How hackers use ransomware to hide data breaches and other attacks

Most ransomware is used simply to make money. However, it can also be used as part of an attacker’s exit strategy to wipe out forensic evidence of a more serious breach.

Although ransomware attacks are on the decline — Darktrace suggests infections have decreased by as much as 28 percent between 2017 and 2018 — the threat these extortion attacks pose is still very real, and for reasons beyond disruption to operations. More sophisticated attackers are using ransomware to cover their tracks in a more serious attack.

This gives ransomware victims another worry in addition to business disruption and recovery costs: Was the attack really just to extort money, or is it a cover for something more sinister? Answering that question requires ransomware victims to take due diligence steps after the attack.

When ransomware is being used to cover tracks

Similar to how threat actors use DDoS attacks as a distraction technique to hide more serious attacks going on in the background, security researchers are finding that attackers are using ransomware as part of their exit strategy to help cover up and erase clues of a more serious incident. Though delivered through the same means as regular ransomware — usually a phishing email carrying a link or an attachment loaded with a malicious file — the goal is both to delete potential forensic breadcrumbs and to bet that organizations won’t investigate further after recovering from the ransomware infection.

“The typical use case for ransomware is a shotgun approach type distribution campaign of dropping ransomware on people's machines, and then you charge them for getting their data or services back,” says Israel Barak, CISO at Cybereason. “Another use case is for covering tracks. These tools have the façade of ransomware: They would encrypt data, they would post a ransom note, and they would ask for money. They will even give you details on how to pay, but they're used to remove things from the endpoint while throwing off defenders into believing that the reason why that data was lost was because of a random hit by ransomware.”
