Motivated by profit, hackers are changing the way they target companies with ransomware, suggests a recent report from FireEye. While earlier methods were defined by the scattergun methodology, newer tactics are far more shrewd.
The scattergun approach is quite simple. Hackers cast a wide net, hoping to infect as many individual machines as possible, and then extort the victims for an average of $500-$1,000.
However, recent campaigns targeting entire industrial and critical infrastructure organisations have shifted to a more "operationally complex post-compromise approach".
Once a machine is infected, hackers now perform internal reconnaissance, moving laterally across the target network before actually deploying ransomware. By first scouting out the landscape, they are able to identify key data and devices, lock up the most critical assets and then negotiate from a privileged position.
Financially motivated hackers were also said to be capable of "pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations".
FireEye believes mature hackers will “gradually broaden” their selection from only IT and business processes into OT asset monitoring and controlling physical processes.
The company says the move is “apparent” in ransomware families like SNAKEHOSE, which is designed to execute its payload only after stopping a series of processes that include industrial software.
Further investigation revealed SNAKEHOSE is capable of killing more than 1,000 processes.
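The pre-encryption behaviour described above, a burst of process terminations that includes industrial software, leaves a detectable trace in endpoint process-termination logs. The following is an added example (not code from the FireEye report or from any real kill list): the event format, the watchlist image names and the sample log are constructed for illustration, and the window and thresholds are assumed starting points to tune per environment.

```python
"""Flag a SNAKEHOSE-style kill burst in process-termination telemetry."""
from collections import deque
from datetime import datetime, timedelta

# Constructed watchlist standing in for HMI/historian/OPC software on a site;
# these names are placeholders, not the real SNAKEHOSE kill list.
WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe", "scada_client.exe"}

def parse_event(line):
    """Parse 'timestamp|event|image' (constructed format); return (datetime, image) for terminations."""
    ts, event, image = line.split("|")
    if event != "ProcessTerminate":
        return None
    return datetime.fromisoformat(ts), image.rsplit("\\", 1)[-1].lower()

def detect_kill_burst(lines, window=timedelta(seconds=30), min_total=5, min_watchlist=2):
    """Alert when a sliding window holds many terminations, several of them watchlisted software."""
    alerts, recent = [], deque()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, image = parsed
        recent.append((ts, image))
        while recent and ts - recent[0][0] > window:  # drop events outside the window
            recent.popleft()
        hits = sorted({img for _, img in recent if img in WATCHLIST})
        if len(recent) >= min_total and len(hits) >= min_watchlist:
            alerts.append({"end": ts, "terminated": len(recent), "watchlist_hits": hits})
            recent.clear()  # one burst yields one alert
    return alerts

SAMPLE_LOG = [  # constructed: a routine service restart, then a kill burst an hour later
    "2020-03-01T08:00:00|ProcessTerminate|C:\\OT\\historian_svc.exe",
    "2020-03-01T08:00:01|ProcessCreate|C:\\OT\\historian_svc.exe",
    "2020-03-01T09:15:00|ProcessTerminate|C:\\Windows\\System32\\notepad.exe",
    "2020-03-01T09:15:01|ProcessTerminate|C:\\OT\\hmi_runtime.exe",
    "2020-03-01T09:15:01|ProcessTerminate|C:\\OT\\opc_server.exe",
    "2020-03-01T09:15:02|ProcessTerminate|C:\\Program Files\\Backup\\backup.exe",
    "2020-03-01T09:15:02|ProcessTerminate|C:\\OT\\scada_client.exe",
]

if __name__ == "__main__":
    for alert in detect_kill_burst(SAMPLE_LOG):
        print(alert)
```

The single restart at 08:00 stays below both thresholds, while the 09:15 burst raises one alert naming the three watchlisted images it contained.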