Researchers from tech security company SentinelOne examined a server that was used by criminals in October last year to turn a small security breach in a corporate network into a damaging Ryuk ransomware attack. This sort of data can be vital in helping understand the tactics and techniques used by attackers.
The network was initially infected with the TrickBot malware. Once inside, the hackers started to hunt around to find out what they had gained access to – and how to make money out of it.
"Over the course of some time they dig around in the network and they attempt to map it out and understand what it looks like. They have an endgame, and their endgame is to monetise the data, the network, for their illicit gain," SentinelOne researcher Joshua Platt told ZDNet. "They already understand there is the potential for making money and are looking to expand that leverage."
Once the hackers decided to exploit the network breach, they used tools like PowerTrick and Cobalt Strike to secure their hold on the network and explored further, searching for open ports and other devices to which they could gain access. Then they moved on to the ransomware phase of the attack.
From the initial TrickBot infection, through profiling the network, to finally initiating the Ryuk malware attack took around two weeks, said SentinelOne. "Going by the timestamps, we can guess the time period of two weeks for dwell time," the company's blog post said.
Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally, according to the UK's National Cyber Security Centre advisory from last year.
It's targeted ransomware: the ransom is set according to the victim's perceived ability to pay, and it can take days or even months from the initial infection to the ransomware being activated, because the hackers need time to identify the most critical network systems. But the NCSC said this delay also gives defenders a window of opportunity to stop the ransomware attack from being triggered, if they can detect that first infection.
According to the FBI, Ryuk is an extremely lucrative project for its criminal developers, generating roughly $61m in ransom between February 2018 and October 2019.
Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.
Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave in to the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.
Locky remained successful because those behind it regularly update the code to avoid detection. They even update it with new functionality, including the ability to make ransom demands in 30 languages, so criminals can more easily target victims around the world. Locky became so successful that it rose to become one of the most prevalent forms of malware in its own right.
While not as prolific as it once was, Locky remains one of the most dangerous forms of ransomware, regularly going quiet before reemerging with new attack techniques.
Cryptowall is another form of ransomware which has found great success for a prolonged period of time. Starting life as a doppelganger of Cryptolocker, it has gone on to become one of the most successful types of ransomware.
Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.
The success of Ryuk in forcing companies to pay ransoms means that the crooks have a bulging war chest with which to hone their attacks. "It's obviously going to increase; they have more money and more ability now to hire even more talent," said Platt.
Ransomware also continues to evolve, Platt said: "When you look at the beginning of ransomware, they would ransom personal computers for $300, and now we are into the millions of dollars".
The next step, he said, would be more sophisticated extortion attempts: "These guys are digging around in the networks; they are looking for the biggest possible thing they can extort companies with."