This is a follow-up of my series on Ransomware (Part One: Analyzing the Anatomy of a Ransomware Attack – msandbu.org) the reason why I released this follow-up is that lately we have seen a large increase in Ransomware attacks. The reason behind this is that because lately there have been many critical vulnerabilities related to external services such as VPN, VDI and web based services that have been exploited heavily by the different active ransomware groups.
In the first part I focused on the initial attack, on how the attackers get access. In this blog post I want to focus on what happens after the attackers get access (or get the foot inside the door). The approac will be different depending on which group is trying to get in and secondly what kind of vulnerabilities that are available for the attackers to use.
However we can divide it into 4 stages (which steps are done within each stage is different depending on the group)
- Initial access
- Reconniance
- Lateral movement and persistence
- Payload delivery
Earlier in 2021/2022 we got a lot of different examples where attackers would send attachments as ISO files trough phishing campaigns, effectively bypassing the email security gateways and when users opened the ISO file it would be automatically mounted in Windows.
Initial Compromise
- In most cases utilizing phishing attacks to get the end-user to click on a malicious attachment to run some specific payload to trigger a malware like Bazarloader on the compromised endpoint.
- Other some attacks start by exploiting a vulnerable endpoint such as VPN, VDI or web based services.
Information Collection / Reconnaissance
- The initial stage after getting access to an endpoint is doing an assessment of the environment, using built-in scripts and tooling to get information about machines/network/users/data which they use to figure out the next move.
- The table below summaries some of the main tools and scripts used and tooling that the ransomware operators use to assess the environment and try and gain further access to the environment.
NB: It should be noted that this is not a complete list, but just some of those I have encountered in different customer scenarios. However, it gives a better view of tooling/scripts that they are using to collect information, persistence and remote access.
- ADFind: Retrieves information from Active Directory (AD).
- Sharpview: A .NET tool used for advanced querying against AD data.
- Net Use: Command-line utility to connect, disconnect, and manage network resources, such as mapping network drives.
- NetScan: Tool for scanning the network for machines, ports, and other network features.
- Esentutl: Utility for managing Extensible Storage Engine (ESE) database files, sometimes used in digital forensics or credential recovery.
- WMIC: Windows Management Instrumentation Command-line utility, used for gathering and setting administrative information on local or remote systems.
- nltest: Command-line tool for testing and obtaining information about Windows domains and trusts.
- Anydesk/Teamviewer: Remote desktop software used for remote control, desktop sharing, online meetings, and file transfer behind firewalls and NAT proxies.
- Atera: IT management platform that combines Remote Monitoring and Management (RMM), Professional Services Automation (PSA), and remote access into one solution.
- DcSync: A feature of Mimikatz used to simulate the behavior of a Domain Controller (DC) to retrieve password data from other DCs.
- RouterScan: Tool to find and analyze network devices, including routers.
- Mimikatz: Software used to gather credential data from Windows systems.
- Cobalt Strike: Software for Adversary Simulations and Red Team Operations, which allows for threat emulation.
- Wdigest: Part of the Windows Digest Authentication protocol, sometimes referenced in discussions about credential storage and retrieval.
- Getuin: Likely a utility for retrieving user identification numbers or information.
- Invoke-SMBAutoBrute: PowerShell script for SMB protocol brute force attacks.
- Net-GPPPassword: Tool to retrieve and decrypt Group Policy Preferences passwords.
- SharpChrome: A tool for accessing and extracting data from Chrome Browser, such as cookies, history, and saved logins.
- Seatbelt: A C# project that performs various security checks and gathers system information for situational awareness.
- Kerberoast: Technique for extracting service account credentials from Active Directory using Kerberos tickets.
- Invoke-ShareFinder: PowerShell script to find open shares on the network.
- PowerView: PowerShell tool for gaining network situational awareness in Windows domains.
- ProcessHacker: A tool for monitoring system resources, debugging software, and detecting malware.
- FileZilla SFTP: FTP, FTPS, and SFTP client used for file transfers over these protocols.
- Advanced IP Scanner: Fast and easy-to-use network scanner for Windows, with a variety of scanning options.
- MSSQLUDPScanner: Likely a tool for scanning SQL servers on a network.
- Zero.exe: Could refer to different tools, needs more context for a specific purpose.
- Splashtop Remote: Remote desktop and support software.
- SQLCMD: Command-line utility for SQL Server, allowing for SQL queries and scripts execution.
- Bloodhound: Tool for analyzing and understanding Active Directory Trust Relationships.
- UAC-Tokenmagic: Likely a reference to techniques or tools for bypassing User Account Control (UAC).
- BITSAdmin: Command-line tool to create, download or upload jobs and monitor their progress using the Background Intelligent Transfer Service (BITS).
In addition to some of the scripts/tooling mentioned in the table above, they also using many built-in capabilities to navigate in the environment such as RDP, File Explorer and some operators have also been known to use Group Policy Management to perform operations across multiple machines at the same time to distribute ransomware, disable Firewall and such.
As of now the majority of ransomware is aimed at Windows based environments, because of majority of all enterprises are running Windows in large parts of the datacenter that includes Active Directory, fileservers, and SQL servers. In addition, having Windows endpoints. However, we have also seen ransomware operators moving to new target types as well. We have seen for instance recently new ransomware variants emerge that are aiming at other services such as NAS services.
If we put this into a scenario with a specific ransomware group such as Diavol.
Diavol
Diavol was a type of ransomware that was presumably used by a group called Wizard Spider and was first discovered by FortiGuard Labs in June 2021, that used a known malware type to steal information and load payload called BazarLoader.
The initial payload was delivered to an endpoint via phishing attack, which included a link to OneDrive URL. Reason behind using OneDrive is that is it typically an URL that bypasses most firewalls and spam filters. BazarLoader tend to use known commonly known cloud services to be able to bypass security filters.
Then the user is instructed to download a Zip file which contains an ISO file to allow it to bypass any security mechanisms in downloading the file. When the user then mounts the ISO file on their file system it will mount an LNK and DLL file. Once the user executed the LNK file, the BazarLoader infection was initiated.
Initially as with BazarLoader is starts by doing internal reconnaissance of the Windows environment using scripts and commands like
- Net group “Domain Computers” /domain
- Nltest /domain_trust /all_trusts
- Net localgroup “administrator”
After performing reconnaissance BazarLoader downloads a set of DLL files using BITS that contains Cobalt Strike and begins to communicate with the operators Cobalt Strike server.
Then from the compromised machine they usually run second stage of scripts, using tools like ADfind, and then performed dumping of local credentials using a bat script.
The attackers also tend to use tools like Rubeus to do Kerberoast which is used to harvest used based TGS tickets in the domain.
Once they managed to get access to file servers, they use tools like AnyDesk and FileZilla to exfiltrate data of the environment. Then they move further to more critical system such as Backup servers and domain controllers.
After they are done with data exfiltration and gotten access to core parts of the infrastructure including backup systems, they will trigger the initial payload.
The final payload is usually done via RDP with scripts to trigger the encryption process. To maximize the effect the ransomware terminates processes that can lock access to files such as Office applications and database services. Also, they try and stop services that can also lock file access such as httpd.exe, sqlserver.exe, chrome.exe and such.
They also use scripts to find all drives attached to the host machines. In addition, they also stop VSS and ensure that VSS snapshots are deleted before they run the encryption process.
For each of the machines that gets compromised Diavol creates a unique identifier, which is then communicated back to the C2 address.
Conti
Conti was first seen in May 2020 and was one of the most common ransomware variants in 2021. The main point of getting access started mostly through spear phishing campaigns that in most cases utilized a malicious JavaScript that would drop the malware either TrickBot, IcedID or BazarLoader.
They have also been known to use brute-force attacks using RDP.
Now like with Diavol with BazarLoader, Conti uses a range of different scripts to do reconnaissance such as nltest, whoami and net.exe. Then they use CoboltStrike to escalate privileges to local system and setup communication with C2 servers.
Then the attackers use different techniques to scan the network and collect information such as ADFind, RouterScan, SharpChrome and Seatbelt. They also used tools like Kerberoast and Mimikatz to collect admin hashes or extracting passwords.
They also spend time looking into local user account profiles in search of important data or files that can be used for leverage for the ransom such as:
- Outlook (ost files)
- Login Data stored within Chrome
- KeePass / LastPaaS information
- FileZilla (sitemanager.xml)
- Local OneDrive folders
They were also known to use known Windows based vulnerabilities such as ZeroLogon, PrintNightmare and EternalBlue to gained elevated privileges within the environment.
NB: Cisco Talos Security researchers got a hold of leaked Conti documentation from a disgruntled insider that shows the attack patterns, scripts and how to use the different tools. You can see a PDF file of the summary here Conti_playbook_translated.pdf
Once they have gotten elevated privileges, they use PsExec (That is part of the sysinternals suite from Microsoft) to copy and execute Cobalt Strike Beacon on most of the systems in the network. Once they have gotten access to the domain controllers, they use built-in service like Group Policy to disable Defender services to avoid detection.
Once that is done the attackers will run the final payload, which like with Diavol would stop a lot of different built-in services that can have locks on different files on the operating system, such as:
- Microsoft Exchange
- Microsoft SQL
- Acronis Backup
- BackupExec
Before it then starts to encrypt all the different files and folders on the target machines. Like most ransomware it also has a built-in list of folders that it will ignore during encryption, this is to ensure that the systems will continue to operate after data has been encrypted. This list is in most cases static and contains folders like:
- AppData
- Program Files
- Boot
- Windows
- WinNt
However, if you have for instance have a different partition layout or have data such as domain controller’s database stored on another partition it will get encrypted. Conti also skips some file extensions such as .exe, .dll, .sys, .lnk and after it is done with the encryption all files have a. CONTI extension and within each folder it also creates a ransom note.
in 2023, we saw new threat groups emerge that contain affiliates or members from
older groups.
We have groups such as the following:
• Royal
• RansomHouse
• BlackCat
• ClopLeaks
There are dozens more now. On social media, we can see new victims being published daily. Some sources
that can be used to follow these different threat groups are the following Twitter profiles:
https://twitter.com/TMRansomMonitor
https://twitter.com/RansomwareNews
Because of the frequency in which we’re seeing new victims being impacted, it is important to use
these sources to get a view on the current trends and understand which groups are the most active.