Ransomware teams are troublesome to close down as a result of they’re continuously adapting their strategies to evade newer safety defenses and controls. On this Tech Speak, Brianna Leddy, director of research at Darktrace, says that simply because an assault group ceases operations doesn’t suggest they will not re-emerge in a unique kind.
For instance, researchers consider that the DarkSide group behind the ransomware assault towards Colonial Pipeline returned as Blackmatter, a ransomware-as-a-service group. DarkSide shut down its operations, presumably due to investigations by regulation enforcement and the US federal authorities clawing again the ransom funds.
This previous yr, a number of affiliate teams working with the group behind REvil ransomware have been arrested. Even so, the truth that a web site affiliated with REvil not too long ago began redirecting to a brand new web site looks as if an indicator that the group is again in operation.
“I do not suppose it is the final that we have heard of this title,” Leddy says.
Re-branding can even mirror a shift in ways, Leddy says. As extra organizations are scanning networks to search for malicious visitors, extra attackers are starting to “reside off the land,” Leddy says. Residing off the land refers to abusing respectable administrator instruments and companies to mix of their malicious actions amongst all different regular, day-to-day community visitors. Attackers are additionally more and more focusing on cloud companies and backup servers to make it tougher for organizations to get well their encrypted information from the assault group.
