Cisco Talos analyzed the top 14 ransomware groups from 2023 to 2024 to expose their attack chain and highlight interesting tactics, techniques, and protocols. The security firm also exposed the vulnerabilities most exploited by ransomware actors.
Ransomware attack chain: What Cisco Talos researchers learned
Almost all ransomware actors use the same attack chain.
First step for ransomware actors
The first step that the threat actor must take is to gain access to the targeted entity. To achieve that goal, ransomware actors use different techniques; one of the most common techniques is social engineering their targets by sending emails containing malicious files or links that will execute malware on the targeted system. The malware will then allow the attacker to deploy more tools and malware to achieve their goals. Multi-factor authentication can be bypassed at this point by a variety of techniques, either by poor MFA implementation or by possessing valid credentials.
Talos also reported that an increasing number of ransomware affiliates are scanning internet-connected systems for vulnerabilities or misconfigurations that could allow them to compromise the system. Legacy or unpatched software is a particularly high risk.
Second step for ransomware actors
The second step is to achieve persistence in case the initial attack vector is discovered; such persistence on systems is usually achieved by modifying Windows registry keys or enabling automatic execution of the malicious code at system startup. Local, domain, or cloud accounts can also be created to achieve persistence.
Step three for ransomware actors
In the third step, the threat actor scans the network environment to better understand the internal parts of the infrastructure. This step identifies valuable data that can be used to demand ransom. To successfully access all parts of the network, attackers often use tools to elevate their privileges to the administrator level, in addition to using tools that enable network scanning. Popular tools for these tasks are Living Off the Land binaries, also known as LOLbins, because they are executable files native to the operating system and less likely to generate alerts.
Step four for ransomware actors
The attacker is ready to collect and steal sensitive data, which he often compresses with utilities (such as 7-Zip or WinRAR) before exfiltrating the data to attacker-controlled servers using remote administration and monitoring tools or more custom-built ones, such as StealBit or Exabyte, for example, created by the LockBit and BlackByte ransomware groups.
Possible fifth step for ransomware actors
If the goal is data theft or extortion, the operation is over. If the goal is data encryption, the attacker must test the ransomware in the environment (i.e., test the distribution mechanisms and communications between the ransomware and the C2 server) before executing it to encrypt the network and notify the victim that they have been breached and must pay the ransom.
The three most abused vulnerabilities
Cisco Talos reported that three vulnerabilities in public applications are commonly exploited by ransomware threat actors.
- CVE-2020-1472 Also known as Zerologon, it exploits a flaw in the Netlogon remote protocol that allows attackers to bypass authentication and change passwords of computers within a domain controller’s Active Directory. This exploit is widely used by ransomware actors because it allows them to gain access to a network without authentication.
- CVE-2018-13379A Fortinet FortiOS SSL VPN vulnerability, allows traversal of paths that allow an attacker to access system files by sending specially crafted HTTP packets. This allows access to VPN session tokens, which can be used to gain unauthenticated access to the network.
- CVE-2023-0669a GoAnywhere MFT vulnerability, allows attackers to execute arbitrary code on a targeted server running GoAnywhere Managed File Transfer software. This is the latest vulnerability Cisco Talos includes in its report.
All of these vulnerabilities allow ransomware actors to gain initial access and manipulate systems to execute more malicious payloads, install persistence, or facilitate lateral movement within compromised networks.
DOWNLOAD: Cybersecurity benefits and best practices from TechRepublic Premium
Notable TTPs from 14 ransomware groups
Cisco Talos looked at TTPs used by 14 of the most prevalent ransomware groups based on their attack volume, customer impact, and atypical behavior.
One of the key findings regarding TTPs is that many of the most prominent groups prioritize establishing initial engagement and evading defenses in their attack chains.
Ransomware threat actors often hide their malicious code by compressing it and modifying the system registry to disable security alerts on the endpoint or server. They may also block certain recovery options for users.
Cisco Talos researchers highlighted that the most common credential access technique is dumping the contents of LSASS memory to extract plaintext passwords, hashed passwords, or authentication tokens stored in memory.
Another trend in C2 activities is the use of commercially available tools, such as RMM applications. These applications are usually trusted by the environment and allow the attacker to blend in with corporate network traffic.
How to mitigate the threat of ransomware
For starters, it is mandatory to patch and update all systems and software; this constant maintenance is necessary to reduce the risk of being compromised by an exploit.
Strict password policies and multi-factor authentication should be implemented. Complex and unique passwords should be set for each user and multi-factor authentication should be enforced so that an attacker with valid credentials cannot access the target network.
Best practices should be applied to harden all systems and environments. Unnecessary services and functions should be disabled to reduce the attack surface. In addition, exposure to the Internet should be reduced by limiting the number of public services as much as possible.
Networks should be segmented using VLANs or similar technologies. Sensitive data and systems should be isolated from other networks to prevent lateral movement by an attacker.
Endpoints should be monitored by a security information and event management system, and endpoint detection and response or extended detection and response tools should be implemented.
Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.
