Cyber Threat Actor Group, Nitrogen, Unveils New Countermeasure in Ransom Negotiations

Through a joint effort between Dinsmore’s cybersecurity team and Armada Growth Partners (AGP), new intelligence on the Tactics, Techniques, and Procedures (TTPs) of the Nitrogen ransomware group has been identified. The new TTP: Nitrogen blocks the IP addresses associated with previously failed negotiation attempts, cutting off the channel through which a negotiator would otherwise re-engage.

For years, major ransomware groups have targeted companies in attempts to extort millions of dollars. To combat these criminals, law enforcement agencies, including the FBI, collect data on the TTPs specific to each threat actor group. This newly discovered Nitrogen TTP provides actionable intelligence for future negotiations and strengthens defenders’ ability to anticipate adversary behavior.

The introduction of this countermeasure signals a deliberate push by threat actor groups to undermine established best practices for ransomware response. By cutting the communication channel, attackers attempt to neutralize skilled negotiators, who can often:

  • lower ransom amounts;
  • extend payment deadlines; and
  • stall long enough for remediation and recovery operations to succeed.

THREAT ACTOR COMMUNICATIONS IN RANSOMWARE INCIDENTS

For victims of a ransomware attack, communicating with the threat actor can be an integral part of incident response. It is extremely dangerous for a victim to communicate directly with threat actors. Best practice is to work through your legal counsel to engage a skilled negotiation firm that handles all interactions with the threat actor on your behalf. A skilled negotiator understands the dark-web portals these groups use and has the tooling needed to conduct a negotiation safely and successfully.

If Nitrogen blocks a negotiator’s access to its communication channels or leak sites, there are options to attempt to restore access:

  1. Adjust your VPN location.

Nitrogen can block the public IP address that your VPN exit presents. Changing the VPN location (the exit server) makes your traffic appear to come from a different public IP address, which bypasses a block keyed on the old address. Prefer an exit in a different provider or netblock rather than a neighboring server, in case the block covers more than a single address.

  2. Release and renew your IP address.

Most networks receive a dynamic public IP address from their internet service provider. Releasing and renewing the lease sends a new request from the router to the ISP, which may assign a different public IP address. Verify that the address actually changed before reconnecting: ISPs frequently hand the same lease back to the same router, and business connections with static IP addresses will not change at all.
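As an added worked example (not part of the original article), the following Python helper applies the two steps above before a negotiator reconnects: it confirms that a release/renew or VPN change actually produced a different public address, and checks the candidate egress address against the addresses from earlier blocked sessions. The sample addresses are constructed from RFC 5737 documentation ranges, and the idea that a block might cover a surrounding /24 rather than one address is an assumption made for illustration, not something reported about Nitrogen.

```python
"""Decide whether a new egress address is worth reconnecting from.

Added example, not code from the original article. Assumptions:
  - The threat actor's block is keyed on the public IP they observed and
    may extend to a surrounding netblock; the /24 heuristic is an assumption.
  - Sample addresses are constructed from the RFC 5737 documentation ranges
    (TEST-NET-1/2/3) and are not real negotiation infrastructure.
"""
import ipaddress

# Constructed history: public addresses used in sessions the threat actor
# stopped responding to. In practice this comes from the negotiator's own
# session notes or VPN/egress logs.
PREVIOUSLY_BLOCKED = ["203.0.113.17", "203.0.113.250", "198.51.100.42"]


def classify_egress(candidate, blocked, prefix=24):
    """Return (verdict, reason) for a candidate public IP.

    verdict is one of:
      'blocked' - candidate is exactly an address already blocked
      'risky'   - candidate shares a /prefix with a blocked address
      'ok'      - no overlap with the known-blocked set
    """
    cand = ipaddress.ip_address(candidate)
    known = [ipaddress.ip_address(raw) for raw in blocked]

    # Exact matches first, so a blocked address is never downgraded to 'risky'
    # just because another blocked address shares its netblock.
    for addr in known:
        if addr == cand:
            return "blocked", f"{cand} is already on the blocked list"

    for addr in known:
        if addr.version != cand.version:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if cand in net:
            return "risky", f"{cand} shares {net} with blocked {addr}"

    return "ok", f"{cand} does not overlap known blocked addresses"


def lease_changed(before, after):
    """True only if the renew/VPN change produced a different public IP.

    ISPs often hand the same lease back to the same router, so this has to
    be verified rather than assumed.
    """
    return ipaddress.ip_address(before) != ipaddress.ip_address(after)


def next_action(before, after, blocked, prefix=24):
    """Recommend the next step after a release/renew or VPN change."""
    if not lease_changed(before, after):
        return "retry", ("public IP unchanged; renew again, wait for the "
                         "lease to expire, or switch VPN exit")
    verdict, reason = classify_egress(after, blocked, prefix)
    if verdict == "ok":
        return "reconnect", reason
    return "switch", reason + "; pick a VPN exit in a different netblock"


if __name__ == "__main__":
    # Constructed before/after observations of the public address.
    for before, after in [("203.0.113.17", "203.0.113.17"),   # lease came back unchanged
                          ("203.0.113.17", "203.0.113.88"),   # new address, same /24
                          ("203.0.113.17", "192.0.2.9")]:     # new address, clean netblock
        action, why = next_action(before, after, PREVIOUSLY_BLOCKED)
        print(f"{before} -> {after}: {action} ({why})")
```

The before/after addresses would normally be read from a "what is my IP" check run before and after the renew; the script deliberately keeps that out so it runs offline. Lowering `prefix` to 32 reduces the check to exact matches only.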

SECURITY BEGINS WITH PREPARATION

The adoption of new negotiation-disruption countermeasures underscores a critical reality: ransomware groups evolve as quickly as defenders adapt. Organizations must treat ransomware readiness as an ongoing process and continuously identify and patch vulnerabilities where they are able.

Pre-breach planning, through the development of comprehensive and tailored cybersecurity programs and data privacy policies, is an essential step in combating ransomware. Dinsmore’s Cybersecurity and Data Privacy Team is well positioned to assist with pre-breach planning and, in the unfortunate and increasingly common event of a ransomware incident, has established partnerships with industry-leading forensics, remediation and recovery, and negotiation experts who are familiar with these threat actor groups. Should you have any questions, please do not hesitate to contact one of our Cybersecurity and Data Privacy attorneys.