Exposing What's Under the Hood of Ransomware Attacks

Ransomware is devastating to a company because it damages critical data. During an attack, ransomware scans for important files, encrypts them, and destroys backups. This can cripple an organization faster than other malicious applications. In this second part of a blog series about ransomware, we’ll discuss well-known cybercriminals and the harm they do.

The first article in this ransomware blog series, Hacker Procedure, described the three main phases of an attack. In this blog article we’ll examine these details of ransomware crime:

  • What industries are affected by ransomware?
  • Who are the criminals and how do they succeed?
  • What types of data are stolen?
  • How much is a typical ransom?

What industries are affected by ransomware?

Attackers tend to focus on managed service providers in particular. A managed service provider is a business that takes over a range of IT services for several of its customers, such as email, data storage, and software-as-a-service applications. These services are critical to their customers’ day-to-day operations.

Source: https://www.linkedin.com/posts/cyber-rescue-alliance_cybersecurity-activity-6922448424487329792-qLdZ

When hackers take over an IT service provider, they simultaneously gain access to the service provider's customers. This is an efficient and scalable way to work; through a single attack, the cybercriminals gain access to multiple victims. 

Managed service providers and their customers aren’t the sole targets of ransomware attacks. Almost all industry sectors, including health, manufacturing, finance, government, and automotive, are affected.

Who are the criminals holding systems for ransom?

We know ransomware attackers by the work that they do. Worldwide, there are about 62 ransomware groups that have successfully attacked a total of over 4400 companies. 

Source: https://twitter.com/darktracer_int/status/1492066263715430405/photo/1

The most successful ransomware groups are Conti, LockBit and Pysa. Two formerly effective groups are no longer operating: The Sodinokibi (Revil) group has been arrested and the Maze group has retired. 

The number of attacks doubles approximately every year. IT organizations should no longer wonder whether cybercriminals will seize and ransom their infrastructure—they should wonder when it will happen. 

A close look at one ransomware group

Some of the Conti ransomware group’s internal data has been published over time. Mostly written in Russian, the leaked documents contain the group's procedures. You can download the data here.

Warning: I recommend looking at Conti’s data in a separate virtual machine. The leaks contain some executables, which might contain a backdoor. As a general rule, don’t run exploits from just anyone—there’ve been enough examples in the past of files containing a backdoor.

You can view a translation of the Conti playbook here.

The Conti playbook starts when the group already has gained initial access. I described this in the previous article in this series as the solidify access phase. You’ll recall that, in this phase, the goal of the ransomware group is to gain the highest privileges in the organization.

The following points are covered in detail in the Conti Playbook:

  • Initial exploration:
    • What rights do the attackers have with the captured user?
    • Which local administrators exist?
    • Which domain administrators exist?
  • Privilege escalation techniques:
    • Kerberos attacks
    • Mimikatz tool to to capture credentials
    • Read passwords from the group policy object (GPO)
  • Lateral movement by exploiting vulnerabilities:
  • Anchoring (installation of backdoors)
  • Hunting administrators
    • How to search for administrators in a domain in order to take them over
  • Uploading data
    • How to steal company data
    • How to upload data to mega.io using rclone
  • Stage locking
    • How to encrypt all of a company’s data and applications with a few one-liners at the Windows and Hypervisor (VMWare) level

As you can see in the Conti playbook, most successful attacks are based on one or both of these system issues:

  • Software vulnerabilities that could have been addressed by updating versions
  • Systems without secure configuration (hardening)

What types of data are stolen?

Ransomware groups mainly target corporate data, such as financial reports, patented construction drawings, customer data, and credit card data. However, they do not shy away from private  individuals’ data, and sometimes publish private photos of company employees, for example. With this strategy, cybercriminals increase the pressure on their targets so that they are more willing to pay. 

What is the average ransom amount?

The average ransom amount in 2021 was half a million US dollars. This figure doubles every year.

Source: https://unit42.paloaltonetworks.com/2022-ransomware-threat-report-highlights/

The ransom itself isn’t the only cost of a ransomware incident, however. These factors also can have a financial impact:

  • Days of lost operations
  • Leaked proprietary data
  • Damage to customer trust

In my career as a pentester and incident response consultant, I’ve identified two main reasons why attackers are so successful in compromising companies:

  • The systems are not up to date with the latest patches
  • The systems do not have secure configurations

The next article in this ransomware blog series will show what it’s like to experience an attack and how to respond.

New call-to-action