8 Ways Ransomware Operators Target Your Network
Security researchers explore how criminals are expanding their arsenals with new, more subtle, and more effective ransomware attack techniques.
Ransomware continues to plague IT security teams as attackers rework their campaigns to be more subtle, more effective, and much more expensive for the organizations they hit.
Security experts predict the pace of ransomware attacks will accelerate this year as operators continue to succeed in extorting ransoms. As campaigns grow more organized and targeted, and the tools they require become easier to access, the future looks ominous for defenders.
A key trend the industry is watching is the growth of double extortion attacks. Operators use two strategies: They demand a ransom for the return of stolen data, then threaten to publish the data if an organization doesn't pay. The emergence of this trend in the past year indicates that over time, more victims have refused to pay ransom due to protections like data backups.
Many ransomware campaigns start with a phishing email as attackers hope an unsuspecting employee will click a link or download a malicious payload. If they do, the malware attempts to contact the attackers' command-and-control (C2) server and explore the target environment. Once inside, they look for assets, such as accounts and systems with access to valuable data. If they find and encrypt that data before they're detected, it's not a good day for the business.
Some businesses don't know they've been breached until ransomware is deployed, CrowdStrike researchers said in their latest "Cyber Front Lines Report." While 69% of victims self-identified a security incident, in 14% of cases the breach was discovered due to execution of ransomware.
The average dwell time for ransomware attacks was 45 days in 2020; however, it's worth noting that in 26% of ransomware attacks, the dwell time was one day. In 48%, it was less than a week.
Knowing how attackers operate is a key first step in defending against them. Here, we discuss different ways that operators evaluate and target organizations with ransomware attacks.
Some malware operators "scout out" a victim before deploying attack tools, researchers explain in Malwarebytes' latest "State of Malware" report. This step helps them determine whether an attack might yield the results they want -- as researchers note, malware campaigns that result in a ransomware attack have a higher ROI if the victim is a business, not an individual consumer.
"Victim vetting" mechanisms are meant to collect data about the victim and answer questions such as:
• What domain is this endpoint connected to?
• What is the IP address of this endpoint?
• What applications are running on this endpoint?
• Who are the endpoint's active users?
Attackers may also try to spread laterally or use a Remote Access Trojan (RAT) to find these and other answers, researchers say. In doing so, they can also better allocate resources used in an attack, avoid traps, and reduce their chances of being discovered.
Researchers note they are observing more malware samples calling home with reports about target machines. These reports then undergo manual evaluation.
"This means there is a team of people manually sorting through reports generated by the malware, prioritizing the more interesting victims, assigning special cases for a deeper dive, and performing manual recon and lateral propagation," researchers state in the report.
Remote Desktop vulnerabilities topped patching priorities in 2020, due to an increased number of CVEs patched and organizations rushing to protect their newly remote workforces. Satnam Narang, staff research engineer at Tenable, calls Remote Desktop Protocol (RDP) vulnerabilities the "bread and butter" for both ransomware attackers and cybercriminals seeking financial gain.
Many ransomware attacks gain a foothold in a target organization through a weakness in RDP software or the way it's deployed. Brute-forcing RDP is the most common method attackers use to attempt to access Windows systems and execute malware, Zscaler reports. Its public cloud threat research reveals that some 70% of business systems keep RDP ports open in the public cloud.
Attackers employ open source port-scanning tools to find publicly exposed RDP ports online. When they do, they try to break into the system with brute force or stolen credentials. Systems with weak credentials are easy targets. If successful, an attacker can sell their access online or weaken system security by disabling security software, deleting backups, or changing settings.
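As an added example (not from the Zscaler research or this article), here is detection logic a defender could run over Windows Security events to spot the RDP brute forcing described above: it counts failed RemoteInteractive logons (Event ID 4625, logon type 10) per source address in a sliding window and notes whether a success (4624) from a flagged address followed. The flattened log format, field names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample, not real telemetry: a burst of failed logons (4625,
# logon type 10 = RemoteInteractive/RDP) from one address, a single failure
# from another, then a successful logon (4624) from the flagged address.
SAMPLE_LOG = """\
2021-03-01T09:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-03-01T09:00:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2021-03-01T09:00:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2021-03-01T09:00:04 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2021-03-01T09:00:05 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2021-03-01T09:01:10 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.5
2021-03-01T09:01:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
"""

def parse(log):
    """Turn the flattened log lines into event dicts; skip anything malformed."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                       "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]})
    return events

def detect_rdp_bruteforce(log, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window; also note any later RDP success from a flagged IP."""
    fails = defaultdict(list)   # ip -> timestamps of recent failed RDP logons
    alerts = {}
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        if ev["lt"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        if ev["eid"] == 4625:
            q = fails[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # expire old failures
                q.pop(0)
            if len(q) >= threshold and ev["ip"] not in alerts:
                alerts[ev["ip"]] = {"failures": len(q), "success_after": False}
        elif ev["eid"] == 4624 and ev["ip"] in alerts:
            alerts[ev["ip"]]["success_after"] = True   # brute force may have succeeded
    return alerts
```

A success from a flagged address is the case worth paging on, since it is the point at which the article's "sell access or disable security software" step becomes possible.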
Ransomware attackers are seeking new targets to break into organizations, moving "up the stack" from server operating systems to flaws in applications and Web and application frameworks.
"Anything that has a data density application in SaaS, we started seeing ransomware moving [there]," says Srinivas Mukkamala, CEO of RiskSense.
The company's new ransomware-focused report found ransomware targeting CRM tools, open source tools, backup services, and remote access services. RiskSense researchers found 18 CVEs linked to ransomware attacks across six major parts of this space: WordPress, Apache Struts, Java, PHP, Drupal, and ASP.NET. They also noticed attackers using 19 vulnerabilities in common open source tools and related projects, including Jenkins, MySQL, OpenStack, Tomcat, Elasticsearch, OpenShift, JBoss, and Nomad.
"If you look at any modern data pipeline or digital transformation story, all of them have Elasticsearch as part of the data pipeline," Mukkamala says, noting this is a growing ransomware target.
The software-as-a-service (SaaS) category had the most CVEs seen trending with active exploits among ransomware families, a trend that underscores how threats are evolving as businesses consume more SaaS applications. A problem, RiskSense researchers note, is organizations often depend on service providers to ensure these vulnerabilities are quickly remediated as they are discovered. Until the service provider can mitigate the risk, the business remains exposed.
CrowdStrike researchers report an ongoing evolution of criminals adopting big game hunting (BGH) ransomware tactics. The trend, first detected in 2016 with the introduction of SamSam ransomware, has proliferated and changed as ransomware variants become more advanced.
In 2020, the trend continued. Financially motivated attacks made up 63% of cases analyzed by CrowdStrike Services over the past year; 81% of these cases either involved the deployment of ransomware or served as a precursor to ransomware. Attackers are refining and applying high-pressure extortion techniques and sharing new tactics across ransomware groups, they report.
One of these tactics is the development and deployment of an ELF ransomware binary that can be deployed to ESXi hosts with the goal of encrypting virtual systems. This technique was first seen in attacks by a group CrowdStrike calls Sprite Spider, which deployed the Defray777 ransomware in August 2020. Weeks later, it was used by a group called Carbon Spider. The researchers note criminals often share common exfiltration techniques as well.
The Egregor ransomware appeared in 2020 in attacks against Kmart, Ubisoft, Crytek, and Barnes & Noble, among other targets. Like many modern ransomware operators, the group behind Egregor promises if the ransom isn't paid within three days, attackers will leak part of the stolen data and alert the victim firm's clients and partners.
Researchers noticed several ways Egregor can spread and a handful of exploits operators used, including Microsoft Exchange Exploit CVE-2020-0688, VBScript Engine Exploit CVE-2018-8174, and Adobe Flash Player Exploit CVE-2018-4878/CVE-2018-1598. Another concerning infection method was the use of pen-testing platform Cobalt Strike.
The use of Cobalt Strike and other "living off the land" tools usually follows infection via phishing emails or brute forcing RDP ports. Cobalt Strike has become an increasingly common platform in attackers' toolkits, experts warn -- used in several campaigns, including a WastedLocker ransomware attack -- but there are ways to detect its use on your network.
Once on a machine, Egregor shuts down processes related to malware analysis, such as Process Monitor, in addition to applications such as MySQL, Microsoft OneNote, and Outlook. Shutting down these apps can protect the ransomware from analysis and unlock more files for attackers to encrypt, Malwarebytes researchers say.
A law enforcement operation recently arrested several people suspected of being behind the Egregor operation; however, security experts believe it will make a comeback.
Some ransomware operators, such as the Maze, RagnarLocker, and RegretLocker ransomware families, are pushing to give their tools more functionality, Malwarebytes researchers found.
"This last year we observed ransomware switching tactics and the birth of some big families," says Adam Kujawa, head of Malwarebytes Labs, pointing to Maze and Egregor ransomware as examples.
RagnarLocker, for example, found a new way to encrypt files on an endpoint that may have ransomware protection. The malware downloads a virtual machine image, loads it silently, and uses that virtual machine to launch the ransomware, accessing files through "shared folders."
This malware family used Windows XP images, which researchers note are smaller and likely a better option. Maze ransomware adopted the same technique but used Windows 10 images, which are larger, take more time, and consume more resources. To do this, the attacker would likely already need to compromise the endpoint and know the target system's technical capabilities: whether it can run a VM, for example, and how much attention that may draw.
RegretLocker did not attempt to run a VM on a target system, but it did try to accelerate the encryption of files found on a virtual hard drive file -- a large archive that holds the virtual hard disk of a virtual machine. Its operators tried a new strategy to "mount" the virtual hard disks so they could access files and encrypt, steal, or delete them.
In their analysis of CVEs weaponized in ransomware attacks, RiskSense researchers found 213 of 223, or 96%, were reported to the National Vulnerability Database (NVD) before 2019. Of the 213 flaws, 120 were actively used in ransomware threats trending in the past 10 years and 87 are currently trending.
"It's safe to say that once a vulnerability is tied to ransomware it should be considered a high risk exposure point, regardless of its age," researchers state. This should be a wake-up call to any business that only prioritizes patching newly disclosed CVEs and puts off older ones.
The top older vulnerabilities most active with ransomware families include CVE-2012-0507, CVE-2012-1723, CVE-2012-4681, and CVE-2013-0074.
"We rarely see zero-days which are successful in breaches," says RiskSense's Mukkamala. "I'm not saying it's not happening -- it's becoming more of a sparseness -- but really the successful ones are from the known vulnerabilities, and we're seeing the trend replicate in ransomware."
Security teams that want to cut down on ransomware exposure would do well to focus on CVEs from 2017, 2018, and 2019, as these years were large contributors to flaws weaponized in ransomware attacks, the report notes.
Forty percent of CVEs linked to ransomware attacks are connected to five common weakness enumerations (CWEs), RiskSense researchers report. The correlation, they say, makes it easier to predict which new vulnerability disclosures might appeal to ransomware families.
These five include:
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-20: Improper Input Validation
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-94: Improper Control of Generation of Code, or Code Injection
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
App developers and software vendors who test for, and fix, these CWEs can make it more difficult for ransomware attackers and reduce how often they need to ship critical security patches.
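The patching guidance in the RiskSense findings above (a ransomware-linked CVE is high risk regardless of age; the five CWEs and the 2017-2019 disclosure years are the next signals) can be encoded as a triage rule set for a vulnerability-scanner export. This is an added example, not the report's methodology: the weights, the export format and the placeholder CVE ids (all except the four the article names) are my own assumptions.

```python
# Added example: rank scanner findings by the article's ransomware signals.
RANSOMWARE_CWES = {"CWE-119", "CWE-20", "CWE-264", "CWE-94", "CWE-200"}
# The older CVEs the article names as active with ransomware families.
RANSOMWARE_LINKED = {"CVE-2012-0507", "CVE-2012-1723", "CVE-2012-4681", "CVE-2013-0074"}
PEAK_YEARS = {2017, 2018, 2019}   # years the report calls large contributors

def score_finding(cve, cwe, cvss):
    """Return (score, reasons). Assumed weights: a known ransomware link
    dominates, then a top-five CWE, then a 2017-2019 disclosure, then CVSS."""
    year = int(cve.split("-")[1])
    score, reasons = cvss, []
    if cve in RANSOMWARE_LINKED:
        score += 100   # high-risk exposure point regardless of age
        reasons.append("tied to ransomware")
    if cwe in RANSOMWARE_CWES:
        score += 20    # predictive: the CWE class ransomware families favor
        reasons.append(f"{cwe} is a top ransomware CWE")
    if year in PEAK_YEARS:
        score += 10
        reasons.append(f"{year} disclosure")
    return score, reasons

def patch_queue(findings):
    """findings: iterable of (cve, cwe, cvss). Returns CVE ids, highest priority first."""
    ranked = sorted(findings, key=lambda f: score_finding(*f)[0], reverse=True)
    return [f[0] for f in ranked]

# Constructed scanner export; ids other than CVE-2012-0507 are placeholders, not real CVEs.
FINDINGS = [
    ("CVE-2021-00001", "CWE-79", 9.8),    # new and high CVSS, but no ransomware signal
    ("CVE-2012-0507", "CWE-20", 7.5),     # nine years old, yet ransomware-linked
    ("CVE-2018-00002", "CWE-119", 8.1),   # peak year plus a top-five CWE
    ("CVE-2015-00003", "CWE-287", 5.3),
]
```

Note how a CVSS-only queue would put the 2021 finding first, while the ransomware-aware ordering surfaces the 2012 flaw the way the report recommends.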