Privacy policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content.
You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Managing your cookies

Our website uses cookies. You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button.

Necessary cookies

These are essential for the user navigation and allow to give access to certain functionalities such as secured zones accesses. Without these cookies, it won’t be possible to provide the service.
Matomo on premise

Marketing cookies

These cookies are used to deliver advertisements more relevant for you, limit the number of times you see an advertisement; help measure the effectiveness of the advertising campaign; and understand people’s behavior after they view an advertisement.
Adobe Privacy policy | Marketo Privacy Policy | MRP Privacy Policy | AccountInsight Privacy Policy | Triblio Privacy Policy

Social media cookies

These cookies are used to measure the effectiveness of social media campaigns.
LinkedIn Policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Skip to main content

Ransomware infections: Lessons from the trenches

Ransomware landscape of 2022

Ransomware attacks have been on the rise in recent years, and 2022 was no exception. According to the latest DataProt ransomware statistics, the predicted frequency of ransomware attacks is one every 11 seconds. Ransomware gangs did not spare (and won’t spare) any industry as era of ransomware as-a-service (RaaS) opened the door to lucrative and dynamic opportunities for them.

Year of LockBit

Source

LockBit, discovered in 2019, returned in 2022 and became the most active and dangerous ransomware. It is not slowing down and aims to be on podium in 2023, impacting organizations across industries around the globe with the exception of Russia and former CIS countries because of their affiliate program rules – automated vetting process by fear of prosecution in these areas of the world.

Source

Source

2022 was also the year when LockBit, the criminal organization behind the ransomware of the same name, introduced its first ransomware bug bounty program, rewarding not only vulnerabilities but also “brilliant ideas” or doxing (revealing personal information) of affiliate program managers.

In addition, 2022 brought us ransomware lessons learned regarding the “hack back” strategy. A distributed denial-of-service (DDoS) attack took down the LockBit ransomware operation’s leak website, which appeared to have been launched in response to cybercriminals publishing data stolen from Entrust (a LockBit victim). The counterattack only slowed LockBit’s ability to leak the stolen data slightly, and failed to prevent the imminent disclosure.

After the attack, LockBit enhanced its DDoS resiliency and incorporated DDoS as part of the extortion step in its modus operandi. Though the DDoSers behind the counterattack remain unknown, the “hack back” strategy was a failed attempt to stop the data leak and drew immediate press attention to the attack.

Extortion at a new level

Ransomware infections are always designed with two main objectives:

  1. To disrupt the victim’s operations. A malware deployment can be a smokescreen to cover up the real intention of the attack.
  2. To get a ransom, which is always associated with extortion.

Decryptors aim for swift restoration and data exfiltration, followed by threat of publishing sensitive/secret data, DDoS attacks (LockBit, AlphV/BlackCat) or even creating personalized extortion services by notifying employers and customers about the leak (Cl0p, AlphV/BlackCat). Ransomware gangs have strengthened their approach by “hardcoding” extortion into their operations.

Source

Good old TTPs

One of the most important lessons learned from ransomware is that it is not just a single piece of malware that encrypts and exfiltrates data. It is a full-blown multi-stage attack that employs multiple tactics, techniques and procedures (TTP) which rely on known vulnerabilities and tools.

This combined TTP approach is a very effective method to compromise many companies. Hence, when creating our “ransomware prevention checklist” below, we included common TTPs.

Reconnaissance and initial access

  1. Social engineering: phishing and insider access, through Remote Server Administration Tools (RSAT) like AnyDesk, TeamViewer, MobaXterm, mottynew.exe, ScreenConnect and WinSCP.

    Source
  2. Drive-by-download (Qakbot, SocGholish)
  3. Vulnerabilities (Exchange ProxyShell/ProxyLogon, VPN Auth Bypass/RCEs)
  4. Too much exposure (RDP, SMB exposed to the Internet, VPN with no MFA)

    Hosts with RDP port exposed to the Internet
  5. Compromised accounts
    1. Public repositories like GitHub
    2. Dark Web full of info stealers offers – like RedLine, Vidar
    3. Public Credential leaks
    4. Cooperation with other Threat Groups
    5. Previous Incidents

Execution and persistence

  1. Execution on its own or through scheduled task
  2. Powershell Empire
  3. VPN access
  4. Create additional VMs

Credential access

    1. Credentials from affiliates
    2. Mimikatz
    3. Kerberoasting
    4. lsass dump via ProcessHacker


AlphaV requesting TGS with weak encryption RC4-HMAC for further Kerberoasting

Defense evasion

  1. GMER, PC Hunter and Process Tracker
  2. Group policy to disable MDE

Discover

  1. Advance Port Scanner
  2. Network Scanner
  3. ADFinder
  4. ADExplorer
  5. SoftPerfect Network

CrowdStrike graph showing suspicious process activities on patient 0 of AlphV/BlackCat ransomware (from initial access to discover)

Lateral movement

  1. Self-propagation through SMB with compromised credentials
  2. CobaltStrike
  3. Psexec
  4. Propagation through Group Policy
  5. RDP connections
  6. Threat actors use lateral movement to amplify the scope of attack

Timeline of propagating ransomware through GPO which sets schedule task executing ransomware file


Propagating malware via PsExec.exe

Exfiltration

  1. Cloud storage tools like MEGA, FreeFileSync and RClone
  2. StealBit malware
  3. filetransfer[.]io
  4. Compromised M365 inboxes tampered with rules to exfiltrate mails
  5. WinRAR, 7zip
  6. WinSCP
  7. FileZilla

Impact

  1. Local and network encryption
  2. AES with key encrypted by RSA (generated with BCryptGenRandom)
  3. Removing administrators accounts
  4. Destruction of VMWare ESXi environment
  5. vssadmin usage to destroy VSS

How can you protect yourself from ransomware

Know about yourself better than attackers do

There is no place like home for an attacker who has found an environment full of shadow IT. Only a reliable configuration management database (CMDB) that is constantly updated will enable you to implement an effective ransomware defense and response strategy. One emerging technology — external attack surface management (EASM), which inventories your exposure — is a game changer in this fight.

The hygiene factor

Lessons learned from ransomware show that we continue to make the same mistakes when it comes to vulnerability remediation; therefore, you must ask yourself the following questions:

  • Do I have a vulnerability management program – including scanning and a well-defined remediation process – in place to remediate 0-days/critical CVEs in few days?
  • Do I have control over which of my services are exposed to the Internet?
  • Which of my ports are open to the Internet?
  • Which of my applications may be used in which environment within my organization?
  • Do I have multi-factor authentication (MFA) implemented everywhere, especially for administrators? (Adversaries always look for them)
  • Do I have control over my Active Directory domain, including secure configuration, identity protection and strict monitoring of changes to GPOs, sensitive accounts and UEBA?

These are just a few of the questions that we usually encounter during an incident response (IR). You can find more at https://www.cisa.gov/stopransomware/ransomware-guide

Don’t panic, it’s just ransomware

Incidents happen, so be prepared and create an effective IR plan. Here are some of the most common ransomware lessons we’ve learned from our IRs:

  • Appoint a crisis management taskforce for efficient coordination
  • Isolate (but don’t shut down) hosts and networks with ransomware infections
  • Preserve highly volatile artifacts like firewalls, domain controllers and VPNs
  • Don’t restore any system before securing evidence
  • Collect detailed cyber threat intelligence (CTI) about ransomware to enhance your IR plan
  • Get ready for a lot of work (Mean time of recovery is measured in weeks)

EDR is your best buddy

In our experience, all ransomware victims had no endpoint detection and response (EDR) solution or platform in place. IR without EDR takes 2-3 times longer to respond and recover than with it.

Attack starts outside your organization

Detecting your problems before adversaries do is a key step in ransomware prevention. Digital risk protection services (DRPS) will help you identify credential leakage, stolen information being sold and publicly available credentials as early as possible.

Takeaways

One of the key lessons we learned from ransomware in 2022 is that we don’t apply the lessons learned from ransomware attacks fast enough. Bad actors have been exploiting old vulnerabilities (made famous from 2018 to 2021), launching familiar phishing campaigns and still achieving success. We must start immediately with the basic hygiene by running vulnerability checks, closing unnecessary ports and installing EDRs, followed by implementing EASM, leakage monitoring, IR playbooks, red teaming and threat hunting. Our ultimate goal should be to build resilience not only against ransomware, but also against any known or unknown threats that are yet to come.

Share this article

About the author

Aleksander Pawlicki

Global CERT Incident Response Lead, Senior Atos Expert, Security Enthusiast

In charge for technical leadership of Atos Global CERT, which provides services of Digital Security and Incident Response (DFIR), Threat Intelligence (TI) and Threat Hunting (TH) to Atos and its customers.

Responsible for leading incident response for large investigations or crisis.

Security enthusiast, who strongly believes in purple team philosophy.

Follow or contact Aleksander

All articles


The view from the attacker’s side – How ransom gangs operate and why they are so successful


The changing face of ransomware


The impact of ransomware attacks on business


The role of cybersecurity hygiene in a ransomware incident


Countering ransomware: how to build the right cyber governance strategy


How to protect your cloud from ransomware


Zero Trust: the key to stopping ransomware in its tracks


A comprehensive approach to ransomware defense


Cyber resilience against ransomware: fiction or reality?


How government and law enforcement can help prevent ransomware attacks


Ransomware infections: lessons learnt from the trenches


Batting ransomware: front-line insights from a CTO and a CISO