Cisco Talos analyzed the top 14 ransomware groups between 2023 and 2024 to expose their attack chain and highlight interesting Tactics, Techniques and Procedures. The security firm also uncovered the most leveraged vulnerabilities being triggered by ransomware actors.
Ransomware attack chain: What Cisco Talos researchers found
Ransomware actors almost all use the same attack chain.
Step one for ransomware actors
The first step for the threat actor consists of gaining access to the targeted entity. To achieve that goal, ransomware actors use different techniques; one of the most common is to social engineer their targets by sending emails containing malicious files or links that will run malware on the targeted system. The malware then allows the attacker to deploy more tools and malware to reach their goals. Multifactor authentication can be bypassed today using various techniques, either because of a poor MFA implementation or because the attacker already owns valid credentials.
Talos also reported that an increasing number of ransomware affiliates scan internet-facing systems for vulnerabilities or misconfigurations that could allow them to compromise the system. Unpatched or legacy software is a particularly high risk.
Step two for ransomware actors
The second step is to gain persistence in case the initial vector of compromise gets discovered; that persistence on systems is usually achieved by modifying Windows registry keys or enabling autostart execution of the malicious code upon system boot. Local, domain and/or cloud accounts might also be created for persistence.
Step three for ransomware actors
In the third step, the threat actor scans the network environment to get a better understanding of the inner parts of the infrastructure. Data of value that can be used for ransom is identified at this step. To successfully access all parts of the network, attackers often use tools to elevate their privileges to administrator level, in addition to using tools that allow network scanning. Popular tools for these tasks are Living Off the Land binaries, AKA LOLbins, because they are executable files native to the operating system and less likely to raise alerts.
Step four for ransomware actors
The attacker is ready to collect and steal sensitive data, which they often compress with utilities (such as 7-Zip or WinRAR) before exfiltrating the data to attacker-controlled servers by using Remote Monitoring and Management tools or more custom ones, such as StealBit or Exabyte, created by the LockBit and BlackByte ransomware groups.
Possible step five for ransomware actors
If the goal is data theft or extortion, the operation is over. If the goal is to encrypt data, the attacker needs to test the ransomware in the environment, that is, checking the delivery mechanisms and the communications between the ransomware and the C2 server, before launching it to encrypt the network and notify the victim that they have been breached and must pay the ransom.
Three most abused vulnerabilities
Cisco Talos reported that three vulnerabilities in public-facing applications are commonly exploited by ransomware threat actors.
- CVE-2020-1472, AKA Zerologon, exploits a flaw in the Netlogon Remote Protocol that allows attackers to bypass authentication and change computer passwords within a domain controller's Active Directory. This exploit is widely used by ransomware actors because it allows them to gain access to a network without authentication.
- CVE-2018-13379, a Fortinet FortiOS SSL VPN vulnerability, allows path traversal that lets an attacker access system files by sending specially crafted HTTP packets. VPN session tokens can be accessed this way, which can then be used to gain unauthenticated access to the network.
- CVE-2023-0669, a GoAnywhere MFT vulnerability, allows attackers to execute arbitrary code on a targeted server that uses the GoAnywhere Managed File Transfer software. This is the most recent vulnerability listed by Cisco Talos in its report.
All these vulnerabilities allow ransomware actors to get initial access and manipulate systems to run more malicious payloads, establish persistence or facilitate lateral movement within compromised networks.
Notable TTPs of 14 ransomware groups
Cisco Talos observed the TTPs used by 14 of the most prevalent ransomware groups, selected based on their volume of attacks, impact on customers and atypical behavior.
One of the key findings regarding the TTPs indicates that many of the most prominent groups prioritize establishing initial compromise and evading defenses in their attack chains.
Ransomware threat actors often obfuscate their malicious code by packing and compressing it, and modify the system's registry to disable security alerts on the endpoint or server. They might also block certain recovery options for the users.
The Cisco Talos researchers highlighted that the most prevalent credential access technique is the dumping of the LSASS memory contents to extract plaintext passwords, hashed passwords or authentication tokens stored in memory.
Another trend in C2 activities is the use of commercially available tools such as RMM applications. These applications are generally trusted by the environment and allow the attacker to blend in with the corporate network traffic.
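As an added example (not code from the Talos report or from this article), the three TTPs above that leave host telemetry, namely the autostart registry persistence from step two, the archiving before exfiltration from step four and the LSASS memory dumping just described, written as Python detection rules and run over constructed Sysmon-style events. The field names, the allowlist of legitimate LSASS openers and the sample events are assumptions made for the example.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right a dumper needs to read LSASS memory
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # assumed; tune per environment

# Constructed sample events using Sysmon-like field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\Public\u.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a staging.7z D:\Finance'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

def _base(path):
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return (rule, detail) when the event matches one of the TTPs, else None."""
    eid = ev.get("EventID")
    if eid == 13:  # registry value set: autostart key written (step two persistence)
        target = ev.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target or "\\currentversion\\runonce\\" in target:
            return ("run_key_persistence",
                    f"{_base(ev['Image'])} wrote {ev['TargetObject']} -> {ev.get('Details')}")
    elif eid == 10:  # process access: LSASS opened with memory-read rights (credential access)
        if _base(ev.get("TargetImage", "")) == "lsass.exe":
            access = int(ev.get("GrantedAccess", "0"), 16)
            src = _base(ev.get("SourceImage", ""))
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                return ("lsass_access", f"{src} opened lsass.exe with 0x{access:X}")
    elif eid == 1:  # process creation: archiver launched (step four data staging)
        if _base(ev.get("Image", "")) in ARCHIVERS:
            return ("archiver_use", f"archiver launched: {ev.get('CommandLine')}")
    return None

def scan(events):
    return [hit for hit in (check_event(e) for e in events) if hit]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The csrss.exe event is left alone both because it is allowlisted and because 0x1000 carries no read-memory right, which is the kind of double check that keeps such a rule quiet on a normal host.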
How to mitigate the ransomware threat
For starters, it is important to apply patches and updates to all systems and software; this constant maintenance is essential to reduce the risk of being compromised by an exploit.
Strict password policies and MFA must be implemented. Complex and unique passwords must be set for every user and MFA enforced, so an attacker possessing valid credentials is still not able to access the targeted network.
Best practices to harden all systems and environments must be applied. Unnecessary services and features should be disabled to reduce the attack surface. Also, exposure to the internet must be reduced by limiting the number of public-facing services as much as possible.
Networks should be segmented using VLANs or similar technologies. Sensitive data and systems must be isolated from other networks to prevent lateral movement by an attacker.
Endpoints must be monitored by a Security Information and Event Management system, and Endpoint Detection and Response or Extended Detection and Response tools must be deployed.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.