor authentication or exploit known bugs in Microsoft SharePoint and Microsoft Exchange servers that victims had neglected to patch.
Attackers even took advantage of tools used in security to proactively find and plug network holes, including the attack emulation platform Cobalt Strike and malicious techniques in Microsoft's remote management framework PowerShell. This activity often looks legitimate and can sneak past scanners, allowing attackers to lie in wait and do reconnaissance undetected on the network until they choose the moment to actually strike.
While attackers wait for the right conditions to release the ransomware, they often exfiltrate data from their victims' networks. The motive of this activity isn't always clear, though, Microsoft says. It can be difficult to tell the difference between attackers who have IP theft or other intelligence gathering as their main goal and those that just collect what they can as a secondary benefit of positioning themselves for ransomware attacks.
"That dwell time can vary between days, weeks or even months," says Jérôme Segura, head of threat intelligence at the monitoring firm Malwarebytes. "When the time has come for ransomware deployment, threat actors will typically choose weekends, and preferably the wee hours of Sunday morning. This made sense pre-pandemic as staff would typically return to work on Mondays to witness the damage. Now many businesses have their resources stretched far more than before and as a result may be in a tougher position to respond to a compromise."
What Is Credential Dumping?