For InfoSec teams across public and private sectors, ransomware attacks are a costly and fast-growing cybersecurity threat. Unsettling trends forming in the ransomware domain include:
Combined ransomware/data breach events: Threat actors no longer simply encrypt files and make them unavailable. Adversaries now also exfiltrate sensitive files before encrypting them, in case the victim refuses to pay and a Plan B is needed. For example, some companies have a solid incident response plan, backup procedures and technical experts on their side to remediate the ransomware attack and resume operations quickly – without paying the ransom. In that case, the ransomware gang starts to extort the company by threatening to publish sensitive information about the victim online and by monetizing this information on the dark web.
Distributed denial of service (DDoS) as a motivational tool: Threat actors are constantly adding new methods to push their victims into paying the ransom. As the cost of launching DDoS attacks falls, they become a very efficient motivational tool for adversaries. As an example, an adversary group deploying the SunCrypt ransomware launched a DDoS attack on a victim’s website when ransom negotiations ceased. Ultimately, the victim resumed negotiations and paid the ransom.
Ransom DDoS (RDDoS) attacks: The threat of a large-scale (up to 2 TB/sec) DDoS attack alone can be used to extort companies into paying up. These attacks are called ransom DDoS (RDDoS) attacks and are usually combined with a data breach or a regular ransomware attack.
Decoy DDoS attacks: Smaller-scale DDoS attacks are sometimes used as a decoy tactic and precursor to ransomware attacks. The purpose is to keep the incident response team focused on dealing with the smaller attack while the adversaries quietly accomplish their main goal of scanning the network for vulnerabilities and gaining a foothold and persistence in the infrastructure. Once inside the network, the attackers exfiltrate information, propagate across the network and try to avoid detection for as long as is required to achieve their objectives. The ransomware is usually deployed at the end.
Attackers remaining present after remediation: After the ransomware attack is over and the affected systems are restored, some attackers remain within the victim’s infrastructure. Common sense would suggest attackers should quickly
leave the network after ransomware deployment to avoid being caught.
Operators of the Maze ransomware, for example, stole data from their victims as a backup plan should the victims hesitate to pay. The Maze operators then took this to the next level by exposing the victims’ internal reports of their ongoing ransomware attack investigation. This information demonstrated that the ransomware operators were still present in the victim networks while the incident was being investigated and contained. The attackers were even able to spy on victim communications and monitor their incident response efforts. Given that operators of Ryuk, Maze and other ransomware strains can remain hidden in the network preparing for re-infection, re-deployment or data theft, even after successful containment and eradication, there is a growing need to address ransomware threats on a deeper level after the ransomware incident is first detected.
Ransomware in healthcare: Despite several ransomware gangs promising not to target healthcare providers during the COVID-19 pandemic, the healthcare sector remains vulnerable. In fact, attackers targeted hospitals and healthcare providers
at an increasing rate amid the pandemic.
How Ransomware Spreads
Ransomware commonly spreads through phishing emails.
Other methods of spread can include, but are not limited to:
- Spam emails
- Exploit kits
- Removable media
- Drive-by downloads
- Malware campaigns
- Lateral movement using SMB
- Web-based messaging applications
- Being deployed by another malware, such as Dridex, Trickbot or Emotet
Once the dropper (a program designed to install malware to a target system) is executed on a system, the infection begins.
Stages of Ransomware Infection
The main stages of infection and ransomware execution are:
Malware download: When the dropper is executed on the system, it opens a command-and-control (C2) communication channel to download the ransomware in file-based and/or fileless form. The dropper then copies the malicious executable to a local directory or, in some cases, injects the malicious code into a running process.
Persistence: The ransomware then attempts to create persistence mechanisms to stay in the system as long as possible, to encrypt new files and infect additional drives. Ransomware can be very hard to remove and will usually survive a reboot and even manual deletion. Some strains reboot the system into safe mode, where most security mechanisms are disabled. The most common methods of establishing persistence are:
- Creating Run and RunOnce registry keys (in the computer profile and/or various user profiles).
- Copying itself into %UserProfile%\Start Menu\Programs\Startup.
- Using scheduled tasks.
Enumeration: Once the ransomware has established a persistence mechanism, it enumerates the local system and accessible network shares, searching for files to encrypt (usually defined by file extensions for documents, pictures, databases
and so forth).
Lateral movement: The malware then tries to spread itself on the local network by capturing credentials and/or using known exploits (such as MS17-010, which was used by WannaCry).
Exfiltration: Once the ransomware spreads itself on the network, it will seek out sensitive information, secret product designs, proprietary information, PII and other types of data with the potential to hurt the victim most. This serves
two purposes: to provide stronger incentive for the victim to pay the ransom and/or to further profit by selling this information.
Encryption: At this stage, the ransomware begins to encrypt the enumerated files. It encrypts each file, writes the encrypted version to the original location, and then deletes the original file. The malware also deletes any volume shadow copies present on the system. After encryption, the attacker leaves a ransom note demanding payment.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.