What is the life cycle of a ransomware attack like?

By Caique Barqueta: Our Threat Intelligence team, Heimdall, has analyzed and explained in detail the entire life cycle of a ransomware incident, detailing the techniques used for initial access, persistence and lateral movement, as well as the impact such an incident can have on the business.

We also present some control measures that can be implemented to help prevent a ransomware incident or contain one that is already in progress, raising the organization's security maturity.

Life cycle of a ransomware incident

In this section, we'll look at the main techniques ransomware actors use against organizations, grouped by phase: Initial Access, Preparation and Persistence and, finally, Impact on the Target, i.e. the company.

Initial access

Phishing: Ransomware actors use phishing as an initial access technique because it is one of the most effective ways to deceive and manipulate users. Phishing involves creating fake emails or websites designed to look legitimate to the user.

These are some of the main reasons ransomware actors use phishing as their initial access method:

  • Ease and scale of execution: compared to other tools, phishing is easy to set up and can be run against many organizations at once; today phishing kits that include the whole infrastructure are sold on the dark web and in underground forums.
  • Obtaining credentials: with phishing, the actors' aim is usually to harvest a user's credentials and so gain initial access to the organization's network.
  • Exploitation of human weaknesses: actors treat the human factor as one of the weakest links in security, since people can be tricked, distracted or emotionally manipulated into helping the criminal carry out the attack.

Valid Credentials: Ransomware actors use valid credentials to gain initial access to networks and systems for reasons such as:

  • Avoiding initial detection: logging in with valid credentials looks legitimate and does not trip an intrusion detection system by itself; if the monitoring system is not configured to flag unusual logins (a new source address, an unusual hour, a burst of failures just before the success), access becomes even easier.
  • Reuse: credentials obtained by the criminal can often be reused elsewhere in the organization, making it easier to move around.
  • Persistence: once inside, cybercriminals can keep using the credentials to maintain access.
  • Availability: obtaining valid credentials became very easy in 2023, with various dark web and underground forums selling user credentials; leaked credentials can sometimes be found in various places without any payment at all.

Password guessing: attackers use this technique to guess the password of an account or system without exploiting a vulnerability or using other advanced techniques. Attackers carry out password guessing in a few ways, such as:

  • Dictionary attacks: the actor uses a list (the dictionary) of common words, default passwords and character combinations, trying entries such as "admin" or "123456".
  • Brute-force attacks: the actor tries every possible combination of characters until the correct password is found; this is far more time-consuming than a dictionary attack, since it can involve millions or even billions of attempts.
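The detection side of the last two techniques (valid credentials used from an unfamiliar place, and password guessing) is easy to show over authentication logs. The following is an added example written for this page, not code from the original article or from Heimdall: it parses a constructed sample of sshd-style log lines (the lines, the `KNOWN_SOURCES` baseline, the threshold of five failures and all function names are this example's own assumptions) and raises the three alerts a monitoring system should produce: many failures for one account from one source, a successful login from a source the account has never used, and a success that immediately follows a burst of failures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd-style auth log lines (not real data): a dictionary
# attack against "admin" from 203.0.113.7, then a successful login from that same
# address, which the account has never used before; "alice" is normal traffic.
SAMPLE_LOG = """\
2023-11-02T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2023-11-02T10:00:02 sshd[102]: Failed password for admin from 203.0.113.7 port 51002
2023-11-02T10:00:03 sshd[103]: Failed password for admin from 203.0.113.7 port 51003
2023-11-02T10:00:04 sshd[104]: Failed password for admin from 203.0.113.7 port 51004
2023-11-02T10:00:05 sshd[105]: Failed password for admin from 203.0.113.7 port 51005
2023-11-02T10:00:06 sshd[106]: Accepted password for admin from 203.0.113.7 port 51006
2023-11-02T10:05:00 sshd[107]: Accepted publickey for alice from 192.0.2.10 port 40001
2023-11-02T10:06:00 sshd[108]: Failed password for alice from 192.0.2.10 port 40002
2023-11-02T10:06:30 sshd[109]: Accepted password for alice from 192.0.2.10 port 40003
"""

# Assumed baseline of source addresses each account normally logs in from
# (constructed; in practice built from the last N days of successful logins).
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "admin": {"192.0.2.50"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["src"]))
    return events


def detect_password_guessing(events, threshold=5):
    """Dictionary / brute-force signal: (source, user) pairs with >= threshold
    failed logins. Returns {(src, user): failure_count}."""
    failures = Counter((src, user) for _, result, user, src in events if result == "Failed")
    return {key: n for key, n in failures.items() if n >= threshold}


def detect_unusual_logins(events, known_sources):
    """Valid-credential signal: successful logins from a source the account has
    not used before (the check the text notes many monitoring setups lack)."""
    return [
        (ts, user, src)
        for ts, result, user, src in events
        if result == "Accepted" and src not in known_sources.get(user, set())
    ]


def detect_guess_then_success(events, threshold=5):
    """Strongest signal: a burst of failures for an account from one source,
    followed by an accepted login from that same source."""
    failed = defaultdict(int)
    hits = []
    for ts, result, user, src in events:
        key = (src, user)
        if result == "Failed":
            failed[key] += 1
        elif failed[key] >= threshold:
            hits.append((ts, user, src, failed[key]))
    return hits


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("password guessing:", detect_password_guessing(ev))
    print("unusual logins:", detect_unusual_logins(ev, KNOWN_SOURCES))
    print("guess then success:", detect_guess_then_success(ev))
```

The per-source threshold catches a classic dictionary attack; a password-spraying variant (one or two attempts per account across many accounts) would instead need the counter keyed on the source alone, which is a one-line change to `detect_password_guessing`. Note also that the regex deliberately ignores sshd's "invalid user" lines, so a production rule would need a second pattern for them.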

Services Exposed on the Internet: services exposed on the Internet, such as websites, email servers, databases and others, face various security risks, such as:

  • DDoS attacks, in which actors overload a service by flooding it with a large volume of traffic, making it inaccessible to legitimate users (a DDoS denies availability rather than granting access, but it is also used as extra pressure during extortion).
  • Exploitation of software vulnerabilities: if software and systems are outdated or poorly configured, they may contain known or unknown vulnerabilities that attackers can exploit.
  • SQL injection: if the service uses a database, it may be vulnerable to SQL injection, in which an attacker manipulates SQL queries to read, modify or delete data in the database.
  • XSS (cross-site scripting): malicious code injected into web pages or applications and rendered in users' browsers, allowing the attacker to steal information such as session cookies or perform actions on behalf of the user.

Exploitation of Vulnerabilities: this category refers to a weakness or specific flaw in software, hardware or a system that a malicious agent can exploit to compromise its security or functionality; a vulnerability may allow a cybercriminal to gain unauthorized access, execute malicious code or carry out other actions.

E-mail with Malicious Document delivery and use of Malware: cybercriminals use this technique for a number of reasons, such as:

  • Deceiving victims: e-mail is one of the most common forms of communication and can therefore be used to deliver potentially malicious artifacts without raising suspicion.
  • Efficient distribution of malware: by attaching a malicious artifact to an e-mail, cybercriminals can reach many victims at once.
  • Other techniques and motives exist, but these are the main ones used to obtain initial access.
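A common form of the "malicious document" in this technique is an Office file carrying a VBA macro. As an added example for this page (not code from the original article), the check below opens an attachment as the zip container that Office Open XML files are and looks for the `vbaProject.bin` part that holds a macro project; the two in-memory documents it inspects are constructed fixtures, not real documents or malware, and the function and constant names are this example's own.

```python
import io
import zipfile

# Office Open XML files (.docx, .docm, .xlsx, .xlsm, ...) are zip containers.
# A VBA project is stored as a binary part, normally word/vbaProject.bin or
# xl/vbaProject.bin, so its presence is a reliable macro indicator whatever
# extension the sender chose.
MACRO_PART = "vbaProject.bin"
ZIP_MAGIC = b"PK\x03\x04"
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_ooxml(parts):
    """Constructed test fixture: a minimal OOXML-like zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means this
    check found nothing (it only covers OOXML containers, not PDFs, ISOs, etc.)."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["corrupt zip container"]
    findings = []
    if any(n.endswith(MACRO_PART) for n in names):
        findings.append("contains VBA macro project")
        # An extension that is not supposed to carry macros combined with a
        # macro part is an inconsistency worth flagging on its own.
        if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
            findings.append("macro project inside a macro-free extension")
    return findings


# Constructed samples (not real documents or malware).
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder",
})

if __name__ == "__main__":
    for name, blob in [("invoice.docm", MACRO_DOC), ("invoice.docx", MACRO_DOC),
                       ("report.docx", CLEAN_DOCX), ("notes.txt", b"plain text")]:
        print(name, inspect_attachment(name, blob))
```

This is a gateway-side check, not a substitute for blocking macros from the Internet on the endpoint; it also says nothing about legacy binary .doc/.xls files, password-protected zips or ISO/LNK lures, each of which needs its own parser.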

In addition to the risks and techniques described above, the diagram below shows all the routes threat actors use for Initial Access:

Initial Access Phase according to the actions that can be used by the actors

Preparation and Persistence

Command and Control: after gaining initial access, attackers seek to establish a Command and Control (C2) channel as part of their attack strategy. C2 is a critical component for actors, as it lets them keep control of compromised systems and manage their operations effectively. Below we list some of the reasons actors use C2 in their attacks:

  • Persistence: keep a foothold in the system even if the credential used for initial access is changed or other measures are implemented.
  • Data exfiltration: actors can use the C2 channel to pull data out of the compromised system, stealing confidential or sensitive information.
  • Privilege escalation and lateral movement: the C2 foothold serves as a platform to explore other systems on the network, moving laterally and seeking more privileged access.
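Most C2 implants keep their channel alive by checking in on a timer, and that regularity is one of the few things a defender can see when the traffic itself is encrypted. The following added example (written for this page, not code from the original article) scores each outbound flow in a constructed connection log by how evenly spaced its connections are: the log lines, the two destination addresses, the 20% coefficient-of-variation threshold and the function names are all this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (not real traffic), one line per
# connection: timestamp,src,dst,dst_port. Host 10.0.0.5 contacts 198.51.100.20
# about every 60 s with small jitter (beacon-like) and 203.0.113.80 irregularly
# (browsing-like).
SAMPLE_CONNECTIONS = """\
2023-11-02T12:00:00,10.0.0.5,198.51.100.20,443
2023-11-02T12:01:01,10.0.0.5,198.51.100.20,443
2023-11-02T12:01:59,10.0.0.5,198.51.100.20,443
2023-11-02T12:03:00,10.0.0.5,198.51.100.20,443
2023-11-02T12:04:02,10.0.0.5,198.51.100.20,443
2023-11-02T12:04:58,10.0.0.5,198.51.100.20,443
2023-11-02T12:06:00,10.0.0.5,198.51.100.20,443
2023-11-02T12:00:10,10.0.0.5,203.0.113.80,443
2023-11-02T12:00:12,10.0.0.5,203.0.113.80,443
2023-11-02T12:03:40,10.0.0.5,203.0.113.80,443
2023-11-02T12:05:30,10.0.0.5,203.0.113.80,443
2023-11-02T12:05:31,10.0.0.5,203.0.113.80,443
2023-11-02T12:05:45,10.0.0.5,203.0.113.80,443
2023-11-02T12:06:10,10.0.0.5,203.0.113.80,443
"""


def parse_connections(text):
    """Group connection timestamps by (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split(",")
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_connections=6):
    """Return (coefficient_of_variation, mean_gap_seconds) of the inter-arrival
    times, or None when there are too few connections to judge. A low
    coefficient of variation means a regular interval, which is what a
    sleep-then-check-in C2 beacon produces."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg, avg


def find_beacons(flows, max_cv=0.2, min_connections=6):
    """Return {flow: (connection_count, mean_gap_seconds)} for flows regular
    enough to look like beaconing."""
    hits = {}
    for key, times in flows.items():
        score = beacon_score(times, min_connections)
        if score is not None and score[0] <= max_cv:
            hits[key] = (len(times), round(score[1], 1))
    return hits


if __name__ == "__main__":
    for flow, (count, gap) in find_beacons(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"possible beacon: {flow} {count} connections, every ~{gap}s")
```

Real implants add jitter and sometimes long sleeps precisely to defeat this, so the threshold and window need tuning per environment, and software update checks or monitoring agents will show up as well; the value of the score is in narrowing the list of destinations an analyst has to look at, not in deciding on its own.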

Lateral movement: actors move laterally to escalate privileges, reach more strategic targets, hinder detection, exploit other internal resources, map the network and its possible targets, exfiltrate specific data, deepen persistence and gain full visibility of the environment for a coordinated attack. It is an essential step toward their ultimate goal: deploying the ransomware payload on as many of the organization's assets as possible.

Escalation of Privileges: actors escalate privileges in a system or network to access restricted resources, gain full control of the system, exploit further vulnerabilities, bypass security measures, deploy malware for persistence, move laterally and reach data protected by privileged access, among other things. Privilege escalation is of paramount importance to actors because, combined with lateral movement, it lets them cause far greater damage to the organization.

The following diagram shows the threat actor's Preparation and Persistence phase once they are inside the victim's environment:

Preparation and Persistence Phase used by the actors

Impact on target

Data exfiltration: actors transfer data from the victim's environment to an environment under their control, often the C2 server.

There are a number of motives for data exfiltration, such as theft of sensitive information, extortion (including ransomware), espionage and intelligence gathering, and privacy breaches, among others.

As this alert focuses on ransomware incidents, the relevant point is that the actors use the exfiltrated data as leverage to obtain ransom payments from the organization, threatening to leak it even when the encrypted files can be restored from backup.

Destruction of Backups: ransomware actors destroy backups to prevent organizations from recovering without paying the ransom, and to cause additional data loss and damage.

It is also noticeable that actors destroy backups to increase the ransom value, since the organization sometimes has only its backup as a way of recovering from a ransomware attack.
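On Windows hosts the backup destruction described above is usually done with a handful of built-in tools run just before encryption, which makes it one of the most reliable last-chance detections. The following is an added example for this page (not code from the original article or a vendor rule set): a small set of command-line patterns for Volume Shadow Copy deletion, Windows Backup catalog deletion and disabling of recovery options, run over constructed process-creation events. The event format, host names, rule names and the "two distinct rules on one host" threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Commands ransomware operators commonly run before encryption to remove Volume
# Shadow Copies and other recovery options. The regexes are this example's own.
BACKUP_TAMPERING_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "powershell_delete_shadowcopy": re.compile(r"Win32_ShadowCopy.*(Delete|Remove-WmiObject)", re.I),
}

# Constructed process-creation events (not real telemetry), tab-separated:
# timestamp, host, parent image, command line.
SAMPLE_EVENTS = """\
2023-11-02T14:00:00\tFS01\tcmd.exe\tvssadmin.exe delete shadows /all /quiet
2023-11-02T14:00:01\tFS01\tcmd.exe\twmic shadowcopy delete
2023-11-02T14:00:02\tFS01\tcmd.exe\tbcdedit /set {default} recoveryenabled No
2023-11-02T14:00:03\tFS01\tcmd.exe\twbadmin delete catalog -quiet
2023-11-02T14:05:00\tWS22\texplorer.exe\tnotepad.exe C:\\Users\\bob\\notes.txt
2023-11-02T14:06:00\tFS01\tpowershell.exe\tGet-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}
"""


def parse_events(text):
    """Return one dict per event line."""
    events = []
    for line in text.splitlines():
        ts, host, parent, cmd = line.split("\t", 3)
        events.append({"ts": ts, "host": host, "parent": parent, "cmd": cmd})
    return events


def match_rules(cmdline):
    """Names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in BACKUP_TAMPERING_RULES.items() if rx.search(cmdline)]


def detect_backup_tampering(events):
    """Return (timestamp, host, rule_name) for every matching event."""
    return [(e["ts"], e["host"], name) for e in events for name in match_rules(e["cmd"])]


def hosts_with_burst(hits, min_distinct_rules=2):
    """Several distinct tampering commands on one host is the strongest
    pre-encryption signal; a single vssadmin call can be an admin cleaning up."""
    per_host = defaultdict(set)
    for _, host, name in hits:
        per_host[host].add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    hits = detect_backup_tampering(parse_events(SAMPLE_EVENTS))
    for hit in hits:
        print("tampering:", hit)
    print("hosts to isolate:", hosts_with_burst(hits))
```

Because these commands run seconds before encryption starts, the useful response is automatic host isolation rather than a ticket; the same patterns are worth blocking outright on file servers, where there is rarely a legitimate reason for vssadmin to delete shadows.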

Data encryption: ransomware actors encrypt data as part of their modus operandi for a number of reasons: to pressure the victim, to maximize the value of the ransom, to increase the psychological impact and, above all, to force the victim to pay the ransom for the decryption key.
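Encryption leaves a measurable trace on the files themselves: properly encrypted content is statistically indistinguishable from random bytes, while a document's own format signature disappears. The following added example (written for this page, not code from the original article) uses that to sweep a constructed snapshot of a file share and flag files that look encrypted, then raises a mass-encryption alert when the flagged share is large. The sample files, the use of seeded PRNG bytes as stand-in ciphertext, the `.locked` suffix, the 7.5 bits/byte threshold and the function names are this example's own assumptions.

```python
import math
import os
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated byte value, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Formats whose intact files legitimately have high entropy; if the expected
# magic is still there the structure survived, so the file was not encrypted.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG",
}


def looks_encrypted(name, data, threshold=7.5):
    """Heuristic: near-random content where the file's own format signature is
    missing (or the format is plaintext), e.g. a .docx that no longer starts
    with PK, or a file renamed with an unknown extension."""
    ext = os.path.splitext(name)[1].lower()
    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None and data.startswith(magic):
        return False
    return shannon_entropy(data) >= threshold


def sweep(files):
    """Return the sorted names of files in {name: bytes} that look encrypted."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def mass_encryption_alert(files, min_ratio=0.5):
    """Encryption hits many files at once; alert when the flagged share is large."""
    return bool(files) and len(sweep(files)) / len(files) >= min_ratio


# Constructed file share snapshot (not real files). Seeded PRNG bytes stand in
# for ciphertext; a ".locked" suffix stands in for the renaming many families do.
_rng = random.Random(42)


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FILES = {
    "report.txt": b"Quarterly results: revenue up 4%, costs flat. " * 80,
    "contract.docx": b"PK\x03\x04" + _random_bytes(4000),   # intact zip container
    "budget.xlsx": _random_bytes(4096),                     # encrypted in place, name kept
    "contract.docx.locked": _random_bytes(4096),            # encrypted and renamed
    "report.txt.locked": _random_bytes(4096),
}

if __name__ == "__main__":
    print("flagged:", sweep(SAMPLE_FILES))
    print("mass encryption alert:", mass_encryption_alert(SAMPLE_FILES))
```

In practice this runs as a file-server canary or an endpoint write-hook, and the ratio is computed over a short time window rather than the whole share; a single high-entropy file is normal (archives, media, already-encrypted containers), hundreds changing within a minute is not.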

The following diagram shows the Target Impact phase (impact on the organization) that the threat actor can carry out, either against the data or against the backups:

Target Impact Phase according to the actions that can be used by the actors

Now that we have covered the attack cycle of ransomware operations, we turn to the main recommendations and security measures that can be implemented to undermine an attack in progress or prevent one. No single tool or control can stop a ransomware attack on its own, so an organization needs defense in depth across its critical controls in order to detect, prevent and respond to any ransomware incident.

In the image below, each diamond, by its color, marks a control that mitigates the risk at a given stage of the attack, covering all the stages together:

Recommendations and security measures to prevent ransomware attacks

It is therefore of the utmost importance that organizations apply such measures, since cybercrime is constantly evolving and highly lucrative for these criminals, who carry out the attack and then demand exorbitant sums of money in exchange for the decryption key.

References

  • Heimdall by ISH Technology
