{"id":7059,"date":"2023-09-19T09:28:59","date_gmt":"2023-09-19T09:28:59","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=7059"},"modified":"2023-12-20T11:33:39","modified_gmt":"2023-12-20T11:33:39","slug":"what-happens-during-a-ransomware-attack","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/featured\/what-happens-during-a-ransomware-attack\/","title":{"rendered":"What happens during a Ransomware Attack?"},"content":{"rendered":"\n<p>The <strong><em>Incident Response<\/em><\/strong> activities carried out by our Team in the recent period confirm the <strong>growing trend<\/strong> in the <strong>number of cyber attacks<\/strong> against Italian companies. What should make us reflect (beyond the numbers and the damage caused) is the <strong>technical evolution<\/strong> and increasing <strong>complexity<\/strong> of these attacks.<\/p>\n\n\n\n<p>In fact, we observe greater hands-on involvement of the attacker during the stages of compromising company systems. Ransomware and the resulting data encryption represent only the last step taken by criminals within the affected company. 
Today we speak of &#8220;<strong>Human-operated ransomware<\/strong>&#8221; and &#8220;<strong>Big Game Hunting<\/strong>&#8221;.<\/p>\n\n\n\n<p>This type of cyber attack often begins with the compromise of an employee&#8217;s workstation (via email) and the use of <strong>Trojans<\/strong> and <strong>Spyware<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image is-style-default\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/03\/Rischi-postazione.png?fit=750%2C140&amp;ssl=1\" alt=\"\" class=\"wp-image-1225\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<p>In other cases, the first system to be compromised is a <strong>perimeter server<\/strong>, through the exploitation of vulnerabilities in exposed services (often <strong>RDP<\/strong> and <strong>SMB<\/strong>).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-from-a-workstation-to-servers\">From a Workstation to Servers<\/h2>\n\n\n\n<p>The compromise of an employee&#8217;s workstation should not be underestimated. <strong><em>Threat actors<\/em><\/strong> are increasingly moving from the employee&#8217;s desk to the rest of the infrastructure and systems. 
The criminals&#8217; objective is the compromise of the internal servers of the company network (typically the Domain Controllers, Web Servers and Mail Servers), achieved through <strong><em>Lateral Movement<\/em><\/strong> and <strong><em>Privilege Escalation<\/em><\/strong> activities.<\/p>\n\n\n\n<p>Lateral movement is the series of steps an attacker performs to gain access to other systems in the same computer network.<\/p>\n\n\n\n<p><strong>Would you be able to identify behaviors and tools of this kind?<\/strong><\/p>\n\n\n\n<p>Some offensive tools often used by criminals (and by penetration testers):<\/p>\n\n\n\n<p><strong>Initial Compromise and Post-Exploitation Tools:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Meterpreter<\/li>\n<li>PowerShell Empire<\/li>\n<li>Covenant<\/li>\n<\/ul>\n\n\n\n<p><strong>Lateral Movement (ID:\u00a0TA0008):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WMI<\/li>\n<li>PowerShell<\/li>\n<li>PsExec<\/li>\n<li>SMB tunnels<\/li>\n<\/ul>\n\n\n\n<p><strong>Credential Dumping (ID: T1003):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mimikatz<\/li>\n<li>LaZagne<\/li>\n<li>LSASS memory dumps<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/03\/compromissione-2.png?fit=750%2C453&amp;ssl=1\" alt=\"\" class=\"wp-image-1230\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Escalation and compromise of infrastructure servers<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How to defend? 
Cyber Defense Activities<\/h2>\n\n\n\n<p>It is essential to &#8220;respond&#8221; to this type of offensive maneuver with specialized defensive activities.<br>There are system defense tools that, in addition to automatic protection, allow specialized analysts to carry out detection, analysis and response activities for IT incidents.<\/p>\n\n\n\n<p>Carrying out <strong>Cyber Defense<\/strong> activities means protecting and defending the infrastructure at 360\u00b0, through activities of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Monitoring<\/strong><\/li>\n<li><strong>Malware Analysis<\/strong><\/li>\n<li><strong>Threat Hunting<\/strong><\/li>\n<li><strong>Incident Response<\/strong><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"background-color: #ff9900\">For more details:\u00a0<\/span>\ud83d\udc49<a href=\"https:\/\/fortgale.com\/it\/#contact\">CONTACTS<\/a><\/h2>\n\n\n\n<p>According to a statement issued by the company (Maersk), the total cost for dealing with the outbreak will land somewhere in the\u00a0<a href=\"https:\/\/phys.org\/news\/2017-08-moller-maersk-cyberattack-million.html\" target=\"_blank\" rel=\"noreferrer noopener\">$200 to $300 million range<\/a>. NotPetya-related costs contributed to a $264 million quarterly loss despite revenues rising from $8.7 billion to $9.6 billion year-over-year. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.forbes.com\/sites\/leemathews\/2017\/08\/16\/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million\/#6e27c2e4f9ae\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/03\/forbes.png\" alt=\"\" class=\"wp-image-1236\" loading=\"lazy\" \/><\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The Incident Response activities carried out by our Team in the last period confirm the growing trend in the number of cyber attacks against Italian companies. What should make us reflect (beyond the numbers and the damage caused) is the technical evolution and increase in complexity of the latter. In fact, we notice greater interaction [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":5258,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2515],"tags":[3068,213],"class_list":["post-7059","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","tag-attention","tag-malware-analysis"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7059","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=7059"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7059\/revisions"}],"predecessor-version":[{"id":8661,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7059\/revisions\/8661"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/5258"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=7059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=7059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=7059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}