Perpetual IT

Chinese “fast fashion” brand SHEIN is no stranger to controversy, not least because of a 2018 data breach that its then-parent company Zoetop failed to spot, let alone to stop, and then handled dishonestly.

As Letitia James, Attorney General of the State of New York, said in a statement at the end of 2022:

SHEIN and [sister brand] ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data. […]

[P]ersonal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.

At the time of the New York court judgment, we expressed surprise at the apparently modest $1.9 million fine imposed, considering the reach of the business:

Frankly, we’re surprised that Zoetop (now SHEIN Distribution Corporation in the US) got off so lightly, considering the size, wealth and brand power of the company, its apparent lack of even basic precautions that could have prevented or reduced the danger posed by the breach, and its ongoing dishonesty in handling the breach after it became known.

Snoopy app code now revealed

What we didn’t know, even as this case was grinding through the New York judicial system, was that SHEIN was adding some curious (and dubious, if not actually malicious) code to its Android app that turned it into a basic sort of “marketing spyware tool”.

That news emerged earlier this week when Microsoft researchers published a retrospective analysis of version 7.9.2 of SHEIN’s Android app, from early 2022.

Although that version of the app has been updated many times since Microsoft reported its dubious behaviour, and although Google has now added some mitigations into Android (see below) to help you spot apps that try to get away with SHEIN’s sort of trickery…

…this story is a strong reminder that even apps that are “vetted and approved” into Google Play may operate in devious ways that undermine your privacy and security – as in the case of those rogue “Authenticator” apps we wrote about two weeks ago.

The Microsoft researchers didn’t say what piqued their interest in this particular SHEIN app.

For all we know, they may simply have picked a representative sample of apps with high download counts and searched their decompiled code automatically for intriguing or unexpected calls to system functions in order to create a short list of interesting targets.

In the researchers’ own words:

We first performed a static analysis of the app to identify the relevant code responsible for the behavior. We then performed a dynamic analysis by running the app in an instrumented environment to observe the code, including how it read the clipboard and sent its contents to a remote server.

SHEIN’s app is designated as having 100M+ downloads, which is a fair way below super-high-flying apps such as Facebook (5B+), Twitter (1B+) and TikTok (1B+), but up there with other well-known and widely-used apps such as Signal (100M+) and McDonald’s (100M+).

Digging into the code

The app itself is enormous, weighing in at 93 MBytes in APK form (an APK file, short for Android Package, is essentially a compressed ZIP archive) and 194 MBytes when unpacked and extracted.

It includes a sizeable chunk of library code in a set of packages with a top-level name of com.zzkko (ZZKKO was the original name of SHEIN), including a set of utility routines in a package called com.zzkko.base.util.

Those base utilities include a function called PhoneUtil.getClipboardTxt() that will grab the clipboard using standard Android coding tools imported from android.content.ClipboardManager:

Searching the SHEIN/ZZKKO code for calls to this utility function shows it’s used in just one place, a package intriguingly named com.zzkko.util.­MarketClipboardPhaseLinker:

As explained in Microsoft’s analysis, this code, when triggered, reads in whatever happens to be in the clipboard, and then tests to see if it contains both :// and $, as you might expect if you’d copied and pasted a search result involving someone else’s website and a price in dollars:

If the test succeeds, then the code calls a function compiled into the package with the unimaginative (and presumably auto-generated) name k(), sending it a copy of the snooped-on text as a parameter:

As you can see, even if you’re not a programmer, that uninteresting function k() packages the sniffed-out clipboard data into a POST request, which is a special sort of HTTP connection that tells the server, “This is not a traditional GET request where I’m asking you to send me something, but an upload request in which I’m sending data to you.”

The POST request in this case is uploaded to the URL https://api-service.shein.com/marketing/tinyurl/phrase, with HTTP content that would typically look something like this:

 POST //marketing/tinyurl/phrase Host: api-service.shein.com . . . Content-Type: application/x-www-form-urlencoded phrase=...encoded contents of the parameter passed to k()...

As Microsoft graciously noted in its report:

Although we’re not aware of any malicious intent by SHEIN, even seemingly benign behaviors in applications can be exploited with malicious intent. Threats targeting clipboards can put any copied and pasted information at risk of being stolen or modified by attackers, such as passwords, financial details, personal data, cryptocurrency wallet addresses, and other sensitive information.

Dollar signs in your clipboard don’t invariably denote price searches, not least because the majority of countries in the world have currencies that use diferent symbols, so a wide range of personal information could be siphoned off this way…

…but even if the data grabbed did indeed come from an innocent and unimportant search that you did elsewhere, it would still be no one else’s business but yours.

URL encoding is generally used when you want to transmit URLs as data, so they can’t be mixed up with “live” URLs that are supposed to be visited, and so that they won’t contain any illegal characters. For example, spaces aren’t allowed in URLs, so they’re converted in URL data into %20, where the percent sign means “special byte follows as two hexadecimal characters”, and 20 is the hexadecimal ASCII code for space (32 in decimal). Likewise, a special sequence such as :// will be translated into %3A%2F%2F, because a colon is ASCII 0x3A (58 in decimal) and a forward slash is 0x2F (47 in decimal). The dollar sign comes out as %24 (36 in decimal).

What to do?

According to Microsoft, Google’s response to this kind of behaviour in otherwise-trusted apps – what you might think of as “unintentional betrayal” – was to beef up Android’s clipboard handling code.

Presumably, making clipboard access permissions very much stricter and more restrictive would have been a better solution in theory, as would being more rigorous with Play Store app vetting, but we’re assuming that these response were considered too intrusive in practice.

Loosely speaking, the more recent the version of Android you have (or can upgrade to), the more restrictively the clipboard is managed.

Apparently, in Android 10 and later, an app can’t read the clipboard at all unless it’s running actively in the foreground.

Admittedly, this doesn’t help much, but it does stop apps you’ve left idle and perhaps even forgotten about from snooping on your copying-and-pasting all the time.

Android 12 and later will pop up a warning message to say “XYZ app pasted from your clipboard”, but apparently this warning only appears the first time it happens for any app (which might be when you expected it), not on subsequent clipboard grabs (when you didn’t).

And Android 13 automatically wipes out the clipboard every so often (we’re not sure how often that actually is) to stop data you might have forgotten about lying around indefinitely.

Given that Google apparently doesn’t intend to control clipboard access as strictly as you might hope, we’ll repeat Microsoft’s advice here, which runs along the lines of, “If you see something, say something… and vote with your feet, or at least your fingers”:

Consider removing applications with unexpected behaviors, such as clipboard access […] notifications, and report the behavior to the vendor or app store operator.

If you have a fleet of company mobile devices, and you haven’t yet adopted some form of mobile device management and anti-malware protection, why not take a look at what’s on offer now?

YOU MUST HAVE THIS CHIP! EVEN IF IT HAS BUGS!

Memories of Michelangelo (the virus, not the artist). Data leakage bugs in TPM 2.0. Ransomware bust, ransomware warning, and anti-ransomware advice.

With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.

READ THE TRANSCRIPT

Even if you’re not entirely sure what a TPM is, you’ll probably know that if you want to run Windows 11, you need one.

More precisely, you need a TPM 2.0 (although there’s an official Microsoft workaround to get by with TPM 1.2, the previous, incompatible version of the technology).

TPM is short for trusted plaftorm module, a encryption-and-cybersecurity gizmo that was invented by an industry grouping known as the TCG, short for trusted computing group, whose controlling members, known as Promoters, are AMD, Cisco, Dell, Hewlett Packard Enterprise, HP, Huawei, IBM, Infineon, Intel, Juniper, Lenovo, Microsoft and Toyota.

TPMs are sometimes implemented as a miniature plug-in board (usually with 14 or 20 pins in two rows of 7 or 10) that plugs into a designated TPM socket on your computer’s motherboard.

Hardware TPMs of this sort contain a tiny, dedicated coprocessor with its own secure storage that provides a range of security-related functionality, including hardware random number generation, trusted creation of cryptographic keys, and secure digital signatures.

Other TPMs work by building the functionality into the regular firmware of your computer, or even by running a software-level emulator.

Obviously, a software TPM that runs as a Unix daemon or a Windows service under your regular operating system is handy when you want to run multiple VMs, or virtual machines, in order to simulate multiple computers on a single device. But a software TPM can only be activated once your operating system has loaded, so you can’t use this solution to install Windows 11 on a computer without a hardware-level or firmware-level TPM. Windows 11 insists that you have a TPM ready and active before Windows itself starts up.

It’s all about security (and other things)

One reason for forcing users to have a TPM is to secure the bootup process to stop attackers tampering with your BIOS or computer firmware and installing malware that loads before the operating system itself even gets going.

Another more controversial reason for requiring a TPM, especially in consumer laptops, is to use it for what’s known as DRM, or digital rights management.

DRM is accepted by many people as a reasonable solution to cut down on piracy, but opposed by others because it can provide a way for vendors to lock down or restrict your access to content of your choice.

Whether you welcome DRM or not (or simply don’t care), or whether you think a TPM gives you a potentially harder-to-hack Windows system than a computer without one…

…is largely irrelevant, because Microsoft insists that you have one to run Windows 11.

(There are hacks that claim to bypass this requirement, but we can’t recommend these tricks, and even in virtual machines, we’ve had unsatisfactory results when trying then out.)

Simple security can be complex

Unfortunately, and as you’ve probably guessed by now, the diminutive size of TPM hardware devices belies an extraordinary complexity that makes it hard for anyone, even the TCG itself, to create a compliant implementation that’s free from bugs.

The TPM Library 2.0 specifications alone, which form just a tiny part of the hundreds of different TCG specification documents, come in four parts, split into six documents – confusingly, there are two Part 3s and two Part 4s, one sub-part consisting of documentation alone, and the other consisting of interleaved code and explanation.

To give you an idea of the scale of TPM 2.0, the official specification files at the time of writing [2023-03-07] are:

Microsoft’s GitHub copy of the TCG “reference implementation” includes 5MBytes of source code totalling about 100,000 lines of C split into nearly 500 files.

On top of that, you need to import in a number of cryptographic algorithms from some other library and compile them into your TPM code.

You can’t rely on cryptographic functions supplied by your operating system, because a TPM chip is designed to operate independently of the rest of your computer, so it doesn’t depend on anything that could easily be replaced, subverted or left unpatched.

Microsoft’s source tree lets you pick by default from LibTomCrypt, OpenSSL and wolfSSL as your underlying code provider for symmetric encryption, hashing and big-number arithmetic. (Precise calculations involving numbers with hundreds or thousands of decimal digits are needed to implement public-key encryption algorithms such as RSA and Elliptic Curve cryptography.)

Beware lurking bugs

Amongst all this complexity, of course, lurks an unknown number of bugs, including two CVE-numbered vulnerabilities discovered in November 2022 by researchers at security spelunking company Quarkslab.

(We don’t know whether you pronounce that company name kwork slab or kworx lab; we suspect it’s the latter but secretly hope it’s the former.)

Quarkslab, admittedly with a dramatic flourish, announced the bugs as follows (their emphasis and capitalisation):

Two vulnerabilities found by Quarkslab in the TPM2.0 reference implementation and reported in November 2022 are now publicly revealed and could affect Billions of devices.

Who can be affected? Large Tech vendors[, and] organisations using Enterprise PCs, many servers and embedded systems that include a TPM.

In fact, the official TPM Library 2.0 “Errata” bulletin lists numerous other bugs along with these two, but as far as we know, the vulnerabilities reported by Quarkslab are the only two that received official CVE designation: CVE-2023-1017 and CVE-2023-1018.

Loosely speaking, these bugs are two sides of the same coding coin:

The reported vulnerabilities occur when handling malicious TPM 2.0 commands with encrypted parameters. Both vulnerabilities are in the CryptParameterDecryption function, which is defined in the Part 4: Supporting Routines – Code document. […]

One of the vulnerabilities is an out-of-bounds read identified as CVE-2023-1018. The second one is an out-of-bounds write identified as CVE-2023-1017. These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation.

Additional instances may be identified because of the TPM Work Group ongoing analysis and may result in a larger scope of potential vulnerabilities included in TCGVRT0007.

A “quick-fix” for these bugs was rapidly published for libtpms, a popular software-based TPM implementation that can be used to provide as many virtual TPMs as you like for multiple virtual machines:

The lines marked in green were added as patches against the flaws, and we’ll explain them quickly now.

The underlying problem with the unpatched code is that the function CryptParameterDecryption() receives redundant and potentially inconsistent information about how much data to process when decrypting the parameter buffer that’s sent in.

The function parameter bufferSize tells you how big the memory buffer is into which decrypted data will be written.

But the first two (or, depending on how the code is compiled, four) bytes of the buffer itself tell you how much space there is for decrypted data.

The original code therefore extracts those first bytes from the buffer and uses it as a counter to see how much actual data to decrypt…

…without bothering to check that there actually are two or four bytes available in buffer (as denoted by bufferSize) to start with.

This bug could result in a read overflow, with the code accessing bytes that it shouldn’t, which is why the updated code now includes a pre-flight check that the buffer has enough bytes to store the count value.

Even if the buffer does safely contain at least enough data for the length count, thus preventing a read buffer overflow, the original code consumes some of the bufferSize bytes in buffer, by extracting the bytes denoting the decryption length and advancing the buffer pointer accordingly.

But the code doesn’t decrease the value of bufferSize to match the fact that the buffer pointer has now been moved along in memory.

(If you “burn” the top two cards of a pack before starting to deal in a card game, you no longer have 52 cards left – you only have 50; if you’re dealing a poker hand, you’ll probably be OK, but if you’re dealing for a round of bridge, two of the players are going to end up short-handed.)

This bug could result in a write overflow, with decryption continuing past the end of the buffer and modifying two or four bytes that could belong to another process in the TPM’s memory.

More patches required

In fact, those patches alone are not enough, as the TCG’s bulletin warned above, and the libtpms code has already been updated again, though the additional patches have not yet made it into an official release:

This time, the similarly-defective “partner function” CryptParameterEncryption() has been updated, too.

As you can see above, the original version of the encryption function didn’t even have a bufferSize parameter, and always simply grabbed and computed the effective buffer length via the buffer pointer.

This means that the function prototype needed changing, which meant in turn that anywhere in the TPM code that called this function needed updating as well.

Fortunately, the code paths into the formerly buggy code are easy to trace backwards and retrofit with the additional security checks required.

What to do?

• Reference implementations aren’t always correct. If you have any hardware or software products of your own that rely on this TPM Library code, you’ll need to patch them. Sadly, the TCG hasn’t yet provided patches to its own code, but has merely described the sort of changes it thinks you should make. If you’re wondering where to start, the libtpms project is a handy place to look, because the developers have already started digging away at the danger-points. (Work your way through at least ExecCommand.c, SessionProcess.c and CryptUtil.c.)
• If in doubt, ask your hardware vendor for vulnerability information. Lenovo, for example, has already provided some information about products that include TPM code based on the reference implementation, and where to look for security bulletins to quantify your risk.
• Avoid letting untrusted callers tell you how to manage memory. If you’re passing buffer pointers and sizes into trusted code, make sure you check and sanitise them as much as possible, even if it comes with a performance cost (e.g. copying buffers in controlled ways into memory arranged to suit your own security needs), before processing the commands you’ve been asked to carry out.

You’ve almost certainly heard of the ransomware family known as DoppelPaymer, if only because the name itself is a reminder of the double-barrelled blackmail technique used by many contemporary ransomware gangs.

To increase the pressure on you to pay up, so-called double-extortionists not only scramble all your data files so your business stops running, but also steal copies of those files to use as extra leverage.

The idea is that if you pay up for the decryption key to unlock your files and get your business back on the road, the attackers will very generously also agree to delete the files they’ve stolen (or so they say), rather than leaking those files to the media, revealing them the regulator, or selling them on to other cybercriminals.

Crudely put, the blackmailers are inviting you to pay for them both for a positive action (handing over the decryption keys), and for a negative one (not leaking the stolen data).

Also, rather obviously, the crooks are hoping that even if you have reliable backups and could get your business moving again on your own, without paying for the decryption keys…

… then they may nevertheless be able to blackmail you into handing over their menaces-money anyway, by promising to keep their mouths shut about the fact that you suffered a data breach.

Usually, double-extortion attackers steal your files in their unencrypted form before garbling them. But they could just as well steal them during or after the scrambling process, given that they already know the decryption keys.

Naming-and-shaming

DoppelPaymer, along with many other cybergangs of this sort, ran their own online “name-and-shame” website, as noted in a recent press release from Europol:

The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least €40,000,000 between May 2019 and March 2021.

That’s the bad news.

The good news, if you can call it that, is the reason why Europol is writing about the DoppelPaymer ransomware right now.

A combined operation involving German, Ukrainian and US law enforcement has just resulted in the interrogation and arrest of suspects in Germany and Ukraine, and the seizure of electronic devices in Ukraine for forensic analysis.

Europol didn’t publish any pictures of the equipment seized in this case, but we’re assuming that laptops and mobile phones, perhaps along with vehicles (which are effectively multi-purpose online computing networks in their own right these days), were taken away for examination.

Servers may still be running

The press release didn’t mention whether the investigators were able to seize or shut down any servers connected with this ransomware gang.

These days, whether they’re operated by legitimate businesses or criminals, servers tend to run somewhere in the cloud, which quite literally means “on someone else’s computer”, which almost always also means “somewhere else, perhaps even in another country”.

Unfortunately, with careful use of dark web anonymity tools and cautious operational security, criminals can obscure the physical location of the servers they’re using.

Those servers could include the websites where they publish their name-and-shame data, the databases where they record the decryption keys of current victims and whether they’ve paid, or the “business network” servers where they sign up affiliates to help them mount their attacks.

So, even if the cops arrest some, many or all the members of a ransomware gang, that doesn’t always stop the ransomware activities, because their infrastructure remains, and can still be used by other gang members or taken over by rivals to continue the extortion activities.

Likewise, if the cops manage to take down and seize servers that are vital to a ransomware gang, the same dark web anonymity that makes it hard to trace forwards from arrested users to their servers…

…also makes it hard to trace backwards from seized servers to identify and arrest the users.

Unless the crooks have made technical or operational blunders, of course, such as once-in-a-while making direct connections to their servers by mistake instead of going through an anonymising service such as TOR (the Onion router), or relying on other operators in the cybercrime scene not to rat them out by accident or on purpose.

LEARN MORE ABOUT HOW DARK WEB CROOKS GET CAUGHT

We talk to renowned cybersecurity author Andy Greenberg about his excellent book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

What to do?

• Don’t dial back your protection. As welcome as these arrests are, and as useful as the seized devices are likely to be in helping the cops to identify yet more suspects, this bust on its own is unlikely to make a significant dent in the ransomware scene as a whole. Indeed, in this very case, Europol itself warns that “according to reports, DoppelPaymer has since rebranded [as a ransomware gang called] ‘Grief’.”
• Don’t fixate on ransomware alone. Remember that ransomware attacks are sometimes, perhaps often, the tail-end of an extended attack, or even multiple attacks, involving criminals roaming freely through your network. Crooks who can steal data from computers all over your business, and who can scramble almost any files they want on almost as many laptops and servers they like, can (and often do) carry out almost any other sort of sysadmin-level attack they want while they’re in. Unsurprisingly, this rogue “sysadmin” activity often includes quietly opening up holes to let the same crooks, or someone else, back in later.
• Don’t wait for threat alerts to drop into your dashboard. In double-extortion ransomware attacks, for example, the data-stealing stage, where the crooks are plundering your files before scrambling them, is a handy warning that an attack is actively under way. But with a good threat hunting team, whether in-house or brought in as a service, you can aim to detect signs of attack even earlier than that, ideally even before the attackers get their initial beachhead from which they hope to attack your whole network.
• Don’t pay up if you can possibly avoid it. We’ve always said, “We’re not going to judge you if you do,” because we’re not the ones whose business has just been derailed. But paying up not only funds the next wave of cybercrime, but also may not even work at all. Colonial Pipeline infamously spent over $4 million on a decryption tool that turned out to be useless, and the Dutch Police recently warned of a cyberextortion gang who allegedly made millions “selling their silence”, only for the stolen data to be leaked anyway.
  

  ---

  LEARN MORE ABOUT XDR AND MDR

  Short of time or expertise to take care of cybersecurity threat response?
  Worried that cybersecurity will end up distracting you from all the other things you need to do?

  Take a look at Sophos Managed Detection and Response:
  24/7 threat hunting, detection, and response  ▶

  ---

  LEARN MORE ABOUT ACTIVE ADVERSARIES

  Read our Active Adversary Playbook.
  This is a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.

  ---

The US Cybersecurity and Infrastructure Security Agency (CISA), which dubs itself “America’s Cyber Defense Agency”, has just put out a public service annoucement under its #StopRansomware banner.

This report is numbered AA23-061a, and if you’ve slipped into the habit of assuming that ransomware is yesterday’s threat, or that other specific cyberattacks should be at the top of your list in 2023, then it is well worth reading.

The risks you introduce by taking your eyes off the ransomware threat in 2023 to focus on the next, old-is-new-again shiny topic (ChatGPT? Cryptojacking? Keylogging? Source code theft? 2FA fraud?) are similar to the risks you would have faced if you started focusing exclusively on ransomware a few years ago, when it was the hot new fear of the day.

Firstly, you’ll often find that when one cyberthreat seems to be decreasing, the real reason is that other threats are increasing in relative terms, rather than that the one you think you’ve seen the back of is dying out in absolute terms.

In fact, the apparently increase of cybercrime X that goes along with an apparent drop in Y might simply be that more and more crooks who previously tended to specialise in Y are now doing X as well as, rather than instead of, Y.

Secondly, even when one particular cybercrime shows an absolute decline in prevalence, you’ll almost always find that there’s still plenty of it about, and that the danger remains undiminished if you do get hit.

As we like to say on Naked Security, “Those who cannot remember the past are condemned to repeat it.”

The Royal gang

The AA23-061a advisory focuses on a ransomware family known as Royal, but the key takeaways from CISA’s plain-speaking advisory are as follows:

• These crooks break in using tried-and-trusted methods. These include using phishing (2/3 of the attacks), searching out improperly-configured RDP servers (1/6 of them), looking for unpatched online services on your network, or simply by buying up access credentials from crooks who were in before them. Cybercriminals who sell credentials for a living, typically to data thieves and ransomware gangs, are known in the jargon as IABs, short for the self-descriptive term initial access brokers.
• Once in, the criminals try to avoid programs that might obviously show up as malware. They either look for existing administration tools, or bring their own, knowing that it’s easier to avoid suspicion in if you dress, talk and act like a local – in jargon terms, if you live off the land. Legitimate tools abused by the attackers include utilities often used for official remote access, for running administrative commands remotely, and for typical sysadmin tasks. Examples include: PsExec from Microsoft Sysinternals; the AnyDesk remote access tool; and Microsoft PowerShell, which comes preinstalled on every Windows computer.
• Before scrambling files, the attackers try to complicate your path to recovery. As you probably expect, they kill off volume shadow copies (live Windows “rollback” snapshots). They also add their own unofficial admin accounts so they can get back in if you kick them out, modify the settings of your security software to silence alarms, take control of files that they would otherwise not be able to scramble, and mess up your system logs to make it hard to figure out later what they changed.

To be clear, you need to build up your confidence in defending against all these TTPs (tools, techniques and procedures), whether or not any particular wave of attackers are aiming to blackmail you as part of their end-game.

Having said that, of course, this Royal gang are apparently very interested indeed in the technique identified by the US government’s MITRE ATT&CK framework by the unassuming tag T1486, which is labelled with the distressing name Data Encrypted for Impact.

Simply put, T1486 generally denotes attackers who plan to extort money out of you in return for unscambling your precious files, and who aim to squeeze you harder than ever by creating as much disruption as possible, and therefore giving themselves the biggest blackmail leverage they can.

Indeed, the AA23-061a bulletin warns that:

Royal [ransomware criminals] have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.

And, just to be clear, they typically steal (or, more precisely, take unauthorised copies of) as much of your data as they can before freezing up your files, for yet more extortion pressure:

After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.

What to do?

Crooks like the Royal gang are known in the jargon as active adversaries, because they don’t just fire malware at you and see if it sticks.

They use pre-programmed tools and scripts wherever they can (the criminals love automation as much as anyone), but they give individual attention to each attack.

This makes them not only more adaptable (they’ll change their TTPs at a moment’s notice if they spot a better way to do worse things), but also more stealthy (they’ll adapt their TTPs in real time as they figure out your defensive playbook).

• Learn more by reading our Active Aversary Playbook, a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.