Skip to content

Threat Intel Report Q3 2020

A comprehensive approach

Anticipate threats


Proactively harden your directory infrastructure

Uncover vulnerabilities and weak configurations to maintain strong security boundaries

AD admins, blue teams, and auditors

Detect attacks


Detect attacks in real time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM and SOAR integrations

Enable your threat hunters with AD-native investigation capabilities

SOC analysts and threat hunters

Respond to breaches


Replay attacks and hunt for patients zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident responders

The features we are proud of

Cutting-edge security technology

Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making
and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

Q3 2020

Ransomware as a service (RaaS)

Attackers getting sloppy and caught

Maze ransomware cartel growing

Ransomware causing actual deaths

Ransomware negotiators

Ransomware as a service (RaaS)

  • Subscription-based malicious model enables even the novice cybercriminal to launch ransomware attacks without much difficulty
  • Commonly used by cybercriminals who don’t have much technical knowledge of how to create ransomware, this malicious model allows anyone to become an “affiliate” of an established RaaS package or service
  • This vicious model is so enticing to some cybercriminals that you can even see the RaaS providers’ advertisements on the dark web
  • You can find a number of RaaS operations in different forms and names on the dark web, including Cerber, Satan, Atom, Hostman, and Philadelphia

Attackers getting sloppy and caught

  • Kathryn Nguyen, together with an associate, hacked a 56-year-old person’s cryptocurrency account, transferred the XRP into a Chinese crypto exchange, traded it into Bitcoin, then transferred these coins into multiple wallet addresses… sentenced to 2 years and 3 months in prison
  • Tyler C. King was convicted of creating unauthorized admin accounts and giving them access to proprietary company info plus real-time access to executives’ email, personal files, and financial records…. sentenced to 57 months in prison
  • Andrew Miller, pleaded guilty to one count of conspiracy and two counts of computer fraud for actions committed between 2008 and 2011 when he was part of the Underground Intelligence Agency hacking group… sentenced to 18 months in prison
  • Joseph Sullivan, Uber’s former Chief Security Officer, was charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers… charged with obstruction of justice and misprision of a felony

Maze ransomware
cartel growing

Ransomware causing actual deaths

  • June 2020: ransomware gangs teamed up to extort victims in a shared platform, as well as to share tactics and intel
  • August 2020: SunCrypt also joined the Maze cartel to go after big companies together
  • Today the Maze cartel includes at minimum: LockBit, Ragnar Locker, and SunCrypt
  • Before joining the cartel, SunCrypt had little communication or interaction with Maze, now they have a two-way communication channel
  • SunCrypt joined the cartel to help with the volume, stating, “They just can’t handle all the available field of operations. Our main specialization is ransomware attacks”
  • Like any cartel, the goal is to make money and gain control; SunCrypt clearly stated that they “share revenue from the successful operation”
  • IP address range, 91.218.114[.]31, has been tied to both Maze and SunCrypt
  • Interestingly, Maze has on many occasions denied that they are in any way related to SunCrypt
  • Dusseldorf University Clinic was hit by attackers in mid-September
  • Forensics found that the incident exploited a vulnerability in a “widely used commercial add-on software”, which was not mentioned specifically
  • Immediately after the attack, the IT systems at the hospital gradually “crashed”, preventing access to hospital data
  • This caused an immediate halt to all operations
  • A woman needing emergency attention was transported to a neighboring hospital in Wuppertal for treatment
  • The additional delay (60 minutes) was deadly, as the woman died due to the additional time to transport her 20 minutes to the neighboring hospital
  • Police used the contact details in the ransom message to inform the attackers of the death due to the attack
  • The attackers provided a digital decryption key, stopped the extort of funds, and have not responded since

Ransomware negotiators

  • Negotiators can help scale down financial demands, arrange tricky cryptocurrency payments, and assist with data restoration
  • Often negotiators are technical specialists or former law enforcement officers trained in the art of hostage and terrorist negotiations
  • One negotiator remembers a negotiation where the initial demand was $80 million, which was reduced to $45 million, and ultimately paid nothing; the hacker was inexperienced and most likely used RaaS
  • The city of Florence, Alabama, hired a ransomware negotiator and was able to reduce the ransom by 25%, as well as extend the payment deadline through the weekend
  • Steve Holt, Mayor of Florence, Alabama – “We have a million-dollar system, we have IT professionals in it. But [the hackers] didn’t come at us with brute force, they just found an opening and got in,” he said. “Anybody can unknowingly, unwittingly, open an email that they shouldn’t have opened.”

Ransomware trends

Non-compliant victim data is posted on the web

  • University Hospital, Newark, New Jersey
  • SunCrypt ransomware leaked 1.7GB of the 240GB of data stolen
  • Authorization forms, driver’s licenses, SSNs, DOBs, and records about the Board of Directors were posted online
  • LG and Xerox
  • Maze ransomware leaked 50.2GB of LG’s data and 25.8GB of Xerox’s data
  • Closed-source firmware for phones and laptops, and customer support operations data were leaked

“The U.K. National Cyber Security Centre (NCSC), has issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks.”

Universities targeted as students return

Many suggestions were made to ensure security, but at the top of the list was, “Effective vulnerability management and patching procedures”

Reasons for the increased attacks on education include: Volume of personal data – birthdates, SSN, direct deposit, etc. Data is kept a long time.

Hard stats

Cybercrime will cost
the world

$6 trillion by 2021

A ransomware attack
will succeed every

11 seconds by 2021

It takes 196 days, on average,
to identify a data breach

6.5+ months

52% of breaches
were due to


33% of breaches
were due to

phishing attacks

How many company’s folders
are properly protected


How many cybersecurity pros say
their team is understaffed


Chances of becoming a
victim of cyberattack


Attack examples

Our solutions

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized and awarded worldwide

Comments are closed.

Download pdf

Want more insights?

Contact us