For InfoSec teams across public and private sectors, ransomware continues to be among the most significant cybersecurity threats in 2021. Unsettling trends forming in the ransomware domain include:
Combined ransomware/data breach events: Threat actors no longer simply encrypt files and make them unavailable. Adversaries now also exfiltrate sensitive files before encrypting them, so that they have a Plan B if the victim refuses to pay. Some companies, for example, have a solid incident response plan, backup procedures and technical experts on their side to remediate the ransomware attack and resume operations quickly without paying the ransom. In that case, the ransomware gang extorts the company by threatening to publish the victim's sensitive information online and to monetize it on the dark web.
Distributed denial of service (DDoS) as a motivational tool: Threat actors are constantly adding new methods to push their victims into paying the ransom. As DDoS attacks become cheaper, they offer adversaries a very efficient motivational tool. As an example, an adversary group deploying the SunCrypt ransomware launched a DDoS attack on a victim's website when ransom negotiations ceased. Ultimately, the victim resumed negotiations and paid the ransom.
Ransom DDoS (RDDoS) attacks: The threat of a large-scale (up to 2 TB/sec) DDoS attack alone can be used to extort companies into paying up. These attacks are called ransom DDoS (RDDoS) attacks and are usually combined with a data breach or a regular ransomware attack.
Decoy DDoS attacks: Smaller-scale DDoS attacks are sometimes used as a decoy tactic and precursor to ransomware attacks. The purpose is to keep the incident response team focused on dealing with the smaller attack while the adversaries quietly accomplish their main goal of scanning the network for vulnerabilities, gaining a foothold in the infrastructure and establishing some persistence. Once inside the network, the attackers exfiltrate information, propagate across the network and try to avoid detection for as long as is required to achieve their objectives. The ransomware is usually deployed at the end.
Attackers remaining present after remediation: After the ransomware incident is over and the affected systems are restored, some attackers remain within the victim’s infrastructure. Common sense would suggest attackers should quickly leave the network
after ransomware deployment to avoid being caught.
In cases involving the Maze ransomware, operators stole data from their victims as a backup plan should the victims hesitate on payment. The Maze operators took this to the next level, however, by exposing the victims' internal reports of their ongoing ransomware attack investigation. This information demonstrated that the ransomware operators were present in the victim networks while the incident was being investigated and contained. The attackers were even able to spy on victim communications and monitor their incident response efforts. Given that operators of Ryuk, Maze and other ransomware strains can remain hidden in the network preparing for re-infection, re-deployment or data theft, even after successful containment and eradication, there is a growing need to address ransomware threats on a deeper level after the ransomware incident is first detected.
Ransomware in healthcare: Despite several ransomware gangs promising not to target healthcare providers during the COVID-19 pandemic, the healthcare sector remains vulnerable. In fact, attackers targeted hospitals and healthcare providers at an increasing
rate amid the pandemic.
Ransomware commonly spreads through phishing emails. Other methods of spread can include, but are not limited to:
Once the dropper (a program designed to install malware to a target system) is executed on a system, the infection begins.
The main stages of infection and ransomware execution are:
Malware download: When the dropper is executed on the system, it kicks off a command-and-control (C2) communication channel to download the ransomware in a file and/or file-less format. The dropper then copies the malicious executable to a local directory,
or in some cases, it injects the malicious code into a running process.
Persistence: The ransomware then attempts to create persistence mechanisms to stay in the system as long as possible, to encrypt new files and infect additional drives. Ransomware can be very hard to remove and will usually stay in the system after a reboot and even after manual deletion. Some strains will reboot the system into safe mode, where most security mechanisms are disabled. The most common methods of establishing persistence are:
Enumeration: Once the ransomware has established a persistence mechanism, it enumerates the local system and accessible network shares, searching for files to encrypt (usually defined by file extensions for documents, pictures, databases and so forth).
Lateral movement: The malware then tries to spread itself on the local network by capturing credentials and/or using known exploits (such as MS17-010, which was used by WannaCry).
Exfiltration: Once the ransomware spreads itself on the network, it will seek out sensitive information, secret product designs, proprietary information, PII and other types of data with the potential to hurt the victim most. This serves two purposes:
to provide stronger incentive for the victim to pay the ransom and/or to further profit by selling this information.
Encryption: At this stage, the ransomware begins to encrypt the enumerated files. It encrypts the file, copies the encrypted version to the original location, and then deletes the original file. The malware also deletes the volume shadow copy if present
in the system. After encryption, the attacker leaves a ransom note demanding payment.
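The stages above each leave host-level traces a defender can look for. The following is an added example, not code from the original post: a small Python detector that runs stage-specific rules over constructed process-creation events (a document application spawning a script host for the download stage, a Run-key registration for persistence, a safe-mode boot change, and shadow copy deletion before encryption) and flags hosts where several distinct stages appear together. The log format, rule names and sample events are assumptions made for the example.

```python
import re

# Constructed process-creation events (not real telemetry), one per line:
#   <timestamp> host=<name> pid=<n> parent=<parent image> cmd=<command line>
SAMPLE_LOG = r"""
2021-06-01T10:02:13 host=ws01 pid=988 parent=winword.exe cmd=powershell.exe -nop -w hidden -enc QQBB
2021-06-01T10:02:20 host=ws01 pid=1001 parent=powershell.exe cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\a\upd.exe
2021-06-01T10:02:25 host=ws01 pid=1010 parent=upd.exe cmd=bcdedit /set {default} safeboot minimal
2021-06-01T10:02:30 host=ws01 pid=1020 parent=upd.exe cmd=vssadmin delete shadows /all /quiet
2021-06-01T10:02:31 host=ws01 pid=1021 parent=upd.exe cmd=wmic shadowcopy delete
2021-06-01T10:03:00 host=ws02 pid=300 parent=services.exe cmd=svchost.exe -k netsvcs
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# One regex per stage from the post, applied to the command line (rule names are assumed).
CMD_RULES = {
    "persistence_run_key": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I),
    "safe_mode_reboot": re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
}
# Malware download stage: a document application spawning a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def match_stages(event):
    """Return the list of stage names a single event matches (possibly empty)."""
    stages = [name for name, rx in CMD_RULES.items() if rx.search(event["cmd"])]
    image = (event["cmd"].split() or [""])[0].lower()
    if event["parent"].lower() in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        stages.append("dropper_from_office")
    return stages

def scan(log_text):
    """Return (host, pid, stage) findings for every event that matches a stage rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            findings.extend((event["host"], int(event["pid"]), s) for s in match_stages(event))
    return findings

def hosts_to_isolate(findings, min_stages=2):
    """Hosts showing at least min_stages distinct stages: a stronger signal than any single rule."""
    seen = {}
    for host, _, stage in findings:
        seen.setdefault(host, set()).add(stage)
    return sorted(h for h, stages in seen.items() if len(stages) >= min_stages)
```

Any single rule (shadow copy deletion in particular) also fires during legitimate administration, which is why the host-level decision requires several stages to co-occur.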
June 10, 2021
By IANS Faculty