Anatomy of a Modern Ransomware Attack

Schoolhouse

Generally, a ransomware group farms out phishing campaigns to another threat actor who specializes in them. There are some exceptions to this: Conti ransomware, for example, is part of a larger cybercriminal group commonly referred to as Wizard Spider . Wizard Spider is a complex organization involved in many different types of cybercrime and has one of the most sophisticated phishing exploit kits in use today.

... the anatomy of a ransomware attack from initial access to extortion. The rest of this page will walk through a typical ransomware attack and refer back to this figure. More details about each of these phases are available throughout the rest of this page and other sections of the site.

... ways that ransomware groups gain access through manual attacks, but automated ransomware groups rely heavily on trojanized software, especially in the form of fake downloads.

... delivering the phishing campaign sends an email with, for example, a Microsoft Excel attachment containing a macro or script. The macro may just execute a PowerShell script, or it might exploit a vulnerability such as CVE-2021-40444 (a vulnerability in the MSHTML component of Microsoft Office).

The script grabs the BazarLoader, which is injected into memory to avoid detection and performs a few basic reconnaissance commands. Commands such as whoami (note: whoami is native to every major operating system), net, and nltest allow the operator to understand the system on which it’s installed, as well as whose system was compromised, what privileges the user and the system has, and what else the user/system can access on the network, without raising any alerts in the Security Operation Center (SOC). For Windows systems, ransomware actors use Windows-native commands to avoid alerting security teams to their presence.

definition

What's the difference between a loader and a dropper? The two terms are often used interchangeably and perform many of the same tasks. But there is a technical difference between the two. A dropper is self-contained—it has everything it needs to start basic reconnaissance and pull down the final payload. A loader is more lightweight and calls out to command-and-control infrastructure to get instructions and possibly pull down a secondary loader.

... maps the victim network, gains the access needed to deploy the ransomware, and may establish footholds on systems beyond the initial access machine, to ensure they don’t lose access to the victim’s network. This stage is the longest and most complicated part of the ransomware attack. It’s discussed in more detail on the following pages: "The Handoff from IABs to Ransomware Affiliates," "Threat Hunting," and "Ransomware and Active Directory."  

... memory via Dynamic Link Library (DLL) hijacking, which is a way of injecting malicious code into an application on a Windows machine by taking advantage of the way applications search for and load DLLs. Once Cobalt Strike is loaded into memory, the exploration of the network will continue via Living off the Land (LotL) commands, such as:

... scope of the victim network, the ransomware actors are attempting to gain administrative credentials to facilitate moving around the network. Tools such as Mimikatz and BloodHound are commonly used to get information from endpoints or other areas of collection needed to get access to the Active Directory Controller.

Once the ransomware actor knows that they can successfully disable any security tools the victim has in place, they’ll use the credentials they’ve gathered to start moving around the network and often deploy other Cobalt Strike beacons.

Schoolhouse

One recurring theme across all stages of a ransomware attack is that ransomware actors prefer to use commands native to the operating system they’re attacking, such as Windows or Linux. This is often referred to as Living off the Land (LOL or LotL) by researchers. Using commands native to the operating system, as opposed to third-party tools, means that ransomware groups are less likely to be detected by defenders. Don’t misunderstand—ransomware groups have a lot of third-party tools they can and do use, but it’s important to watch for native OS commands, especially when they’re used in ways unusual for an organization.

... files to exfiltrate from the victim network. Secondary extortion is a critical part of a manual ransomware attack, and that requires, among other things, sensitive files that can be used for blackmail.

... not stop with just these files, but to consider what other files or types of files may present a lucrative extortion opportunity. The figure below, from the same manual, provides a list of keywords in English that the affiliate should search for among network files. The presence of this list of documents and keywords (including English ones) demonstrates how important exfiltration and secondary extortion is to ransomware groups.

... among ransomware groups because it’s reliable, easy to use, and used by many systems administrators, so it’s rarely flagged by security tools. As with other parts of the operation, user instructions for Rclone are well-documented in the Conti manual.

Not all ransomware groups use MEGA or other file share services. Most rely on compromised servers that act as staging servers before the data is pushed to the real command-and-control servers. Exfiltrated data generally resides on these intermediary servers for a few minutes to several hours before it’s moved to the main servers.