Christopher Romano

How most ransomware incidents actually work 🔻 Access brokers sell access to compromised networks to ransomware-as-a-service affiliates, who conduct the intrusions. Ransomware-as-a-service affiliates prioritize targets based on intended impact or perceived profit Intrusion operators take advantage of preferred security weaknesses they are able to find, so intrusion techniques vary between affiliates. Adversaries often conduct data theft in support of extortion during this phase. If deployed, an affiliate-chosen ransomware payload is the culmination of a chain of malicious activity & criminal relationships. ------- 📄 excerpt from our 2022 blog @ https://t.co/7ivUdsb58l "As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers. Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders."

SCATTERED SPIDER / 0ktapus / UNC3944 is alive and well. Don’t make it easy for them: ◦ MFA everywhere ◦ Disable MFA push; use number-matching, OTP, or hardware token ◦ Disable external IP and unsupervised MFA self-enrollment or self-reset ◦ Allow only one trusted MFA device per user https://t.co/SaZUjXT4xK https://t.co/VcVidg9dZ2 https://t.co/2Hyes6RHGI https://t.co/54Jtn5bxWZ