Evolving Tactics, Techniques, and Procedures in the Ransomware Landscape

Ransomware attacks have increased manifold over the years and so have the ransom demands. This year-over-year evolution of ransomware threats is primarily attributed to emerging tactics, techniques, and procedures adopted by attackers.

Most common intrusion point

According to a report from Group-IB, Remote Desktop Protocol (RDP) was the common point of intrusion for ransomware in 2019. Vulnerable Windows RDP ports were abused in 70-80% of all ransomware attacks in 2019 to gain an initial foothold.

Big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, and NetWalker used open RDP port to sneak into a company’s networks and servers.

Other attack methods

  • The report also highlighted that exploit kits, external remote services, spear-phishing attachments, and valid accounts are other attack techniques used by ransomware operators to gain access to victims’ computers.
  • More advanced ransomware actors rely on supply-chain compromise, exploiting unpatched vulnerabilities in public-facing applications, and compromising managed service providers (MSPs) to obtain access to valuable targets.

Further tactics adopted by attackers

Once attackers gain an initial foothold on targeted computers, they deploy their tools and move to the next stages for establishing persistence, escalating privileges, evading detection, acquiring credentials, mapping the network, stealing files, and then encrypting them.

Evasion techniques evolve

  • Evading detection while continuing to spread the ransomware remains the primary focus of threat actors.
  • Some of the widely used detection evasion techniques include disabling security tools on a victim’s computer, disguising ransomware as legitimate software, and bypassing User Account Control (UAC).
  • However, there are a few ransomware families that have evolved their anti-analysis techniques to spread stealthy across computers. For example, Netwalker operators leverage a reflective DLL Loading technique to improve ransomware’s anti-analysis capabilities. RagnarLocker operators use an Oracle VirtualBox Windows XP virtual machine to hide the ransomware.

Extortion method evolves

Recently, several ransomware actors opted to leak files of victims who failed to fulfill their ransom demands. The trend was started by Maze in November 2019 and later was followed by 12 other ransomware gangs including those behind REvil, Nefilim, DoppelPaymer, CLOP, Pysa, and RagnarLocker.

Ako ransomware operators went beyond the ‘Name and Shame’ tactic to increase their profits by asking two ransoms: one for decrypting the files and another for not publishing the stolen files.

Final thoughts

Along with the evolution in intrusion and attack methods, there has also been a steep rise in the discovery of new ransomware. With threat actors scaling up their malicious operations with each passing year, it is feared that large companies will face several challenges in protecting their sensitive information and critical assets from ransomware attacks.