They say the cover-up is worse than the crime. When a ransomware attack destroys your network, it’s hard to say which is worse because you may not have known you were breached beforehand – and that’s the point, according to Microsoft Certified Master, Sean Metcalf, in this TEC (The Experts Conference) Talk video on AD breaches.
In my 4th 2020 prediction (see all 7 predictions here), we’ll see ransomware move from being just a blunt instrument for quick cash to a surgical tool as part of a bigger cyber-attack strategy to hide the trail of a breach.
How ransomware will evolve to become even more annihilating
Ransomware first emerged as a spray-and-pray attack method: hackers put the malware out in the wild hoping it would hit some folks desperate enough to pay the ransom. However, encrypting data and valuable operational systems (or even deleting them, as some nasty malware strains have shown) with the intent of disrupting operations is the last step in the cyber security kill chain. Once bad actors have achieved their goal and taken action, the next stop is to cover their tracks. That is more powerful than a ransomware bomb alone, because most people will assume the ransomware was the attack when, in actuality, the attack happened long before.
It’s a smoke screen for other attacks/breaches.
As we’ve seen with various ransomware strains, it evolves, learning lessons from other malware attacks.
It won’t be long until we see a malware strain target Active Directory by deleting the on-premises objects and waiting long enough for that to replicate up to Azure AD before encrypting or deleting the entire directory. A scenario like this would have wiped out Norsk Hydro’s Azure AD instance, preventing communication during their cyberattack via Exchange Online. This is a much more sinister approach to ransomware that, if not out there now, is just on the horizon.
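The replication window described above is also the defender's window. The PowerShell script below is an added example (it is not code from the original post, from Sean Metcalf, or from the tech brief) that checks the two things a practitioner would want to see before the next Azure AD Connect sync cycle: how many objects have been deleted from on-premises AD in the last hour, and whether the Azure AD Connect export deletion threshold is still enabled. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, the AD Recycle Bin enabled so deleted objects keep their attributes, and, for the last step, the ADSync module on the Azure AD Connect server; the 50-deletions-per-hour alert level is an assumed example value.

```powershell
# Added defensive check (not from the original post): surface mass AD object
# deletions before they replicate to Azure AD, and confirm the Azure AD Connect
# export deletion threshold is enabled. Requires the ActiveDirectory module
# (RSAT) on a domain-joined host and, for step 3, the ADSync module on the
# Azure AD Connect server. The threshold of 50 deletions per hour is an
# assumed example value; tune it to your directory's normal churn.
#Requires -Modules ActiveDirectory

param(
    [int]$LookbackHours  = 1,
    [int]$AlertThreshold = 50   # assumed value, not from the original post
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Count recently deleted objects in the Deleted Objects container.
#    With the AD Recycle Bin enabled these keep objectClass and whenChanged;
#    without it, tombstones still exist but carry far fewer attributes.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties whenChanged, objectClass |
    Where-Object { $_.whenChanged -ge $since }

$byClass = $deleted | Group-Object objectClass |
    Select-Object Name, Count | Sort-Object Count -Descending

[pscustomobject]@{
    Since            = $since
    DeletedObjects   = $deleted.Count
    ByObjectClass    = ($byClass | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    ExceedsThreshold = ($deleted.Count -ge $AlertThreshold)
} | Format-List

if ($deleted.Count -ge $AlertThreshold) {
    Write-Warning "$($deleted.Count) objects deleted since $since; review before the next Azure AD Connect sync cycle."
}

# 2. Corroborate with Security log events on the domain controller this runs on:
#    4726 = user account deleted, 4730 = security group deleted,
#    4743 = computer account deleted.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726, 4730, 4743; StartTime = $since } -ErrorAction Stop |
        Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
} catch {
    # Get-WinEvent throws when no events match; treat that as "nothing to report".
    Write-Verbose "No matching deletion events, or Security log not readable: $_"
}

# 3. On the Azure AD Connect server only: show the export deletion threshold.
#    Azure AD Connect refuses to export a batch of deletions larger than this
#    threshold until an administrator re-enables it, which is the built-in brake
#    for exactly the on-premises-to-cloud replication scenario discussed above.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Get-ADSyncExportDeletionThreshold
} else {
    Write-Host "ADSync module not present; run Get-ADSyncExportDeletionThreshold on the Azure AD Connect server."
}
```

Run it from a scheduled task on a domain controller (steps 1 and 2) and on the Azure AD Connect server (step 3). If the threshold is disabled, `Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500` restores the default of 500; the point of the check is that a deliberately timed payload has to get past this brake before the deletions reach Azure AD, so the threshold should never be left switched off after a bulk clean-up.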
How to prevent total annihilation
Defending your IT infrastructure against a ransomware attack has never been a simple task. But things have taken a decidedly ugly turn of late: More and more attacks are simply seeking the total annihilation of your infrastructure. Any organization can be a target – or simply collateral damage from an attack targeting someone else.
Organizations will begin to audit their endpoints more closely and shift their thinking: ransomware is not a replicating virus out in the wild but is instead the result of a timed payload deployed to obfuscate a breach.
Sadly, many organizations are simply unprepared, and as a result, they sustain staggering damage or even fold completely. Don’t let your organization suffer the same fate. Take a look at the tech brief entitled Preparing for attacks that seek total annihilation to learn about many of the most destructive recent attacks, including their speed, scope, motives and methodologies, and the key strategies for defending your organization against this increasingly common threat.