Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.
Main modes of distribution for the major ransomware families
Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum impact (for example, WannaCry); as ransomware-as-a-service (RaaS), sold on the dark web as a distribution kit (for example, Sodinokibi); or by means of an automated active adversary attack, where attackers manually deploy the ransomware following an automated scan of networks for systems with weak protection.
Cryptographic code signing ransomware
Cryptographic code signing ransomware with a bought or stolen legitimate digital certificate in an attempt to convince some security software the code is trustworthy and doesn’t need analysis.
Privilege escalation using readily available exploits, like EternalBlue, to elevate access privileges. This allows the attacker to install programs such as remote access tools (RATs), and to view, change or delete data, create new accounts with full user rights, and disable security software.
Lateral movement and hunting across the network
Within an hour, attackers can create a script to copy and execute the ransomware on networked endpoints and servers.
In order to speed up the attack, the ransomware might prioritize data on remote/shared drives, target smaller document sizes first, and run multiple encryption processes at the same time.
The threat of remote attacks
The file servers themselves are often not infected with the ransomware. Instead, the threat typically runs on one or more compromised endpoints, abusing a privileged user account to remotely attack documents, sometimes via the Remote Desktop Protocol (RDP) or targeting remote monitoring and management (RMM) solutions typically used by managed service providers (MSP) to manage customers’ IT infrastructure and/or end-user systems.
File encryption and renaming
There are a number of different methods for file encryption, including simply overwriting the document, but most are accompanied by either the deletion of the backup or original copy to hinder the recovery process.
Ransomware attack techniques continue to evolve
“The creators of ransomware have a pretty good grasp of how security software works and adapt their attacks accordingly. Everything is designed to avoid detection while the malware encrypts as many documents as possible as quickly as possible and makes it hard, if not impossible, to recover the data.
“In some cases, the main body of the attack takes place at night when the IT team is at home asleep. By the time the victim spots what’s going on, it is too late.
“It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” said Mark Loman, director of engineering for threat mitigation technology at Sophos, and the author of the report.