Ransomware has seen a stunning rise in popularity over the last few years, leading cybersecurity firm Sophos to describe it as “a black hole” drawing in the entire cybercrime ecosystem. Both profiteers and nation-state backed hacking groups have turned to ransomware to achieve their goals, leading to what may be the largest wave of cybercrime in history.
This has serious implications for the cybersecurity sector; there’s an arms race going on, and at the moment, the cybersecurity community is losing. To rise to this challenge, investment in cybersecurity is being ramped up, but there’s a serious shortage of personnel. Confronting ransomware will require major increases in both the number of cybersecurity experts and the effectiveness of countermeasures.
Increasing overall effectiveness requires a deep understanding of the methods hackers use to deliver ransomware, and how it propagates through a network.
Initial Access
The most common method of gaining network access is phishing. When ransomware first started to gain popularity, many hackers used tools like Phishing Frenzy to manage spam email campaigns. With time, however, ransomware gangs are opting for more sophisticated, targeted attacks that often involve impersonating internal email accounts of a company.
In the case of more sophisticated phishing attacks, attackers have usually already gained access to the network, but need to complete additional tasks to escalate their privilege. The most common method of gaining access without an initial phishing attack is exploiting RDPs. This often involves simple brute force attacks.
Hackers first use a tool like ns.exe to scan for open ports, and when they find them, NLBrute or similar cracking tools are used to attempt brute force attacks. A growing number of VPN exploits have also gained popularity as an alternative as RDP security tightens.
Reconnaissance
Once a ransomware hacker gains access to a system, they need to gather data about the network to plan their next move. This is critical to the success of the attack, because how much of a network they are able to shut down will determine how big of a ransom they can demand. Paying a ransom is usually a purely economic decision for victims— if they will lose more money by not paying the ransom than by paying it, it just makes economic sense to pay.
This phase is also critical for cybersecurity professionals, because it’s the best opportunity to detect threat actors and stop them before they can do any damage.
Cobalt Strike is one of the most popular tools in multiple stages of the ransomware process, and reconnaissance in particular. Big ransomware names like Conti, Egregor, Clop, Ryuk, and Sodinokibi have all been detected using Cobalt Strike.
Another popular tool for this phase is AdFind, a command line tool used to gather information about networks. AdFind has been used by ransomware gangs like Maze and Sodinokibi in the past, and allows querying active directories for information about users, hosts, servers, and other information which can be used to escalate privileges and spread through the network.
Lateral Spreading
The effectiveness of a ransomware attack is directly linked to how much of a network it can infect, so lateral spreading through a network is a top priority for ransomware threat actors. In particular, accessing and compromising any backups is essential to maximizing pressure on the victim.
To escalate privileges usually requires obtaining credentials in some way. Mimikatz is very widely used for this purpose, as well as LaZagne. While LaZagne is effective for gathering passwords stored on a local system, Mimikatz can actually bypass passwords by using hashes or Kerberos tickets.
Bypassing Security
Process Hacker is a tool that allows monitoring all processes currently running on a system. It is most typically used to detect anti-malware software and disable it. Disabled antivirus software is often one of the first signs that a ransomware attack is underway.
Data Exfiltration
Early ransomware attacks focused mainly on freezing file systems, effectively locking victims out of their networks until they paid the ransom. This can be countered by robust backup procedures, so as security practices have improved, ransomware hackers are turning more and more to data exfiltration to extort money from victims.
Data exfiltration attacks usually target companies or organizations that have sensitive data. Hackers download the data, and threaten to publish the data on the web if they are not paid. Given that the average cost of a data breach has reached $8.64 million in the US, it’s easy to see why victims are willing to pay.
MegaSync is one tool used for uploading data during the course of a ransomware attack. It can make a copy of the entire file system, which hackers can then hold hostage.
Ransomware Execution
Ransomware hackers prefer to execute ransomware remotely, because any local presence of the ransomware can trigger alarm bells in antivirus software. PSExec is one preferred tool for executing code remotely.
