Ransomware is a type of malware that has historically been designed to encrypt data and make systems that rely on it unusable. Malicious actors then demand ransom in exchange for decrypting the data.

In 2021, we saw a huge rise in the number of ransomware attacks, where many companies were faced with their IT infrastructure and data becoming encrypted and many got their data stolen by different ransomware groups. In Norway, where I am based, we have also seen many large organizations be attacked by ransomware in the last year, which has also ended up affecting the Norwegian population. Here are some of the organizations that got hit by a ransomware attack in 2021 in Norway:

• Nordic Choice Hotels: This is one of the largest hotel chains in Scandinavia. When they got attacked, they needed to switch to manually checking people into their rooms.
• Amedia: This is the second-largest news publisher in Norway and publishes more than 90 newspapers. When they got attacked, it halted all newspaper production for over a week.
• Nortura: This is one of the largest food producers in Norway, so when they got hit by ransomware, it meant that farmers were not able to deliver animals to get processed.

In addition, there have been many high-profile attacks in other countries, such as the attack on Colonial Pipeline in the US and on MSP software provider Kaseya, which ended up impacting close to 1,500 customers worldwide.

After the attack on Colonial Pipeline, the US government implemented a new reporting regulation, which meant that an organization within the US that has fallen victim to a ransomware attack must report the incident to the FBI, CISA, or the US Secret Service.

In the last few years, we have also seen that ransomware attacks against healthcare have almost doubled, according to Sophos (https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/), however, the attacks against healthcare is not done intentionally since most ransomware groups tend to avoid healthcare businesses. In 2022, we saw several cases where ransomware groups provided the decryption key to organizations for free to avoid impacting systems that can affect patient treatments within healthcare areas such as hospitals.

The attack on Kaseya, which was done through their Virtual System Administrator (VSA) product, ended up affecting the Swedish supermarket chain Coop, which needed to close 500 stores after the attack throughout the Nordics.

In a survey that Sophos did, where they spoke with 5,400 IT decision-makers in 2021, about 37% had been hit by ransomware in the last year, which is, fortunately, a significant reduction from the year before when that number was 51%.

There have, however, also been some significant changes in the behavior of attackers. Most likely, the reduction in the number of attacks could be related to less automated attacks and more hands-on targeted attacks. Emsisoft, the security software company behind ID ransomware (malwarehunterteam.com), allows us to identify which ransomware strain has encrypted files by uploading the ransomware note file. Emsisoft posted on its website that, in 2021, there were close to 560,000 submissions to the service, which is 50,000 more than it had the year before. In addition, Emsisoft also estimated that only 25% of victims submit to their website (https://id-ransomware.malwarehunterteam.com/).

We have also seen an increase in personal engagement from threat actors. For instance, we have seen an increase in attacks close to holidays such as Christmas, since people are often more stressed and are more likely to fall victim to phishing attacks.

So many organizations worldwide have faced ransomware attacks, and looking at the statistics, the number of large organizations that have been impacted only seems to be rising. But has ransomware evolved over the last few years?

Ransomware is mostly used by attackers to exploit the weakest points in your infrastructure and then encrypt your data and infrastructure using some form of encryption method. Once the encryption is done, they leave a ransom note and wait. The only way to get access to the original data (or to be able to decrypt it) is by buying a decryption tool from the attackers using one of the digital currencies. There are also other attack methods, but I will get back to that a bit later.

Within the ransom note, you get instructions about how to contact them or access their support channels, which are typically hidden behind Tor addresses. When you access their support channel, some of the operators give some information about what happened and how much you need to pay to get access to the decryption tool:

Figure 1.1 – Ransomware operator chat support

A ransomware attack often involves multiple teams or people. Many of the different ransomware groups are split into smaller groups and affiliates. Many of the affiliates often work together to gain access to an environment, or might even be someone on the inside. They sell or give access to other teams who deploy the ransomware. The profit is usually divided between the affiliate and the group, with a one-time payment to acquire access to the environment.

Affiliates operate independently or as a member of organized groups, while some of the most well-known ransomware groups are doing active recruitment programs to get afiliates.

Ransomware attackers are only focused on getting access, encryption data, and waiting for the organization to make contact. In most cases, the ransomware operators also have some insight into your organization and the number of employees, which will also impact the ransom fee.

Most ransomware operators host self-service portals with built-in chat support to get details and information on how to pay for the decryption tool, which is only accessible on the Tor network. The most well-known groups tend to use Monero as the crypto of choice since many see it as an untraceable currency. However, we have seen other cryptocurrencies being used as well. There is also recent evidence showing that threat actors conduct business for one another, such as using money laundering services to make the money untraceable.

While most security professionals agree that you should never pay the ransom, many have paid the ransom in pure desperation to gain access to their files and get their services back up and running. Consider the alternative – your entire infrastructure, backup, and other services are gone, and rebuilding your services would take too much time and your company could even go bankrupt.

We have also seen that many organizations have been relying more on cyber insurance to cover costs related to ransomware. Ransomware was involved in 75% of all cyber insurance claims during the first half of 2021; this has also led to a significant increase in the cost of premiums.

Important note

It should be noted that in a survey that Sophos did in 2021, for organizations that paid the ransom, the average amount of data they were able to recover was only close to 65% (https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/). In some cases, when you are negotiating the price with the attackers, some of the different ransomware operators give you a free sample to show you that they have the decryption tool and can decrypt the data. In most cases, this can decrypt a single file or a single virtual machine. In most cases, they also have a good mapping of the environment, and they know which of the machines are running, such as the backup service, so you will most likely only be able to decrypt a non-important virtual machine such as a test server.

When you pay the ransom, you will either pay to get the decryption key for every single machine or get a decryption key and tool that is used for the entire environment. Once you get access to the decryption tool, it can take many hours to decrypt a single machine. If you need to decrypt an entire environment, you can expect it to take a long time.

Over the last few years, there has been a lot of focus on getting good backup and data protection services in place, and those organizations that have good backup systems and routines in place can easily restore data and be up and running again.

However, it should be noted that in many ransomware cases, we have also seen that the backup data was encrypted by the attackers. Fortunately, we are seeing more and more backup vendors adding new features, such as immutable backups, so that ransomware is less likely to impact the data.

This, of course, means that attackers have a lower chance of getting paid, so they also switch tactics to not only encrypt data but also exfiltrate data that they then could use as means for leverage.

This was, unfortunately, the case for the Finnish psychotherapy center Vastaamo, which was hit by ransomware in late 2020, where the attackers managed to encrypt their data and steal 40,000 patient journals. The attackers also used another extortion tactic, which was to contact the patients via email and ask them for a ransom directly, and if they didn’t get paid, they would publish their journals.

It should be noted that the electronic patient record that was compromised was running an outdated version of Ubuntu 16.04.1, Apache 2.4.18 (which came out in 2015), and PHP 5.6.40, which all contain many known vulnerabilities.

While most ransomware attacks aim at performing data encryption and data exfiltration, there is also another attack vector that is becoming more and more popular: Distributed Denial of Service (DDoS) attacks. DDoS-based ransomware attacks are more aimed at online retailers or cloud-based applications. Microsoft, in their yearly DDoS attack trends, stated that they see close to 2,000 DDoS attacks daily and that in 2021, they stopped one of the largest DDoS attacks ever reported, where they mitigated a DDoS attack with a throughput of 3.47 TBps and a packet rate of 340 million packets per second against an Azure customer in Asia.

The attack only lasted 15 minutes but that is more throughput than most ISPs and local data centers can handle.

Important note

More vendors are seeing an increase in the amount of DDoS attacks, and buying a DDoS attack from a botnet that lasts 1 hour only costs about $50 on the dark web. You can find more information about DDoS attack statistics in the yearly Microsoft DDoS protection report at https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/ and also from Cloudflare Radar at https://radar.cloudflare.com/notebooks/ddos-2021-q4.

Cloudflare also stated in their yearly DDoS trend report that in Q4 2021, they saw an increase of DDoS attacks of 29% compared to the previous years in the same quarter. They also surveyed customers that were targeted by DDoS attacks, and one-fourth of the respondents reported that they received a ransom letter demanding payment from the attacker.

While many DDoS attacks aim to overload the infrastructure with a large amount of traffic from multiple sources (mostly botnets) against your services, there has also been an increase in DDoS amplification attacks, where the attackers utilize a weakness in a protocol that essentially does a reverse DDoS attack. We have seen such examples with the DTLS protocol.

In 2020, Citrix and their ADC product had a weak implementation of the DTLS protocol, wherein earlier firmware was vulnerable to a DDoS amplification attack. The attackers sent forged DTLS packets where the ADC would send large packets back to the attackers, potentially leading to outbound bandwidth exhaustion, so essentially DDoS.

So far, we have taken a closer look at some of the attacks and tactics that different ransomware operators are using. Now, let’s take a closer look at some of the main attack vectors that most ransomware operators use to gain initial access.

An attack vector is best described as one of the paths that an attacker can use to try and gain access to an environment.

For ransomware attackers to be able to distribute the payload, they must go through different stages before they can launch the attack. The main attack pattern is where the attackers first gain initial access using one of the different attack vectors, which may be a compromised end user machine or infrastructure. Then, they use different techniques to try and move around the network using credentials that allow them to access other parts of the network or utilize some form of vulnerability. Then, they use different tooling or scripts to give them persistent access to the environment. Once they have been able to gain full access to the environment, they use scripts or other methods to run the payload across the infrastructure to gain further access:

Figure 1.2 – The typical attack pattern in a ransomware attack

So, how do they get their foot in the door of our infrastructure?

The following are some of the main methods.

Exploiting known vulnerabilities

This is where attackers utilize some form of vulnerability in an external service. This could be that the attacker is trying to gain access using some form of Remote Code Execution (RCE). In the last few years, we have seen many different vulnerabilities that have been used to launch ransomware attacks. Some of the products that have been victims of these attacks are as follows:

• Citrix ADC
• Microsoft Exchange
• Fortinet
• Pulse VPN
• SonicWall

Important note

A good source for seeing some of the known traffic patterns that I’ve been using for years is Bad Packets on Twitter, which has a good feed that looks at current traffic that is trying to abuse vulnerable endpoints across different services. I recommend that you add that as a source to pay attention to: https://twitter.com/bad_packets. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has made a list of known exploited vulnerabilities that can be found here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

One of the biggest vulnerabilities that was disclosed last year was ProxyShell, which used multiple vulnerabilities within Microsoft Exchange. Many security researchers were quick to provide proof-of-concept exploits using simple Python/PowerShell scripts, as seen here: https://github.com/horizon3ai/proxyshell.

This chain of vulnerabilities could allow attackers to access mailboxes stored in Exchange and also provide web shell access to the Exchange Client Access servers.

Vulnerabilities are not only used for initial access but are also used to do lateral movement. In the summer of 2021, a new vulnerability was disclosed that was a weakness in the Print Spooler service (also known as PrintNightmare) within Windows that allowed attackers to run privileged file operations on the operating system.

This meant that attackers could run arbitrary code with system privileges, both locally and remotely. Attackers that had managed to compromise an end user machine could use this vulnerability to gain further access to the infrastructure, such as domain controllers that were running the Print Spooler service.

Access through credential stuffing

Credential stuffing is where the attackers automate the process of injecting stolen username and password pairs or just try to log in against different online services. Most end users are creatures of habit and tend to reuse their usernames and passwords across many third-party services or websites. When those third-party services get breached, the end user’s information – or worse, credentials – gets compromised. In many cases, attackers dive into the different data sources from those attacks to see whether they can find any reusable credentials that they can use to try and access any external services that an organization might have.

One good way of seeing whether you have leaked credentials is by using the online service https://haveibeenpwned.com, where you can enter your email address and it will check through the different data sources to see whether your information has been leaked and what kind of data sources it was contained in.

haveibeenpwned.com also has a free domain notification service, which means that you can get notified if one of your users within a domain was in a data breach, which I also highly recommend that you sign up for.

Other services can provide similar features to detect whether a username or password has been comprised, such as the following:

• F-Secure ID PROTECTION
• Google Password Manager
• Microsoft Edge Password Monitor

In addition to this, many attackers are also carrying out phishing attacks with the aim of harvesting credentials, such as sending end users to a fake Office 365 site to collect usernames and passwords.

A new attack method that is becoming more and more common is the use of OAuth phishing against Azure Active Directory (AD), where attackers send spoofed Microsoft 365 login pages. When the user clicks on the link to provide the application access, the end user is greeted with a Permissions requested dialog:

Figure 1.3 – OAuth permission screen for a phishing attack

If the user clicks on Accept, the attacker will be able to get access to their profile in Office 365, which might also include access to emails and files, depending on what kind of permissions are granted.

Access through brute-force attacks

One of the most common attack vectors that we see is brute-force attacks on misconfigured services, such as attacks on a Windows server that is publicly exposed with Remote Desktop Protocol (RDP) enabled. This can also be any exposed service that has weak security mechanisms, such as a lack of MFA, which RDP has by default, making it susceptible to attacks.

With one customer I was working with, the initial point of compromise was an exposed Windows Server in Azure that had a public IP address and RDP enabled. Since the machine was also domain-joined and had a weak local administrator account password, it did not take a lot of time for the attackers to guess the correct combination of usernames and passwords and gain access to the environment.

As we have also seen that in cloud-based environments, attackers often have a predefined set of credentials that they use when they are doing brute-force attacks for known IP ranges. Azure environments typically use a combination of usernames such as AZADMIN/AZUREADMIN/AZURE with different combinations of passwords. An automated attack typically starts within minutes of when the machines come online in Azure.

Access through a compromised workstation or end user machine

One of the most common entry points of ransomware attacks is through a compromised end user machine. This is usually triggered when the user opens an attachment that they received or by visiting a website and from there running some form of executable.

This mostly happens because an end user receives malicious attachments from a phishing email, or by drive-by downloads. The malicious content can be a Word document containing scripts or other malicious content or Excel documents with macros.

These phishing emails are usually delivered in short campaigns. Over 60 days, Akamai observed more than 2,000 million unique domains associated with malicious activity. Of those, close to 90% had a lifespan of fewer than 24 hours, and 94% had a lifespan of fewer than 2 days. Therefore, it makes it extremely difficult to block using DNS protection services. Palo Alto also states that the majority of (close to 70%) Newly Registered Domains (NRDs), where there are an average of 140,000 domains created yearly that are associated with malicious or suspicious traffic.

The phishing emails and attachments either use malicious scripts or macros that typically contain the use of a vulnerability to be able to get access to the machine. In most cases, it requires that the end user opens the attachment and enables the content or triggers the macros. However, in August 2021, Microsoft identified a small number of attacks that were using a RCE vulnerability in MSHTML, which is the HTML engine built into Windows.

This specific vulnerability only required that the user viewed the file or document in Windows Explorer to trigger the payload to run.

Another example that I saw during COVID and with people working from home was that many employees would use their work machines directly connected to their home router, in doing so getting a public IP address on their machine from the ISP. This meant that they became susceptible to brute-force attacks if, for instance, RDP was enabled on their client machine. Make sure that RDP/SMB is not enabled and outbound firewall rules are in place unless they are specifically needed.

The worst thing possible has happened – someone has managed to compromise your infrastructure and encrypted your data. How did it happen and how did they get in?

Let’s explore some of the mechanics behind some of the different ransomware types.

Diavol ransomware

Diavol was a type of ransomware that was presumably used by a group called Wizard Spider and was first discovered by FortiGuard Labs in June 2021. It used BazarLoader, which was known malware, to steal information and malware payloads.

The initial payload was delivered to an endpoint via a phishing attack, which included a link to a OneDrive URL. The reason behind using OneDrive is that it typically provides a URL that bypasses most firewalls and spam filters.

BazarLoader tends to use commonly known cloud services to be able to bypass security filters. Then, the user is instructed to download a ZIP file that contains an ISO file to allow it to bypass any security mechanisms in downloading the file. When the user mounts the ISO file on their filesystem, it will mount an LNK and DLL file. Once the user executes the LNK file, the BazarLoader infection is initiated.

Initially, as with BazarLoader, it starts by doing internal reconnaissance of the Windows environment using scripts and commands such as the following:

• Net group "Domain Computers" /domain
• Nltest /domain_trust /all_trusts
• Net localgroup "administrator"

After performing reconnaissance, BazarLoader downloads a set of DLL files using Background Intelligent Transfer Service (BITS), which contains Cobalt Strike, and begins to communicate with the operator’s Cobalt Strike server. Then, from the compromised machine, they usually run the second stage of scripts, using tools such as AdFind, and then dump local credentials using a BAT script.

The attackers also tend to use tools such as Rubeus to perform a Kerberoast, which is used to harvest used Ticket Granting Server (TGS) tickets in the domain.

Once they manage to get access to file servers, they use tools such as AnyDesk and FileZilla to exfiltrate the data from the environment. Then, they move to more critical systems, such as backup servers and domain controllers.

Once they’ve performed data exfiltration and have access to the core parts of the infrastructure, including backup systems, they trigger the initial payload.

The final payload is usually done via RDP with scripts to trigger the encryption process. To maximize the effect, the ransomware terminates processes that can lock access to files, such as Office applications and database services. Also, they try and stop services that can also lock file access such as httpd.exe, sqlserver.exe, chrome.exe, and others.

They also use scripts to find all drives attached to the host machines. In addition, they stop the Volume Shadow Copy Service (VSS) and ensure that VSS snapshots are deleted before they run the encryption process.

For each machine that gets compromised, Diavol creates a unique identifier, which is then communicated back to the C2 address.

Figure 1.4 – Overview of the attack pattern for Diavol

This overview shows the different stages and attack patterns in a Diavol attack, where the final payload is typically distributed to all parts of the infrastructure using RDP.

Conti ransomware

Conti was first seen in May 2020 and was one of the most common ransomware variants in 2021. The main point of access was mostly through spear-phishing campaigns, which, in most cases, utilized malicious JavaScript code that would first drop a malware loader into the infrastructure using either TrickBot, IcedID, or BazarLoader.

They have also been known to use brute-force attacks using RDP.

Now, like with Diavol and BazarLoader, Conti uses a range of different scripts to do reconnaissance, such as nltest, whoami, and net.exe. Then, they use Cobalt Strike to escalate privileges to the local system and set up communication with C2 servers.

Then, the attackers use different tools to scan the network and collect information such as AdFind, Router Scan, SharpChrome, and Seatbelt. They also use tools such as Kerberoast and Mimikatz to collect admin hashes or extract passwords.

They spend time looking into local user account profiles in search of important data or files that can be used for leverage for the ransom, such as the following:

• Outlook (OST files)
• Login data stored within Chrome
• KeePass/LastPass information
• FileZilla (sitemanager.xml)
• Local OneDrive folders

They were also known to use common Windows-based vulnerabilities such as Zerologon, PrintNightmare, and EternalBlue to gain elevated privileges within the environment.

Cisco Talos security researchers got a hold of leaked Conti documentation from a disgruntled insider that shows the attack patterns, scripts, and how to use the different tools. You can see a PDF file of the summary here: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf?1630583757.

Once they have gotten elevated privileges, they use PsExec (part of the Sysinternals suite from Microsoft) to copy and execute Cobalt Strike Beacon on most of the systems in the network. Once they have gotten access to the domain controllers, they use built-in services such as Group Policy to disable Defender services to avoid detection.

Once that is done, the attackers run the final payload, which, as with Diavol, will stop a lot of different built-in services that can have locks on different files on the operating system, such as the following:

• Microsoft Exchange
• Microsoft SQL
• Acronis Backup
• Backup Exec

Most ransomware also has a built-in list of folders that it will whitelist during the encryption process. This is to ensure that the systems will continue to operate after data has been encrypted. This list is in most cases static and contains folders such as the following:

• AppData
• Program Files
• Boot
• Windows
• WinNT

However, if you have a different partition layout or data such as the domain controller’s database stored on another partition, for instance, it will get encrypted. Conti also skips some file extensions such as .exe, .dll, .sys, and .lnk. After it is done with the encryption, all files have a .CONTI extension, and within each folder, it also creates a ransom note.

Sodinokibi/REvil ransomware

Sodinokibi/REvil is maybe the most prolific ransomware group on our list. They were the ones behind the infamous Kaseya VSA supply chain attack, and they were also behind the attacks on other large companies such as Travelex and JBS Foods. JBS Foods, which is also the world’s largest meat producer, ended up paying 11 million dollars to REvil to get access back to their data.

Like the other ransomware operators mentioned earlier, REvil has been known to use malware loaders such as IceID, as well as using different brute-force attacks and exploiting known vulnerabilities such as FortiOS VPN, Pulse VPN, BlueGate, Citrix, and Oracle WebLogic Server, to name a few.

They are also one of the ransomware operators that first started targeting VMware ESXi virtual machines. They used the built-in ESXCLI command line to force stop the virtual machines and then encrypt data directly at the VMware datastore level.

For one customer that I was working with that got hit with Sodinokibi, the initial point of entry was a compromised virtual machine (via RDP) in Azure, which was then used to access the virtual infrastructure.

Like the others, REvil also had a collection of scripts and utilities that they use to do reconnaissance of the network. One thing, however, that sets them a bit apart, is that they were able to restart virtual machines in safe mode with networking and still be able to run their payload. The advantage was that they were able to run their payload and disable any EDR services on the machines before rebooting back to default mode.

Fortunately, in early 2022, the Russian government arrested multiple key resources behind the REvil ransomware group on request from the US; you can read more about it here: https://www.wsj.com/articles/russia-says-it-raided-prolific-ransomware-group-revil-with-arrests-seizures-11642179589.

LockBit ransomware

One of the most common ransomware groups at the time of writing is LockBit, which has impacted a lot of large organizations since its emergence back in 2019, such as Accenture, which was hit in late 2021.

LockBit, in addition to the other Ransomware as a Service (RaaS) operators, used a well-known Russian-speaking website forum known as XSS to advertise their affiliate program. Then, the XSS operators banned all ransomware topics on their website and LockBit started to use its own infrastructure to advertise its affiliate program.

LockBit has been known to recruit insiders to gain access to infrastructure using their affiliate program, enticing them with millions of dollars in exchange for access to valuable company data:

Figure 1.5 – A screenshot showing the recruitment program for LockBit

LockBit advertised on their website that their method of encrypting data was a lot faster than other ransomware variants and that they have great pride in their programming in terms of encryption.

Also, their ransomware (like most other ransomware variants) does not function in Russian-language-speaking countries and infrastructure that has a system language set to Russian. There is, in some cases, a built-in detection mechanism that will inform the operators or stop the information collection process if the system is running Russian.

They use a similar modus operandi to the other groups we've talked about; however, they have also evolved a lot during the last year. In October 2021, there were also rumors that they have developed their first LockBit Linux-ESXi variant.

ESXi ransomware isn’t something new, but this new variant targets both vCenter and VMware ESXi while utilizing vulnerabilities to be able to gain access to the VMware environment.

The latest additions

Now, in 2023, we have seen new threat groups emerge that contain affiliates or members from older groups.

We have groups such as the following:

• Royal
• RansomHouse
• BlackCat
• ClopLeaks

There are dozens more. On social media, we can see new victims being published daily. Some sources that can be used to follow these different threat groups are the following Twitter profiles:

• https://twitter.com/TMRansomMonitor
• https://twitter.com/RansomwareNews

Because of the frequency in which we're seeing new victims being impacted, it is important to use these sources to get a view on the current trends and understand which groups are the most active.

Looking at the big picture

Now that we have looked at some of the main attack vectors and more closely at some of the different ransomware variants, I wanted to paint a bigger picture and provide some important considerations.

Let us start by looking at the first phase of a ransomware attack where the initial compromise happens:

• In most cases, phishing attacks are utilized to get the end user to click on a malicious attachment to run some specific payload to trigger malware, such as BazarLoader, on the compromised endpoint.
• Other attacks start by exploiting a vulnerable endpoint such as Exchange, RDP, or other third-party services that are available. We have seen that after an affiliate has gained access to an organization, that access is sold to threat actors for between $5,000 and $50,000, depending on the type of access.

Once the attacker has managed to gain access, the second phase starts which is collecting information:

• The initial stage after getting access to an endpoint is assessing the environment, using built-in scripts and tooling to get information about machines/networks/users/data. This information is also used to gather proof of what kind of organization they have gained access to if they want to sell their access to it later.

The following table summarizes some of the main tools and scripts that ransomware operators use to assess an environment and try and gain further access to the environment.

It should be noted that this is not a complete list; I have just specified some I have encountered in different customer scenarios. However, it gives a better view of the tooling that hackers are using to collect information:

Figure 1.6 – Table overview of commonly used tools and scripts

In addition to some of the scripts/tooling mentioned in the preceding table, attackers use many built-in capabilities to navigate the environment. These can be features such as RDP and File Explorer. Some operators have also been known to use Group Policy Management to perform operations across multiple machines at the same time.

At the time of writing, the majority of ransomware is aimed at Windows-based environments, because the majority of all enterprises are running Windows in large parts of their data centers. This includes Active Directory, file servers, and SQL servers, as well as Windows endpoints. However, we have also seen ransomware operators moving to new target types. There are also new ransomware variants emerging that are aimed at other services, such as NAS services. One of these new variants is called Deadbolt, which is aimed at QNAP NAS appliances. There have also been some variants for Linux and Mac OS X, so this is something that we should all pay attention to.

Now that we have taken a look at the different attack vectors and some of the different ransomware variants and their attack patterns, I want to look at some of the common attack vectors in more depth, starting with identity-based attacks.

Identity-based attacks are becoming more and more common with the move to public cloud services such as Microsoft 365.

SaaS services have a common property, which is that they are available from the internet, which means that anyone can access the services.

As mentioned earlier, one of the common attack vectors is credential stuffing, where an attacker tries to log in with a list of usernames and/or email addresses that have been taken from a breach.

The following screenshot shows login attempts for one of our tenants, where it is typical that we see numerous login attempts each day from multiple locations.

This screenshot is a snippet from our sign-in log coming from Azure AD and parsed using Log Analytics (which I will cover in Chapter 7, Protecting Information Using Azure Information Protection and Data Protection):

Figure 1.7 – Overview of blocked authentication attempts to Office 365

Now, since this is Azure AD, Microsoft has built in different IP filters to stop login attempts coming from known malicious IP addresses, which means they are stopped before they can try and authenticate. However, this just shows how much authentication traffic is coming in a short period.

So, where are they coming from? How did the attackers find the user account that they are trying to log in to?

In many cases, attackers have different scrapers and scripts that crawl through websites to collect all the email addresses they can find. This can also include email addresses that were collected from an existing data breach.

A good way to see where credentials have been stolen from is by checking the affected email address at https://haveibeenpwned.com. The following screenshot shows the result where the email address was not breached:

Figure 1.8 – Information showing that no user information was found

However, if the information is found in one of the data breaches that the service has access to, the following result will appear:

Figure 1.9 – Information showing that user information was found in a breach

In some cases, the service will not display that passwords have been collected but that it only has email information collected. This is likely because the data source is not available at haveibeenpwnd.com or the attackers have bots that scrape or crawl websites for information such as email addresses.

There are even free services online that can be used to extract emails from a URL, such as Specrom Analytics (https://www.specrom.com/extract-emails-from-url-free-tool/) or using a simple Python script that can do the same as well. Then, we can compare whether the user accounts where we are getting multiple authentication attempts are easily searchable from the public website.

One way to reduce the amount of spam and brute-force attacks against users’ identities is by limiting the amount of public information that is available.

For instance, if your corporate website is published behind a Web Application Firewall (WAF), you can block traffic based on user agents.

A user agent is a form of identity where the software (the browser) identifies itself to the web server. Most common browsers today use a user agent, for example, Mozilla/5.0 (Windows NT 10.0; Win64; x64), AppleWebKit/537.36 (KHTML, like Gecko), Chrome/97.0.4692.99, Safari/537.36, and Edge/97.0.1072.76.

Important note

You can use the following website to determine what kind of known user agents are used to crawl websites and what is legitimate end user traffic: https://user-agents.net/my-user-agent.

User agents are easily forged and can even be changed using built-in mechanisms within Google Chrome developer mode, for instance, but most automated crawling using scripts tends not to bother with changing the user agent.

So, in 4 hours, I have a lot of traffic coming to my public website, which is being crawled from someone that is running something that identifies as python-requests/2.26.0, which is most likely an automated script to crawl my website:

Figure 1.10 – Web scraping attempts against my website in 4 hours using data collected in Azure Log Analytics

Having firewall rules in place to block a specific user agent would reduce the amount of crawling and would also reduce spam/phishing targeting our organization. However, if the attackers make the extra effort to alter the user agent, then blocking only certain user agents will have little effect.

Here is a great write-up on how to block or at least make it more difficult for crawlers to scrape your website: https://github.com/JonasCz/How-To-Prevent-Scraping.

Sometimes, your end user email addresses might be available on other sources that you might not have control over. However, a quick Google search can reveal some information about where the email address might be sourced.

Another way that access brokers or affiliates collect information is by using phishing attacks. There are many examples of this. One that we saw earlier this year is where users are sent an email that contains embedded links that take the victim to a phishing URL that imitates the Office 365 login page and prefills the victim’s username for increased credibility.

When the user tries to enter their username and password on the fake login page, there are scripts on the server that collect the user information and upload it to a central storage repository or on the server.

How are vulnerabilities utilized for attacks?

So, now that we have taken a closer look at some of the ways that attackers try to collect information about our end users either from scraping, phishing, or credential stuffing, we are going to take a closer look at some of the vulnerabilities that some of the different ransomware operators have been known to use in their attacks. Later in this section, I will go through how you can monitor vulnerabilities against your services.

Many of the vulnerabilities that we will go through are either utilized for initial compromise or to gain elevated access to a compromised machine and, lastly, lateral movement. The reason is to give you some understanding of how easy it can be to compromise a machine or a service and that the time before a high-severity vulnerability is known before ransomware operators start to leverage it is pretty short.

So, we are going to focus on the following vulnerabilities:

• PrintNightmare: CVE-2021-34527
• Zerologon: CVE-2020-1472
• ProxyShell: It consists of three different vulnerabilities that are used as part of a single attack chain: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207
• Citrix NetScaler ADC: CVE-2019-19781

PrintNightmare

Let’s start with PrintNightmare, which was a vulnerability that was published in July 2021. Using this vulnerability, an attacker could run arbitrary code with system privileges on a remote system and local system, so long as the Print Spooler service was enabled. So, in theory, you could utilize this vulnerability to make the domain controllers run arbitrary code, so long as the Print Spooler service was running. This is because of the functionality within a feature called Point and Print, which allows a user to automatically download config information about the printers directly from the print server to the client.

All Microsoft Common Vulnerabilities and Exposures (CVEs) get published on MSRC with dedicated support articles, highlighting which systems are affected and recommendations in terms of workaround and other countermeasures, as seen here for PrintNightmare: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.

In regard to PrintNightmare, there were multiple scripts that the InfoSec community made that could easily be used; as an example, here’s a simple PowerShell payload that exploited the vulnerability, which did not require administrator access rights and comes with a predefined DDL file that creates a local admin account on the machine: https://github.com/calebstewart/CVE-2021-1675.

Benjamin Delpy, the creator of the popular tool called Mimikatz, also created a proof of concept by setting up a public print server that you could then use from an endpoint to connect to that public server, which would then automatically create a CMD pane running as a local system context.

It took Microsoft many weeks before they managed to provide patches and recommendations on how to fix this. In the middle of August, only 1 month later, there were already news articles about ransomware operators that were exploiting the PrintNightmare vulnerability to compromise organizations.

Microsoft provided recommendations when the vulnerability was known, which was to disable the Print Spooler service until they managed to provide a security fix. It also allowed many administrators to realize that the Print Spooler service is not required to run on servers that are not end user facing, such as Citrix/RDS servers.

Important note

A general best practice is to ensure that only required services are running on a service – for example, the Print Spooler service should not be running on a domain controller. This guidance document from Microsoft provides a list of the different services and recommendations for each of them: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server.

Zerologon

Next, we have Zerologon, another high-severity CVE that exploits a vulnerability in the Netlogon process in Active Directory, which allows an attacker to impersonate any computer, including a domain controller.

To be able to leverage this vulnerability, the attack needed to be able to communicate with the domain controllers, such as having a Windows client that is joined to the Active Directory domain.

Then, the attackers would spoof another domain controller in the infrastructure and use the MS-NRPC protocol to change the password for the machine account in Active Directory, which is as simple as sending a simple TCP frame with the new password:

Figure 1.11 – Zerologon attack process

Once the new password had been accepted, the attackers could then use that new account to start new processes with an Active Directory domain controller context, which was then used to compromise the remaining infrastructure. Zerologon has been used in many ransomware attacks to, through lateral movement, compromise Active Directory and gain access to the domain controllers.

This vulnerability was fixed in a patch from Microsoft in August 2020. In September 2020, the security researchers from Secura who discovered the vulnerability issued their research, and within a week, there were already different proofs of concept published on how you can leverage the exploit. You can find the link to the initial whitepaper on the vulnerability here: https://www.secura.com/uploads/whitepapers/Zerologon.pdf.

In the months after, many organizations were hit by Ruyk, where they used the Zerologon vulnerability. On average, most security researchers state that it takes between 60 and 150 days (about 5 months) for an average organization to install a patch once it has been released by the vendor.

ProxyShell

Then, we have ProxyShell, which is a vulnerability consisting of three different CVEs used as part of a single attack chain that affected Microsoft Exchange 2013/2016/2019, which allowed attackers to do pre-authenticated RCE.

The main vulnerabilities lie in the Client Access Service (CAS) server component in Exchange, which is exposed to the internet by default to allow end users to access email services externally.

In short, the ProxyShell exploit does the following:

• Sends an Autodiscover request to leak the user's LegacyDN information with a known email address.
• Sends a MAPI request to the CAS servers to leak the user’s SID using the LegacyDN.
• Constructs a valid authentication token from the CAS service using the SID and email address.
• Authenticates to the PowerShell endpoint and executes the code using the authentication token. The example code can be found on GitHub at https://github.com/horizon3ai/proxyshell.

Horizon3.ai released a Python script to showcase how easy it is to exploit this vulnerability (https://github.com/horizon3ai/proxyshell), where you just need to run the script and point it to an Exchange CAS server.

All these vulnerabilities were patched in April 2021, but the information was published publicly in June 2021.

In February 2022, it was discovered that a significant number of organizations had failed to update their Exchange services, even though it was urgently required. More precisely, 4.3% of all Microsoft Exchange services that were publicly accessible were still unpatched for the ProxyShell vulnerability. Out of those that did apply the ProxyShell patch, 16% of organizations did not install the subsequent patches that were released from July 2021 onward, which left them open to attacks. As a result, many organizations had still not fully eliminated the vulnerability, even after six months had passed. As seen in the following Shodan screenshot from February 2022, there were still quite a high amount of public-facing Exchange servers that had the vulnerability present:

Figure 1.12 – Shodan search for vulnerable ProxyShell Exchange servers

Using a free account in Shodan.io, you can search for different applications and/or services and get an overview map of vulnerabilities. In this case, I used the http.component:"outlook web app" search tag.

Citrix ADC (CVE-2019-19781)

Lastly, we have the vulnerability in the Citrix ADC (CVE-2019-19781), which was also a high-severity vulnerability that allowed unauthenticated attackers to write a file to a location on disk. It turned out that by using this vulnerability, you could run RCE on the ADC appliance.

This had multiple implications since an ADC is often a core component in the network to provide load balancing and reverse proxy services for different services. Therefore, it most likely had many network interfaces with access to different zones, and in many cases, had access to usernames/passwords and SSL certificates.

The vulnerability itself was exploiting a directory traversal bug that calls a Perl script, which is used to append files in XML format to the appliance. This is then processed by the underlying operating system. This, in turn, allows for RCE.

This caused a lot of turmoil, with close to 60,000 vulnerable Citrix ADC servers being affected, because the vulnerability was out and Citrix did not have a patch ready. The vulnerability became public at the end of 2019, while Citrix had an expected timeframe of patches being available at the end of January 2020. This vulnerability also affected four major versions of the ADC platform, which also meant that the patch needed to be backported to earlier versions, which affected the timeline of when the patch could be ready.

While Citrix provided a workaround to mitigate the vulnerability, this did not work for all software editions because of licensing issues, with features that were not available.

Eventually, the patch was released and the vulnerability was closed, but many ADC instances were compromised. Many got infected with simple bitcoin mining scripts and others were used to deploy web shells.

One group, which was later referred to as Iran Network Team, created a web shell on each of the ADC appliances that they compromised. The group was pretty successful in deploying a backdoor to a significant number of ADC appliances. Many of these appliances were already patched but were still vulnerable due to the password-less backdoor left open on their devices by the attackers. This web shell could easily be accessed using a simple HTTP POST command.

In addition, another threat actor created a new backdoor named NOTROBIN. Instead of deploying a web shell or bitcoin mining, they would add their own shell with a predefined infection key. In addition, they would attempt to identify and remove any existing backdoors, as well as attempt to block further exploitation of the affected appliances. They did this by deleting new XML files or scripts that did not contain a per-infection secret key. This meant that a compromised ADC appliance was only accessible through the backdoor with the infection key.

Looking back at these vulnerabilities that I’ve covered, many of them were used as part of a ransomware attack. It is important to note the following:

• The time between when a vulnerability is discovered and an attacker starts exploiting it is becoming shorter and shorter.
• You should always apply security patches as soon as possible because in many cases, you might not realize the impact of a vulnerability until it is too late.
• After a vulnerability is known, if it takes too much time to install the patch to remediate it, chances are that someone might have already exploited the vulnerability.
• Also, in many cases, an attacker might have already been able to exploit the vulnerability to create a backdoor that might still be utilized even after the patch is installed.
• Many vulnerabilities evolve after the initial publication. This means that after a vulnerability becomes known, many security researchers or attackers can find new ways to use the vulnerability or find vulnerabilities within the same product/feature/service, as was the case with PrintNightmare.
• The amount of CVEs is increasing year by year: https://www.cvedetails.com/browse-by-date.php.
• High-severity vulnerabilities are not limited to Windows. This also affects other core components, including firewalls and virtualization platforms such as VMware.
• Vulnerabilities from a ransomware perspective can be used for both initial access and lateral movement, depending on what kinds of services are affected by the vulnerability.

Now that we have taken a closer look at some of the different attack vectors, such as identity-based attacks, and also looked at some of the vulnerabilities that have been utilized for ransomware attacks, such as PrintNightmare and Zerologon, let’s take a closer look at how to monitor for vulnerabilities.

Monitoring vulnerabilities

There will always be vulnerabilities and bugs, so it is important to pay attention to updates that might impact your environment.

An average business today might have somewhere between 20 and 100 different pieces of software installed within their environment. This might also include software from the same number of vendors. Consider using the following software if you are a small company running an on-premises environment:

• VMware: Virtualization
• Fortinet: Firewall
• HP: Hardware and server infrastructure
• Citrix: Virtual apps and desktop
• Microsoft Exchange: Email
• Microsoft SQL: Database
• Windows: Clients and servers
• Chrome: Browser
• Microsoft Office: Productivity
• Cisco: Core networking, wireless
• Adobe: PDF viewer/creator
• Apache HTTP: Web server

In addition to this, end users have their own applications that they need and there may be other line-of-business applications that you might need as part of your organization. Here, we have already listed over 10 different vendors and many applications/products that need to be patched. How do we maintain control and monitor for vulnerabilities?

This falls into a category called vulnerability management, which is the practice of identifying and remediating software vulnerabilities. Remediating software vulnerabilities is done either through configuration changes or, in most cases, by applying software patches from the vendors. We will go into using tooling to patch infrastructure and services in Chapter 10, Best Practices for Protecting Windows from Ransomware Attacks, but one thing I want to cover is how to monitor vulnerabilities.

While many commercial products can be used, I also tend to use other online data sources, which are listed as follows, and also many sources on social media have been extremely useful.

For example, you can use a centralized RSS feed to monitor security advisories from different vendors. This is the most common tool that I use to monitor vulnerabilities from vendors. Most websites have an RSS feed that I can collect into an RSS reader such as Feedly. Some of the RSS feeds that I use are the following:

• VMware Security Advisories RSS feed: https://www.vmware.com/security/advisories.xml.
• Citrix security RSS feed: https://tools.cisco.com/security/center/rss.x?i=44.
• NIST RSS feed: https://nvd.nist.gov/vuln/data-feeds.

In addition to the different software vendors, I also follow the centralized RSS feed from NIST. However, this is not vendor-specific, so often, I use it to correlate information that’s vendor-specific to NIST.

• Microsoft doesn’t use RSS anymore and instead uses email notifications, which you can sign up for here: https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1). However, I do monitor the Microsoft Security Response Center (MSRC) blog, which highlights some of the higher severity vulnerabilities: https://msrc-blog.microsoft.com/.

It should be noted that, depending on the different vendors you use, monitoring all these RSS feeds can be a time-consuming and repetitive process. In many cases, you should limit the amount of RSS feeds to a minimum. Some vendors also have good filtering capabilities so that you do not get information about vulnerabilities related to products you do not have. Going through the information from these feeds is something that should be turned into a routine. In larger IT teams, this task should be rotated between multiple people – for instance, you should have someone responsible for going through the information and presenting relevant information on Monday mornings.

While RSS feeds are one way to get this information, I also use some other online sources to monitor the current landscape:

• Vulmon: This provides an automated way to get alerts and notifications related to vulnerabilities and can be mapped to products. You can get a view of the latest vulnerabilities here: https://vulmon.com/searchpage?q=*&sortby=bydate. In addition, you can use Vulmon as a search engine to find related vulnerabilities and more information.
• Social media: Twitter can be an extremely useful service for monitoring current threats/vulnerabilities. As an active Twitter user myself, I have some main sources that I follow to stay up to date on current threats/vulnerabilities:
  • vFeed Inc. Vulnerability Intelligence As A Service (@vFeed_IO)
  • Threat Intel Center (@threatintelctr)

There are also products from third-party vendors that can automate this to scan the environment and look at current vulnerabilities, such as services from Qualys and Rapid7, which can be good tools to have in your toolbox when you are mixing a lot of third-party services in a large environment. It should be noted that these products do not have 100% coverage on all products/vendors, so it is still important that you have a mapping of your current application vendors and the services/applications they are providing, as well as ensuring that you are monitoring the status of each application.

In this chapter, we took a closer look at some of the main attack vectors that ransomware operators are using to get their foot in the door, by either using existing credentials or phishing attacks to lure end users and gain access to a compromised machine.

In most cases, attackers utilize one or multiple vulnerabilities either directly on an end user’s machine or to exploit external services that the organization has available.

We also took a look at some of the extortion tactics attackers use, in addition to other attack vectors, such as DDoS attacks, to pressure organizations into paying the ransom.

Then, we looked closer at some of the more well-known ransomware operators and their modus operandi, as well as some of the more frequently used attack vectors regarding identity and exploiting vulnerabilities and how they have been used in successful attacks.

Finally, we looked into how to monitor vulnerabilities and some of the sources that can be useful assets in your toolbox.

In the next chapter, we will start to look at countermeasures and build a secure foundation for our IT services, as well as adopt a zero-trust-based security architecture.