
Exploiting Unpatched Systems: Latest in Ransomware Trends

Michael Sikorski of Palo Alto Networks on Evolving Ransomware Strategies
Michael Sikorski, vice president of threat intelligence and CTO, Unit 42, Palo Alto Networks

Ransomware attackers are increasingly shifting their initial access strategy from phishing to exploiting external vulnerabilities. With Russian hackers leading the charge, attackers target vulnerabilities in systems including VPNs, firewalls and remote desktop solutions, which are "hard to just unplug, patch and replug," said Michael Sikorski, vice president of threat intelligence and CTO, Unit 42, Palo Alto Networks.


Attackers exploit the gaps between vulnerability disclosure and patching, using recycled techniques to maximize efficiency. Sikorski cited the continued use of a Microsoft Outlook vulnerability by Russian hackers for over 20 months as an example.

"Attackers will use what works," he said. "If it's something that's been out a long time, something that's easy for them to build, that's the best thing for them to use because then they could save their fancy capabilities, the zero-day attacks, for high-value targets. One thing we'll see is they'll recycle and reuse those things over and over again."

In this video interview with Information Security Media Group at Black Hat 2024, Sikorski also discussed:

  • Using AI to automate phishing, lateral movement and malware creation;
  • How defenders are integrating AI into their red-teaming efforts to simulate adversarial activity;
  • How Russian hackers exploit persistent vulnerabilities to maximize attacks.

Sikorski is an industry expert in reverse engineering. He has more than 20 years of experience working on high-profile incidents and leading R&D teams and previously worked at Mandiant and the NSA.


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



