Ransomware: How It Happens

Author: CERT.br
Version: 1.0 — October 5, 2025

English translation technical review: Merike Käo, DoubleShot Security

Introduction

Originally, ransomware was a type of malware developed to make data and systems inaccessible until a ransom was paid to the attacker. It usually encrypted data or parts of the systems and required payment for the decryption key, no matter which systems were infected.

Recently, ransomware has evolved into a more elaborate type of attack, carried out by groups of multiple individuals who divide tasks and coordinate the various phases that make up the attack.

Attackers compromise organization networks and critical systems, exfiltrate data, destroy backups, encrypt data and make multiple extortion ultimatums, demanding payment for encryption keys and threatening to publish the data if the ransom is not paid. They can also make other extortion demands, such as threatening to launch distributed denial of service (DDoS) attacks against the organization or blackmailing customers by threatening to publish leaked sensitive information.

Attacks have grown significantly and monetary extortion values are also increasing with the emergence of the RaaS (Ransomware as a Service) business model. In this model, specialized groups act in an organized way in different roles:

  • Ransomware Operators: create and maintain the ransomware code, operate the Command and Control (C2) infrastructure, maintain the data leak sites and facilitate the negotiation and payment processing. Usually, the name of the ransomware corresponds to the name of the operator who created it.
  • Affiliates: responsible for compromising the victims and carrying out the attacks, receiving a percentage of the ransom. They can buy access to the victims’ networks from Initial Access Brokers.
  • Initial Access Brokers (IAB): attackers specialized in compromising networks and systems in order to sell access information, such as compromised credentials and exploits for vulnerabilities.

Understanding how ransomware attacks happen helps determine measures to protect, detect and respond to incidents. Identifying which specific ransomware was used in an attack can help with steps for incident response and remediation. In some instances, decryption keys may be publicly available and the lateral movement techniques of a specific ransomware group may be known.

Although the attacks are not exactly the same, since they depend on the victim's environment and the attacker's mode of operation, it is possible to highlight some common ransomware phases. The infographic "Ransomware: How it happens" illustrates the common phases of a ransomware attack, which are detailed below.

Infographic "Ransomware: How it happens"

1. Initial Access

The attacker seeks to compromise the organization's network using different vectors, such as leaked credentials, software vulnerabilities, social engineering (where the user is tricked into circumventing a security measure) and malware. Some common examples are:

  • Leaked remote access credentials, such as VPN and RDP passwords, compromised via data leaks, brute force attacks or malware.
  • Vulnerabilities in systems exposed on the Internet, especially on edge equipment, such as firewalls and VPN entry points.
  • Phishing, by email or text message, leading to malicious websites to capture credentials or install malware.
  • Malware sent as an email attachment or downloaded from malicious websites, for example from ads included in online search engine responses.
  • Phone calls where the attacker poses as technical support in order to install remote desktop tools, or as an organization employee requesting a password reset.

Initial Access is usually performed by an affiliate or IAB. In the case of IAB, access may have occurred prior to the ransomware attack itself and the information sold to different affiliates.

Infostealers are a mechanism widely employed to capture access credentials, including session tokens. Among the main vectors of infection by this type of malware are product key/activation generator applications (keygens) and pirated programs or applications.

2. Persistence and C2

The attacker seeks to establish persistent access, that is, any means that allows him/her to return to the environment even if the initial access is eliminated. The attacker also seeks to establish a communication mechanism between the compromised system and the C2 infrastructure. Some of the techniques used are:

  • Creation of new accounts or modification of existing accounts.
  • Malware installation, such as a backdoor access mechanism.
  • Scheduling tasks and malicious startup scripts.
  • Unauthorized use of legitimate remote access tools, such as RDP and SSH.

3. Privilege Escalation

The attacker seeks to obtain privileged permissions that make it possible to perform administrator activities, access sensitive data and move laterally on the network. Some of the most used techniques are:

  • Exploitation of vulnerabilities.
  • Compromise of privileged accounts, for example, via leaked passwords or credential dumps.
  • Modifying accounts, for example by adding permissions or group memberships.

4. Lateral Movement

The attacker seeks to understand the environment and gain access to critical systems and data. The attacker also propagates the ransomware (malware) through the environment in order to perform Encryption in the Impact phase. This phase usually makes use of:

  • Network scans.
  • Compromised credentials.
  • Software vulnerabilities.
  • Remote access tools, such as RDP and SSH.

As the attacker gains new access points, he/she can attempt to escalate privileges on other systems and establish new Persistence and C2 points.

5. Impact

The attacker seeks to cause maximum impact to pressure the organization to pay the ransom, interrupting operations and causing financial losses and damage to reputation. The most common techniques include:

  • Data exfiltration: the attacker demands payment in exchange for not publishing sensitive data, such as personal data or intellectual property. Exfiltrated data can also be sold on the Dark Web or used to extort customers.
  • Data encryption: to make systems and data inaccessible and demand payment for the keys to decrypt the information.
  • Destruction of backups: to prevent the environment from being restored and thus force payment for the decryption keys.
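The five phases above map naturally onto log correlation. The following Python is an added example, not CERT.br's code: it walks a constructed, simplified event log and tags each record with the phase it indicates (brute-forced VPN logon, new account and scheduled task, group membership change, the same account reaching new hosts over RDP, backup destruction). The Windows Security event IDs are the standard ones; the record layout, the brute-force threshold and the backup-server event name are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample log (not real telemetry). Fields: ts, host, event, actor, msg.
# Windows Security IDs used: 4625 failed logon, 4624 logon, 4720 account created,
# 4698 scheduled task created, 4732 member added to a local group.
# "BACKUP_DELETED" is an assumed application event from the backup server.
SAMPLE_LOG = [
    ("08:02:10", "vpn-gw", 4625, "jdoe", "logon failure"),
    ("08:02:11", "vpn-gw", 4625, "jdoe", "logon failure"),
    ("08:02:12", "vpn-gw", 4625, "jdoe", "logon failure"),
    ("08:02:13", "vpn-gw", 4624, "jdoe", "logon type 10"),
    ("08:10:00", "ws-17", 4720, "jdoe", "account created: svc_bkp2"),
    ("08:11:00", "ws-17", 4698, "jdoe", "scheduled task created: Updater"),
    ("09:00:00", "dc-01", 4732, "jdoe", "svc_bkp2 added to Administrators"),
    ("09:30:00", "fs-01", 4624, "svc_bkp2", "logon type 10"),
    ("09:45:00", "fs-02", 4624, "svc_bkp2", "logon type 10"),
    ("10:00:00", "bk-01", 4624, "svc_bkp2", "logon type 10"),
    ("10:05:00", "bk-01", "BACKUP_DELETED", "svc_bkp2", "repository 'nightly' deleted"),
]

BRUTE_FORCE_THRESHOLD = 3  # assumed: failed logons before a success flags Initial Access


def correlate(log):
    """Tag each record with the attack phase it indicates: [(phase, host, actor, ts)]."""
    failures = defaultdict(int)    # (host, actor) -> failed logons since last success
    hosts_seen = defaultdict(set)  # actor -> hosts where the actor logged on successfully
    findings = []
    for ts, host, event, actor, msg in log:
        phase = None
        if event == 4625:
            failures[(host, actor)] += 1
        elif event == 4624:
            if failures.pop((host, actor), 0) >= BRUTE_FORCE_THRESHOLD:
                phase = "Initial Access"    # brute force immediately followed by success
            elif hosts_seen[actor] and host not in hosts_seen[actor]:
                phase = "Lateral Movement"  # known account reaching a host it never used
            hosts_seen[actor].add(host)
        elif event in (4720, 4698):
            phase = "Persistence and C2"    # new account or scheduled task
        elif event == 4732 and "Administrators" in msg:
            phase = "Privilege Escalation"  # added to a privileged group
        elif event == "BACKUP_DELETED":
            phase = "Impact"                # backups destroyed before encryption
        if phase:
            findings.append((phase, host, actor, ts))
    return findings


def phases_in_order(findings):
    """Distinct phases in first-seen order, showing how far the chain progressed."""
    return list(dict.fromkeys(f[0] for f in findings))
```

Run over the sample, the chain reaches Impact; stopping the log at the first logon yields only Initial Access, which is the point at which an alert is most useful.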