Emerging ransomware attack behaviour
How criminal groups are moving towards targeted and sophisticated attacks.
Most information security professionals will no doubt be aware of the devastating effects that ransomware attacks can have on organisations. Although the first ever ransomware virus was created in 1989, it is only relatively recently, with attacks such as WannaCry in 2017, that the term has entered public consciousness.
In this blog and the corresponding eBook we will explore the key themes around the evolution of ransomware attacks, including more advanced campaigns that see data exfiltrated before it is encrypted; the rise of ransomware-as-a-service as attackers seek new ways to monetise their cyber operations; and how attackers are using targeted intrusion techniques rather than the scattergun methods of old. Finally, the secondary effect of the increasingly strict regulatory environment on the decision-making process will also be discussed.
Ransomware as a business
Ransomware is, at its core, a means by which malicious cyber actors can seek to monetise their cyber operations; at its most basic level it is a business model, not too dissimilar from those that traditional enterprises follow. Just as conventional businesses look to optimise their operations, find new gaps in the market and ultimately increase profit margins, so too do ransomware groups adapt and evolve their own nefarious models in order to compete.
An evolving business model
Even in the short space of time since 2017, ransomware groups have grown in confidence, evolved their operations to explore new and differing approaches and have significantly increased in sophistication. WannaCry took an almost scattergun approach to spreading ransomware: it was indiscriminate and spread within seconds.
Fast-forward to today’s attacks and one of the most obvious comparisons to be made is the highly targeted nature of the campaigns. This is highly significant for large enterprises because as ransomware threat actors study fresh potential victims to assess for vulnerabilities, their sole aim is to design attacks that they can leverage to demand much larger sums of money than they have previously. For example, with WannaCry, the average ransom was over $1,000 per victim. The 2019 Travelex breach saw the attackers demand $6 million in ransom.
We’ve also seen the development of more alarming techniques such as ransomware groups egressing the data before encrypting it and then threatening to auction it on the dark web to the highest bidder. This is a move to directly mitigate against those organisations who have either backed up their data or have some form of rollback technology to restore their systems to a pre-attack state.
Emerging ransomware attack path
So, what exactly does a highly sophisticated ransomware attack look like? We expand on these in more detail in our ransomware eBook, but for now, here are the processes that ransomware groups go through, step by step.
1. Identify an attractive target
Much like a conventional business has a target market or Ideal Customer Profile, so too will cyber criminals build profiles of potential target organisations, asking questions such as:
Can this organisation afford to pay an attractive ransom?
Is this organisation likely to have tools that will block or detect the attack?
Do they hold sensitive information?
Is the organisation likely to want to avoid embarrassment?
Does the organisation have to adhere to strict regulations?
Do they hold valuable intellectual property worth protecting?
From these questions, it is relatively easy to single out the characteristics of organisations that are likely to be considered prime targets. Western, mid-market/small enterprise, financial and legal service firms would fit the bill, for example.
2. Gain initial access
Some of the most common attack vectors for ransomware groups are through exploit kits and malicious email attachments and links.
Cyber criminals have learnt to ‘live off the land’, making use of tools and programs that many of us have on our computers and use every day, such as Word documents and spreadsheets, which can then be delivered to victims through phishing or spear-phishing campaigns.
Not only does this save them the time and money they would otherwise spend developing new tools, it also makes attacks extremely hard to detect through email filtering and traditional signature-based detection methods, such as anti-virus.
Once an attacker has gained initial access, they may then use an advanced exploitation tool such as Mimikatz, or a keylogger, to harvest credentials. If a compromised user doesn’t have permission to log into other systems, an attacker may attempt to escalate their privileges using a local privilege escalation technique.
3. Deliver payload
Once a macro-enabled document is opened, or a malicious link in a phishing email is clicked, a chain of events is set into motion.
One of the most sophisticated attacker techniques is fileless ransomware, whereby malicious code is either embedded in a native script or written straight into memory using legitimate administrative tools such as PowerShell. Macros can start a command line, which in turn runs PowerShell straight into memory, which then downloads additional scripts and the encryption key.
This is incredibly challenging to detect using traditional signature-based detection methods such as AV. One of the best ways to mitigate the risk of fileless ransomware comes down to knowing exactly which programs the devices on your network are running and where they are connecting out to.
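A detection-side illustration of the chain just described, added here and not part of the original post: a small Python checker that walks constructed process-creation records (a simplified Sysmon Event ID 1 shape with pid, ppid, image and cmdline, which is an assumption about the telemetry format) and flags shells whose parent chain leads back to an Office application, noting when their arguments look like in-memory or download staging.

```python
"""Flag Office -> cmd -> PowerShell process chains in process-creation telemetry.
Added example; the record layout (pid/ppid/image/cmdline) is an assumed,
simplified Sysmon Event ID 1 shape, and SAMPLE_EVENTS below are constructed."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Argument traits a defender associates with hidden, in-memory or download staging.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE)


def find_office_spawn_chains(events):
    """Return (pid, image, chain, reason) for each shell with an Office ancestor.
    chain lists image names from the Office parent down to the flagged shell."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image not in SHELLS:
            continue
        chain, ppid, seen = [image], e["ppid"], set()
        while ppid in by_pid and ppid not in seen:  # walk up; seen guards pid reuse loops
            seen.add(ppid)
            parent = by_pid[ppid]
            chain.append(parent["image"].lower())
            if parent["image"].lower() in OFFICE_APPS:
                reason = "office-spawned shell"
                if SUSPICIOUS_ARGS.search(e["cmdline"]):
                    reason += " with download/in-memory arguments"
                alerts.append((e["pid"], image, list(reversed(chain)), reason))
                break
            ppid = parent["ppid"]
    return alerts


# Constructed sample events (not real telemetry): a macro document launching cmd.exe,
# which starts a hidden, encoded PowerShell, plus a benign admin script for contrast.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE", "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c start /b powershell.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="},  # placeholder base64
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

if __name__ == "__main__":
    for alert in find_office_spawn_chains(SAMPLE_EVENTS):
        print(alert)
```

Pairing each alert with the outbound connections made by the flagged process (Sysmon Event ID 3, for example) covers the second half of the advice above, knowing where devices connect out to.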
4. Egress valuable data
First seen in 2019, this alarming trend is designed to apply leverage even against those organisations that have backed up their files or invested in some form of rollback technology to restore their systems to their pre-attack state.
Ransomware groups have now begun exfiltrating sensitive or valuable data whilst deploying their ransomware. They are then able to threaten to publish or even sell the data should their victim decide not to pay their ransom.
5. Encrypt devices
Once the group has exfiltrated enough valuable data from their victim’s network to threaten to leak or auction it off, they will then proceed to the expected step of encrypting devices.
Depending on the sophistication of the ransomware’s authors, they may make use of a number of encryption methods, a hybrid approach (symmetric encryption of the files themselves, with the symmetric keys in turn protected by asymmetric encryption so that only the key holder can recover them) being one of the most sophisticated techniques.
Once encrypted through this method, the only way for the victim to decrypt their data and regain control of their devices is to obtain the key from the ransomware group.
6. Demand ransom
Typically blasted across all encrypted devices, ransom splash screens will create a sense of dread in anyone unfortunate enough to see them first-hand. Commonly, they will inform the victim of how much the ransom is and provide instructions for payment.
7. Leak some of the data
Either as a tease, or to prove they actually have the data they claim to, attackers who have exfiltrated data before encrypting it will often release a few documents, mostly on the Tor network.
In a further effort to expedite payment, some ransomware groups have also taken to emailing the customers, employees and partners of their victims, informing them that their data is compromised and inducing them to encourage the compromised organisation to pay the ransom.
8. Auction the data
If the victim is not forthcoming with the ransom, in a move introduced by the Sodinokibi ransomware group, the criminals may then auction off the data they stole before encrypting devices to the highest bidder. Depending on the data and documents available, the bidding can start anywhere between $50,000 and $100,000.
These auction sites vary from simple designs to far more complex infrastructure. Security leaders predict these will be developed further if they prove to be an effective means of monetising operations for attackers.
If you are concerned about the impact of ransomware attacks on your business, download our eBook today.
This must-have guide provides IT and security leaders with:
Insight into the evolution of ransomware
An overview of adapting and changing attacker behaviour
Practical advice on the steps you can take to mitigate against the threat of ransomware to your organisation.
About the author
Brad Freeman, Head of Threat Analysis, Senseon
Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.