Some of the tools and techniques mentioned in these chapters may fall out of favor with ransomware groups, but the same principles of defense will remain salient even as ransomware attacks evolve.
In The History of Ransomware we discussed the disgruntled Conti ransomware affiliate who exposed the tools and instructions—including a how-to manual—that several of Conti’s affiliates used to conduct operations. Below is the first page of the manual included with that toolset.
“Stage I. Increasing privileges and collecting information
1. Initial exploration
1.1. Search for company income
– Finding the company’s website
– On Google: SITE + revenue (mycorporation.com + revenue) (“mycorporation.com” “revenue”) check more than 1 site, if possible
(owler, manta, zoominfo, dnb, rocketrich)
The manual starts off by telling the ransomware attacker to research the victim across multiple sites to find out how much it’s worth. The attacker will then use that information to set the ransom price. The rest of the manual is a step-by-step guide to gaining the administrative privilege access needed to carry out the successful ransomware attack. This manual, and the scripts included with it, provided an easy-to-understand how-to guide based on lessons learned.
This is one of the reasons why defending against ransomware is so challenging. The ransomware groups have seen defenses deployed by victims, figured out how to get around them, and documented that information. This is why it’s so important for organizations to understand how the attackers work, so that they can learn to be able to quickly identify malicious behavior even if the tactics, techniques, and procedures (TTPs) have changed and react accordingly.
Generally, a ransomware group farms out phishing campaigns to another threat actor who specializes in them. There are some exceptions to this: Conti ransomware, for example, is part of a larger cybercriminal group commonly referred to as Wizard Spider. Wizard Spider is a complex organization involved in many different types of cybercrime and has one of the most sophisticated phishing exploit kits in use today.
The anatomy of a ransomware attack from initial access through extortion
The image above is a diagram of …
… the anatomy of a ransomware attack from initial access to extortion. The rest of this page will walk through a typical ransomware attack and refer back to this figure. More details about each of these phases are available throughout the rest of this page and other sections of the site.
There are primarily four ways that ransomware groups gain access to victim networks:
The first three are the most common …
… ways that ransomware groups gain access through manual attacks, but automated ransomware groups rely heavily on trojanized software, especially in the form of fake downloads.
A fifth, relatively uncommon delivery method, uses exploit kits. They used to be one of the most common ways to deliver ransomware, but their use has declined significantly over the last few years because they rely primarily on exploiting flaws in Adobe Flash or Microsoft Internet Explorer, which have fallen out of use (and been discontinued). Both of these types of ransomware attacks used to be delivered primarily through banner ads and other web-based mechanisms.
Each method of initial access is different and is discussed in more detail on another page. This page will use the example of a phishing email as the point of initial access.
The ransomware operator or group …
… delivering the phishing campaign sends an email with, for example, a Microsoft Excel attachment containing a macro or script. The macro may just execute a PowerShell script, or it might exploit a vulnerability such as CVE-2021-40444 (a vulnerability in the MSHTML component of Microsoft Office).
If the exploit is successful or the PowerShell script is able to run, the malicious document runs the script that reaches out to a command-and-control server to pull down a loader.
The script grabs the BazarLoader, which is injected into memory to avoid detection and performs a few basic reconnaissance commands. Commands such as whoami (note: whoami is native to every major operating system), net, and nltest allow the operator to understand the system on which it’s installed, as well as whose system was compromised, what privileges the user and the system has, and what else the user/system can access on the network, without raising any alerts in the Security Operation Center (SOC). For Windows systems, ransomware actors use Windows-native commands to avoid alerting security teams to their presence.
What’s the difference between a loader and a dropper? The two terms are often used interchangeably and perform many of the same tasks. But there is a technical difference between the two. A dropper is self-contained—it has everything it needs to start basic reconnaissance and pull down the final payload. A loader is more lightweight and calls out to command-and-control infrastructure to get instructions and possibly pull down a secondary loader.
During this stage, the ransomware actor …
… maps the victim network, gains the access needed to deploy the ransomware, and may establish footholds on systems beyond the initial access machine, to ensure they don’t lose access to the victim’s network. This stage is the longest and most complicated part of the ransomware attack. It’s discussed in more detail on the following pages: “The Handoff from IABs to Ransomware Affiliates,” “Threat Hunting,” and “Ransomware and Active Directory.”
This stage often starts with Cobalt Strike. It’s estimated that 66% of ransomware attacks include the use of Cobalt Strike. Originally developed as a penetration testing tool, several cracked versions of Cobalt Strike have been released on underground forums, and it has been widely adopted by all types of cybercriminals from nation-state actors to ransomware groups.
Cobalt Strike is usually loaded into …
… memory via Dynamic Link Library (DLL) hijacking, which is a way of injecting malicious code into an application on a Windows machine by taking advantage of the way applications search for and load DLLs. Once Cobalt Strike is loaded into memory, the exploration of the network will continue via Living off the Land (LotL) commands, such as:
In addition to discovering the size and …
… scope of the victim network, the ransomware actors are attempting to gain administrative credentials to facilitate moving around the network. Tools such as Mimikatz and BloodHound are commonly used to get information from endpoints or other areas of collection needed to get access to the Active Directory Controller.
The threat actors will also use this time to disable any security programs that may hinder their ability to move around. There are several tools that can help the ransomware actor with this task, but many ransomware groups also have scripts that can do the job. One ransomware actor left several of these scripts behind after a failed ransomware attack. The image below, for example, is the script that disables Windows Defender.
Ransomware actors often use the Windows Management Instrumentation Command-Line (WMIC) utility to execute files that were pushed over Server Message Block (SMB) to other machines. They can also use PowerShell to execute Cobalt Strike beacons on those remote machines.
Once the ransomware actor knows that they can successfully disable any security tools the victim has in place, they’ll use the credentials they’ve gathered to start moving around the network and often deploy other Cobalt Strike beacons.
Ransomware actors also look for credentials that allow them to log in to Linux and VMware ESXi servers. This is made easier by administrators’ common practice of keeping spreadsheets with username and password information for these servers on their endpoints. Ransomware groups know to look for these.
One recurring theme across all stages of a ransomware attack is that ransomware actors prefer to use commands native to the operating system they’re attacking, such as Windows or Linux. This is often referred to as Living off the Land (LOL or LotL) by researchers. Using commands native to the operating system, as opposed to third-party tools, means that ransomware groups are less likely to be detected by defenders. Don’t misunderstand—ransomware groups have a lot of third-party tools they can and do use, but it’s important to watch for native OS commands, especially when they’re used in ways unusual for an organization.
Ransomware actors are also looking for …
… files to exfiltrate from the victim network. Secondary extortion is a critical part of a manual ransomware attack, and that requires, among other things, sensitive files that can be used for blackmail.
The Conti document dump specifically outlines exfiltration. The figure below shows affiliates how to run a specific PowerShell script that can be used to find available shared drives. The document then instructs the affiliates to look for specific types of files.
The Conti manual provides affiliates with instructions on how to find available shared drives on the network and what files they should be looking for
Specifically, the bad guys look for things like:
The Conti manual advises affiliates to …
… not stop with just these files, but to consider what other files or types of files may present a lucrative extortion opportunity. The figure below, from the same manual, provides a list of keywords in English that the affiliate should search for among network files. The presence of this list of documents and keywords (including English ones) demonstrates how important exfiltration and secondary extortion is to ransomware groups.
Instructions from the Conti manual on specific keywords for which affiliates should be searching
The next step is to get the data out of the network. The most common tools used by ransomware groups for this purpose include:
Rclone, in particular, is popular …
… among ransomware groups because it’s reliable, easy to use, and used by many systems administrators, so it’s rarely flagged by security tools. As with other parts of the operation, user instructions for Rclone are well-documented in the Conti manual.
Affiliates are instructed to create a new account on MEGA, the file-sharing service (which ransomware groups are told to pay for with Bitcoin, to maintain anonymity). As shown in the image below, once the affiliate knows which files need to be uploaded, they’re instructed to create an Rclone config file. A help file also warns the affiliate to limit the number of streams (simultaneous uploads) they create, because creating too many streams could alert the target to the affiliate’s presence.
Help file for Rclone written by the Conti operators for their affiliates
Not all ransomware groups use MEGA or other file share services. Most rely on compromised servers that act as staging servers before the data is pushed to the real command-and-control servers. Exfiltrated data generally resides on these intermediary servers for a few minutes to several hours before it’s moved to the main servers.
Before the ransomware can be deployed, however, the ransomware
actor has some work to do.
The first step in the deployment phase is to find and encrypt or destroy any backups. This is why it’s crucial to ensure that backups aren’t readily accessible from the network. Ransomware groups actively disrupt backups to try to force victims to pay—after all, if there are no backups, there’s no restore.
Generally, the next step is to deploy the ransomware on one or two systems to ensure that everything works as advertised. There’s always a battle between the ransomware actor and security tools, especially endpoint protection. The ransomware actor wants to ensure that the malware can encrypt network machines (which will generally include disabling all known security tools) without raising alerts or having their executable blocked.
With the test successfully run, the last step is to deploy the ransomware across the network. There are several ways this can be done. The ransomware actor may write a simple script that uses PsExec to execute the ransomware after pushing it to all the different machines via SMB.
They may also use Microsoft Group Policy Object (GPO) to push the ransomware from the domain controller. Some ransomware groups have used Microsoft System Center Configuration Manager (SCCM) or another remote monitoring and management (RMM) tool to push the ransomware to the target systems.
As part of the ransomware deployment process, ransomware groups also delete the Volume Shadow Copy Service (VSS). VSS is an automated service on Windows machines that makes backup copies of common file types on Windows. That way, if a file is corrupted or accidentally deleted, there’s a backup copy that can be quickly restored.
Coincidentally, many of the files automatically backed up by VSS are the types of files that ransomware actors like to encrypt. The VSS can’t be encrypted, so ransomware operators have to delete the files out of VSS to ensure there isn’t a quick way to restore encrypted files. This is an important step in ransomware detection, and is discussed in detail on this site.
After the shadow copies have been deleted and the ransomware deployed, the ransomware actor pops up a ransom note. Sometimes the demand will also be sent to all printers in the network.
Most guides mark the deployment of the ransomware as the end of the attack, but it really isn’t. For some organizations, the hardest (and lengthiest) part is the extortion stage. We’ve already discussed a number of ways that ransomware groups attempt to extort victims, but it’s difficult to adequately prepare for the sight of all an organization’s customers or a school’s students’ private data posted to an extortion website.
Remember, preparation is paramount …
… when carrying out ransomware tabletop exercises. Not only does the victim organization have to negotiate with criminals to avoid an even more critical situation, they have important decisions to make that will have a large impact on the organization’s future.
Decisions must be made quickly…
… Ransomware groups exploit a sense of urgency, such as countdown clocks, to panic their victims. In ransomware chats, the ransomware group’s negotiator uses phrases like “We need your quick feedback,” and “Please don’t delay, don’t make this mistake.” The goal is to get the victim to pay quickly before going to authorities or bringing in a negotiator.
The fallout from ransomware negotiation and extortion can last for months, not just because sensitive files are published on extortion sites, but also because of the effect on employees, clients, students, and others from having their personal details revealed. And, of course, there are the lawsuits that inevitably follow.
It’s the ransomware resource you can’t afford to be without. 437 Pages of ransomware know-how. Stay ahead of the cybercriminals: get your copy now!
Sign Up To Receive Our Monthly Ransomware Newsletter
Don’t worry, we hate spam too