Ransomware, at its core, is structured to be as loud as possible. Threat actors rely on the ability to impact as many systems as possible, as quickly as possible, to pressure their victims into paying the ransom demand so they can get back up and running as fast as they can. While there are many different threat actors using ransomware and many different variants of ransomware, these threat actors follow virtually the same attack lifecycle.
Let’s take a step into a threat actor’s mind to understand, from the 30,000-foot view, how a ransomware incident generally plays out. This overview outlines the general process for a Windows-specific environment, as that’s still the most common target for ransomware.
1. Initial Compromise
An actor who leverages ransomware has one main goal: gain access to as many environments as possible in hopes of getting a few big payoffs. This access is obtained, generally, in three ways:
- Phishing
- Abusing single-factor entry points (such as VPN, RDP jump boxes and VDI environments)
- Exploiting critical vulnerabilities in externally facing devices
One thing to note: with the rise of affiliate models like ransomware-as-a-service (RaaS), the actor who gained initial access to the environment may not be the one who holds the environment for ransom.
This is commonly seen when prolific malware such as TrickBot or Dridex is deployed through a phishing email. This type of malware is designed to spread as quickly as it can through the environment, and operates in a complex botnet framework to maintain access. The access that malware provides is then sold to the highest bidder on dark web marketplaces.
2. Elevating Privileges and Lateral Movement
Once a threat actor intending to deploy ransomware has access to the environment, the next step toward the main goal is to map out the environment as quickly as possible. Much like many in the security industry, threat actors also leverage playbooks to increase efficiency. This is important for defenders and the intel community, because it can help identify what comes next based on previously identified tradecraft.
These actors will use public tools such as AdFind to query Active Directory for user and other system information, and open-source tools such as Mimikatz to attempt to gain higher privileges.
In an attempt to be more stealthy, they may leverage built-in programs on target systems such as “whoami” or “net user.” This is commonly called “living off the land,” and is an attempt to move up successive rungs toward the highest level of privileged user: the domain administrator.
During this process, actors will also target backups. This may involve stopping and deleting volume shadow copies, using their access to search specifically for common backup program names and extensions, or even attempting to log in to cloud-based backup storage solutions. Threat actors will try as hard as they can to make it nearly impossible to recover from their deployment of ransomware.
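The living-off-the-land reconnaissance and backup destruction described above leave a recognizable trail in process-creation logs. As an added example (not from the original post), the following Python detection logic runs over a constructed set of process-creation records in a simplified "timestamp|host|user|image|commandline" layout, matches them against rules for built-in enumeration commands and shadow-copy deletion, and escalates any host that shows both behaviours. The log format, hostnames and rule set are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation records (the kind of data Sysmon Event ID 1
# or Windows 4688 with command-line logging would provide), in a simplified layout.
SAMPLE_LOG = r"""
2024-05-01T09:12:03|WS-041|corp\jdoe|C:\Windows\System32\whoami.exe|whoami /all
2024-05-01T09:12:20|WS-041|corp\jdoe|C:\Windows\System32\net.exe|net group "domain admins" /domain
2024-05-01T09:13:05|WS-041|corp\jdoe|C:\Temp\adfind.exe|adfind.exe -f objectcategory=computer -csv
2024-05-01T09:30:44|WS-041|corp\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-05-01T09:31:02|WS-041|corp\jdoe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-05-01T10:02:11|FS-01|corp\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-05-01T10:05:00|WS-007|corp\asmith|C:\Windows\System32\net.exe|net group "domain admins" /domain
"""

# Detection rules: (name, category, case-insensitive regex applied to the command line).
RULES = [
    ("whoami_enum",      "recon",  r"^whoami\b"),
    ("net_group_admins", "recon",  r'^net1?\s+(group|localgroup)\s+"?domain admins'),
    ("adfind_query",     "recon",  r"\badfind(\.exe)?\b"),
    ("vss_delete",       "backup", r"^vssadmin\b.*\bdelete\s+shadows"),
    ("wmic_shadow_del",  "backup", r"^wmic\b.*\bshadowcopy\b.*\bdelete"),
]

def parse(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}

def match_rules(cmd):
    return [(name, cat) for name, cat, rx in RULES if re.search(rx, cmd, re.I)]

def analyze(log_text):
    """Group rule hits per host. A host showing both reconnaissance and backup
    destruction is escalated, since that pairing precedes encryptor deployment."""
    per_host = defaultdict(lambda: {"hits": [], "categories": set()})
    for line in log_text.strip().splitlines():
        ev = parse(line)
        for name, cat in match_rules(ev["cmd"]):
            per_host[ev["host"]]["hits"].append((ev["ts"], ev["user"], name))
            per_host[ev["host"]]["categories"].add(cat)
    findings = {}
    for host, data in per_host.items():
        sev = "critical" if data["categories"] >= {"recon", "backup"} else "medium"
        findings[host] = {"severity": sev, "hits": data["hits"]}
    return findings

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        print(host, f["severity"], [h[2] for h in f["hits"]])
```

Note that "vssadmin list shadows" on FS-01 produces no hit: the rules key on the destructive verbs, not on the presence of the binary alone.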
3. Deploying Ransomware
Once an actor has gained that prized domain admin account, the next step is deploying the ransomware to halt operations in the target environment.
In most cases, the system targeted for reconnaissance within the environment has access to a number of systems, such as a domain controller or a file server. This gives the actor the ability to identify which method of delivering the ransomware encryptor will have maximum impact.
The actual deployment of the encryptor happens in a number of ways:
- Manual deployment: The actor will log in to systems and manually run the encryptor on systems within the environment.
- Script files: The actor will leverage several script files to automate the deployment from one or two systems within the environment, using protocols such as RDP and WMI along with Windows batch scripts.
- Group Policy Objects (GPOs): The actor will leverage access to the domain controller to create new GPO files to run the encryptor, much like how a systems administrator would manage the environment.
- Existing software deployment tools: Because threat actors gain the highest level of privilege within the environment, they likely have access to the third-party tools used to administer the environment. That includes deployment software such as Windows SCCM, Kaseya, ManageEngine, and so on.
- Self-propagation/worm capabilities: Sometimes the encryptor is designed to abuse critical vulnerabilities in the operating system, providing the encryptor the ability to make its way through the environment, leveraging stolen credentials and exploiting unpatched OS vulnerabilities.
4. Data Exfiltration and Extortion
Domain controllers and file servers are highly valued targets for threat actors looking to deploy ransomware, because these servers contain sensitive information. Domain controllers contain the keys to the environment kingdom, and the file server potentially contains the company’s sensitive or protected information. This part of the attack lifecycle has become a crucial aspect of any ransomware event.
The tricky part of data exfiltration for investigators and environment owners is that without full visibility through network logging and command-line logging, it’s difficult to ascertain what exactly an actor was able to access, let alone take out of the environment. This is where actors capitalize upon the situation and publicly shame organizations (for instance, on blogs) in attempts to get paid.
A common misconception about ransomware events is that they are a fully automated effort. While there are some variants of ransomware that are configured as such, the majority of ransomware incidents are the result of a human actor. The silver lining in all of this is that defenders have chances to identify and interrupt these events if they know where to look.
Ransomware Pre-Mediation
The best way to interrupt a threat actor’s attempts to hold the environment for ransom is to make it harder for them. Places to start:
- Clean up Active Directory: Create a tiered account setup, limit the use of administrator accounts, then deprovision and remove user accounts no longer used.
- Use network segmentation to your advantage: For example, user systems should be able to access some servers, but servers rarely need to initiate network communications to user systems.
- Add multi-factor authentication to everything: This means any entry point, any jump point, even including web-based services.
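The segmentation point above (servers rarely need to initiate connections to user systems) is easy to turn into a check over connection records. As an added example that is not part of the original post, the Python below classifies constructed flow records by zone, flags server-initiated connections into user subnets unless they match an explicit allow entry, and also flags workstation-to-workstation traffic for review since that is the lateral-movement path described earlier. The subnets, flow format and allow entries are assumptions made for this example.

```python
import ipaddress

# Constructed zone map: which subnets hold user workstations and which hold servers.
# A real deployment would load this from IPAM or the CMDB.
ZONES = {
    "users":   [ipaddress.ip_network("10.10.0.0/16")],
    "servers": [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.20.1.0/24")],
}

# Hypothetical server-initiated connections into user subnets that are expected,
# keyed by (source server, destination port): an endpoint-management server
# reaching workstations over SMB and an EDR console on its agent port.
SERVER_TO_USER_ALLOW = {("10.20.1.10", 445), ("10.20.1.20", 8443)}

# Constructed flow records: "timestamp initiator_ip responder_ip responder_port",
# i.e. each line is the side that opened the connection followed by the target.
FLOWS = """\
2024-05-01T09:10:00 10.10.4.21 10.20.0.15 445
2024-05-01T09:11:30 10.20.0.15 10.10.4.21 445
2024-05-01T09:12:05 10.20.1.10 10.10.4.33 445
2024-05-01T09:15:00 10.20.0.15 10.10.7.8 3389
2024-05-01T09:16:00 10.10.4.21 10.10.4.22 445
"""

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return "unknown"

def evaluate(flow_text):
    """Return (timestamp, src, dst, port, reason) for every flow that violates the
    segmentation expectations; user-to-server flows are the normal case and pass."""
    violations = []
    for line in flow_text.strip().splitlines():
        ts, src, dst, port = line.split()
        port = int(port)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "servers" and dz == "users" and (src, port) not in SERVER_TO_USER_ALLOW:
            violations.append((ts, src, dst, port, "server_initiated_to_user"))
        elif sz == "users" and dz == "users":
            violations.append((ts, src, dst, port, "workstation_to_workstation"))
    return violations

if __name__ == "__main__":
    for v in evaluate(FLOWS):
        print(*v)
```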
This resource from Mandiant provides a number of technical enhancements that cover how to do many of these things. Ultimately, there is no silver bullet to stop ransomware, and security tools can only go so far. So also keep these best practices in mind:
- Back up early, back up often: This is a great time to figure out what, and where, your critical assets are. Not just business-critical ones, either—think about domain controllers that hold Federal Information Security Management Act (FISMA) roles. Also consider where these backups are being stored and what will happen to them if your domain administrator account is compromised.
- Re-evaluate your disaster recovery (DR) plan: Ransomware that impacts business operations is a critical event worthy of a specific section. You should think of it as similar to the effect of a hurricane taking out your data center. Evaluate how long you can be down, and then add that timeframe to your practice exercises of migrating services to a DR site.
- Realistically evaluate your “willing to pay”: What are the classifications your team has for paying a ransom? This can be a complicated discussion for the business, and should be discussed before the team is fully immersed in a ransomware event.