
The Anatomy of a Ransomware Attack

Ransomware has been a household name ever since WannaCry hit the headlines in 2017, and it is only picking up speed. Given how lucrative extortion malware is, new variants will undoubtedly keep evolving and threatening to cripple businesses. With the public release of exploits like EternalBlue (via the Shadow Brokers leak), the ease of collecting pseudonymous payment in Bitcoin, and the advent of self-service Ransomware-as-a-Service (RaaS) offerings from groups like REvil and DarkSide, advanced adversaries and script kiddies alike are equipped to spread through an entire environment and profit.

The impact is not limited to enterprises. Given the far-reaching nature of ransomware, the negative effects are trickling into the lives of everyday consumers. The recent Colonial Pipeline ransomware attack led to temporary gas shortages and panic buying on the East Coast, so the economic and personal ramifications are far-reaching. Ransomware attacks on hospitals have delayed treatment and, in one case, were associated with the death of a woman seeking treatment at a hospital in Düsseldorf, Germany.

Earlier this month, the Steamship Authority, which ferries passengers to and from Martha’s Vineyard in Massachusetts, was hit by a ransomware attack that disrupted its ticketing and reservation systems, causing delays for passengers. The average passenger may not know that ransomware is behind these disruptions, but is nonetheless directly experiencing the consequences.

What is a Ransomware Attack?

Ransomware is an evolving form of extortion malware that encrypts or locks critical files on a machine, rendering them inaccessible and unusable. Operators demand a ransom, typically in Bitcoin, in exchange for the decryption key, and increasingly exfiltrate the files first and threaten to leak them if the organization does not pay. Common supporting tactics include deleting backups and shadow copies and overwriting the master boot record (MBR) to force the organization’s hand.

There are a few ways enterprises can properly detect and defend against this rampant threat.

Ransomware Attack Indicators

Note that historically, the majority of ransomware targets Microsoft Windows machines, though variants targeting macOS and Linux have emerged in recent years. As a result, we will primarily focus on MS Windows for the purpose of this post.

Initial Access

There are a plethora of ways for an attacker to gain access to a victim’s network. Adversaries establish their initial foothold through some combination of poor security hygiene, misconfigured settings, overly broad access, unpatched vulnerabilities, and socially engineered, click-happy end users.

Remote Desktop Protocol (RDP)

RDP continues to be the bane of security professionals’ existence as one of the most frequently exploited vectors for ransomware, according to Recorded Future. Companies may have overly broad permissions and access, allowing systems or resources to be internet-accessible. Whether it’s a misconfigured system, a server left open for ease of access, or an asset that IT never inventoried, attackers will abuse these lapses in security hygiene. Malicious actors scan the internet for exposed RDP endpoints and brute force or password-spray accounts against them. Worse, RDP systems protected by weak username and password combinations are not only compromised directly; the working credentials (and therefore the access) are also put up for sale in criminal marketplaces, where ransomware operators can pick victims à la carte.

Additionally, attackers exploit unpatched vulnerabilities in RDP itself, resulting in remote code execution and lateral movement of the ransomware. Given the shift to remote work during the COVID-19 pandemic, the use of RDP by administrators and staff has undoubtedly increased, giving attackers a larger surface to exploit. The importance of continuous patching cannot be emphasized enough.
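The brute forcing described above leaves a loud trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often across several usernames. The following PowerShell is an added example, not code from the original post. It groups failures by source IP inside a sliding window and alerts when a threshold is crossed; the threshold, window, and sample events are assumptions chosen for illustration, and the commented `Get-WinEvent` block shows how to feed it real events on a host that has the log.

```powershell
# Added example (not from the original post): flag RDP brute force / password spraying
# from Windows Security event 4625 records. LogonType 10 = RemoteInteractive (RDP).
# Threshold and window below are assumed values; tune them to your environment.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold     = 10,                  # failures from one source before alerting (assumed)
        [int] $WindowMinutes = 5                    # sliding window length (assumed)
    )
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 }
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    Users     = (@($group.Group.TargetUserName) | Sort-Object -Unique) -join ','
                    FirstSeen = $times[$i]
                }
                break   # one alert per source is enough
            }
        }
    }
}

# To run against the real log (administrator on the target host or a domain controller),
# map the 4625 XML fields onto the same shape:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#         TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         LogonType      = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#     }
# } | Find-RdpBruteForce

# Constructed sample data: 12 failures from one address in two minutes spraying three
# accounts, plus a couple of unrelated failures that must not trigger an alert.
$t0 = Get-Date '2021-06-01 02:00:00'
$sample = @()
0..11 | ForEach-Object {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 10); IpAddress = '203.0.113.7'
                                  TargetUserName = @('administrator','admin','backup')[$_ % 3]; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); IpAddress = '198.51.100.9'; TargetUserName = 'jsmith'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(31); IpAddress = '198.51.100.9'; TargetUserName = 'jsmith'; LogonType = 2 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Expected: one row for 203.0.113.7 with 12 failures and Users "admin,administrator,backup"
```

Logon type 3 (network) failures with a non-empty IpAddress are worth the same treatment, since some RDP pre-authentication failures are logged that way when NLA is enabled. Whatever you alert on, the durable fix is to take RDP off the internet entirely and reach it through a VPN or gateway with MFA.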

Poor Password Policies

Related to brute forcing RDP, in terms of low-hanging fruit, IT administrators need to define and enforce password complexity requirements. Passwords like “password123” should be a thing of the past. Weak passwords fall to online guessing in seconds, and once an attacker captures password hashes, offline cracking tools like John the Ripper recover simple passwords in milliseconds. Automated enforcement of password complexity and rotation can be enabled using scripts such as the Automox Password Policy Worklet, available from the Automox Alive Community.

Virtual Private Networks (VPN)

In the same vein as RDP being a huge vector for malicious actors to gain access, several severe vulnerabilities in VPN appliances have been disclosed in the past two years, including but not limited to household names like F5, Fortinet, Citrix, and Pulse Secure. These vulnerabilities have opened the door to remote code execution, reconnaissance, and lateral movement. Once again, unpatched vulnerabilities in these VPN appliances have proved instrumental as initial access points for adversaries. This trend will likely increase as companies shift to a hybrid or fully remote workforce. With many important assets located behind a VPN, companies need a defense-in-depth strategy so that a VPN vulnerability is not a single point of failure.

Spear Phishing

Alas, the Layer 8 Human will undoubtedly click links and open email attachments. Email content filtering and user education are instrumental in decreasing the exploitation of this vector. A common pattern is a spear-phishing attachment carrying malicious macros that invoke PowerShell to fetch a loader, which in turn stages and launches the ransomware. As a general best practice, macros should be disabled by policy across the organization, or at minimum blocked for documents that arrived from the internet.
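The macro posture recommended above is set through Office’s policy registry keys, the same values the Office Group Policy (ADMX) templates write. The PowerShell below is an added example, not code from the original post: it reports the current macro policy for a user and then tightens it. It assumes an Office 2016/2019/Microsoft 365 installation (version key `16.0`) and applies the setting to Word, Excel, and PowerPoint for the current user; in practice you would push the identical values domain-wide via GPO.

```powershell
# Added example (not from the original post): audit and enforce Office VBA macro policy via
# HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security. Assumes Office 16.0 (2016/2019/M365).
# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification (Office default, users can
# still click "Enable Content"), 3 = disable all except digitally signed, 4 = disable all, no prompt.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the Mark-of-the-Web.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'   # assumed set of applications to harden

function Get-MacroPolicy {
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings                        # $null means "not set by policy"
            BlockInternetMacros = $p.blockcontentexecutionfrominternet  # $null means "not set by policy"
        }
    }
}

function Set-MacroPolicy {
    param([ValidateSet(3, 4)] [int] $VBAWarnings = 4)   # only the two safe settings are allowed
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

Get-MacroPolicy | Format-Table -AutoSize   # before: typically blank (no policy) or 2
Set-MacroPolicy -VBAWarnings 3             # allow only digitally signed macros; use 4 to disable all
Get-MacroPolicy | Format-Table -AutoSize   # after: VBAWarnings 3, BlockInternetMacros 1
```

Setting 4 is the right default for most of the organization; reserve 3 for finance or engineering groups that genuinely depend on signed internal macros, and pair it with a code-signing certificate you control.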

Anatomy of a Ransomware Attack

Once the adversary gains an initial foothold, the ransomware will typically enumerate and stop security software and antivirus agents, including Windows Defender, which comes preinstalled on Windows machines. Next, it encrypts important files, in most cases skipping critical system executables and directories so the machine stays usable for paying the ransom. For instance, database applications (on Windows servers) are targeted because their data is valuable, while web browsers are left intact to allow Bitcoin payment and communication with the operators.

Post-encryption, ransomware typically has a few tricks up its sleeve. Below are the usual suspects:

Prevent System Recovery

Ransomware authors primarily target volume shadow copies to prevent recovery post-encryption. On Windows, they may leverage vssadmin.exe either to delete the shadow copies outright or to shrink the shadow storage, which forces Windows to purge existing copies to fit the new limit.

vssadmin.exe delete shadows /all /quiet

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

In conjunction with (or sometimes in lieu of) vssadmin, adversaries may also use the WMI command-line tool (wmic) or PowerShell for the same purpose.

wmic shadowcopy delete

Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete();}

Additionally, bcdedit.exe can be weaponized to disable the Windows Recovery Environment and automatic repair after a failed boot, and wbadmin.exe is used to purge the Windows Backup Catalog so Windows Server Backup no longer knows about existing backups.

bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit /set {default} recoveryenabled no

wbadmin.exe delete catalog -quiet

Adversaries can also disable backup and recovery settings through various Windows registry keys.
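Every command listed above runs as a new process, so process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) is the natural place to catch them; MITRE ATT&CK catalogs this behavior as T1490, Inhibit System Recovery. The PowerShell below is an added example, not code from the original post. It matches command lines against the techniques on this page and reports the parent process for triage, since legitimate backup agents also call vssadmin. The field names follow Sysmon, but the events themselves are constructed.

```powershell
# Added example (not from the original post): detect the recovery-inhibition commands
# described above (ATT&CK T1490) in process-creation events. Records are constructed;
# on a real host feed Sysmon Event ID 1 from Microsoft-Windows-Sysmon/Operational.

$RecoveryInhibitionRules = @(
    @{ Name = 'vssadmin delete shadows';       Pattern = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'vssadmin resize shadowstorage'; Pattern = '(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'wmic shadowcopy delete';        Pattern = '(?i)wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'WMI Win32_ShadowCopy Delete()'; Pattern = '(?i)Win32_ShadowCopy.*\.Delete\(' }
    @{ Name = 'bcdedit disable recovery';      Pattern = '(?i)bcdedit(\.exe)?\s+/set\s+\{+default\}+\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'wbadmin delete catalog';        Pattern = '(?i)wbadmin(\.exe)?\s+delete\s+catalog' }
)

function Test-RecoveryInhibition {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with CommandLine, ParentImage, User
    foreach ($e in $Events) {
        foreach ($rule in $RecoveryInhibitionRules) {
            if ($e.CommandLine -match $rule.Pattern) {
                [pscustomobject]@{ Rule = $rule.Name; User = $e.User; Parent = $e.ParentImage; CommandLine = $e.CommandLine }
            }
        }
    }
}

# Real events: map Sysmon EID 1 fields onto the same shape.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
#         ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text'
#         User        = ($d | Where-Object Name -eq 'User').'#text'
#     }
# } | Test-RecoveryInhibition

# Constructed sample: the attack chain from this post plus one benign backup-agent call
# (listing shadows is routine and must not fire).
$sample = @(
    [pscustomobject]@{ User = 'CORP\svc-backup'; ParentImage = 'C:\Program Files\ExampleBackup\agent.exe'
                       CommandLine = 'vssadmin.exe list shadows' }
    [pscustomobject]@{ User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB' }
    [pscustomobject]@{ User = 'CORP\jdoe'; ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\locker.exe'
                       CommandLine = 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete();}"' }
    [pscustomobject]@{ User = 'CORP\jdoe'; ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\locker.exe'
                       CommandLine = 'bcdedit /set {default} recoveryenabled no' }
    [pscustomobject]@{ User = 'CORP\jdoe'; ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\locker.exe'
                       CommandLine = 'wbadmin.exe delete catalog -quiet' }
)

Test-RecoveryInhibition -Events $sample | Format-Table -AutoSize
# Expected: five hits (every record except the benign "list shadows" one)
```

Tune out noise by allow-listing the parent image of your sanctioned backup product rather than the command itself; a deletion spawned by cmd.exe, an Office process, or a binary in a user-writable directory should always page someone.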

Overwriting the Master Boot Record

Ransomware such as Petya overwrites the master boot record (MBR) with its own boot code and then encrypts the NTFS master file table (MFT). The machine can no longer boot into Windows, and without the MFT the file system cannot locate files, so even file contents that were never touched are unrecoverable without the key.

Ransomware Mitigation Strategies

It is a general best practice for enterprises to maintain regular, offline or immutable backups. However, the truth of the matter is that many enterprises are failing to reduce their attack surface by leaving critical vulnerabilities unpatched. In addition to the VPN and RDP vulnerabilities detailed earlier in this article, EternalBlue, despite being leaked back in April 2017, is still one of the most commonly exploited vulnerabilities in ransomware and other malware attacks alike. The vulnerability resides in version 1 of the Windows Server Message Block protocol (SMBv1), which provides file sharing and inter-machine communication. In a nutshell, attackers send crafted SMB packets to a listening host and remotely execute their code without credentials, enabling rapid lateral movement of the ransomware across the environment.

Patch Your (Eternal)Blues!

Microsoft released its security update (MS17-010, March 2017) to fix the SMBv1 remote code execution flaw, thereby gutting EternalBlue, and has since disabled SMBv1 by default in new Windows installations. However, many IT shops have been slow or unable to apply this critical patch months and years later, continuing to run legacy systems that Microsoft has long since end-of-lifed and leaving themselves wide open to ransomware and other attacks.
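Two facts determine a host’s exposure to EternalBlue: whether SMBv1 is still enabled and whether the MS17-010 fix (or a later cumulative update that contains it) is installed. The PowerShell below is an added example, not code from the original post. It audits both and can turn SMBv1 off. The KB numbers are Microsoft’s original March 2017 MS17-010 releases for each OS family; on Windows 10 and Server 2016 or later they are superseded by later cumulative updates, so a missing KB there is a cue to check the most recent patch date rather than proof of exposure.

```powershell
# Added example (not from the original post): audit SMBv1 / MS17-010 exposure and optionally
# disable SMBv1. Requires an elevated PowerShell on Windows 8 / Server 2012 or later.
# MS17-010 KB list: XP/2003/Vista/2008 (4012598), Win7/2008R2 (4012212, 4012215),
# 8.1/2012R2 (4012213, 4012216), 2012 (4012214, 4012217), Win10 1507/1511/1607+2016 (4012606, 4013198, 4013429).
# Later cumulative updates supersede these on Windows 10/2016+, so also look at LastPatchDate.

$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'

function Get-Smb1Exposure {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $hotfix  = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    $os      = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol                      # $true = EternalBlue has a listener to hit
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'n/a (no optional feature on this OS)' }
        Ms17010KbPresent  = $hotfix.Count -gt 0
        Ms17010Kb         = ($hotfix.HotFixID -join ',')
        OsCaption         = $os.Caption
        OsBuild           = $os.BuildNumber
        LastPatchDate     = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    }
}

function Disable-Smb1 {
    # Stop serving SMBv1 immediately; removing the optional component (where present) completes on reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Smb1ServerEnabled) {
    Disable-Smb1
    Get-Smb1Exposure | Format-List   # Smb1ServerEnabled should now read False
}
```

Before disabling SMBv1 fleet-wide, inventory what still speaks it (old multifunction printers and NAS appliances are the usual offenders) with the SMB1 access audit (`Set-SmbServerConfiguration -AuditSmb1Access $true`, then watch Event ID 3000 in the SMBServer/Audit log) so that the change does not break backups or scanning workflows.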

Remote Work and Ransomware

Additionally, with the rapid onset of the COVID-19 pandemic, remote work has introduced a new set of problems as IT and security teams adapt to securing a distributed workforce and a growing cloud footprint. Unpatched internet-facing servers are prime targets for attackers seeking their initial foothold into unsuspecting organizations. According to Forbes, the recent Colonial Pipeline ransomware attack attributed to the DarkSide group “exploited ‘critical’...vulnerabilities that were known for more than 90 days.” In the cyber world, three months is an eternity for attackers to identify and exploit vulnerabilities. According to Tenable Research, attackers have on average a 7-day head start on exploiting a vulnerability before a company is able to properly identify it. In the case of the DarkSide ransomware, attackers had a 3-month head start, and for many companies globally, a 4-year head start on EternalBlue.

As the US government moves to treat ransomware attacks with the same severity as acts of terrorism, companies need to make the same shift in prioritizing vulnerability patching to reduce their attack surface. A defense-in-depth strategy is necessary, but it requires every layer of the security stack to be up to date and patched in order to be wholly effective. Therefore, to adequately defend against ransomware and other attacks, organizations need to leverage automated patching systems and aim to remediate critical vulnerabilities within 72 hours and zero-day vulnerabilities within 24 hours. To find out more, check out our endpoint hardening and patch management cheat sheet.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.