Ransomware, at its core, is structured to be as loud as possible. Threat actors rely on the ability to impact as many systems as possible, as quickly as possible, to pressure their victims into paying the ransom demand so they can get back up and running as fast as they can. While there are many different threat actors using ransomware and many different variants of ransomware, these threat actors follow virtually the same attack lifecycle.
Let’s take a step into a threat actor’s mind to understand, from the 30,000-foot view, how a ransomware incident generally plays out. This overview outlines the general process for a Windows-specific environment, as that’s still the most common target for ransomware.
An actor who leverages ransomware has one main goal: gain access to as many environments as possible in hopes of getting a few big payoffs. This access is obtained, generally, in three ways:
One thing to note: with the rise of affiliate models like ransomware-as-a-service (RaaS), the actor who gained initial access to the environment may not be the one who holds the environment for ransom.
This is commonly seen when prolific malware such as TrickBot or Dridex is deployed through a phishing email. This type of malware is designed to spread as quickly as it can through the environment, and operates in a complex botnet framework to maintain access. The access that malware provides is then sold to the highest bidder on dark web marketplaces.
Once a threat actor intending to deploy ransomware has access to the environment, the next step toward the main goal is to map out the environment as quickly as possible. Much like many in the security industry, threat actors also leverage playbooks to increase efficiency. This is important for defenders and the intel community, because it can help identify what comes next based on previously identified tradecraft.
These actors will use public tools such as ADFind to query Active Directory for user and other system information, and open-source tools such as Mimikatz to attempt to gain higher privileges.
In an attempt to be more stealthy, they may leverage built-in programs on target systems such as “whoami” or “net user.” This is commonly called “living off the land,” and is an attempt to move up successive rungs toward the highest level of privileged user: the domain administrator.
During this process, actors will also target backups. This may involve stopping and deleting volume shadow copies, using their access to search specifically for common backup program names and file extensions, or even attempting to log in to cloud-based backup storage solutions. Threat actors will try as hard as they can to make it nearly impossible to recover from their deployment of ransomware.
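As an added example (not code from the original article), the following Python sketch shows the kind of detection logic a defender could run over Windows process-creation events to catch the reconnaissance, credential-access and backup-tampering commands described above occurring together on one host; the event format and sample command lines are constructed and assumed.

```python
"""Flag ransomware-precursor activity in Windows process-creation events.

Events are constructed samples (not real telemetry) modelled on the fields of
Sysmon Event ID 1 / Security Event 4688: host, timestamp, command line.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# One pattern per phase of the lifecycle described in the article.
PATTERNS = {
    "recon": re.compile(r"\b(whoami|net\s+(user|group)|adfind)\b", re.I),
    "cred_access": re.compile(r"\b(mimikatz|sekurlsa::)", re.I),
    "backup_tamper": re.compile(
        r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
}

def classify(cmdline):
    """Return the set of phases a command line matches (empty if none)."""
    return {phase for phase, rx in PATTERNS.items() if rx.search(cmdline)}

def hosts_to_escalate(events, window_minutes=30, min_phases=2):
    """Return hosts where >= min_phases distinct phases occur within the window.

    A lone 'whoami' is admin noise; recon followed by shadow-copy deletion on
    the same host within minutes is the hands-on-keyboard sequence to act on.
    """
    by_host = defaultdict(list)
    for ev in events:
        phases = classify(ev["cmdline"])
        if phases:
            by_host[ev["host"]].append((ev["ts"], phases))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, phases in hits[i:]:
                if ts - start > timedelta(minutes=window_minutes):
                    break
                seen |= phases
            if len(seen) >= min_phases:
                flagged[host] = sorted(seen)
                break
    return flagged

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "WS01", "ts": datetime(2023, 1, 1, 9, 0), "cmdline": "whoami /all"},
    {"host": "WS01", "ts": datetime(2023, 1, 1, 9, 5), "cmdline": "adfind.exe -f objectcategory=person"},
    {"host": "WS01", "ts": datetime(2023, 1, 1, 9, 20), "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "ts": datetime(2023, 1, 1, 10, 0), "cmdline": "net user"},
    {"host": "FS01", "ts": datetime(2023, 1, 1, 11, 0), "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    print(hosts_to_escalate(SAMPLE_EVENTS))  # {'WS01': ['backup_tamper', 'recon']}
```

The patterns are deliberately narrow; in production they would be paired with parent-process and user context so that legitimate administrative use of the same built-in tools does not page the on-call analyst.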
Once an actor has gained that prized domain admin account, the next step is deploying the ransomware to halt operations in the target environment.
In most cases, the system targeted for reconnaissance within the environment has access to a number of systems, such as a domain controller or a file server. This gives the actor the ability to identify which method of delivering the ransomware encryptor will have maximum impact.
The actual deployment of the encryptor happens in a number of ways:
Domain controllers and file servers are highly valued targets for threat actors looking to deploy ransomware, because these servers contain sensitive information. Domain controllers contain the keys to the environment kingdom, and the file server potentially contains the company’s sensitive or protected information. This part of the attack lifecycle has become a crucial aspect of any ransomware event.
The tricky part of data exfiltration for investigators and environment owners is that without full visibility through network logging and command-line logging, it’s difficult to ascertain what exactly an actor was able to access, let alone take out of the environment. This is where actors capitalize upon the situation and publicly shame organizations (for instance, on blogs) in attempts to get paid.
A common misconception about ransomware events is that they are fully automated. While some variants of ransomware are configured that way, the majority of ransomware incidents are the result of a human actor working hands-on in the environment. The silver lining in all of this is that defenders have chances to identify and interrupt these events if they know where to look.
The best way to interrupt a threat actor’s attempts to hold the environment for ransom is to make it harder for them. Places to start:
This resource from Mandiant provides a number of technical enhancements that cover how to do many of these things. Ultimately, there is no silver bullet to stop ransomware, and security tools can only go so far. So also keep these best practices in mind: