Ransomware Turns Cobalt Strike Into an Attack Vector

This past summer, Skybox Security published a mid-year update to its 2020 Vulnerability and Threat Trends Report which analyzed the threats and vulnerabilities at work during the first half of the year and how they’ve been exacerbated by the COVID-19 pandemic. While the report offers valuable insight into several findings, this article intends to focus on one in particular. The key finding in question states, “Ransomware thrives during COVID-19 pandemic, with new samples increasing by 72 percent.” Ransomware continues to dominate the threat landscape, and the pandemic has only increased the severity of this threat. Every week we see a new company or organization fall victim to a ransomware attack such as Garmin, the University of Utah, and Cannon, just to name a few over the past month alone. Ransomware often uses trojans, embedded in email attachments, to infect networks and computers. For the last five quarters, ransomware has been a dominant cyberthreat, but now we're seeing it shift from using normal trojans such as emotet or trickbot to using a toolkit called Cobalt Strike.

What is Cobalt Strike

Cobalt Strike is a tool kit designed for penetration testing and threat emulation. While this tool is supposed to be used ethically for vulnerability detection and remediation processes, attackers have found a way to use it for just the opposite. Threat intelligence group Cisco Talos Incident Response (CTIR) explains that 66% of all ransomware attacks involved Cobalt Strike last quarter, suggesting that threat actors are turning to this tool more and more as they abandon their usual methods. The main features of this toolkit are reconnaissance, attack packages, spear phishing, collaboration, post-exploitation, covert communication, browser pivoting, and reporting, and logging. This software is giving threat actors the building blocks to allow them to focus on the more profitable parts of their attack.

Protecting from Ransomware

There are a few different things that a company or organization can do to better protect their network and users:

• Have strong email protection: Email is still the largest attack vector for many cyber threats because, unfortunately, phishing works. Phishing emails often contain links or attachments embedded with malware. Continuous email training will prevent users from clicking on suspicious links and attachments and gives them the knowledge to identify the signs of a phishing campaign.
• Use a policy of least privilege: Give users the least amount of privilege, which restricts a user’s rights in the network. This can reduce a user's ability to laterally move through the network since it can then disable features such as executing PowerShell scripts and running commands in the command prompts.
• Back up critical data: This is probably the most important step since human error is always a risk with the previous steps. Being proactive is the key to avoiding a disastrous ransomware situation. Having backups of your data handy in the event of a ransomware attack allows you to have the power and not be forced to pay the ransom. While reimaging any computer can be tedious, it will likely be much cheaper than paying the ransom.  
• Do not pay any ransom: This should be the ABSOLUTE last option. This will only encourage attackers to keep using ransomware if victims pay the ransom. This option seems hard to do if they took sensitive data, but even if you pay the ransom, there is no guarantee that they won’t sell the data anyway.