Ransomware attackers often follow very similar patterns or sequences when they ransom an organization’s IT infrastructure. Only those who know the attack patterns can effectively protect themselves against them. In this first part of a blog series about ransomware, we’ll explore typical approaches to holding IT operations hostage.
The threat of ransomware incidents grows as attackers become more experienced and strategic. A recent, independent survey of 1100 global IT and cyber security professionals found that:
- 80% were victims of ransomware attacks in 2021.
- More than 60% of those who were attacked paid the ransom. (Forbes)
Across the globe, attackers are increasingly successful at penetrating IT environments and shutting down operations. Shielding your infrastructure from these sophisticated criminals requires an understanding of how they work. Fortunately, most ransomware attackers follow similar patterns or sequences. By studying these patterns, we’re better able to protect organizations from these devastating and costly incidents.
A successful ransomware attack can be divided into three phases.
- First access phase—The attackers gain initial access to the corporate network.
- Solidify access phase—The attackers spread throughout the corporate network. They install multiple backdoors to gain access to the corporate network through other ways and at any time.
- Potential damage phase—The attackers steal data and encrypt the entire corporate network at different levels. (For example, they might encrypt on the Windows level and the hypervisor level.) They destroy the backup so that the company has no choice but to negotiate ransom for their data and systems.
Let’s explore familiar methods for each phase.
First access phase
Attackers typically follow one of two paths to penetrate an organization’s network:
One approach is through servers that provide services such as VPN access, websites, or email on the internet.
Sometimes the attackers already have valid user credentials to access the server. They often obtain credentials through a phishing campaign, a brute force attack (such as password spraying), or database leaks on the darknet.
Other times, cybercriminals take advantage of software vulnerabilities to gain first access. These are some examples:
The other classic approach is through the client, using email messages. Attackers usually send a message containing an infected .docx, .xlsx or .zip file. In most cases, when the mail recipient opens the attached file, they execute an office macro to compromise the client.
Solidify access phase
To solidify access, attackers aim to acquire the highest privileges in the organization’s network, such as Active Directory Domain Administrator privileges or root privileges. Therefore, they focus on lateral movement and privilege escalation techniques.
Lateral movement is navigating around the organization’s network or jumping from system to system by further exploiting vulnerabilities or with the help of valid users. It lets cybercriminals perform reconnaissance, exploring assets and discovering more vulnerabilities.
When attackers gain access to a new system, they use privilege escalation techniques to capture users with higher privileges. There are many types of privilege escalation attack vectors, from scarewear to access token manipulation to exploiting operating system vulnerabilities. Privilege escalation helps cybercriminals avoid detection and retain access. In fact, even if the victim detects and isolates the attacker’s initial breach point, the attacker maintains strongholds in different network systems using different accounts.
Another main goal in the solidify access phase is to create multiple backdoors in the victim’s network so that the attackers can access the network in different ways and at any time.
Well embedded within the perimeter, attackers gain detailed knowledge of the organization’s network and data. This reconnaissance is akin to burglars watching a house for days, learning schedules and patterns, testing windows and sliding doors, and identifying what’s in the house. They don’t do any harm; they’re planning the job.
Potential damage phase
The final phase is when the cybercriminals wreak havoc. They:
- Steal data
- Destroy any backups
- Encrypt the entire network
The typical attacker leaves a ransom note somewhere in the system. In most cases the note is an HTML or text file containing the following information:
- An explanation of what the attacker has done
- Any guarantees They make
- How to contact the attackers by email or through a website on the darknet
- (If contact is through a darknet website) a key to identify the victim
- Warnings against remediation attempts
This image shows an actual ransom note left by cybercriminals.
That’s a chilling message to receive. Anyone working in DevOps or Security dreads a ransom incident, which can cost an organization millions. Fortunately, you can dramatically reduce the likelihood of ever finding a ransom note on your own systems.
Preventing ransomware attacks
In my career as a pentester and incident response consultant, I’ve identified two main reasons why attackers are so successful in compromising companies:
- The systems are not up to date with the latest patches
- The systems do not have secure configurations
Most organizations are not aware of how vulnerable they are. Time and time again, when I’ve seen companies become victims due to one or both of these risks, it’s because the system versioning and configurations are not visible across their entire infrastructure. Without that visibility, they can’t perform an appropriate risk assessment.
That's why we founded Mondoo, to help companies see their vulnerabilities and to provide them with concrete recommendations for action.
Identify which updates are missing on each system.
Receive clear instructions on how to fix individual problems.
The next article in this ransomware blog series will explore some of the details of ransomware incidents. Subscribe to our blog to be notified when this article is published.