
TEST DOC template

2020 is off to a rocky start for the world. Cybersecurity is no exception.

The Alsid Research Team is hard at work compiling the findings and forecasts you need for the year to come.

A comprehensive approach

Anticipate Threats

Proactively harden your directory infrastructure

Bring vulnerabilities and weak configurations to light and maintain strong security boundaries through time

AD admins, Blue Teams, & Auditors

Detect Attacks


Detect attacks in true real-time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM & SOAR integrations

Enable your Threat Hunters with AD-native investigation capabilities

SOC Analysts & Threat Hunters

Respond To Breaches


Replay attacks and hunt for patient zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident Responder

The features we are proud of

Cutting-edge security technology

Harden, protect, respond
All your practices extended to your most vital IT asset: AD

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins who are new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

2019 Q4: Main five tendencies

Ransomware as a Service (RaaS)

Attackers Getting Sloppy and Caught

Maze Ransomware Cartel Grows

Ransomware Causing Actual Deaths

Ransomware Negotiators

Attacks from China on the rise

  • Observation shows Chinese non-state cybercriminals transforming from small organizations into well-organized criminal groups targeting international organizations
  • Asia is the focus of attack, and advanced ransomware targeting Active Directory for fast movement is the main attack vector
  • 800+ million people have Internet access in China: as the number increases, more criminal groups are engaging in cybercriminal activities to increase revenues
  • Cybercriminal activity from China is growing at an annual rate of 30%
  • According to dark web marketplaces, stolen data provided by Chinese actors is growing at a rate of 23% every year
  • Chinese cybercriminal activity exceeds $15 billion USD. A recent Chinese study provided figures on the Chinese cybercriminal underground:
  • An estimated 400,000 people are working for cybercriminal groups in China
  • Dark web marketplaces are not easily accessible for Chinese cybergroups because the government still blocks access to Tor and anonymous Internet access – so the dark web is only used to sell services (e.g. malware customization) or stolen data
  • Many of the Chinese cybergroups are using « classic » forums (e.g. Weibo or Baidu) and « language codes » to exchange information between groups:

Devices, computers, or servers

Chicken meat: 鸡肉

Stolen accounts or passwords

Letters/envelopes: 字母 / 信封

Tracking material: 追踪材料

Stolen financial data or credit cards

Fishing boxes: 钓鱼箱

Phishing tactics using Coronavirus crisis

New cyberattacks exploit your fears with phishing emails designed to steal money, get personal information, and infect computers

This email is not from the CDC. It’s a phishing attack designed to harvest user names and passwords from people who click on the link. The link looks like it will take you to a website about the coronavirus. It will not.

You land on a fake Microsoft Outlook login page, created to steal usernames and passwords. Criminals control this fake Outlook page.

Once they capture your login credentials, they can use them to access your email account and look for anything valuable.

An email will ask to open a document to explain about Coronavirus « care ». Another email will ask you for Bitcoin.

Ransomware attacks: impacts still escalating

  • Malware threat rates and detection numbers are in line with those of Q4 2019
  • Malware automation and industrialization are increasing (estimated to grow 13% over Q4 2019)
  • New Ransomware-as-a-service platforms are spreading: better service offers and more advanced technical capabilities

MacOS is now a new attack vector

  • Adware infections by OS for 2019 and Q1 2020:
    • Windows OS: 24 million
    • MacOS: 30 million
  • Average number of threats by OS for 2019 and Q1 2020:
    • Windows OS: 6 threats per endpoint
    • MacOS: 11 threats per endpoint
  • Rise of MacOS threats: increase of 400% in 2019 and Q1 2020 compared to 2018!

AD used for lateral movement and privilege escalation

  • Threat sophistication increased, with many more attacks using exploits, credential stealing tools, or multi-step attacks
  • Mass infections targeting large organizations increased – AD usage is now a « by design » behavior: embedded Mimikatz increased by 42% during Q1 2020 compared to Q3/Q4 2019
  • Emotet & Trickbot trojans are still increasing: the top 5 infections during Q1 2020 were using Emotet or Trickbot
  • MacOS integrated in Active Directory appears to be a good new attack vector to infect whole organizations

The rise of

  • Definition: « ransomware-as-a-service is abbreviated as RaaS. This is a form of software-as-a-service (SaaS) used by underground vendors to threaten actors by providing them a ransomware platform tool. »
  • Ransomware-as-a-service (RaaS) borrows from the software-as-a-service (SaaS) model. This subscription-based model enables even the novice cybercriminal to launch ransomware attacks without much difficulty.

You can find various RaaS packages on the market that reduce the need to have much technical knowledge of how to create ransomware. This malicious model allows anyone to become an « affiliate » of an established RaaS package or service.

RaaS example: Sodinokibi.

Sodinokibi attack methods include:

> Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725
> Malicious spam or phishing campaigns with links or attachments
> Malvertising campaigns that lead to the RIG exploit kit, an avenue that GandCrab has used before
> Compromised or infiltrated managed service providers (MSPs) to push the ransomware en masse. This is done by accessing networks via a remote desktop protocol (RDP) and then using the MSP console to deploy the ransomware
> Evading detection through the "Heaven’s gate" technique used to execute 64-bit code on a 32-bit process, which allows malware to run

Sodinokibi ransomware business detections 2019

Other examples:


RaaS business model


RaaS factory: creation of a RaaS offer and publication on dark web


Beginner will go to the RaaS platform and ask for a ransomware kit


The RaaS factory will automatically create a ransomware code with an affiliate number + step-by-step information for how to launch a ransomware campaign, etc


Beginner will use the RaaS to deploy, infect organizations, and demand ransom


Once the organization pays the ransom, 50% of the money goes to the beginner, 50% of the money goes to the RaaS factory

Q1 2020: Attack examples

Provide field-tested products with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized worldwide and awarded by numerous prestigious prizes
