How does ransomware work?
The worst thing possible has happened – someone has managed to compromise your infrastructure and encrypted your data. How did it happen and how did they get in?
Let’s explore some of the mechanics behind some of the different ransomware types.
Diavol ransomware
Diavol was a type of ransomware that was presumably used by a group called Wizard Spider and was first discovered by FortiGuard Labs in June 2021. It used BazarLoader, which was known malware, to steal information and malware payloads.
The initial payload was delivered to an endpoint via a phishing attack, which included a link to a OneDrive URL. The reason behind using OneDrive is that it typically provides a URL that bypasses most firewalls and spam filters.
BazarLoader tends to use commonly known cloud services to be able to bypass security filters. Then, the user is instructed to download a ZIP file that contains an ISO file to allow it to bypass any security mechanisms in downloading the file. When the user mounts the ISO file on their filesystem, it will mount an LNK and DLL file. Once the user executes the LNK file, the BazarLoader infection is initiated.
Initially, as with BazarLoader, it starts by doing internal reconnaissance of the Windows environment using scripts and commands such as the following:
Net group "DomainComputers" /domainNltest /domain_trust /all_trustsNetlocalgroup "administrator"
After performing reconnaissance, BazarLoader downloads a set of DLL files using Background Intelligent Transfer Service (BITS), which contains Cobalt Strike, and begins to communicate with the operator’s Cobalt Strike server. Then, from the compromised machine, they usually run the second stage of scripts, using tools such as AdFind, and then dump local credentials using a BAT script.
The attackers also tend to use tools such as Rubeus to perform a Kerberoast, which is used to harvest used Ticket Granting Server (TGS) tickets in the domain.
Once they manage to get access to file servers, they use tools such as AnyDesk and FileZilla to exfiltrate the data from the environment. Then, they move to more critical systems, such as backup servers and domain controllers.
Once they’ve performed data exfiltration and have access to the core parts of the infrastructure, including backup systems, they trigger the initial payload.
The final payload is usually done via RDP with scripts to trigger the encryption process. To maximize the effect, the ransomware terminates processes that can lock access to files, such as Office applications and database services. Also, they try and stop services that can also lock file access such as httpd.exe, sqlserver.exe, chrome.exe, and others.
They also use scripts to find all drives attached to the host machines. In addition, they stop the Volume Shadow Copy Service (VSS) and ensure that VSS snapshots are deleted before they run the encryption process.
For each machine that gets compromised, Diavol creates a unique identifier, which is then communicated back to the C2 address.
Figure 1.4 – Overview of the attack pattern for Diavol
This overview shows the different stages and attack patterns in a Diavol attack, where the final payload is typically distributed to all parts of the infrastructure using RDP.
Conti ransomware
Conti was first seen in May 2020 and was one of the most common ransomware variants in 2021. The main point of access was mostly through spear-phishing campaigns, which, in most cases, utilized malicious JavaScript code that would first drop a malware loader into the infrastructure using either TrickBot, IcedID, or BazarLoader.
They have also been known to use brute-force attacks using RDP.
Now, like with Diavol and BazarLoader, Conti uses a range of different scripts to do reconnaissance, such as nltest, whoami, and net.exe. Then, they use Cobalt Strike to escalate privileges to the local system and set up communication with C2 servers.
Then, the attackers use different tools to scan the network and collect information such as AdFind, Router Scan, SharpChrome, and Seatbelt. They also use tools such as Kerberoast and Mimikatz to collect admin hashes or extract passwords.
They spend time looking into local user account profiles in search of important data or files that can be used for leverage for the ransom, such as the following:
- Outlook (OST files)
- Login data stored within Chrome
- KeePass/LastPass information
- FileZilla (
sitemanager.xml) - Local OneDrive folders
They were also known to use common Windows-based vulnerabilities such as Zerologon, PrintNightmare, and EternalBlue to gain elevated privileges within the environment.
Cisco Talos security researchers got a hold of leaked Conti documentation from a disgruntled insider that shows the attack patterns, scripts, and how to use the different tools. You can see a PDF file of the summary here: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf?1630583757.
Once they have gotten elevated privileges, they use PsExec (part of the Sysinternals suite from Microsoft) to copy and execute Cobalt Strike Beacon on most of the systems in the network. Once they have gotten access to the domain controllers, they use built-in services such as Group Policy to disable Defender services to avoid detection.
Once that is done, the attackers run the final payload, which, as with Diavol, will stop a lot of different built-in services that can have locks on different files on the operating system, such as the following:
- Microsoft Exchange
- Microsoft SQL
- Acronis Backup
- Backup Exec
Most ransomware also has a built-in list of folders that it will whitelist during the encryption process. This is to ensure that the systems will continue to operate after data has been encrypted. This list is in most cases static and contains folders such as the following:
- AppData
- Program Files
- Boot
- Windows
- WinNT
However, if you have a different partition layout or data such as the domain controller’s database stored on another partition, for instance, it will get encrypted. Conti also skips some file extensions such as .exe, .dll, .sys, and .lnk. After it is done with the encryption, all files have a .CONTI extension, and within each folder, it also creates a ransom note.
Sodinokibi/REvil ransomware
Sodinokibi/REvil is maybe the most prolific ransomware group on our list. They were the ones behind the infamous Kaseya VSA supply chain attack, and they were also behind the attacks on other large companies such as Travelex and JBS Foods. JBS Foods, which is also the world’s largest meat producer, ended up paying 11 million dollars to REvil to get access back to their data.
Like the other ransomware operators mentioned earlier, REvil has been known to use malware loaders such as IceID, as well as using different brute-force attacks and exploiting known vulnerabilities such as FortiOS VPN, Pulse VPN, BlueGate, Citrix, and Oracle WebLogic Server, to name a few.
They are also one of the ransomware operators that first started targeting VMware ESXi virtual machines. They used the built-in ESXCLI command line to force stop the virtual machines and then encrypt data directly at the VMware datastore level.
For one customer that I was working with that got hit with Sodinokibi, the initial point of entry was a compromised virtual machine (via RDP) in Azure, which was then used to access the virtual infrastructure.
Like the others, REvil also had a collection of scripts and utilities that they use to do reconnaissance of the network. One thing, however, that sets them a bit apart, is that they were able to restart virtual machines in safe mode with networking and still be able to run their payload. The advantage was that they were able to run their payload and disable any EDR services on the machines before rebooting back to default mode.
Fortunately, in early 2022, the Russian government arrested multiple key resources behind the REvil ransomware group on request from the US; you can read more about it here: https://www.wsj.com/articles/russia-says-it-raided-prolific-ransomware-group-revil-with-arrests-seizures-11642179589.
LockBit ransomware
One of the most common ransomware groups at the time of writing is LockBit, which has impacted a lot of large organizations since its emergence back in 2019, such as Accenture, which was hit in late 2021.
LockBit, in addition to the other Ransomware as a Service (RaaS) operators, used a well-known Russian-speaking website forum known as XSS to advertise their affiliate program. Then, the XSS operators banned all ransomware topics on their website and LockBit started to use its own infrastructure to advertise its affiliate program.
LockBit has been known to recruit insiders to gain access to infrastructure using their affiliate program, enticing them with millions of dollars in exchange for access to valuable company data:
Figure 1.5 – A screenshot showing the recruitment program for LockBit
LockBit advertised on their website that their method of encrypting data was a lot faster than other ransomware variants and that they have great pride in their programming in terms of encryption.
Also, their ransomware (like most other ransomware variants) does not function in Russian-language-speaking countries and infrastructure that has a system language set to Russian. There is, in some cases, a built-in detection mechanism that will inform the operators or stop the information collection process if the system is running Russian.
They use a similar modus operandi to the other groups we've talked about; however, they have also evolved a lot during the last year. In October 2021, there were also rumors that they have developed their first LockBit Linux-ESXi variant.
ESXi ransomware isn’t something new, but this new variant targets both vCenter and VMware ESXi while utilizing vulnerabilities to be able to gain access to the VMware environment.
The latest additions
Now, in 2023, we have seen new threat groups emerge that contain affiliates or members from older groups.
We have groups such as the following:
- Royal
- RansomHouse
- BlackCat
- ClopLeaks
There are dozens more. On social media, we can see new victims being published daily. Some sources that can be used to follow these different threat groups are the following Twitter profiles:
- https://twitter.com/TMRansomMonitor
- https://twitter.com/RansomwareNews
Because of the frequency in which we're seeing new victims being impacted, it is important to use these sources to get a view on the current trends and understand which groups are the most active.
Looking at the big picture
Now that we have looked at some of the main attack vectors and more closely at some of the different ransomware variants, I wanted to paint a bigger picture and provide some important considerations.
Let us start by looking at the first phase of a ransomware attack where the initial compromise happens:
- In most cases, phishing attacks are utilized to get the end user to click on a malicious attachment to run some specific payload to trigger malware, such as BazarLoader, on the compromised endpoint.
- Other attacks start by exploiting a vulnerable endpoint such as Exchange, RDP, or other third-party services that are available. We have seen that after an affiliate has gained access to an organization, that access is sold to threat actors for between $5,000 and $50,000, depending on the type of access.
Once the attacker has managed to gain access, the second phase starts which is collecting information:
- The initial stage after getting access to an endpoint is assessing the environment, using built-in scripts and tooling to get information about machines/networks/users/data. This information is also used to gather proof of what kind of organization they have gained access to if they want to sell their access to it later.
The following table summarizes some of the main tools and scripts that ransomware operators use to assess an environment and try and gain further access to the environment.
It should be noted that this is not a complete list; I have just specified some I have encountered in different customer scenarios. However, it gives a better view of the tooling that hackers are using to collect information:
|
ADFind |
Atera |
Invoke- SMBAutoBrute |
Advanced IP Scanner |
|
SharpView |
BloodHound |
Net-GPPPassword |
MSSQLUDP Scanner |
|
Net Use |
DCSync |
SharpChrome |
Zero.exe |
|
NetScan |
Router Scan |
BITSAdmin |
Spashtop Remote |
|
Esentutl |
Mimikatz |
Invoke-ShareFinder |
SWLCMD |
|
WMIC |
Cobalt Strike |
PowerView |
UAC-TokenMagic |
|
Nltest |
WDigest |
Process Hacker |
Kerberoast |
|
AnyDesk/TeamViewer |
Getuin |
FileZilla SFTP |
Seatbelt |
Figure 1.6 – Table overview of commonly used tools and scripts
In addition to some of the scripts/tooling mentioned in the preceding table, attackers use many built-in capabilities to navigate the environment. These can be features such as RDP and File Explorer. Some operators have also been known to use Group Policy Management to perform operations across multiple machines at the same time.
At the time of writing, the majority of ransomware is aimed at Windows-based environments, because the majority of all enterprises are running Windows in large parts of their data centers. This includes Active Directory, file servers, and SQL servers, as well as Windows endpoints. However, we have also seen ransomware operators moving to new target types. There are also new ransomware variants emerging that are aimed at other services, such as NAS services. One of these new variants is called Deadbolt, which is aimed at QNAP NAS appliances. There have also been some variants for Linux and Mac OS X, so this is something that we should all pay attention to.
