Keyword Searches During Ransomware Attacks
Ransomware actors historically conducted “smash and grab” operations, where they would take everything they could from the victim, lock their files and demand Bitcoin to restore access, said David Dufour, Webroot’s senior vice president of cybersecurity and engineering. But adversaries have increasingly turned to keyword searching and other reverse-engineering techniques to obtain crown jewels.
One of the first things threat actors will search for is the victim’s cyberinsurance policy to determine how large of a ransom they should ask for, according to Dufour. From there, Dufour said hackers will look to get their hands on records that are protected by regulations like HIPAA so that they can demand a larger ransom from the victims.
Adversaries have automated the process of scanning devices, servers and other areas of the victim’s environment for documents that contain certain keywords, according to Dufour. Files that contain data with the requested keyword are dumped into bins that can be manually inspected, analyzed and—if valuable—encrypted, Dufour said.
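The same keyword-driven discovery that the article describes attackers automating is something a defender can run first, to find where regulated records, insurance paperwork and stray credentials actually sit and move or restrict them before an intrusion. The script below is an added example, not code from the article or from Webroot; the keyword groups, regular expressions, file-type filter and the small constructed sample tree are my own assumptions chosen to mirror the categories Dufour mentions (cyber-insurance policy, HIPAA-protected records). It walks a directory, sorts matching files into per-category bins and reports them, which is the defender's-side equivalent of the binning the article describes.

```python
import os
import re
import tempfile
from collections import defaultdict

# Keyword groups and patterns are assumptions for this example; tune them to
# the regulations and document types that matter in your environment.
KEYWORD_GROUPS = {
    "insurance": [r"cyber\s*insurance", r"policy\s+number", r"coverage\s+limit"],
    "hipaa": [r"\bHIPAA\b", r"protected\s+health\s+information", r"\bPHI\b",
              r"medical\s+record"],
    "credentials": [r"\bpassword\s*[:=]", r"api[_\s-]?key", r"\bsecret\s*[:=]"],
}
COMPILED = {group: [re.compile(p, re.IGNORECASE) for p in pats]
            for group, pats in KEYWORD_GROUPS.items()}

# Only plain-text formats are read; office/PDF formats would need a text
# extractor, which is out of scope here.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log", ".json", ".ini", ".cfg"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files to bound scan time


def classify_text(text):
    """Return {group: hit_count} for every keyword group present in text."""
    hits = {}
    for group, patterns in COMPILED.items():
        count = sum(len(p.findall(text)) for p in patterns)
        if count:
            hits[group] = count
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: {group: hits}} for matching files."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            hits = classify_text(text)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def summarize(results):
    """Invert scan results into per-category bins: {group: [paths...]}."""
    by_group = defaultdict(list)
    for path, hits in results.items():
        for group in hits:
            by_group[group].append(path)
    return {group: sorted(paths) for group, paths in by_group.items()}


# Constructed sample tree; every value is fictitious demo content.
SAMPLE_FILES = {
    "finance/cyber_policy_2023.txt":
        "Cyber Insurance policy number CP-0000-EXAMPLE, coverage limit $5,000,000.",
    "clinic/intake_notes.txt":
        "Medical record for patient; contains Protected Health Information under HIPAA.",
    "it/legacy_script.cfg": "db_host=localhost\npassword=CHANGEME\n",
    "hr/holiday_schedule.txt": "Office closed on public holidays.",
    "media/logo.png": "binary placeholder",  # wrong extension, skipped
}


def build_sample_tree(base):
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the bins."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for group, paths in sorted(run_demo().items()):
        print(f"{group}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run against a real share by replacing `run_demo()` with `summarize(scan_tree("/path/to/share"))`; the output is a list of locations to review for access controls, retention and, for the insurance policy in particular, whether it needs to be reachable from the general file server at all.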