There have been discussions about whether or not ransomware activity is on the decline, including by our own experts here at Consortium Networks, spurred by geopolitical activity and law enforcement actions, the fact is that Q1 of 2023 has seen a 27% increase in ransomware data leaks over Q1 2022 (672 vs 855). This issue is not only growing in terms of frequency, but speed as well. In the past, we saw operators spend months studying a system and the organization whereas recently there have been instances of organizations’ data being encrypted within a matter of days from initial infiltration. According to the numbers, Ransomware is still a huge problem.
Ransomware actors regularly innovate their TTPs but at a high-level ransomware attacks typically follow a core set of patterns: initial access, lateral movement, execution, exfiltration, encryption, user notification, and extortion. In some cases DDoS has also been applied against victims and in others, threat actors moved directly to extortion bypassing the encryption step.
Some of the more effective means of combating ransomware have been backing up data in a secure environment that cannot be encrypted by the threat actors, and using legitimate services that have developed ways of decrypting many of the strains of ransomware.
However, neither of these methods deal with the significant potential damages resulting from sensitive data being leaked on publicly open ransomware extortion sites. The leaks can cause loss of intellectual property, competitive advantage, insider information, personally identifiable information (PII), personal health information (PHI), lead to various lawsuits, etc.
Thus, while it is very important to have a plan for dealing with a ransomware event, it is still preferable to try to prevent the event in the first place. In order to do so, it is vital to understand how the threat actors may gain access to victim systems and networks.
It is worth noting that currently, ransomware operations are typically conducted concurrently by two groups of threat actors under the Ransomware-as-a-Service model, which is the predominant model at the time of the publication of this overview in 2023. One is the named ransomware operator group such as LockBit, Royal, BlackBasta, or REvil, to name a few. This is typically a group of individuals who create, update, and maintain the ransomware code. They also frequently conduct the negotiations, and maintain the ransomware leak sites where data is openly published in the event a victim does not pay, or does not pay quickly enough. The second group are the affiliates, who conduct the reconnaissance, finding victims and gaining information about them, infect the victims, infiltrate the victims to gain further information, exfiltrate data, encrypt victims’ systems, and collect the funds in the event the victim pays. These unnamed groups will pay a share of the ransom (usually between 20%-30% to the named ransomware operators, from whom they rent the malware and other services).
At the initial access stage, ransomware actors target different potential entry vectors to obtain a footing in a victim organization. To do so, they use a range of tactics, including phishing, drive-by compromise, exploiting public-facing applications, abusing valid accounts purchased from other threat actors, breaching a node in the victim’s supply chain and moving laterally, or exploiting vulnerabilities in their IT system. In particular, a tactic that was trending up in Q3 2022 was purchasing access to a target company from Initial Access Brokers.
The following is a list of the systems and services that have been the predominant targets of ransomware threat actors, exploiting known vulnerabilities in:
- * VMWare’s hypervisor ESXi: Linux-based VMWare ESXi hypervisor
- * vSphere
- * Linux OS
- * Windows OS
- * Google Chrome
- * QNAP and Synology Network-attached storage (NAS) devices
- * Microsoft Internet Information Services (IIS) servers
- * VPN servers
- * FortiGate firewall
- * Zyxel Firewall
- * Microsoft Exchange Servers
- * Mitel MiVoice VOIP appliances
- * Microsoft SharePoint: Foundation, Server, and Enterprise Server
- * Microsoft Endpoint Configuration Manager
- Pulse Secure VPN: Pulse Connect Secure, The EdgeMax EdgeSwitch firmware
- * Citrix: Citrix ADC, Gateway, Workspace App, ShareFile
- * Microsoft Exchange Server
- * Fortinet: FortiOS
- * SonicWall: SonicWall SSLVPN SMA100, SonicOS Gen 6 and 7
- * F5: BIG-IP
- * QNAP: QNAP NAS running HBS 3 (Hybrid Backup Sync.), QNAP Systems Inc. Malware Remover
- * Sophos: Sophos XG Firewall devices, Sophos Firewall Operating System (SFOS)
- * Microsoft SharePoint
- * Apache Log4j
- * Microsoft Windows
- * Microsoft Office: Microsoft Office 2007 Service Pack 3 (SP3), Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016
- * Microsoft Windows Vista SP2
- * Windows Server 2008 SP2
- * Windows 7 SP1
- * Windows 8.1
- * vCenter: Oracle Knowledge Management product of Oracle E-Business Suite (component: Setup, Admin)
- * Accellion: Accellion FTA 9_12_370
- * FileZen
- * Atlassian: Confluence Server and Data Center
- * Zoho Corp: ManageEngine ADSelfService Plus
- * Microsoft Azure: Open Management Infrastructure
- * Microsoft Windows 10
- * Microsoft Server 2016 and 2019
Phishing for information enables the attacker to collect information and/or a list of employees susceptible to social engineering. In conjunction with a phishing campaign targeting a whole company, the threat actors will then follow up with a more targeted spearphishing campaign against those victims who reacted to the initial phishing.
To refine the spearphishing emails* and lures focused on these second stage victims, the attacker conducts research on social media profiles belonging to the employees who were successfully duped by the first wave of phishing emails (commonly Facebook, LinkedIn, and, more recently, Instagram). The threat actors typically look for any specific topics that they can exploit in order to gain further access to the victims including identifying company structures and organizational charts, and subjects like employees’ interests, hobbies, political views, and vacation destinations. This information is often publicly available on their social media and professional networking profiles.
In some cases, the attackers also use information from previous ransomware data leaks to create work related lures, such as spoofing a message related to an existing legitimate communication thread.
Once spearphished messages are refined for the specific target, lures are sent out as part of the spearphishing campaign and will typically contain malicious attachments or links to malicious content or sites. The attachments contain malicious zip files that are password protected to bypass antivirus detection controls and can contain .doc, .pdf, .xls files infected with malware. Ransomware actors often manipulate file extensions and icons making the attached executables appear to be benign files. When the user opens the attachment, a Remote Access Trojan (RAT) infects the user’s machine. Some of the RATs used by ransomware actors analyzed in the first six months of 2022 months include Borat RAT in 04/2022 and ROMCOM RAT in 08/2022.
Ransomware operators who have already gained access to a victim organization and have exfiltrated the data from that organization can also use the data they’ve obtained to create convincing lures to the victim’s supply chain or customers, spoofing the existing communications between the suppliers, affiliates, or customers, and the victim.
*It is worth pointing out that phishing isn’t limited to email communications and can occur via instant messaging services like Whatsapp and Telegram, text messaging, and even via telephone. But the goal is generally the same; to get a victim to disclose login information and/or to download malware.
Drive-by-infections/watering holes typically occur when an individual unknowingly visits a site that is hosting malware. In this case, the malware is usually downloaded without the visitor clicking on anything on the site, simply visiting it starts the download process. Thus, the victim usually doesn’t realize that they’ve become infected unless warned by the anti-virus software.
Initial Access Brokers
Initial access brokers (IABs) are a subset of criminal threat actors who specialize in gaining access to victim organizations. These groups are what we typically think of when we say “hackers.” They typically will not steal or alter anything in the compromised organization with the exception of dropping malware to maintain persistence, and grabbing some limited information or screenshots to prove their access to a client, for fear of being discovered on the victim’s network. IABs will use all of the same techniques described here to gain access, but in addition, they frequently use things like compromised credentials and brute forcing. The most common forms of access that IABs sell are:
- Remote Desktop Protocol (RDP)
- Active Directory (AD)
- Server Root Credentials
- Web Shell Access
- Remote Monitoring & Management (RMM)
- Control Panels
While IABs will usually not name the exact organization they have compromised in their advertisements on dark web platforms, fearing researchers will alert the organization, they will typically describe the victim organization including things like size, geographic location, revenue, and industry vertical.
Ransomware continues to be a major threat to all organizations public and private, as well as individuals. Despite some drop off in ransomware activity during parts of 2022, there is no conclusive evidence that ransomware operators are scaling back their activities. On the other hand, there is evidence that the activity may actually be increasing, including an increase in the number of victim’s whose information has been leaked and, by some measures, an increase in financial losses.
While there have been some successful methods in preventing parts of the damage related to ransomware, including description and better back-up technology, these do not deal with a major part of ransomware operations: the leaking of sensitive data by threat actors if they don’t get paid. Thus, organizations still need to be laser focused on doing whatever they can to prevent the ransomware operators from gaining initial access and dropping their payload. This includes:
- Monitoring for vulnerabilities that ransomware operators are known to exploit,
- Monitoring for leaked credentials and account takeover attempts,
- Monitoring for Initial Access Brokers who are offering access to organizations similar to their own,
- Having tools in place to block as many phishing attempts as possible,
- Providing thorough and regular training on all types of phishing,
- Preventing employees from visiting sites that may be hosting malware,
- Monitoring the ransomware leak sites so that in the event an organization they have links with is leaked, they can change their security posture with that organization.