Feds warn about right Royal ransomware rampage that runs the gamut of TTPs

by Paul Ducklin

The US Cybersecurity and Infrastructure Security Agency (CISA), which dubs itself “America’s Cyber Defense Agency”, has just put out a public service announcement under its #StopRansomware banner.

This report is numbered AA23-061a, and if you’ve slipped into the habit of assuming that ransomware is yesterday’s threat, or that other specific cyberattacks should be at the top of your list in 2023, then it is well worth reading.

The risks you introduce by taking your eyes off the ransomware threat in 2023 to focus on the next, old-is-new-again shiny topic (ChatGPT? Cryptojacking? Keylogging? Source code theft? 2FA fraud?) are similar to the risks you would have faced if you started focusing exclusively on ransomware a few years ago, when it was the hot new fear of the day.

Firstly, you’ll often find that when one cyberthreat seems to be decreasing, the real reason is that other threats are increasing in relative terms, rather than that the one you think you’ve seen the back of is dying out in absolute terms.

In fact, the apparent increase of cybercrime X that goes along with an apparent drop in Y might simply be that more and more crooks who previously tended to specialise in Y are now doing X as well as, rather than instead of, Y.

Secondly, even when one particular cybercrime shows an absolute decline in prevalence, you’ll almost always find that there’s still plenty of it about, and that the danger remains undiminished if you do get hit.

As we like to say on Naked Security, “Those who cannot remember the past are condemned to repeat it.”

The Royal gang

The AA23-061a advisory focuses on a ransomware family known as Royal, but the key takeaways from CISA’s plain-speaking advisory are as follows:


  • These crooks break in using tried-and-trusted methods.

    These include using phishing (2/3 of the attacks), searching out improperly-configured RDP servers (1/6 of them), looking for unpatched online services on your network, or simply by buying up access credentials from crooks who were in before them. Cybercriminals who sell credentials for a living, typically to data thieves and ransomware gangs, are known in the jargon as IABs, short for the self-descriptive term initial access brokers.

  • Once in, the criminals try to avoid programs that might obviously show up as malware.

    They either look for existing administration tools, or bring their own, knowing that it’s easier to avoid suspicion if you dress, talk and act like a local; in jargon terms, if you live off the land. Legitimate tools abused by the attackers include utilities often used for official remote access, for running administrative commands remotely, and for typical sysadmin tasks. Examples include: PsExec from Microsoft Sysinternals; the AnyDesk remote access tool; and Microsoft PowerShell, which comes preinstalled on every Windows computer.

  • Before scrambling files, the attackers try to complicate your path to recovery.

    As you probably expect, they kill off volume shadow copies (live Windows “rollback” snapshots). They also add their own unofficial admin accounts so they can get back in if you kick them out, modify the settings of your security software to silence alarms, take control of files that they would otherwise not be able to scramble, and mess up your system logs to make it hard to figure out later what they changed.
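As an added illustration, and not part of the original article or of CISA’s advisory, the Python sketch below turns the pre-encryption behaviours listed above (shadow copy deletion, rogue admin accounts, log clearing, permission grabbing, living-off-the-land tools) into detection logic run over a handful of constructed process-creation records. The hostnames, command lines, field names and rule weights are assumptions made up for the example; the ATT&CK technique ids are taken from MITRE’s public documentation. It scores each host by the number of distinct behaviours seen rather than by raw event count, so a looping command cannot inflate the score, and it reports low-scoring hosts for review rather than isolation.

```python
"""Triage constructed process-creation events for the pre-encryption
behaviours described in the advisory summary above.

Everything here is an assumption for illustration: the field names loosely
follow a Sysmon event ID 1 record, but none of the events are real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # MITRE ATT&CK id (public documentation)
    pattern: re.Pattern  # matched against the lower-cased image + command line
    weight: int          # assumed weight: how rarely benign admins run this


# Assumed weights; a distinct rule is only counted once per host.
RULES = [
    Rule("shadow-copy deletion", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"), 5),
    Rule("local admin account added", "T1136.001",
         re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add"
                    r"|net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add"), 4),
    Rule("event log cleared", "T1070.001",
         re.compile(r"wevtutil(\.exe)?\s+cl\s+|clear-eventlog"), 4),
    Rule("security software tampering", "T1562.001",
         re.compile(r"set-mppreference\s+.*-disable"), 4),
    Rule("file ownership taken recursively", "T1222.001",
         re.compile(r"takeown(\.exe)?\s+/f\s"), 2),
    Rule("remote admin tool", "T1219",
         re.compile(r"(^|\\)(psexec(64)?|psexesvc|anydesk)\.exe"), 2),
    Rule("encoded PowerShell", "T1059.001",
         re.compile(r"powershell(\.exe)?\s.*\s-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}"), 3),
]


def match_rules(event):
    """Return every rule whose pattern appears in this event's image or command line."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [r for r in RULES if r.pattern.search(text)]


def score_hosts(events):
    """Sum the weights of the *distinct* rules seen per host.

    Returns {host: (score, sorted technique ids)}; hosts with no hits are omitted.
    """
    seen = defaultdict(dict)           # host -> {rule name: Rule}
    for ev in events:
        for rule in match_rules(ev):
            seen[ev["host"]][rule.name] = rule
    result = {}
    for host, rules in seen.items():
        score = sum(r.weight for r in rules.values())
        result[host] = (score, sorted(r.technique for r in rules.values()))
    return result


def hosts_to_isolate(events, threshold=8):
    """Hosts whose combined score crosses the (assumed) isolation threshold."""
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= threshold)


# Constructed sample telemetry (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ordinary admin work on a file server: should not score at all
    {"host": "FILESRV01", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe System /c:5"},
    {"host": "FILESRV01", "image": PS, "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    # a lone encoded PowerShell command on a management box: review, not isolate
    {"host": "MGMT01", "image": PS, "cmdline": "powershell.exe -enc aGVsbG8gd29ybGQgdGhpcyBpcw=="},
    # the pre-encryption sequence on one workstation; shadow deletion appears twice
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup P@ss /add"},
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\takeown.exe", "cmdline": r"takeown /f C:\Data /r /d y"},
    {"host": "WS-FIN-07", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS-FIN-07", "image": r"C:\Tools\PsExec.exe", "cmdline": "PsExec.exe -s cmd.exe"},
]

if __name__ == "__main__":
    for host, (score, techniques) in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: score {score}, techniques {', '.join(techniques)}")
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

Run as a script it lists MGMT01 with a score of 3 (review) and WS-FIN-07 with a score of 17 across five distinct behaviours (isolate); FILESRV01 never appears because benign log queries and script execution match nothing. The point of counting distinct rules is that no single command on the list is conclusive on its own, whereas several of them on one host within a short window is exactly the “complicate your path to recovery” phase the advisory describes.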

To be clear, you need to build up your confidence in defending against all these TTPs (tools, techniques and procedures), whether or not any particular wave of attackers are aiming to blackmail you as part of their end-game.

Having said that, of course, this Royal gang are apparently very interested indeed in the technique identified by the US government’s MITRE ATT&CK framework by the unassuming tag T1486, which is labelled with the distressing name Data Encrypted for Impact.

Simply put, T1486 generally denotes attackers who plan to extort money out of you in return for unscrambling your precious files, and who aim to squeeze you harder than ever by creating as much disruption as possible, and therefore giving themselves the biggest blackmail leverage they can.

Indeed, the AA23-061a bulletin warns that:

Royal [ransomware criminals] have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.

And, just to be clear, they typically steal (or, more precisely, take unauthorised copies of) as much of your data as they can before freezing up your files, for yet more extortion pressure:

After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.

What to do?

Crooks like the Royal gang are known in the jargon as active adversaries, because they don’t just fire malware at you and see if it sticks.

They use pre-programmed tools and scripts wherever they can (the criminals love automation as much as anyone), but they give individual attention to each attack.

This makes them not only more adaptable (they’ll change their TTPs at a moment’s notice if they spot a better way to do worse things), but also more stealthy (they’ll adapt their TTPs in real time as they figure out your defensive playbook).


  • Learn more by reading our Active Adversary Playbook, a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.

