These tools were intended for use in security research and other authorized purposes. However, cybercriminals have found a way to exploit them for ransomware campaigns. What are some of these tools and how exactly are they weaponized?
Cobalt Strike, PsExec, Mimikatz, Process Hacker, AdFind, and MegaSync.
As ransomware operators continue to add weapons to their arsenal, the stakes keep rising for targeted organizations, which can suffer grave consequences from these attacks. Organizations hit by ransomware typically incur financial damages worth millions, on top of losing access to sensitive data and, in many cases, having that data exposed.
Most recent ransomware campaigns have adopted double extortion techniques, in which threat actors both encrypt a company’s files and leak its data to the public. As for its evolution, we foresaw in our security predictions that ransomware in 2021 would become an even more sinister threat as it becomes more targeted and new families (such as Egregor) emerge. This year, cybercriminals will also continue to abuse legitimate tools to facilitate ransomware attacks.
On their own, these tools are not inherently malicious. Rather, they are intended to support security research or to make administrative and programming tasks more efficient. However, as with many other technologies, cybercriminals have found ways to exploit them. Over time, these tools have become a typical component of ransomware campaigns and, at times, of other cyberattacks as well. The UK’s National Cyber Security Centre (NCSC) has published a list of such tools in a report.
There are several reasons that the use of legitimate tools for ransomware campaigns is such an attractive option for cybercriminals. For one, since these tools are not malicious per se, they might evade detection. It also does not hurt that most of these tools are open-source and therefore can be accessed and used by the public for free. Finally, the usefulness of the tools’ features — the same ones that security researchers benefit from — makes them advantageous for cybercriminals, thereby turning these platforms into unintended, double-edged swords.
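Because each of these tools is legitimate on its own, a detection that fires on a single PsExec or Process Hacker execution would drown analysts in false positives. The following is an added example, not code from the original article or from any of the tool authors, that applies the point made above from a defender's perspective: it scans constructed process-creation log lines (pipe-delimited, timestamp|host|user|image|commandline) for the tools named in this article and flags only hosts where several different tools run within a short window, which is the chaining pattern that distinguishes a campaign from routine administration. The process-name patterns are assumptions for illustration; Cobalt Strike is omitted because its beacon has no fixed image name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Illustrative process-name indicators for the tools named in the article.
# These patterns are assumed for this example; attackers routinely rename
# binaries, so in production pair them with hash, signer and behavioural data.
TOOL_SIGNATURES = {
    "AdFind": re.compile(r"\badfind\.exe\b", re.I),
    "Mimikatz": re.compile(r"\bmimikatz", re.I),
    "PsExec": re.compile(r"\bpsexe(c|svc)\.exe\b", re.I),
    "ProcessHacker": re.compile(r"\bprocesshacker\.exe\b", re.I),
    "MegaSync": re.compile(r"\bmegasync\.exe\b", re.I),
}

# Constructed sample telemetry: one host (WS-14) shows the chained pattern,
# the other two hosts show isolated, plausibly legitimate admin usage.
SAMPLE_LOG = """\
2021-01-12T09:02:11|WS-14|jdoe|C:\\Tools\\AdFind.exe|adfind.exe -f objectcategory=computer
2021-01-12T09:20:45|WS-14|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimikatz.exe|mimikatz.exe
2021-01-12T09:41:03|WS-14|jdoe|C:\\Tools\\PsExec.exe|psexec.exe \\\\WS-15 cmd
2021-01-12T09:55:30|WS-14|jdoe|C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe|MEGAsync.exe
2021-01-12T10:10:00|WS-14|jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2021-01-12T14:30:12|SRV-02|admin|C:\\Admin\\PsExec.exe|psexec.exe \\\\SRV-05 -s cmd /c gpupdate
2021-01-12T08:00:00|WS-07|ops|C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe|ProcessHacker.exe
"""


def parse_event(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, host, tool) if the event matches a tracked tool, else None."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, _user, image, cmdline = parts
    haystack = f"{image} {cmdline}"
    for tool, pattern in TOOL_SIGNATURES.items():
        if pattern.search(haystack):
            return datetime.fromisoformat(ts), host, tool
    return None


def find_tool_chains(log: str, window: timedelta = timedelta(hours=1),
                     min_distinct: int = 3) -> Dict[str, List[str]]:
    """Flag hosts where at least `min_distinct` different tools ran within `window`.

    A lone PsExec or Process Hacker run is routine; the signal is several of
    these tools appearing together on one host in a short span (discovery,
    credential access, lateral movement, exfiltration), which is how they are
    chained in the ransomware campaigns discussed above.
    """
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        event = parse_event(line)
        if event:
            ts, host, tool = event
            hits[host].append((ts, tool))

    flagged: Dict[str, set] = {}
    for host, events in hits.items():
        events.sort()  # chronological, so a forward scan covers each window
        for i, (start, _) in enumerate(events):
            in_window = {tool for ts, tool in events[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                flagged.setdefault(host, set()).update(in_window)
    return {host: sorted(tools) for host, tools in flagged.items()}


if __name__ == "__main__":
    for host, tools in find_tool_chains(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(tools)}")
```

With the defaults (three distinct tools within one hour) only WS-14 is reported; SRV-02's single PsExec run for a group-policy refresh and WS-07's Process Hacker session are left alone. Lowering `min_distinct` to 1 turns the same function into a plain inventory of where these tools execute, which is useful for baselining which hosts and accounts legitimately use them before the correlation threshold is tuned.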