Understanding how ransomware attacks breach and maintain control over their targets

  • Modern ransomware strains use a combination of AES and RSA encryption to defeat any recovery attempt.
  • Attackers sign the ransomware with a fake or stolen Authenticode certificate to evade detection by existing anti-malware tools.

An individual or organisation that notices a system slowing down, followed by denied access to documents and files that were previously available, is likely under a ransomware attack. The other symptom of a ransomware attack is a complete hijack of a network or system, with a ransom message displayed that confirms the fear.

If you are curious by nature and witness such an event, you will find yourself asking, at least once: how did they do it?

How do they do it?

Ransomware attacks target firms of all sizes, depending on the attackers' motives: blackmail, extortion, reputation damage, revenge, and so on. The steps in a typical ransomware attack are infection, exchange of encryption keys, encryption, extortion, and unlocking, in that order.

Recent research by Sophos highlighted the common evasion techniques of prominent crypto-ransomware families, which we discuss below. These attacks are also typically timed for the middle of the night, when IT staff are unavailable, so that the malware can be deployed without interruption.

Malicious code signing

Actors sign their ransomware with an Authenticode certificate, which is either stolen from a certificate authority or a forged duplicate. This disguises the ransomware as a safe, legitimate program and helps it avoid detection by anti-malware software or the Windows operating system itself.

Privilege escalation and lateral movement

  • Attackers first exploit vulnerabilities on endpoints and abuse existing Windows tools, as well as open-source security and penetration-testing tools, to conduct reconnaissance.
  • Adversaries then attempt to elevate their privileges to reach high-value targets. For that, they use post-exploitation tools to harvest the credentials of a local or domain administrator.
  • It is then straightforward to map the Active Directory domain and locate valuable targets, including the file servers used for data backups, for which a victim is more likely to agree to pay a ransom.
  • Attackers also use malicious scripts to distribute the ransomware automatically to other endpoints and servers on the network, making the attack even more severe.

Network first

  • As the researchers note, the ransomware typically runs on one or more compromised endpoints and often also infects file servers. The objective is to encrypt as many documents as possible.
  • Therefore, attackers encrypt the network drives first, as these give access to the business documents stored on one or more central file servers.

File renaming and file encryption

  • Renaming a document or file is an important step in the attack: it prevents files from being encrypted twice and makes the attack visible to the victim.
  • Renaming can happen either before or after encryption, depending on the ransomware family.
  • Many modern ransomware families, such as Petya, WannaCry, and Locky, use a combination of AES and RSA encryption to secure the encrypted files against the victims' recovery attempts.
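The rename-and-encrypt behaviour described above, together with the preference for network shares, is exactly what a defender can watch for. The following is an added example, not code from the Sophos paper or from this article: a heuristic detector that flags a process which, within a short window, renames many files to one new extension and writes high-entropy (encrypted-looking) data, regardless of whether the rename happens before or after encryption. The event format (dicts with `ts`, `pid`, `op`, `path`, plus `new_path` for renames or `data` for writes), the `.locked` extension and all telemetry are constructed for the example; the thresholds are assumptions to tune against real data.

```python
import math
import os
from collections import Counter, defaultdict

RENAME_THRESHOLD = 5     # renames to one new extension per window
WINDOW_SECONDS = 60
ENTROPY_THRESHOLD = 7.5  # bits/byte; AES ciphertext is near 8.0, documents far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect(events):
    """Return one alert per (pid, new extension) that shows a rename burst."""
    renames = defaultdict(list)   # (pid, new_ext) -> timestamps, in order
    encrypted_writes = Counter()  # pid -> number of high-entropy writes
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "rename":
            new_ext = os.path.splitext(e["new_path"])[1]
            if new_ext and new_ext != os.path.splitext(e["path"])[1]:
                renames[(e["pid"], new_ext)].append(e["ts"])
        elif e["op"] == "write" and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD:
            encrypted_writes[e["pid"]] += 1
    alerts = []
    for (pid, ext), stamps in renames.items():
        for i, start in enumerate(stamps):  # sliding window over sorted times
            hits = sum(1 for t in stamps[i:] if t - start <= WINDOW_SECONDS)
            if hits >= RENAME_THRESHOLD:
                alerts.append({"pid": pid, "ext": ext, "renames": hits,
                               "encrypted_writes": encrypted_writes[pid]})
                break
    return alerts

# Constructed sample telemetry (not real logs): pid 4242 acts like ransomware, pid 77 like a user.
CIPHERTEXT = bytes(range(256)) * 16   # stand-in for AES output, entropy exactly 8.0
PLAINTEXT = b"Quarterly revenue figures, see attached sheet.\n" * 80

def sample_events():
    evs = []
    for i in range(6):  # six documents on a network share, encrypted within 30 seconds
        doc = f"//fs01/share/doc{i}.docx"
        evs.append({"ts": 100 + 5 * i, "pid": 4242, "op": "write", "path": doc, "data": CIPHERTEXT})
        evs.append({"ts": 101 + 5 * i, "pid": 4242, "op": "rename", "path": doc, "new_path": doc + ".locked"})
    evs.append({"ts": 110, "pid": 77, "op": "write", "path": "/home/a/notes.txt", "data": PLAINTEXT})
    evs.append({"ts": 111, "pid": 77, "op": "rename", "path": "/home/a/notes.txt", "new_path": "/home/a/notes.bak"})
    return evs

if __name__ == "__main__":
    print(detect(sample_events()))  # one alert for pid 4242, none for pid 77
```

Real deployments would feed this from file-system auditing (for example Sysmon or EDR file events) and would also weight paths on network shares more heavily, since the paper notes those are encrypted first.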

In their whitepaper, the Sophos researchers also describe further techniques attackers use to block every attempt at data recovery.