General Introduction
Last updated
Ransomware is malicious software that holds a system or systems hostage until a demanded sum, usually in cryptocurrency such as bitcoin, is paid to the threat actor, who then supplies a decryption key to unlock the affected systems. Paying does not end the problem: the ransomware, and any backdoors installed alongside it, are usually still in the environment and can be reactivated, at which point the threat actor simply asks for more money. The US Federal Bureau of Investigation advises against paying ransoms, because payment funds cyber crime, encourages further attacks on other organizations, and does not guarantee that a working decryptor will be delivered.
To explain how ransomware works, we will use the cyber kill chain as a reference. The cyber kill chain was developed by Lockheed Martin and describes the seven phases that an intrusion, whether by commodity malware or an advanced persistent threat (APT), typically passes through, and how each phase feeds the next. The model applies to most kinds of intrusion; in this article we apply it to ransomware, where the end goal is usually to exfiltrate valuable files from the organization's network (for sale or as extortion leverage) and then encrypt them so that the organization is pressured to pay for their release.
There are seven phases of the Cyber Kill Chain:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C&C)
Actions on Objectives (Exfiltration/Encryption)
The first phase of a ransomware attack is reconnaissance: gathering data about high-value targets, including email addresses, network layout, system details, personal data, and anything else likely to be useful in the following phases. Social media is a key source. It lets threat actors see who works at which company, what their titles are, and in some cases who their manager is, which is enough to start building a target list and to make later phishing messages convincing.
Social engineering is a key reconnaissance activity: manipulating people into revealing information or granting access rather than attacking systems directly. It can be as simple as posing as a courier with a delivery for the CEO and collecting names, phone numbers, and email addresses along the way, or as bold as posing as a technician from the local Internet service provider who needs access to the server room to fix a fault. These are two examples among hundreds that could be used to gather information for a future malware event.
System details are especially valuable because they tell the threat actor which known vulnerabilities apply to the operating systems and hardware platforms in use. Turning those vulnerabilities into a usable way into the corporate network is the next phase of the kill chain: weaponization.
Weaponization is where the threat actor uses the reconnaissance results to choose exploits for the vulnerabilities found, and pairs each exploit with a payload that will deliver and install the malware (for example, a document that abuses an office-suite macro or a known parser flaw to drop a loader). The aim of this phase is to ensure that the actor has at least one working way into the corporate network or the targeted systems before anything is sent.
Another way to look at this is to think of burglars: they look for low-hanging fruit first, the houses whose doors or windows are left unlocked. Once a burglar knows which houses are open, they can return at a time that suits them and take what they want.
Threat actors follow the same pattern. They find vulnerabilities, note which systems have them, and plan how to probe the network and its connected systems for anything of value. At this stage the actor wants multiple points of entry, so that if one is closed there is still a beachhead from which to start the next phase: delivery.
Once vulnerable systems have been identified and an entry method prepared, the threat actor has to deliver the malware. This is where things get unpleasant. Delivery can be an email telling the recipient they have won a Starbucks gift card, with an "accept the gift" link that actually downloads the payload. It can be a physical drop inside the organization's offices, such as a USB thumb drive left where an employee will find it and plug it in; note that modern Windows no longer runs autorun from removable media by default, so such drops rely on the employee opening a file on the drive or on a device that impersonates a keyboard. And if the vulnerable system is exposed to the public Internet and the flaw is remotely exploitable without user interaction, the actor can deliver the payload directly, with no help from anyone inside the organization.
Phishing email is the most common delivery method for initial access into organizations. Lack of basic security awareness training is part of the reason, although well-crafted phishing succeeds even against trained staff, so training has to be backed by technical controls such as email filtering and multi-factor authentication. Not every headline breach began with phishing, however: the 2017 Equifax breach, for example, started with exploitation of an unpatched Apache Struts vulnerability on an Internet-facing web application rather than with a malicious email.
Once the payload has been delivered, the next phase is exploitation: the initial piece of malware runs and exploits the vulnerability it was built for. On its own the exploit does nothing destructive; it gives the attacker code execution on the host, which is the foothold needed to install the rest of the payload. The delivered tooling often also includes the means to spread and move laterally across the network, using exploits for vulnerabilities identified during reconnaissance or, just as commonly, credentials harvested from the first compromised host.
At this point nothing has been encrypted or stolen; a payload has simply landed and executed inside the organization's network. From the threat actor's perspective success is still uncertain: endpoint or network countermeasures may block the next steps and render the effort inert.
The installation phase of the cyber kill chain is where things start to get interesting. The delivered malware is written to disk and made persistent on the systems compromised during the first four phases. Installation is typically scripted and takes seconds; a single command can install the malware on many hosts in a network at practically the same moment.
Installation is also the point where security tooling can begin to fire: endpoint antivirus or EDR may flag the new binary or persistence mechanism, and network security devices may notice the sudden new connections the malware opens.
Exploitation and installation frequently happen in a single motion, precisely because antivirus/antimalware, firewalls, IDS/IPS, and similar controls may be watching: the shorter the window between the two, the less chance of detection. Once installed, however, the malware may lie dormant for a long time without calling out, sometimes spreading slowly to other parts of the environment to avoid attention, and at other times moving straight on to the next phase, command and control.
Threat actors are patient and persistent; they often wait until their malware has spread as far as it can before going further. After installation the ransomware may sit inactive in the environment for an extended period. One consequence is that the malware, and the actor's persistence mechanisms, are likely to be captured in backups and restore points taken during that period, so that a naive restore brings the attacker back along with the data.
Command and control (C&C) is the mechanism by which the installed ransomware calls out to the threat actor to establish a connection. From this point the actor can direct the malware interactively and open additional connections for data exfiltration.
Simply put, a C&C server relays commands to the infected hosts, wherever in the world they are. It is very rarely the machine the threat actor is actually sitting at; more sophisticated setups chain several proxies across the globe, and the actor reaches the first hop through an anonymizing connection such as Tor. The check-ins themselves are usually disguised as ordinary outbound web traffic, which is why regular, low-jitter connections from a host to a single external address are a classic hunting signal.
It is also during the C&C phase that the data worth stealing is located and staged for exfiltration in the final phase.
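The check-in pattern described above can be hunted for in ordinary connection logs. The following is an added example, not code from the original article or from any vendor product: it reads a constructed log of outbound connections (the timestamps, hosts and addresses are invented for illustration), groups them by source and destination, and flags pairs whose inter-connection gaps are both frequent and nearly constant, the signature of a malware beacon rather than a human browsing. The thresholds are assumptions to be tuned for a real environment.

```python
"""Beacon hunting over a constructed outbound-connection log (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines in the form "<unix_ts> <src_ip> <dst_ip:port>".
# 10.0.0.5 calls 203.0.113.7 every ~300 s with a few seconds of jitter, the
# shape of a C&C check-in; 10.0.0.9 connects at irregular, human-driven times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7:443
1700000300 10.0.0.5 203.0.113.7:443
1700000601 10.0.0.5 203.0.113.7:443
1700000899 10.0.0.5 203.0.113.7:443
1700001200 10.0.0.5 203.0.113.7:443
1700001502 10.0.0.5 203.0.113.7:443
1700000010 10.0.0.9 198.51.100.2:443
1700000047 10.0.0.9 198.51.100.2:443
1700000900 10.0.0.9 198.51.100.2:443
1700001830 10.0.0.9 198.51.100.2:443
1700003000 10.0.0.9 198.51.100.2:443
1700003010 10.0.0.9 198.51.100.2:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(int(ts))
    return conns


def beacon_score(timestamps):
    """Return (mean_gap, coefficient_of_variation) of the gaps between
    consecutive connections, or None if there are too few to judge.
    A low coefficient of variation means the gaps are nearly constant."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_conns=5, max_cv=0.1):
    """Flag (src, dst) pairs whose check-ins are frequent and regular.
    min_conns and max_cv are assumed thresholds; tune them per environment."""
    alerts = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_conns:
            continue
        score = beacon_score(ts)
        if score is not None and score[1] <= max_cv:
            alerts.append({"src": src, "dst": dst,
                           "interval_s": round(score[0]),
                           "cv": round(score[1], 3)})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {a['src']} -> {a['dst']} "
              f"every ~{a['interval_s']}s (cv={a['cv']})")
```

Real implants add deliberate sleep jitter, so in practice the coefficient-of-variation threshold is loosened and combined with other signals: how rare the destination is across the fleet, whether the connections carry almost identical byte counts, and whether they continue outside working hours.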
Actions on objectives is the final phase of the ransomware attack, the mission the threat actor has been working toward from the beginning. The goal is to exfiltrate data from the organization's environment and then, as the last step, encrypt files and lock systems. The ransom note is frequently the first and only sign of the intrusion the organization ever sees; in some cases the earlier phases are never detected and are passed off as normal network activity.
Ransomware is especially damaging because the threat actor withholds the decryption key until a set amount is paid, usually in bitcoin or another cryptocurrency. If the organization does not pay, the actor typically begins leaking the stolen data to pressure the victim into paying; this combination of encryption and leak threat is commonly called double extortion.
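The encryption step has two observable side effects that a defender can look for: one process renames or rewrites a large number of files in a short time, and the rewritten content has the high byte entropy of ciphertext rather than the structure of documents. The following added example (not from the original article or any product) implements both checks. The file-activity events and the sample file contents are constructed for illustration; the stand-in for an encrypted file is deterministic pseudo-random output rather than a real cipher, and the window, count and entropy thresholds are assumptions.

```python
"""Detecting the encryption step from file activity and content (added example)."""
import hashlib
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Assumed threshold: ordinary office documents sit well below 7.5 bits."""
    return shannon_entropy(data) >= threshold


# Constructed samples: an ordinary document body and a stand-in for the same
# file after encryption (deterministic pseudo-random bytes, not a real cipher).
PLAINTEXT = b"Quarterly revenue report: region, units, revenue, margin.\n" * 20
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

# Constructed file-activity events: (timestamp, pid, old_path, new_path).
# pid 4312 renames 25 documents to a new extension inside one minute, the
# pattern of an encryptor; pid 770 is a user renaming a few files normally.
EVENTS = [(1700000000 + i, 4312, f"/srv/share/doc{i}.docx",
           f"/srv/share/doc{i}.docx.locked") for i in range(25)]
EVENTS += [(1700000000 + 20 * i, 770, f"/home/alice/draft{i}.txt",
            f"/home/alice/final{i}.txt") for i in range(3)]


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1] if "." in path else ""


def mass_rename_alerts(events, window=60, threshold=20):
    """Flag any pid that renames >= threshold files to a changed extension
    within any window-second span. Returns {pid: details} for the first
    crossing of the threshold per pid."""
    per_pid = defaultdict(deque)
    alerted = {}
    for ts, pid, old, new in sorted(events):
        if _ext(old) == _ext(new):
            continue  # extension unchanged: not the pattern being hunted
        recent = per_pid[pid]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and pid not in alerted:
            alerted[pid] = {"first": recent[0], "last": ts,
                            "count": len(recent), "ext": _ext(new)}
    return alerted


if __name__ == "__main__":
    print(f"plaintext entropy   {shannon_entropy(PLAINTEXT):.2f} bits/byte")
    print(f"ciphertext entropy  {shannon_entropy(CIPHERTEXT_LIKE):.2f} bits/byte")
    for pid, info in mass_rename_alerts(EVENTS).items():
        print(f"pid {pid}: {info['count']} files renamed to .{info['ext']} "
              f"between {info['first']} and {info['last']}")
```

On a real endpoint these two signals are fed by the EDR or file-system audit stream, and the response to a positive is to suspend the offending process and isolate the host, since every second the encryptor keeps running costs more files. Compressed archives and already-encrypted containers also score high on entropy, so the rename burst is the stronger of the two signals on its own.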
Recovering from ransomware can be done in one of two ways:
Paying the ransom to the threat actor in exchange for a decryptor for the impacted systems
Not paying, and restoring from the backup and recovery systems already in place in the organization's environment
Law enforcement agencies do not recommend paying, because the threat actor still has access to the network and could strike again at any time unless every point of entry is found and closed. They recommend engaging experienced incident responders, threat hunters and anti-malware firms to contain and eradicate the threat quickly.
Restoring from backups is usually the only other option. The difficulty is that there is no telling how long the malware has been in the environment, so the backup images of the impacted systems may contain it too. Before restoring, the organization needs to establish when the intrusion began, restore from copies that predate it, and scan restored systems before reconnecting them; offline or immutable backups that the attacker could not reach or encrypt are what make this possible.
The most common defense against ransomware, or any malware, is antivirus/antimalware that is properly installed and configured across the environment: endpoints, servers, and cloud systems alike. The network also needs next-generation firewalls, intrusion detection/prevention systems, and monitoring of east-west (lateral) traffic, so that malware moving between network segments is noticed rather than slipping between the points where detection happens.
The single greatest defense tactic against threat actors is education. Every organization should have training or enablement that helps all employees spot and report suspected phishing emails, and a clear way to report infected hosts to the security team or SOC.