The Anatomy of a Modern Ransomware Attack

THE AUTHOR

James Green
October 22, 2021

We recently asked renowned ransomware expert Allan Liska to describe the anatomy of a modern ransomware attack. See his response in this video, and in case you've missed it, here's the transcript:


James Green:

So I think a lot of times when we're thinking of cyber crime, we're thinking of a lone actor, alone in a basement wearing a hoodie, typing away at their keyboard. And the reality of what cyber crime looks like today couldn't be more different. Specifically in the context of ransomware, could you describe the different pieces that come together to make a full ransomware operation?

Allan Liska:

It's funny, the Ukrainian Cyber Police, whenever they do a bust of a ransomware group, they take great video of it. Not once in any of those videos have any of the ransomware actors been in hoodies. So completely blow away that myth. But yeah, a ransomware operation is really complex. It's not a single actor, again, as you say, operating in the basement. Especially when we talk about Ransomware as a Service, which is where there's one ransomware actor who rents out his ransomware capability to anybody who wants to sign up, to what he calls affiliates.

And you have the ransomware actor himself, the one who created the RaaS operation. They have developers, either on payroll or on contract, that build out the infrastructure, help weaponize exploits, and build the Portable Executable that's given out to everybody, to the affiliates, to be used in the ransomware attack.

They also have what we call the Initial Access Brokers. Those are the people that do the scanning and gain that initial access, and then hand that over to the operators who will be actually performing the ransomware attack. We have negotiators. Most of these ransomware actors are not native English speakers, so they hire negotiators to manage the negotiation chats, basically. And they have money launderers who are responsible for distributing the ransoms that are paid. So getting Bitcoin into actual cash, or fancy cars, or whatever else they want.

So there's really a wide range of people that are involved in ransomware operations, either as a core group or as contractors that regularly work for these ransomware actors. Some of these ransomware groups have 100 people or more that are just core... employees is probably not quite the right term, but close enough to employees that you'd count them as that.

James Green:

And since you mentioned employees and payroll, I think it's important as defenders to think about and picture the adversary correctly. These people are sometimes operating out of an office building. They literally, or at least figuratively have payroll, employees. It's a business.

Allan Liska:

Right, exactly. And the ransomware actors often think of themselves as business people. They're not, they're criminals, let's be clear. But you can run a criminal operation, and that's what they're doing. Because they think of themselves that way, often when you interact with these ransomware actors, you basically have to treat them like they're a business person. Because if you don't, you wind up having your decryption key deleted permanently, your files deleted, all kinds of bad things, if you go in with the approach that you're just a criminal and you're going to have to listen to everything I say.

James Green:

So as opposed to the sole operator in a basement... Let me just see if I can list off a few of the things you said. You've got somebody who creates the software in the first place, somebody who gains initial entry, somebody who comes in and does the exploration and figures out how to actually kick off the ransomware attack. We've got negotiators, money launderers, probably more. So the point is, this is a serious, full-scale operation that you're contending with. And as a defender, folks need to think about it that way.

Allan Liska:

Right. Exactly. You need to realize when you're defending against ransomware, you're defending against a group of people targeting you, and then multiply that by the dozens of ransomware groups that are out there. And you'll really understand what you're up against as a defender.

James Green:

Thanks so much, Allan.

Allan Liska:

Thank you.
