Organizations today already have an overwhelming number of dangers and threats to look out for, from spam to phishing attempts to new infiltration and ransomware tactics. There is no chance to rest, since attack groups are constantly looking for more effective means of infiltrating and infecting systems.
Today, there are hundreds of groups devoted to infiltrating almost every industry, constantly devising more sophisticated methods to attack organizations.
It's even more troubling to note that some groups have started to collaborate, creating complex and stealthy tactics that leave even the best security teams scrambling to respond. Such is the case noted by XDR Provider Cynet, as the company observes in its newest Research Webinar (register here).
Cynet's research team noted that two of the most infamous attack groups – Lunar Spider and Wizard Spider – have started working together to infect organizations with ransomware.
The development is certainly troubling, and the report shows why security teams and professionals must constantly be looking at the whole picture, not just the result of an attack.
Combining attacks for greater impact
Cynet's researchers first noticed something was amiss as they were studying IcedID malware, developed by Lunar Spider. Originally observed in the wild in 2017, IcedID is a banking Trojan that has targeted the financial sectors in both the US and Europe. After it was initially revealed, Lunar Spider shifted IcedID's modus operandi to enable it to deploy additional payloads, such as Cobalt Strike.
The researchers also studied the CONTI ransomware, a relatively new attack approach developed by Wizard Spider that's already in the FBI's crosshairs. This "ransomware-as-a-service" (RaaS) has been spotted in the US and Europe and has already wreaked havoc on many organizations and networks.
Cynet first suspected the connection between the two organizations as it was exploring a case of CONTI ransomware that used many familiar tactics, though not ones traditionally deployed by the Wizard Spider group.
During the investigation, the team discovered that CONTI was being deployed through malware campaigns that used IcedID as an initial point of attack. After establishing persistence on targets' devices, IcedID deployed a CONTI ransomware variant to lock the network.
Understanding the risks
The new Cynet Research Webinar will dive deeper into the anatomy of this collaboration to explain why it's so troubling, but also how it can be detected and combatted. The webinar will discuss:
- The background of the attack groups. Both Lunar Spider and Wizard Spider are well known and highly dangerous. Their existing malware and other tools are widely popular and present in many notable breaches and attacks. Before exploring their tools, the webinar will break down each group.
- The increasing popularity of ransomware attacks. These tactics have become widespread and are expected to cost organizations hundreds of billions of dollars in the next decade. To truly comprehend how to combat this new attack tactic, it's worth establishing how ransomware works, and some common tactics.
- The anatomy of a combined IcedID and CONTI attack. The webinar will break down a case study of this new attack tactic. Unlike some other ransomware attacks, this new method uses techniques from both to create persistence, avoid detection, and lock systems before organizations can react. Moreover, they're increasingly using "double extortion" methods, which both lock data and threaten leaks if payment isn't received.
You can register to the webinar here.