
Sprite Spider weaves its web among ransomware operators

At the recent SANS Cyber Threat Intelligence Summit, two CrowdStrike cybersecurity leaders, Senior Security Researcher Sergei Frankoff and Senior Intelligence Analyst Eric Lowe, detailed an emerging ransomware actor they dub Sprite Spider. Like many other ransomware attackers, the gang behind the Sprite Spider attacks has grown rapidly in sophistication and damage capacity since 2015. (CrowdStrike’s research was echoed in a lengthy report from Palo Alto Networks’ Unit 42 in November 2020.)


Today, Sprite Spider is poised to become one of the largest ransomware threat actors of 2021 and has a threat profile on par with what APT actors had five or ten years ago. The rise of Sprite Spider as a complex threat is not surprising given that, like many other organized ransomware gangs, it is staffed by hackers who are often hired hands for nation-state threat actors.

Sprite Spider evolution

Sprite Spider started out in 2015 with a banking Trojan called Shifu, adding a malware loader called Vatet around 2017. In 2018, the gang introduced a remote access Trojan called PyXie. By 2019, the group had matured to the point of deploying the DEFRAY777 ransomware.


At this point, CrowdStrike researchers have linked Shifu, Vatet, and PyXie to the DEFRAY777 ransomware attacks. They realized that all of the activity from these components traced back to a single threat actor that had been flying under the radar.

What can you do to protect yourself from ransomware?

Implement a security awareness training program – Someone wiser than me once told me, “You can’t stop or avoid what you’re not prepared to handle.” This applies to ransomware attacks.

Most ransomware attacks are delivered through social engineering campaigns and initiated by the end user (i.e. you, a co-worker, or an employee). A good security awareness training program can help educate people and stop a ransomware attack before it can get a foothold in your IT environment.

Email security is essential – As mentioned above, a ransomware attack is usually initiated by the end user. How? Usually via a malicious file or link embedded in an email. An attacker tricks an unsuspecting victim into clicking through and, well, it all goes downhill from there.

By implementing controls like DMARC or DKIM, or subscribing to a service like Cyren’s Office 365 Inbox Security platform, you can stop some of these attacks before human error becomes part of the problem.

Next-generation endpoint protection – Traditional endpoint protection products rely on legacy detection methods, such as looking for specific signatures. Newer products such as BlackBerry Protect (formerly Cylance) use machine learning and artificial intelligence to determine whether software trying to run on your device is dangerous.

Back up your critical endpoints and data – a no-brainer. Even without the risk of a ransomware attack, you should back up your important data. A ransomware attack is only deadly to an organization that has no backups.

Ransomware attacks encrypt your endpoints and demand a ransom (duh) from the victim in exchange for the decryption key. If you have regular backups, there is no need to pay. You simply restore your environment to a point before the infection.

Just make sure your backups are stored in a safe place, are not connected to your network, and are password protected.

How does Sprite Spider Ransomware work?

The gang can often escape detection primarily because its code looks benign, hiding inside legitimate open source projects like Notepad++. The only thing Sprite Spider writes to disk is Vatet, which makes it difficult for analysts to track the group while responding to incidents.

Despite its stealth and its many components, Sprite Spider displays some rather ordinary characteristics. DEFRAY777 isn’t a complex ransomware, but it gets the job done. Sprite Spider is also somewhat late to the dedicated leak site game, waiting until late November 2020 to launch its own site to communicate with victims, months after other ransomware actors began launching such sites.

The real threat from Sprite Spider escalated in July 2020 when it began targeting ESXi hosts, which are typically deployed by large organizations that use VMware’s bare-metal hypervisor technology to manage multiple virtual machines. DEFRAY777 deployed on ESXi hosts uses stolen credentials to authenticate to vCenter, the web interface for managing multiple ESXi hosts and the virtual machines running on them.


Next, the attackers log in, enable SSH, change SSH keys or root passwords, kill running processes, launch tasks that execute binaries from the tmp directory, and encrypt all virtual machines and their hosts. Soon after Sprite Spider started targeting ESXi hosts, another threat group called Carbon Spider independently started targeting ESXi hosts as well.

By targeting ESXi hosts, Sprite Spider does not have to spread ransomware throughout the entire organizational environment – it only needs to compromise a few servers to encrypt a wide range of virtualized IT infrastructure. “This is emblematic of a larger trend in the crime ecosystem, as some of eCrime’s largest adversaries have shifted their operations away from bank fraud to these targeted ransomware operations,” said CrowdStrike’s Lowe.
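The sequence described above (SSH enabled, root credentials changed, processes killed, a binary run from tmp) is a chain a defender can correlate on. The following is an added example, not code from the article or from CrowdStrike; the event schema, host names and sample events are constructed, and a collector would have to map real ESXi or vCenter logs onto these fields first.

```python
# Added example (not from the article or CrowdStrike): a toy correlation rule
# for the ESXi intrusion sequence described above. The event schema and the
# sample events are constructed; real ESXi/vCenter logs must be mapped onto
# these fields by a collector before a rule like this can run over them.
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered stages of the chain the article describes on an ESXi host.
STAGES = ("ssh_enabled", "credential_changed", "process_killed", "tmp_exec")

# Constructed sample telemetry: (ISO timestamp, host, event_type, detail).
SAMPLE_EVENTS = [
    ("2020-07-10T01:02:00", "esxi-01", "ssh_enabled", "TSM-SSH started"),
    ("2020-07-10T01:05:30", "esxi-01", "credential_changed", "root password set"),
    ("2020-07-10T01:07:10", "esxi-01", "process_killed", "vmx pid 4711"),
    ("2020-07-10T01:09:45", "esxi-01", "tmp_exec", "/tmp/<placeholder-binary>"),
    # Routine admin work on another host: SSH enabled, password rotated a day later.
    ("2020-07-10T09:00:00", "esxi-02", "ssh_enabled", "TSM-SSH started"),
    ("2020-07-11T09:00:00", "esxi-02", "credential_changed", "root password set"),
]

def detect_chain(events, window=timedelta(hours=1), min_stages=3):
    """Return {host: [stages seen]} for each host where at least `min_stages`
    of STAGES occur in order, all within `window` of the ssh_enabled event."""
    by_host = defaultdict(list)
    for ts, host, kind, _detail in sorted(events):
        if kind in STAGES:
            by_host[host].append((datetime.fromisoformat(ts), kind))
    hits = {}
    for host, evs in by_host.items():
        for i, (start, kind) in enumerate(evs):
            if kind != STAGES[0]:
                continue                      # a chain must begin with SSH enablement
            seen, nxt = [kind], 1
            for ts, k in evs[i + 1:]:
                if ts - start > window:
                    break                     # outside the correlation window
                if nxt < len(STAGES) and k == STAGES[nxt]:
                    seen.append(k)
                    nxt += 1
            if len(seen) >= min_stages:
                hits[host] = seen
                break
    return hits

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))  # only esxi-01 trips the rule
```

The second host shows why the time window matters: enabling SSH for maintenance and rotating the root password a day later is normal administration and must not fire the rule.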

Allowlist and block known bad things – Have a good idea of what people in your organization should be looking at while they’re working, what software they’re using, and what devices they should be talking to online. Take the time to allowlist approved apps and processes.

Commodity malware infection is a precursor to ransomware attacks

“Malware that was initially used as a banking Trojan turned into a primary access tool. Wizard Spider uses TrickBot as a first access tool to spread Ryuk and Conti ransomware. Indrik Spider uses Dridex for BitPaymer or WastedLocker, and Carbon Spider uses Sekur/Anunak for REvil or Darkside,” Lowe said. “I want to assure those of you who deal with CISOs or the C-suite directly that infections caused by so-called commodity tools, Trojans or downloaders, can lead to major ransomware attacks. If you have a problem with Emotet, you probably have a problem with TrickBot. If you have a problem with TrickBot, you will have a problem with Ryuk or Conti.”

Time is of the essence after discovering commodity tools. “If you can’t detect, respond and treat within an hour, there’s no way you can catch up,” Lowe said. “So you have to treat those potentially dangerous infections even if they are called commodity tools.”


Sprite Spider’s kill chain could be compared to the nation-states of ten years ago

The kill chain of Sprite Spider and some other emerging major ransomware groups resembles the early behavior of nation-state actors. “It’s actually almost identical to the same kill chain that we were dealing with ten years ago with advanced persistent threat groups,” Frankoff said. “It’s the same steps taken, but the end goal is different.”

“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically North Korea,” Adam Meyers, CrowdStrike’s senior vice president of intelligence, told CSO. He says Iran and China are also getting into the ransomware game. “It’s not necessarily the nation-state that does the attack, but [cybercriminals] are using the skills they learned [working with nation-state attackers] to make a little extra money on the side. Individuals involved with the nation-state are moonlighting in ransomware attacks.”

The increasing sophistication of ransomware requires strong defenses

Whatever the case, ransomware attackers are getting more sophisticated and powerful all the time. “In 2020, it was clear that the development and targeted use of ransomware in some sectors, such as education networks and entities, was common practice by threat actors,” Mark Ostrowski, Check Point Software’s head of engineering for the East, told CSO. “In 2021, we can expect that to continue, and based on initial reports, groups like Sprite Spider and others may specifically target the interests that generate the most revenue.”

CrowdStrike’s Meyers has five recommendations for how organizations can best defend themselves against the most destructive ransomware. First, “you need to prepare for the defense. You have to do basic table stakes type things, things like tinkering,” he says.

Second, follow the 1-10-60 rule. “You should be able to identify things in about a minute, investigate them in ten minutes, and respond to them in about an hour. If you can do that, you may be in a position to prevent those attackers from moving through your organization.”

Third, to deal with the evolving nature of ransomware, use next-generation protection, because traditional antivirus software does not protect against these types of new threats. “Next-generation protection uses something called machine learning or artificial intelligence. Machine learning really allows you to identify malware or files without ever seeing them,” says Meyers.

Fourth, practice is essential. “I always coach boards and CEOs to run routine tabletop drills.”


Finally, know who the enemies are. “If you understand who your menacing attackers are and how they operate, you are in a better position to defend against them going forward.”

Mark Weatherford, chief strategy officer at the National Center for Cybersecurity and a former DHS cybersecurity official in the Obama administration, believes it will take an international effort to tackle the growing ransomware scourge.

“Until there is more discussion about international politics, I think we will see these things grow,” he told CSO. “What we need is a joint international effort from countries around the world to say this is no longer acceptable.” The multinational collaboration last week that took down the Emotet infrastructure, which was used to deliver ransomware, indicates that this is now happening.
