Wednesday, 18 March 2020 11:49

Windows ransomware comes like a thief at dawn or at night: FireEye

Image: Pixabay

More than three-quarters of the Windows ransomware cases across the 2017 to 2019 period studied by Mandiant Intelligence, a division of security firm FireEye, occurred after working hours.

A blog post by FireEye's Kelli Vanderlee said that, apart from this common characteristic, in most of the cases examined at least three days elapsed between the first indication of malicious activity and the deployment of the ransomware.

The most common method of gaining entry to a Windows system was the Remote Desktop Protocol (RDP), which the operating system supports natively. In other cases, attackers gained access through phishing or drive-by downloads.

Vanderlee wrote that in 2018 and 2019, post-compromise and interactive ransomware deployment increased, allowing attackers to identify key systems so that their attacks could be more effective.

The aim of ransomware is to make money, and towards this end the people behind such attacks created a sense of urgency by raising the ransom demand once a set deadline had passed. Alternatively, they offered a lower ransom in exchange for decrypting only part of the files that had been encrypted.

Another point noted was that ransomware attackers used other means like data theft and extortion to increase their chances of success.

Taking aim at organisations that depend on high availability, such as hospitals, government bodies or industrial environments, was a tactic used to increase the chances of a ransom being paid.

Vanderlee noted that the use of RDP had been more common in 2017 and had fallen away to some extent in the two following years. In some cases the credentials used to gain entry through RDP were brute-forced; in others, the ransomware actor purchased access credentials from another criminal in the same trade.

While phishing is all too common, Mandiant also observed several cases where a user was tricked into visiting a website that infected their Windows machine with malware, which in turn facilitated the entry of the ransomware.

"In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8am or after 6pm on a weekday, using the time zone and customary work week of the victim organisation," Vanderlee noted. "This observation underscores that threat actors continue working even when most employees may not be."

Vanderlee said that in the midst of the woes caused by ransomware attacks, there was some light. "The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment," she said.

"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."
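As an added example (not code from FireEye's post or from this article), the following Python applies Vanderlee's after-hours definition, weekends or weekdays before 08:00 or after 18:00 in the victim's own time zone, to constructed Windows Security log lines, and also flags the RDP brute-force pattern described above: a burst of failed logons (event 4625) from one source, followed by a successful RemoteInteractive logon (event 4624, LogonType 10). The Monday-to-Friday work week, the UTC+10 offset, the one-line log format, and every host, user name and address are assumptions made for the example; the sample log is constructed, not a captured one.

```python
"""After-hours and RDP brute-force triage over Windows logon events.

Added example: the work week, the UTC+10 offset, the log format and all
names/addresses below are assumptions; SAMPLE_LOG is constructed data.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumption: the victim works Mon-Fri 08:00-18:00 in UTC+10. A fixed offset
# keeps the example free of tzdata; for a real organisation use
# zoneinfo.ZoneInfo("Australia/Melbourne") so daylight saving is handled.
VICTIM_TZ = timezone(timedelta(hours=10), name="UTC+10")
WORK_START, WORK_END = time(8, 0), time(18, 0)
WEEKEND = {5, 6}                      # datetime.weekday(): Monday == 0

# Windows Security log event IDs and the RDP logon type (these are the real values).
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625
RDP_LOGON_TYPE = "10"                 # LogonType 10 == RemoteInteractive (RDP)

# Constructed sample log: "<UTC timestamp> <event id> key=value ...", one event per line.
SAMPLE_LOG = """\
2019-11-01T01:30:00Z 4624 logon_type=10 user=jsmith src=198.51.100.20
2019-11-01T08:00:00Z 4624 logon_type=2 user=jsmith src=198.51.100.20
2019-11-01T10:05:00Z 4625 logon_type=10 user=administrator src=203.0.113.5
2019-11-01T10:05:02Z 4625 logon_type=10 user=administrator src=203.0.113.5
2019-11-01T10:05:03Z 4625 logon_type=10 user=backup src=203.0.113.5
2019-11-01T10:05:05Z 4625 logon_type=10 user=administrator src=203.0.113.5
2019-11-01T10:06:00Z 4624 logon_type=10 user=administrator src=203.0.113.5
2019-11-03T22:00:00Z 4624 logon_type=2 user=jsmith src=198.51.100.20
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware UTC 'ts' and int 'event_id'."""
    ts, event_id, *fields = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": int(event_id),
    }
    rec.update(f.split("=", 1) for f in fields)
    return rec


def is_after_hours(ts_utc, tz=VICTIM_TZ):
    """Mandiant's definition: weekend, or before 08:00 / after 18:00 on a weekday,
    evaluated in the victim's local time zone (18:00:00 itself counts as working hours)."""
    local = ts_utc.astimezone(tz)
    if local.weekday() in WEEKEND:
        return True
    return local.time() < WORK_START or local.time() > WORK_END


def _records(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def after_hours_events(log_text, tz=VICTIM_TZ):
    """Events that fall outside the victim's work week, annotated with local time."""
    out = []
    for rec in _records(log_text):
        if is_after_hours(rec["ts"], tz):
            rec["local"] = rec["ts"].astimezone(tz).strftime("%a %Y-%m-%d %H:%M")
            out.append(rec)
    return out


def failed_logon_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any `window`-long span.
    Returns {src: max failures seen in one window}; a sliding window over sorted
    timestamps avoids counting slow, spread-out failures as a burst."""
    failures = defaultdict(list)
    for rec in _records(log_text):
        if rec["event_id"] == LOGON_FAILURE:
            failures[rec["src"]].append(rec["ts"])
    bursts = {}
    for src, stamps in failures.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def after_hours_rdp_successes(log_text, tz=VICTIM_TZ):
    """Successful RDP logons after hours: the highest-priority records to review,
    especially from a source that also appears in failed_logon_bursts()."""
    return [r for r in after_hours_events(log_text, tz)
            if r["event_id"] == LOGON_SUCCESS and r.get("logon_type") == RDP_LOGON_TYPE]


if __name__ == "__main__":
    for r in after_hours_events(SAMPLE_LOG):
        print(f"after-hours {r['event_id']} {r['local']} user={r['user']} src={r['src']}")
    print("brute-force candidates:", failed_logon_bursts(SAMPLE_LOG))
    print("after-hours RDP successes:",
          [(r["local"], r["user"], r["src"]) for r in after_hours_rdp_successes(SAMPLE_LOG)])
```

Run against the sample, the Friday 18:00 and Monday 08:00 logons stay inside working hours, the five events around 20:05 local on the Friday evening are flagged, and 203.0.113.5 is reported both as a failed-logon burst and as the source of an after-hours RDP success. Those are the kinds of early signals, in the multi-day window before deployment that Vanderlee describes, that an alerting rule should weight more heavily when they arrive outside the organisation's working hours.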



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
