Part One: Analyzing the Anatomy of a Ransomware Attack

Writing a book takes a long time, and just a couple of weeks ago I wrapped up and released my new book related to Ransomware Protection. As part of any book you need to do some research. Before I started on writing the book I was involved with several cases where customers had been affected by ransomware; however, I had only scratched the surface in understanding the complex picture behind it. As part of any article/book/blogpost I do, I tend to do a lot of research to fill in the missing gaps and expand my own understanding of the subject.

Hence, I wanted to write a short series of blogposts to provide you with an overview of the various stages involved in a ransomware attack, as well as the basic measures you can take to mitigate the risk of falling victim to such an attack. Although the specific attack vectors and methods of lateral movement will vary, most ransomware attacks follow a similar series of steps. In this first post I want to highlight the main different attack vectors that are usually used for ransomware attacks.

It’s important to note that the ultimate objective of a ransomware attack is to acquire maximum access, encrypt the data, and exfiltrate any valuable information. Attackers aim to extract data to increase their leverage and chances of receiving payment.

When examining the attack vectors from the user’s perspective, which is where most ransomware attacks originate, there are several factors to consider.

  1. Phishing attacks involve tricking users into opening or running a specific attachment or giving away sensitive information such as their username and password. Attackers often send attachments that exploit known vulnerabilities to gain access to the victim’s computer. Phishing attempts are typically sent through email, which is the most commonly used delivery method, but they can also occur through other collaboration channels such as Microsoft Teams.
  2. Drive-by downloads occur when attackers direct users to a specific website to download what appears to be a legitimate application. However, the application is actually a fake one that contains a Remote Access Trojan (RAT). This attack vector however is not frequently used in ransomware attacks.
  3. Attackers manage to gain access to a user’s credentials (username and password) in order to access internal systems such as VPN, VDI, email, or other publicly available services. This method of attack is known as user credential theft, and it often happens when a user reuses their credentials on third-party websites that are later hacked. One example is Colonial Pipeline, where the attackers gained access to the internal system through a compromised user account.

Typically, most ransomware attacks begin with a phishing attack. One example involved the Follina vulnerability (CVE-2022-30190), which an attacker exploited by embedding exploit code in a malicious Word document. This gave the attacker initial access to the system. When the weaponized Word document was opened, it retrieved an HTML file from a remote server that contained a PowerShell payload, and the attacker immediately injected the payload into a legitimate process (such as explorer.exe) on the host.

On the flip side, there are attack vectors that primarily target publicly available services such as VPN, VDI, email, and similar services. In many cases we have also seen a vulnerability in a specific product serve as the starting point of a ransomware attack, such as one case involving Microsoft Exchange and the ProxyShell vulnerability. This vulnerability was exploited to install multiple web shells on Microsoft Exchange, which led to the discovery of sensitive information, the dumping of LSASS, and the use of Plink and Fast Reverse Proxy to proxy RDP connections into the environment.

One of the most common attack vectors that organizations face when transitioning to public cloud environments is the brute-force attack. These attacks are particularly prevalent when public-facing services or infrastructure are deployed without adequate security measures in place, leaving the server or service exposed to password guessing. For instance, one customer was targeted in an attack where a server with RDP open and a weak local administrator password was compromised.
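The RDP brute-force case above is usually visible in the Windows Security log long before the compromise succeeds. The following is an added example (not from the original post) that flags source IPs producing a burst of failed RDP logons and notes whether a successful logon from the same source followed; the log lines are constructed in a simplified layout, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp event_id logon_type account
# source_ip" layout (not real Windows log text). 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2023-03-01T02:14:01 4625 10 Administrator 203.0.113.45
2023-03-01T02:14:03 4625 10 Administrator 203.0.113.45
2023-03-01T02:14:04 4625 10 Administrator 203.0.113.45
2023-03-01T02:14:06 4625 10 Administrator 203.0.113.45
2023-03-01T02:14:07 4625 10 Administrator 203.0.113.45
2023-03-01T02:14:10 4624 10 Administrator 203.0.113.45
2023-03-01T08:30:00 4625 10 jsmith 198.51.100.7
2023-03-01T08:31:15 4624 10 jsmith 198.51.100.7
"""

def parse_events(text):
    """Parse the simplified log layout above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "account": account, "src": src})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window and
    note whether a successful RDP logon from the same source followed the burst."""
    recent = defaultdict(deque)    # src -> failure timestamps inside the window
    fail_total = defaultdict(int)  # src -> all failed RDP logons seen
    accounts = defaultdict(set)    # src -> account names attempted
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != 10:       # ignore non-RDP logon types
            continue
        src = ev["src"]
        if ev["id"] == 4625:
            fail_total[src] += 1
            accounts[src].add(ev["account"])
            q = recent[src]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = hits.setdefault(src, {"success_after_burst": False})
                hit.update(failures=fail_total[src], accounts=accounts[src])
        elif ev["id"] == 4624 and src in hits:
            hits[src]["success_after_burst"] = True
    return hits
```

A hit with `success_after_burst` set is the pattern to page on: the guessing stopped because it worked, which is exactly the weak-local-admin scenario described above.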

Another common attack vector is the Distributed Denial of Service (DDoS) attack. In DDoS-based ransom attacks, the objective is not to encrypt or steal data but to keep public-facing services offline until the organization pays the ransom. While this may seem like a nuisance to many organizations, it can be particularly damaging to e-commerce websites where the entire business runs through the website. Cloudflare has stated that they have seen a 67% year-over-year increase in reported ransom DDoS attacks (Cloudflare DDoS threat report, 2022 Q3).

Considering these attack vectors, what measures can we take to reduce the chances of becoming the next victim?

  • Taking control of vulnerabilities is crucial. Attackers frequently exploit known vulnerabilities to gain initial access or establish a foothold in an infrastructure, whether it is an endpoint or a server. Every year, there are over 20,000 CVEs spanning a wide range of products and platforms. It is important to have a clear understanding of your application and product landscape and to closely monitor any vulnerabilities that may exist within your environment. Typically, it takes organizations around 30 to 60 days to install patches, while ransomware attacks have been observed exploiting vulnerabilities that are less than 30 days old, so if you wait too long you may already be too late.
  • Implementing guardrails is essential, particularly when deploying services in the cloud. Making a service publicly available is extremely easy in the cloud, but most cloud platforms offer mechanisms that can prevent administrators or developers from setting up public-facing services and ensure that services are deployed in a secure context. For large organizations, it is worth considering implementing external attack surface management services. These services enable you to view your infrastructure and services the same way as an attacker would, from the outside.
  • Phishing attacks remain the dominant attack vector for ransomware attacks. Therefore, it is essential to have security mechanisms in place for your collaboration tools. These mechanisms should include protection against spoofed DNS domains or Newly Registered Domains (NRD), as well as blocking uncommon attachments such as ISO, EXE, HTA, JS, and BAT. To further reduce the risk of malicious documents exploiting known vulnerabilities on a machine, Attack Surface Reduction rules can be implemented to limit Office’s ability to spawn child processes. Additionally, Application Guard can be used to ensure that files are only allowed to run within a virtualized sandbox environment on the endpoint.

In the initial segment of this series, we examined various attack vectors and strategies that can be employed to minimize the possibility of an attack. It is important to note that the majority of ransomware attacks are targeted at Windows and Active Directory environments. Many of the scripts, tools, and techniques used are intended to obtain access to an Active Directory network. The most efficient approach to lowering the risk is either to remove Windows from the equation or to relocate your endpoints to Azure Active Directory.

The next blog post will delve into the second phase, where we will examine what occurs after an endpoint has been breached and the malware loader attempts to establish persistent access to a system.
