Windows Ransomware Detection and Protection - Marius Sandbu - E-Book

Description

If you’re looking for an effective way to secure your environment against ransomware attacks, this is the book for you. From teaching you how to monitor security threats to establishing countermeasures to protect against ransomware attacks, Windows Ransomware Detection and Protection has it all covered.
The book begins by helping you understand how ransomware attacks work, identifying different attack vectors, and showing you how to build a secure network foundation and Windows environment. You’ll then explore ransomware countermeasures in different segments, such as Identity and Access Management, networking, Endpoint Manager, cloud, and infrastructure, and learn how to protect against attacks. As you move forward, you’ll get to grips with the forensics involved in making important considerations when your system is attacked or compromised with ransomware, the steps you should follow, and how you can monitor the threat landscape for future threats by exploring different online data sources and building processes.
By the end of this ransomware book, you’ll have learned how configuration settings and scripts can be used to protect Windows from ransomware attacks with 50 tips on security settings to secure your Windows workload.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 422

Year of publication: 2023




Windows Ransomware Detection and Protection

Securing Windows endpoints, the cloud, and infrastructure using Microsoft Intune, Sentinel, and Defender

Marius Sandbu

BIRMINGHAM—MUMBAI

Windows Ransomware Detection and Protection

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Mohd Riyan Khan

Publishing Product Manager: Prachi Sawant

Senior Editor: Arun Nadar

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Aryaa Joshi

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Prashant Ghare

Marketing Coordinator: Marylou De Mello

First published: March 2023

Production reference: 1230223

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-634-5

www.packtpub.com

I would like to thank my wife Silje, who has always supported me through the writing of this book; without her love and support, I would never have been able to write this book.

Contributors

About the author

Marius Sandbu is a cloud evangelist and architect working at Sopra Steria in Norway with over 17 years of experience in the IT industry. Marius has a wide range of technical experience across different technologies, such as identity, networking, virtualization, endpoint management, and infrastructure, with a special focus on the public cloud. He is an avid blogger, co-hosts the CloudFirst podcast, and is also an international speaker at events such as Microsoft Ignite and Citrix Synergy. He previously worked at Tietoevry, where he was the technical lead for the public cloud unit, and also worked at the University of Oslo as a system administrator.

About the reviewers

Matt Davidsson is a senior systems engineer with over 20 years of experience within the IT industry, with a focus on security. For the last few years, he has been working as a CISO and combining it with hands-on work within the Microsoft 365 Security ecosystem. Previously, he was a Microsoft Certified Trainer and held training courses around the world for Microsoft 365, Azure, and other security products.

Nitish Anand is a seasoned cybersecurity professional with 8 years of experience in the field. Holding the Certified Information Systems Security Professional (CISSP) certification, he has a deep understanding of security principles and practices, and is well versed in identifying and mitigating potential threats. He currently works as a security analyst at Microsoft. He is dedicated to staying up to date on the latest cybersecurity trends and best practices to ensure the protection of sensitive information and systems. He has a deep understanding of industry standards and regulations and is able to effectively communicate and educate others on the best practices for securing networks and systems.

Table of Contents

Preface

Part 1: Ransomware Basics

1

Ransomware Attack Vectors and the Threat Landscape

Evolution of ransomware

Attack vectors

Exploiting known vulnerabilities

Access through credential stuffing

Access through brute-force attacks

Access through a compromised workstation or end user machine

How does ransomware work?

Diavol ransomware

Conti ransomware

Sodinokibi/REvil ransomware

LockBit ransomware

The latest additions

Looking at the big picture

Identity-based attacks

How are vulnerabilities utilized for attacks?

Monitoring vulnerabilities

Summary

2

Building a Secure Foundation

Zero-trust design principles

Identity pillar – zero-trust maturity

Device pillar – zero-trust maturity

Network pillar – zero-trust maturity

Application pillar – zero-trust maturity

Data pillar – zero-trust maturity

Network access

Vulnerability and patch management

Vulnerability management example for PrintNightmare

Identity and access control

User life cycle management

Ensuring strong passwords and authentication methods

Role-based access control and using least privilege

Security logging and monitoring

A secure foundation within Microsoft Azure

Summary

Part 2: Protect and Detect

3

Security Monitoring Using Microsoft Sentinel and Defender

Technical requirements

Understanding Microsoft Sentinel and Microsoft Defender

Designing and implementing Microsoft Sentinel

Collecting logs and data sources

Performing Kusto and log queries

Seeing the full picture

Creating analytics rules and handling incidents

Analytics rules

Ransomware detection – looking for initial compromise

Detecting vulnerabilities with Defender

Summary

4

Ransomware Countermeasures – Windows Endpoints, Identity, and SaaS

Technical requirements

Securing endpoints

ASR rules

Microsoft Defender and antimalware

Update Management

Securing Microsoft Office apps

Securing the web browser

Other miscellaneous endpoint countermeasures

DNS filtering

PowerShell

SMB protocol

LOLBAS

Default applications

Securing user identity

Securing Active Directory

Securing email services

Protecting the domains

Protecting the content and URLs

Other countermeasures

Summary

5

Ransomware Countermeasures – Microsoft Azure Workloads

Technical requirements

Network segmentation and design

Identity and access management in Microsoft Azure

Hub-and-spoke virtual networks

The anatomy of a VM in Azure

Microsoft Defender for Servers

Azure Policy

Azure Backup

Overall recommendations for Azure-based workloads

Summary

6

Ransomware Countermeasures – Networking and Zero-Trust Access

Attackers and lateral movement

Providing users with secure access to services

Microsoft

Citrix

Cloudflare

SASE

File access

Remote management services

DDoS protection

Summary

7

Protecting Information Using Azure Information Protection and Data Protection

Technical requirements

Data exfiltration

Data classification

Azure Information Protection

DLP features and the future of AIP

Encryption on SQL Server

Best practices for backups and data protection

Summary

Part 3: Assume Breach

8

Ransomware Forensics

You got ransomware, now what?

Phase one – validating an alert

Phase two – discovering the impact

Phase three – understanding the attack vector and what to look for

A manual approach

An automatic approach

Closing the door

Summary

9

Monitoring the Threat Landscape

How to monitor the threat landscape

Threat management

What does the future hold?

Summary

10

Best Practices for Protecting Windows from Ransomware Attacks

Best practices and security settings in Windows

Remote desktop management

Administrative shares

LAPS and restrict usage of local accounts

Windows Firewall best practices

Tamper Protection

Automatic patching of infrastructure

File Server Resource Manager and file groups

Other top tips to protect against ransomware

Summary

Index

Other Books You May Enjoy

Part 1: Ransomware Basics

This part covers an overview of ransomware, how it works, and the different attack vectors and tactics that are often used as part of an attack.

It also explores different ransomware groups and highlights the most common attack vectors that have been used in real-life scenarios.

This part has the following chapters:

Chapter 1, Ransomware Attack Vectors and the Threat Landscape
Chapter 2, Building a Secure Foundation

1

Ransomware Attack Vectors and the Threat Landscape

In this chapter, we will start by providing an introduction to what ransomware is, how attacks are carried out, an overview of some of the main attack vectors used by attackers, and how ransomware groups are operated. Then, we will go into a bit more depth on some of the most well-known ransomware groups such as Conti, LockBit, and Sodinokibi, and how they have historically performed attacks.

Ransomware has many complex forms. In the last 5 years, we have seen ransomware grow even more complex. This calls for a new level of responder to address these threat actors. Therefore, in this chapter, we will get a better understanding of the different attack tactics and how attacks are carried out. This will then be built upon in the upcoming chapters when we go through the different countermeasures to protect from these types of attacks.

In this chapter, we’re going to cover the following main topics:

Ransomware and attack vectors
Attack and extortion tactics
Overview of some ransomware operators
How identity-based attacks are carried out
How vulnerabilities are exploited to launch attacks
How to monitor for vulnerabilities

Understanding these topics can help us respond better and be better prepared. These are all vital pieces of knowledge and skills to have in our tool belt.

Evolution of ransomware

Ransomware is a type of malware that has historically been designed to encrypt data and make systems that rely on it unusable. Malicious actors then demand ransom in exchange for decrypting the data.

In 2021, we saw a huge rise in the number of ransomware attacks, where many companies were faced with their IT infrastructure and data becoming encrypted and many got their data stolen by different ransomware groups. In Norway, where I am based, we have also seen many large organizations be attacked by ransomware in the last year, which has also ended up affecting the Norwegian population. Here are some of the organizations that got hit by a ransomware attack in 2021 in Norway:

Nordic Choice Hotels: This is one of the largest hotel chains in Scandinavia. When they got attacked, they needed to switch to manually checking people into their rooms.
Amedia: This is the second-largest news publisher in Norway and publishes more than 90 newspapers. When they got attacked, it halted all newspaper production for over a week.
Nortura: This is one of the largest food producers in Norway, so when they got hit by ransomware, it meant that farmers were not able to deliver animals to get processed.

In addition, there have been many high-profile attacks in other countries, such as the attack on Colonial Pipeline in the US and on MSP software provider Kaseya, which ended up impacting close to 1,500 customers worldwide.

After the attack on Colonial Pipeline, the US government implemented a new reporting regulation, which meant that an organization within the US that has fallen victim to a ransomware attack must report the incident to the FBI, CISA, or the US Secret Service.

In the last few years, ransomware attacks against healthcare have almost doubled, according to Sophos (https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/). Much of this does not appear to be deliberate targeting, since many ransomware groups claim to avoid healthcare organizations. In 2022, we saw several cases where ransomware groups handed over the decryption key for free to avoid disrupting systems that affect patient treatment, such as those in hospitals.

The attack on Kaseya, which was done through their Virtual System Administrator (VSA) product, ended up affecting the Swedish supermarket chain Coop, which needed to close 500 stores after the attack throughout the Nordics.

In a survey that Sophos did, where they spoke with 5,400 IT decision-makers in 2021, about 37% had been hit by ransomware in the last year, which is, fortunately, a significant reduction from the year before when that number was 51%.

There have, however, also been some significant changes in attacker behavior. The reduction in the number of attacks is most likely related to fewer automated, opportunistic attacks and more hands-on, targeted ones. ID Ransomware (https://id-ransomware.malwarehunterteam.com/), a service associated with the security software company Emsisoft, lets you identify which ransomware strain encrypted your files by uploading the ransom note or an encrypted sample file. Emsisoft reported that in 2021 there were close to 560,000 submissions to the service, 50,000 more than the year before, and estimated that only about 25% of victims submit to the service at all.

We have also seen an increase in personal engagement from threat actors. For instance, we have seen an increase in attacks close to holidays such as Christmas, since people are often more stressed and are more likely to fall victim to phishing attacks.

So many organizations worldwide have faced ransomware attacks, and looking at the statistics, the number of large organizations that have been impacted only seems to be rising. But has ransomware evolved over the last few years?

Ransomware attackers typically exploit the weakest points in your infrastructure and then encrypt your data and systems using some form of encryption. Once the encryption is done, they leave a ransom note and wait. Short of restoring from backup, the only way to get the original data back is to buy the decryption tool from the attackers, paid in cryptocurrency. There are also other extortion methods, which I will get back to a bit later.

Within the ransom note, you get instructions about how to contact them or access their support channels, which are typically hidden behind Tor addresses. When you access their support channel, some of the operators give some information about what happened and how much you need to pay to get access to the decryption tool:

Figure 1.1 – Ransomware operator chat support

A ransomware attack often involves multiple teams or people. Many ransomware groups are split into smaller groups and affiliates. The affiliates often work together to gain access to an environment, or the access might come from someone on the inside. They then sell or hand over that access to other teams who deploy the ransomware. The profit is usually divided between the affiliate and the group, while an initial access broker who sold the foothold typically receives a one-time payment.

Affiliates operate independently or as members of organized groups, and some of the most well-known ransomware groups run active recruitment programs to attract affiliates.

Ransomware operators are focused on getting access, encrypting data, and waiting for the organization to make contact. In most cases, they also have some insight into your organization, such as the number of employees, which influences the ransom demand.

Most ransomware operators host self-service portals with built-in chat support, reachable only over the Tor network, where you get details on how to pay for the decryption tool. The most well-known groups tend to prefer Monero, since many regard it as untraceable, although other cryptocurrencies are used as well. There is also recent evidence that threat actors trade services with one another, for example using money laundering services to make the proceeds harder to trace.

While most security professionals agree that you should never pay the ransom, many have paid the ransom in pure desperation to gain access to their files and get their services back up and running. Consider the alternative – your entire infrastructure, backup, and other services are gone, and rebuilding your services would take too much time and your company could even go bankrupt.

We have also seen that many organizations have been relying more on cyber insurance to cover costs related to ransomware. Ransomware was involved in 75% of all cyber insurance claims during the first half of 2021; this has also led to a significant increase in the cost of premiums.

Important note

It should be noted that in a survey that Sophos did in 2021, organizations that paid the ransom recovered on average only about 65% of their data (https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/).

In some cases, when you are negotiating the price with the attackers, some ransomware operators offer a free sample to prove that they hold the decryption tool and can decrypt the data. In most cases, this covers a single file or a single virtual machine. The operators usually also have a good map of the environment and know which machines matter, such as the one running the backup service, so you will most likely only be allowed to decrypt an unimportant virtual machine such as a test server.

When you pay the ransom, you will either pay to get the decryption key for every single machine or get a decryption key and tool that is used for the entire environment. Once you get access to the decryption tool, it can take many hours to decrypt a single machine. If you need to decrypt an entire environment, you can expect it to take a long time.

Over the last few years, there has been a lot of focus on getting good backup and data protection services in place, and those organizations that have good backup systems and routines in place can easily restore data and be up and running again.

However, it should be noted that in many ransomware cases, we have also seen that the backup data was encrypted by the attackers. Fortunately, we are seeing more and more backup vendors adding new features, such as immutable backups, so that ransomware is less likely to impact the data.

This, of course, means that attackers have a lower chance of getting paid, so they have also switched tactics: rather than only encrypting data, they exfiltrate it first and use the threat of publication as leverage.

This was, unfortunately, the case for the Finnish psychotherapy center Vastaamo, which was hit by ransomware in late 2020, where the attackers managed to encrypt their data and steal 40,000 patient journals. The attackers also used another extortion tactic, which was to contact the patients via email and ask them for a ransom directly, and if they didn’t get paid, they would publish their journals.

It should be noted that the electronic patient record that was compromised was running an outdated version of Ubuntu 16.04.1, Apache 2.4.18 (which came out in 2015), and PHP 5.6.40, which all contain many known vulnerabilities.

While most ransomware attacks aim at performing data encryption and data exfiltration, there is also another attack vector that is becoming more and more popular: Distributed Denial of Service (DDoS) attacks. DDoS-based extortion is aimed more at online retailers or cloud-based applications. Microsoft, in their yearly DDoS attack trends report, stated that they see close to 2,000 DDoS attacks daily and that in 2021, they stopped one of the largest DDoS attacks ever reported, mitigating an attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second against an Azure customer in Asia.

The attack only lasted 15 minutes but that is more throughput than most ISPs and local data centers can handle.

Important note

More vendors are seeing an increase in the amount of DDoS attacks, and buying a DDoS attack from a botnet that lasts 1 hour only costs about $50 on the dark web. You can find more information about DDoS attack statistics in the yearly Microsoft DDoS protection report at https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/ and also from Cloudflare Radar at https://radar.cloudflare.com/notebooks/ddos-2021-q4.

Cloudflare also stated in their DDoS trend report that in Q4 2021, they saw a 29% increase in DDoS attacks compared to the same quarter of the previous year. They also surveyed customers that were targeted by DDoS attacks, and one-fourth of the respondents reported having received a ransom letter from the attacker demanding payment.

While many DDoS attacks aim to overload the infrastructure with a large amount of traffic from multiple sources (mostly botnets), there has also been an increase in DDoS amplification attacks, where attackers abuse a weakness in a protocol: they send small requests with a forged source address to a third-party server, which then sends much larger responses to the spoofed address, that is, to the victim. We have seen such examples with the DTLS protocol.

In 2020, Citrix disclosed that earlier firmware versions of their ADC product had a weak DTLS implementation that could be used in DDoS amplification attacks. Attackers sent forged DTLS packets to the ADC, which responded with large packets to the spoofed source address, amplifying the attack against the victim and potentially exhausting the outbound bandwidth of the ADC itself. The general defense against this class of attack is the DTLS cookie exchange (HelloVerifyRequest), which makes the server confirm that the client really owns its source address before it sends anything substantial back.

Attack vectors

So far, we have taken a closer look at some of the attacks and tactics that different ransomware operators are using. Now, let’s take a closer look at some of the main attack vectors that most ransomware operators use to gain initial access.

An attack vector is best described as one of the paths that an attacker can use to try and gain access to an environment.

For ransomware attackers to be able to deploy the payload, they must go through several stages before they can launch the attack. The typical pattern is that the attackers first gain initial access using one of the attack vectors, for example a compromised end user machine or an exposed piece of infrastructure. Then, they move laterally through the network, using credentials that give them access to other systems or exploiting a vulnerability. They also establish persistence with tooling or scripts so that they keep their access if the initial foothold is lost. Once they have full control of the environment, including the systems holding backups, they use scripts or other methods to run the payload across the infrastructure:

Figure 1.2 – The typical attack pattern in a ransomware attack

So, how do they get their foot in the door of our infrastructure?

The following are some of the main methods.

Exploiting known vulnerabilities

This is where attackers utilize some form of vulnerability in an externally exposed service, typically one that gives them Remote Code Execution (RCE). In the last few years, we have seen many different vulnerabilities used to launch ransomware attacks. Some of the products whose vulnerabilities have been exploited in these attacks are as follows:

Citrix ADC
Microsoft Exchange
Fortinet
Pulse VPN
SonicWall

Important note

A good source for seeing some of the known traffic patterns that I’ve been using for years is Bad Packets on Twitter, which has a good feed that looks at current traffic that is trying to abuse vulnerable endpoints across different services. I recommend that you add that as a source to pay attention to: https://twitter.com/bad_packets. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has made a list of known exploited vulnerabilities that can be found here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

One of the biggest vulnerabilities disclosed in 2021 was ProxyShell, a chain of multiple vulnerabilities in Microsoft Exchange. Security researchers were quick to publish proof-of-concept exploits as simple Python/PowerShell scripts, as seen here: https://github.com/horizon3ai/proxyshell.

This chain of vulnerabilities could allow unauthenticated attackers to access mailboxes stored in Exchange and to drop web shells on the Exchange Client Access servers, giving them persistent remote code execution.

Vulnerabilities are not only used for initial access but also for lateral movement and privilege escalation. In the summer of 2021, a vulnerability was disclosed in the Windows Print Spooler service (known as PrintNightmare) that allowed an attacker to perform privileged file operations by installing a malicious printer driver through the spooler.

This meant that any authenticated domain user could run arbitrary code with SYSTEM privileges, both locally and remotely against any host with the Print Spooler service running. Attackers who had compromised an end user machine could use this to gain further access to the infrastructure, such as domain controllers running the Print Spooler service, which was the default at the time. The quick mitigation is to disable the Print Spooler service wherever printing is not needed, especially on domain controllers, and to restrict printer driver installation to administrators.
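The following PowerShell is an added example (it is not the book's own script) that audits the PrintNightmare exposure described above and disables the spooler where it is not needed. It assumes it runs elevated, that remote hosts are reachable over WinRM, and it reads the Point and Print registry values Microsoft documented with the August 2021 updates; the hostnames you pass in are your own.

```powershell
# Added example, not from the book: audit PrintNightmare exposure on one or more Windows hosts.
# Assumptions: runs elevated; remote hosts are reachable over WinRM; the registry values are the
# Point and Print settings Microsoft documented with the August 2021 PrintNightmare updates.

$Audit = {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = (Get-ItemProperty -Path $pp -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    $noWarn   = (Get-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDC    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $running = $svc -and $svc.Status -eq 'Running'
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        IsDomainController   = $isDC
        SpoolerStatus        = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartup       = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RestrictToAdmins     = $restrict   # 1 (or absent, the patched default) is good; 0 re-opens the hole
        NoWarningNoElevation = $noWarn     # 1 lets non-admins install drivers silently; should be 0 or absent
        # A DC with the spooler running is the classic PrintNightmare target even when fully patched,
        # because it still exposes the spooler RPC interface to every domain user.
        Exposed              = $running -and ($isDC -or $restrict -eq 0 -or $noWarn -eq 1)
    }
}

function Get-SpoolerExposure {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $Audit }
        else { Invoke-Command -ComputerName $c -ScriptBlock $Audit }
    }
}

function Disable-Spooler {
    # Stop and disable the service where printing is not needed (all DCs, most servers).
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $fix = {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        Get-Service  -Name Spooler | Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Status, StartType
    }
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $fix }
        else { Invoke-Command -ComputerName $c -ScriptBlock $fix }
    }
}

# Example run: audit, then disable the spooler on hosts flagged as exposed domain controllers.
$report = Get-SpoolerExposure
$report | Format-Table -AutoSize
$report | Where-Object { $_.Exposed -and $_.IsDomainController } |
    ForEach-Object { Disable-Spooler -ComputerName $_.Computer }
```

Pass a list of servers with -ComputerName to sweep a whole estate; the Exposed flag is deliberately conservative, so a patched member server that still needs to print will show as not exposed as long as driver installation is restricted to administrators.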

Access through credential stuffing

Credential stuffing is where attackers automate login attempts against online services using stolen username and password pairs from earlier breaches. Most end users are creatures of habit and reuse the same username and password across many third-party services or websites. When one of those services is breached, the user's information, or worse, their credentials, is compromised. Attackers dig through the leaked data from those breaches looking for reusable credentials that they can try against any external services an organization might have, such as VPN, webmail, or Microsoft 365.

One good way of seeing whether you have leaked credentials is by using the online service https://haveibeenpwned.com, where you can enter your email address and it will check through the different data sources to see whether your information has been leaked and what kind of data sources it was contained in.

haveibeenpwned.com also has a free domain notification service, which means that you can get notified if one of your users within a domain was in a data breach, which I also highly recommend that you sign up for.

Other services provide similar features to detect whether a username or password has been compromised, such as the following:

F-Secure ID PROTECTION
Google Password Manager
Microsoft Edge Password Monitor

In addition to this, many attackers are also carrying out phishing attacks with the aim of harvesting credentials, such as sending end users to a fake Office 365 site to collect usernames and passwords.

A newer attack method that is becoming more and more common is OAuth consent phishing against Azure Active Directory (AD). The attacker registers a malicious application and sends the user a link to it. No fake login page is needed: the user signs in on the legitimate Microsoft 365 login page and is then greeted with a Permissions requested dialog for the attacker's application:

Figure 1.3 – OAuth permission screen for a phishing attack

If the user clicks on Accept, the attacker's application is issued tokens for the user's Office 365 account, which might include access to emails and files, depending on the permissions granted. The attacker never needs the user's password, so resetting it is not enough on its own; the consent grant for the application has to be revoked as well.
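To find consents like the one above after the fact, the following added example (not from the book) lists delegated permission grants in the tenant with the Microsoft Graph PowerShell SDK and flags those that give mailbox or file access, especially to applications owned by a foreign tenant. It assumes the Microsoft.Graph module is installed and the caller can read directory data; the list of risky scopes is my own selection.

```powershell
# Added example, not from the book: audit OAuth2 delegated permission grants in Azure AD for consent phishing.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller can read directory data.
# $RiskyScopes is my own selection of scopes that expose mail/files; extend it as needed.

$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All',
                 'Contacts.Read', 'MailboxSettings.ReadWrite', 'User.Read.All', 'Directory.AccessAsUser.All',
                 'offline_access')
$MicrosoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # tenant that owns Microsoft first-party apps

function Get-RiskyConsentGrant {
    Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null
    $homeTenant = (Get-MgContext).TenantId
    $spCache = @{}
    $sp = { param($id) if (-not $spCache.ContainsKey($id)) { $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id }; $spCache[$id] }

    foreach ($g in Get-MgOauth2PermissionGrant -All) {
        $scopes = @($g.Scope -split ' ' | Where-Object { $_ })
        $hits   = @($scopes | Where-Object { $RiskyScopes -contains $_ })
        if ($hits.Count -eq 0) { continue }

        $client   = & $sp $g.ClientId        # the app that received the consent
        $resource = & $sp $g.ResourceId      # the API it was granted on, e.g. Microsoft Graph
        # An app owned by neither your tenant nor Microsoft is the typical consent-phishing registration.
        $foreign = $client.AppOwnerOrganizationId -and
                   $client.AppOwnerOrganizationId -ne $homeTenant -and
                   $client.AppOwnerOrganizationId -ne $MicrosoftTenant
        $who = if ($g.ConsentType -eq 'AllPrincipals') { 'ALL USERS (admin consent)' }
               else { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName }

        [pscustomobject]@{
            App           = $client.DisplayName
            AppId         = $client.AppId
            OwnerTenant   = $client.AppOwnerOrganizationId
            ForeignTenant = [bool]$foreign
            Resource      = $resource.DisplayName
            GrantedTo     = $who
            RiskyScopes   = ($hits -join ' ')
            GrantId       = $g.Id
        }
    }
}

# Review the output, then revoke anything you do not recognise:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
Get-RiskyConsentGrant | Sort-Object ForeignTenant -Descending | Format-Table -AutoSize
```

Revoking the grant removes the application's ability to obtain new tokens; combine it with revoking the user's sessions. The longer-term fix is to restrict user consent in the tenant's Enterprise applications settings so that such prompts require admin approval.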

Access through brute-force attacks

One of the most common attack vectors we see is brute-force attacks on misconfigured services, such as a Windows server that is publicly exposed with Remote Desktop Protocol (RDP) enabled. The same applies to any exposed service with weak security mechanisms, such as no MFA; RDP offers none by default, which makes it an easy target.

With one customer I was working with, the initial point of compromise was an exposed Windows Server in Azure that had a public IP address and RDP enabled. Since the machine was also domain-joined and had a weak local administrator account password, it did not take a lot of time for the attackers to guess the correct combination of usernames and passwords and gain access to the environment.

We have also seen that in cloud-based environments, attackers use predefined credential lists when brute-forcing known cloud IP ranges. Against Azure, they typically try usernames such as AZADMIN, AZUREADMIN, and AZURE with different password combinations. Such automated attacks typically start within minutes of a machine with a public IP coming online in Azure.
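The brute-force activity described above leaves a trail of failed logons (Security event 4625) on the target. The following added example (not from the book) summarizes those events per source IP so you can see guessing against a single account, password spraying across many accounts, and wordlist attacks against non-existent users. It assumes it runs elevated on the host (or reaches it over WinRM) and that logon failure auditing is enabled; the threshold is my own starting value.

```powershell
# Added example, not from the book: summarise failed logons (Security event 4625) by source IP to spot
# brute force or password spraying against an exposed host. Assumptions: run elevated on the host (or give
# -ComputerName over WinRM); "Audit Logon" failure auditing is on. The threshold is my own starting value.

function Get-LogonFailureSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$Threshold = 20
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # EventData fields are easiest to read from the event XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIp  = $d.IpAddress
            # 10 = RemoteInteractive (RDP). With NLA enabled, RDP failures are logged as type 3 (network),
            # because CredSSP authenticates before a session exists, so never filter on type 10 alone.
            LogonType = [int]$d.LogonType
            SubStatus = $d.SubStatus          # 0xC000006A bad password, 0xC0000064 account does not exist
        }
    }

    $rows | Group-Object SourceIp | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($g.Account | Sort-Object -Unique).Count                 # many users, few tries each = spraying
            UnknownUsers  = @($g | Where-Object SubStatus -eq '0xC0000064').Count     # guessed names = wordlist attack
            FirstSeen     = ($g.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($g.Time | Measure-Object -Maximum).Maximum
            Suspicious    = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-LogonFailureSummary -Hours 6 | Where-Object Suspicious | Format-Table -AutoSize
```

A single source with hundreds of failures against one or two accounts is classic brute force; a source with a modest count spread over many distinct users is spraying, and a lockout policy alone will not stop it. Either way, the fix is to remove the public RDP exposure rather than to tune the threshold.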

Access through a compromised workstation or end user machine

One of the most common entry points of ransomware attacks is through a compromised end user machine. This is usually triggered when the user opens an attachment that they received or by visiting a website and from there running some form of executable.

This mostly happens because an end user receives malicious attachments from a phishing email, or by drive-by downloads. The malicious content can be a Word document containing scripts or other malicious content or Excel documents with macros.

These phishing emails are usually delivered in short campaigns. Over a 60-day period, Akamai observed more than 2 billion unique domains associated with malicious activity. Of those, close to 90% had a lifespan of less than 24 hours, and 94% had a lifespan of less than 2 days, which makes them extremely difficult to block with static blocklists or DNS protection services. Palo Alto Networks likewise reports that the majority (close to 70%) of Newly Registered Domains (NRDs) are associated with malicious or suspicious traffic, with an average of 140,000 such domains created yearly.

The phishing emails and attachments use malicious scripts or macros, often combined with a vulnerability, to gain access to the machine. In most cases, this requires the end user to open the attachment and enable content or trigger the macros. However, in August 2021, Microsoft identified a small number of attacks that used an RCE vulnerability in MSHTML (CVE-2021-40444), the HTML engine built into Windows, delivered through specially crafted Office documents.

This specific vulnerability only required that the user viewed the file or document in Windows Explorer to trigger the payload to run.

Another example I saw during COVID, with people working from home, was employees connecting their work machines directly to their home router and thereby getting a public IP address on the machine from the ISP. This made them susceptible to brute-force attacks if, for instance, RDP was enabled on the client machine. Make sure that RDP and SMB are not enabled on clients unless specifically needed, and that host firewall rules block inbound connections to these services.
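The following added example (not from the book) checks a Windows client for exactly that situation: a non-private address on an interface, RDP or SMB listening, and an inbound allow rule on the Public profile, and then applies the hardening. It assumes Windows 10/11 with the NetSecurity module and an elevated session; the private-range test is my own helper covering RFC 1918, link-local and loopback.

```powershell
# Added example, not from the book: check whether this client is reachable for RDP/SMB brute force and lock it
# down. Assumptions: Windows 10/11 with the NetSecurity module; run elevated. Test-PrivateIPv4 is my own helper
# covering RFC 1918, link-local and loopback ranges.

function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address -split '\.' | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168) -or
    ($o[0] -eq 169 -and $o[1] -eq 254) -or
    ($o[0] -eq 127)
}

function Get-RemoteAccessExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
    $publicAddrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and -not (Test-PrivateIPv4 $_.IPAddress) } |
        Select-Object -ExpandProperty IPAddress
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 3389, 445 } | Select-Object -ExpandProperty LocalPort -Unique
    # Enabled inbound allow rules for 3389/445 that apply on Public (or any) networks
    $inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort | Where-Object { $_ -in '3389', '445' } } |
        Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        RdpEnabled          = $rdpEnabled
        NlaRequired         = $nla
        PublicIPv4          = $publicAddrs -join ', '
        ListeningPorts      = $listening -join ', '
        PublicProfileAllows = $inboundAllow -join '; '
        NetworkProfiles     = (Get-NetConnectionProfile | ForEach-Object { "$($_.Name)=$($_.NetworkCategory)" }) -join ', '
        Exposed             = [bool]$publicAddrs -and [bool]$listening -and [bool]$inboundAllow
    }
}

function Set-RemoteAccessHardening {
    # Disable RDP, require NLA if it is ever re-enabled, and add an explicit block for inbound RDP/SMB on
    # non-domain networks. Block rules take precedence over allow rules in Windows Firewall.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $name = 'Block inbound RDP/SMB (Public, Private)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -Protocol TCP `
            -LocalPort 3389, 445 -Profile Public, Private | Out-Null
    }
    Get-RemoteAccessExposure
}

Get-RemoteAccessExposure | Format-List
# Set-RemoteAccessHardening   # apply on managed clients that never need inbound RDP or SMB
```

The same checks belong in your endpoint management baseline rather than in an ad hoc script; the value of running it by hand is to see which laptops already have a routable address and a listener before the policy lands.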

How does ransomware work?

The worst thing possible has happened – someone has managed to compromise your infrastructure and encrypted your data. How did it happen and how did they get in?

Let’s explore some of the mechanics behind some of the different ransomware types.

Diavol ransomware

Diavol was a type of ransomware presumably used by a group called Wizard Spider, and it was first discovered by FortiGuard Labs in June 2021. It used BazarLoader, a known malware loader, to steal information and deliver malware payloads.

The initial payload was delivered to an endpoint via a phishing attack that included a link to a OneDrive URL. OneDrive is used because its URLs typically pass through most firewalls and spam filters.

BazarLoader tends to use commonly known cloud services to bypass security filters. The user is instructed to download a ZIP file that contains an ISO file, which lets the download bypass security mechanisms that inspect downloaded files. When the user mounts the ISO file on their filesystem, it exposes an LNK file and a DLL file. Once the user executes the LNK file, the BazarLoader infection is initiated.

Initially, as with BazarLoader, it starts by doing internal reconnaissance of the Windows environment using scripts and commands such as the following:

Net group "Domain Computers" /domain
Nltest /domain_trust /all_trusts
Net localgroup "administrator"

After performing reconnaissance, BazarLoader downloads a set of DLL files using Background Intelligent Transfer Service (BITS), which contains Cobalt Strike, and begins to communicate with the operator’s Cobalt Strike server. Then, from the compromised machine, they usually run the second stage of scripts, using tools such as AdFind, and then dump local credentials using a BAT script.

The attackers also tend to use tools such as Rubeus to perform Kerberoasting, which is used to harvest Ticket Granting Service (TGS) tickets in the domain.

Once they manage to get access to file servers, they use tools such as AnyDesk and FileZilla to exfiltrate the data from the environment. Then, they move to more critical systems, such as backup servers and domain controllers.

Once they’ve performed data exfiltration and have access to the core parts of the infrastructure, including backup systems, they trigger the initial payload.

The final payload is usually triggered via RDP with scripts that start the encryption process. To maximize the effect, the ransomware terminates processes that can hold locks on files, such as Office applications and database services. It also tries to stop services and processes that can lock file access, such as httpd.exe, sqlserver.exe, chrome.exe, and others.

They also use scripts to enumerate all drives attached to the host machines. In addition, they stop the Volume Shadow Copy Service (VSS) and ensure that VSS snapshots are deleted before they run the encryption process.

For each machine that gets compromised, Diavol creates a unique identifier, which is then communicated back to the C2 address.
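The reconnaissance commands and the pre-encryption steps described above (stopping VSS, deleting shadow copies, killing processes that hold file locks) all leave process-creation events behind. The following is an added Python example, not code from the book or from any vendor analysis, that runs simple rules over constructed Sysmon-style process-creation events and rates each host; the host names, user names, event layout and the assumption that the standard Windows utilities (net, nltest, vssadmin, wmic, taskkill) are used are all illustrative.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation events, reduced to the
# fields the rules need. Host and user names are illustrative, not real data.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jdoe",   "cmd": 'net group "Domain Computers" /domain'},
    {"host": "WS-014", "user": "CORP\\jdoe",   "cmd": "nltest /domain_trusts /all_trusts"},
    {"host": "WS-014", "user": "CORP\\jdoe",   "cmd": "net localgroup administrators"},
    {"host": "FS-02",  "user": "CORP\\svc-bk", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "FS-02",  "user": "CORP\\svc-bk", "cmd": "net stop vss /y"},
    {"host": "FS-02",  "user": "CORP\\svc-bk", "cmd": "taskkill /F /IM sqlserver.exe"},
    {"host": "WS-022", "user": "CORP\\mlee",   "cmd": "notepad.exe C:\\Users\\mlee\\notes.txt"},
]

# Each rule is (name, pattern). Recon rules are low confidence on their own
# (administrators run them too); the pre-encryption rules are high confidence
# because they tamper with the very backups a recovery would rely on.
RULES = [
    ("recon_net_group", re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|localgroup)\b", re.I)),
    ("recon_nltest_trusts", re.compile(r"\bnltest(?:\.exe)?\s+/domain_trust", re.I)),
    ("shadow_copy_delete", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("vss_service_stop", re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+vss\b", re.I)),
    # Process names taken from the Diavol description (httpd, sqlserver, chrome).
    ("kill_locking_process", re.compile(
        r"\btaskkill(?:\.exe)?\b.*?/im\s+(?:sqlserver|httpd|chrome)\.exe\b", re.I)),
]
PRE_ENCRYPTION = {"shadow_copy_delete", "vss_service_stop", "kill_locking_process"}


def match_rules(cmd: str) -> list[str]:
    """Return the names of every rule whose pattern matches one command line."""
    return [name for name, pat in RULES if pat.search(cmd)]


def triage(events: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Group rule hits per host. 'pre-encryption' means a backup-tampering or
    lock-breaking rule fired (the step right before the encryptor runs);
    'recon' means only enumeration commands were seen on that host."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {
        host: ("pre-encryption" if names & PRE_ENCRYPTION else "recon", sorted(names))
        for host, names in hits.items()
    }
```

Hosts rated pre-encryption are the ones to isolate first, since the encryptor typically follows within minutes of the shadow copies being removed.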

Figure 1.4 – Overview of the attack pattern for Diavol

This overview shows the different stages and attack patterns in a Diavol attack, where the final payload is typically distributed to all parts of the infrastructure using RDP.

Conti ransomware

Conti was first seen in May 2020 and was one of the most common ransomware variants in 2021. The main point of access was mostly through spear-phishing campaigns, which, in most cases, utilized malicious JavaScript code that would first drop a malware loader (TrickBot, IcedID, or BazarLoader) into the infrastructure.

They have also been known to use brute-force attacks using RDP.

Now, like with Diavol and BazarLoader, Conti uses a range of different scripts to do reconnaissance, such as nltest, whoami, and net.exe. Then, they use Cobalt Strike to escalate privileges to the local system and set up communication with C2 servers.

Then, the attackers use different tools to scan the network and collect information, such as AdFind, Router Scan, SharpChrome, and Seatbelt. They also use tools such as Kerberoast and Mimikatz to collect admin hashes or extract passwords.

They spend time looking into local user account profiles in search of important data or files that can be used for leverage for the ransom, such as the following:

Outlook (OST files)
Login data stored within Chrome
KeePass/LastPass information
FileZilla (sitemanager.xml)
Local OneDrive folders

They were also known to use common Windows-based vulnerabilities such as Zerologon, PrintNightmare, and EternalBlue to gain elevated privileges within the environment.

Cisco Talos security researchers got hold of leaked Conti documentation from a disgruntled insider, which shows the attack patterns, scripts, and how to use the different tools. You can see a PDF file of the summary here: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf?1630583757.

Once they have gotten elevated privileges, they use PsExec (part of the Sysinternals suite from Microsoft) to copy and execute Cobalt Strike Beacon on most of the systems in the network. Once they have gotten access to the domain controllers, they use built-in services such as Group Policy to disable Defender services to avoid detection.

Once that is done, the attackers run the final payload, which, as with Diavol, will stop a lot of different built-in services that can have locks on different files on the operating system, such as the following:

Microsoft Exchange
Microsoft SQL
Acronis Backup
Backup Exec

Most ransomware also has a built-in list of folders that it whitelists (skips) during the encryption process. This is to ensure that the system keeps running after the data has been encrypted. This list is in most cases static and contains folders such as the following:

AppData
Program Files
Boot
Windows
WinNT

However, if you have a different partition layout, or data such as the domain controller’s database is stored on another partition, that data will get encrypted. Conti also skips some file extensions such as .exe, .dll, .sys, and .lnk. After it is done with the encryption, all files have a .CONTI extension, and within each folder, it also creates a ransom note.

Sodinokibi/REvil ransomware

Sodinokibi/REvil is maybe the most prolific ransomware group on our list. They were the ones behind the infamous Kaseya VSA supply chain attack, and they were also behind the attacks on other large companies such as Travelex and JBS Foods. JBS Foods, the world’s largest meat producer, ended up paying 11 million dollars to REvil to regain access to their data.

Like the other ransomware operators mentioned earlier, REvil has been known to use malware loaders such as IcedID, as well as brute-force attacks and the exploitation of known vulnerabilities in FortiOS VPN, Pulse VPN, BlueGate, Citrix, and Oracle WebLogic Server, to name a few.

They are also one of the ransomware operators that first started targeting VMware ESXi virtual machines. They used the built-in ESXCLI command line to force stop the virtual machines and then encrypt data directly at the VMware datastore level.

For one customer that I was working with that got hit with Sodinokibi, the initial point of entry was a compromised virtual machine (via RDP) in Azure, which was then used to access the virtual infrastructure.

Like the others, REvil also had a collection of scripts and utilities that they used to do reconnaissance of the network. One thing that sets them a bit apart, however, is that they were able to restart virtual machines in safe mode with networking and still run their payload. The advantage was that they could run their payload and disable any EDR services on the machines before rebooting back to normal mode.

Fortunately, in early 2022, the Russian government arrested multiple key members of the REvil ransomware group at the request of the US; you can read more about it here: https://www.wsj.com/articles/russia-says-it-raided-prolific-ransomware-group-revil-with-arrests-seizures-11642179589.

LockBit ransomware

One of the most common ransomware groups at the time of writing is LockBit, which has impacted a lot of large organizations since its emergence back in 2019, such as Accenture, which was hit in late 2021.

LockBit, like the other Ransomware as a Service (RaaS) operators, used a well-known Russian-speaking forum known as XSS to advertise its affiliate program. Then, the XSS operators banned all ransomware topics on their forum, and LockBit started to use its own infrastructure to advertise its affiliate program.

LockBit has been known to recruit insiders to gain access to infrastructure using their affiliate program, enticing them with millions of dollars in exchange for access to valuable company data:

Figure 1.5 – A screenshot showing the recruitment program for LockBit

LockBit advertised on its website that its method of encrypting data was a lot faster than that of other ransomware variants and that it takes great pride in the programming of its encryption routine.

Also, their ransomware (like most other ransomware variants) does not run in Russian-speaking countries or on infrastructure with the system language set to Russian. In some cases, there is a built-in detection mechanism that informs the operators or stops the information collection process if the system is running in Russian.

They use a similar modus operandi to the other groups we've talked about; however, they have also evolved a lot during the last year. In October 2021, there were also rumors that they have developed their first LockBit Linux-ESXi variant.

ESXi ransomware isn’t something new, but this new variant targets both vCenter and VMware ESXi while utilizing vulnerabilities to be able to gain access to the VMware environment.

The latest additions

Now, in 2023, we have seen new threat groups emerge that contain affiliates or members from older groups.

We have groups such as the following:

Royal
RansomHouse
BlackCat
Clop Leaks

There are dozens more. On social media, we can see new victims being published daily. Some sources that can be used to follow these different threat groups are the following Twitter profiles:

https://twitter.com/TMRansomMonitor
https://twitter.com/RansomwareNews

Because of the frequency with which we’re seeing new victims being impacted, it is important to use these sources to get a view of the current trends and understand which groups are the most active.

Looking at the big picture

Now that we have looked at some of the main attack vectors and more closely at some of the different ransomware variants, I wanted to paint a bigger picture and provide some important considerations.

Let us start by looking at the first phase of a ransomware attack where the initial compromise happens:

In most cases, phishing attacks are utilized to get the end user to click on a malicious attachment to run some specific payload to trigger malware, such as BazarLoader, on the compromised endpoint.
Other attacks start by exploiting a vulnerable endpoint such as Exchange, RDP, or other third-party services that are available. We have seen that after an affiliate has gained access to an organization, that access is sold to threat actors for between $5,000 and $50,000, depending on the type of access.

Once the attacker has managed to gain access, the second phase starts which is collecting information:

The initial stage after getting access to an endpoint is assessing the environment, using built-in scripts and tooling to get information about machines/networks/users/data. This information is also used to gather proof of what kind of organization they have gained access to if they want to sell their access to it later.

The following table summarizes some of the main tools and scripts that ransomware operators use to assess an environment and try and gain further access to the environment.

It should be noted that this is not a complete list; I have just listed some I have encountered in different customer scenarios. However, it gives a better view of the tooling that attackers are using to collect information:

ADFind
Atera
Invoke-SMBAutoBrute
Advanced IP Scanner
SharpView
BloodHound
Net-GPPPassword
MSSQL UDP Scanner
Net Use
DCSync
SharpChrome
Zero.exe
NetScan
Router Scan
BITSAdmin
Splashtop Remote
Esentutl
Mimikatz
Invoke-ShareFinder
SQLCMD
WMIC
Cobalt Strike
PowerView
UAC-TokenMagic
Nltest
WDigest
Process Hacker
Kerberoast
AnyDesk/TeamViewer
Getuin
FileZilla SFTP
Seatbelt

Figure 1.6 – Table overview of commonly used tools and scripts

In addition to some of the scripts/tooling mentioned in the preceding table, attackers use many built-in capabilities to navigate the environment. These can be features such as RDP and File Explorer. Some operators have also been known to use Group Policy Management to perform operations across multiple machines at the same time.

At the time of writing, the majority of ransomware is aimed at Windows-based environments, because the majority of enterprises run Windows in large parts of their data centers. This includes Active Directory, file servers, and SQL servers, as well as Windows endpoints. However, we have also seen ransomware operators moving to new target types, and new ransomware variants are emerging that are aimed at other services, such as NAS appliances. One of these new variants is called Deadbolt, which is aimed at QNAP NAS appliances. There have also been some variants for Linux and Mac OS X, so this is something that we should all pay attention to.

Identity-based attacks

Now that we have taken a look at the different attack vectors and some of the different ransomware variants and their attack patterns, I want to look at some of the common attack vectors in more depth, starting with identity-based attacks.

Identity-based attacks are becoming more and more common with the move to public cloud services such as Microsoft 365.

SaaS services share a common property: they are reachable from the internet, which means that anyone can attempt to access them.