In 2016, SamSam ransomware gave the world an unpleasant surprise when it unveiled a fearsome new capability: built-in lateral movement. Why does that matter? Attackers can target an entire enterprise network, encrypt vast amounts of mission-critical data and, in turn, demand larger ransom payments. In the case of SamSam, the attackers got in by exploiting a dated, unpatched vulnerability on an Internet-facing server. Once inside, they moved laterally, seeking out additional network-connected systems in order to encrypt them.
WannaCry, which appeared in May 2017, is ransomware that spreads on its own. It leveraged EternalBlue, an exploit developed by the NSA and leaked in April 2017, to compromise machines, load the malware, and propagate to other machines. Specifically, EternalBlue exploits a vulnerability in Microsoft's Server Message Block (SMBv1) protocol, used for tasks like file sharing between Windows computers. After exploitation, WannaCry installed the DoublePulsar kernel backdoor to execute its code on the infected system, then scanned for further SMB targets on the local network and across the Internet, with no user interaction required.
Microsoft had released a patch for the SMB vulnerability (MS17-010) in March 2017, two months before the attack. However, many of the organizations hit had not applied it, and some were still running systems such as Windows XP that were past end-of-life and received no fix until Microsoft issued an emergency out-of-band patch during the outbreak.
Given its ability to spread without any human action, WannaCry is estimated to have infected more than 200,000 systems in over 150 countries.
With the world still reeling from WannaCry, NotPetya appeared on June 27, 2017, and became the most devastating cyberattack the world had seen to date.
NotPetya looked like ransomware at first glance, but turned out to be wiper malware designed only to destroy: the encryption it performed could not be reversed, even by its authors. The attack began when the bad actors compromised the update mechanism of M.E.Doc (MeDoc), a Ukrainian tax accounting package. MeDoc had hundreds of thousands of customers, most of them in Europe, who used the software to do business in Ukraine. The compromised vendor pushed out a trojanized update, and customers installed it because, like all software users, they implicitly trusted updates from their vendor. This was a supply-chain attack: it exploited the trust between a software vendor and its customers and used the compromised software, MeDoc, as a beachhead on their systems. The payload delivered through that update was a reworked variant of the Petya ransomware, dubbed NotPetya.
Inside a network, NotPetya spread laterally in two ways: it used the EternalBlue and EternalRomance SMB exploits against unpatched systems, and it harvested credentials from memory and reused them with the legitimate administration tools PsExec and WMI to reach machines that were fully patched. That second path is why patching alone was not enough to stop it. Total global damages tied to NotPetya, now seen as a geopolitical cyber weapon, have been estimated at around $10 billion.
Live Off the Land with Existing Systems
Ransomware capable of spreading on its own has generated considerable attention; however, many recent attacks are more methodical and attacker-controlled, what is often called human-operated ransomware.
These attacks don’t move as quickly as ransomware with lateral movement built in, but they are just as devastating because of the long dwell time the attackers spend surveilling the environment. US municipalities have reported a wave of such attacks in recent years, and many more likely went unreported. In most cases, attackers case the environment for weeks before deploying the ransomware encryption.
These attacks gain a foothold via phishing or by brute-forcing poorly configured, Internet-exposed services such as Remote Desktop Protocol (RDP), used for remote access to Windows. Once inside, the attackers are methodical, moving peer to peer over the ports already open between systems, for example by reusing credentials over RDP or WMI, with the goal of reaching a domain controller.
Credential harvesting, also present in NotPetya, is used to move laterally. Tools like Mimikatz dump passwords and password hashes from memory, enabling privilege escalation so attackers obtain higher levels of permission in the network.
Either way, attackers often reach a domain controller, which effectively makes them an IT admin of the company they are attacking.
At this point, they “live off the land,” using the IT admin tooling already present, such as PsExec, used to execute processes on other systems, or PowerShell, used to automate operating system management tasks, to push malicious files onto systems. Because these are the same tools administrators use every day, the activity blends in with normal operations and is far harder to spot than a worm's scanning traffic; the tell is usually who is using the tools, from where, and against how many hosts.
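As an added example (not code from the original article), here is detection logic for the living-off-the-land lateral movement described above, and for the PsExec/WMI spreading NotPetya used once it had harvested credentials. It runs over a handful of constructed Windows event-log records (hostnames, account names and IPs are invented; the event IDs and logon types are the real Windows ones) and flags PsExec service installs (System log event 7045), WMI-spawned processes (Security event 4688 with WmiPrvSE.exe as the parent), RDP logons (4624, logon type 10) and one account fanning out to many hosts. The fan-out threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample records, flattened from Windows System/Security logs.
# Hosts, users and IPs are invented; event IDs and logon types are the real ones.
EVENTS = [
    {"host": "FS01",  "id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.23"},
    {"host": "FS01",  "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "HR02",  "id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.0.23"},
    {"host": "DC01",  "id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.23"},
    {"host": "DC01",  "id": 4688, "process": "powershell.exe", "parent": "WmiPrvSE.exe", "user": "svc_backup"},
    {"host": "WEB03", "id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.23"},
    # PsExec run with -r renames the service, but the binary still lands in the ADMIN$ root
    {"host": "WEB03", "id": 7045, "service": "updsvc", "image": r"%SystemRoot%\updsvc.exe"},
    # Benign noise: a console logon, a normal process, a vendor service under System32
    {"host": "FS01",  "id": 4624, "logon_type": 2,  "user": "jdoe", "src_ip": "-"},
    {"host": "FS01",  "id": 4688, "process": "notepad.exe", "parent": "explorer.exe", "user": "jdoe"},
    {"host": "HR02",  "id": 7045, "service": "VendorAgent", "image": r"%SystemRoot%\System32\vendor.exe"},
]

NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB, WMI, PsExec), 10 = RemoteInteractive (RDP)
SYSROOT = "%SYSTEMROOT%\\"


def psexec_service_installs(events):
    """System log 7045: PsExec copies its service binary into ADMIN$ (the Windows
    directory root) and registers it. Match the default name PSEXESVC, and also any
    service whose image sits directly in the root rather than a subdirectory, which
    catches a renamed service (PsExec -r) and is unusual for legitimate services."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        name = e.get("service", "")
        img = e.get("image", "").upper()
        in_root = img.startswith(SYSROOT) and "\\" not in img[len(SYSROOT):]
        if name.upper() == "PSEXESVC" or in_root:
            hits.append((e["host"], name))
    return hits


def wmi_spawned_processes(events):
    """Security 4688: a process whose parent is WmiPrvSE.exe was started through WMI
    (e.g. Win32_Process.Create via wmic /node: or Invoke-WmiMethod from another host)."""
    return [(e["host"], e["process"], e["user"])
            for e in events
            if e["id"] == 4688 and e.get("parent", "").lower() == "wmiprvse.exe"]


def rdp_logons(events):
    """Security 4624 with logon type 10 = RemoteInteractive, i.e. an RDP session."""
    return [(e["host"], e["user"], e["src_ip"])
            for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10]


def fan_out(events, threshold=3):
    """One account from one source address authenticating to many distinct hosts is
    the signature of peer-to-peer spreading with a harvested credential.
    `threshold` is an assumed tuning value; raise it for busy service accounts."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") in NETWORK_LOGON_TYPES:
            targets[(e["user"], e["src_ip"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


def analyze(events):
    """Run every detector and return the findings keyed by technique."""
    return {
        "psexec": psexec_service_installs(events),
        "wmi": wmi_spawned_processes(events),
        "rdp": rdp_logons(events),
        "fan_out": fan_out(events),
    }


if __name__ == "__main__":
    for technique, findings in analyze(EVENTS).items():
        print(f"{technique}: {findings}")
```

Two caveats when running this against real logs: 4688 parent-process attribution needs process creation auditing enabled and the Creator Process Name field, which exists on Windows 10 / Server 2016 and later; and the fan-out rule will fire on legitimate backup or patch-management accounts, so baseline those first rather than lowering the threshold.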
What does Lady Gaga have to do with new ransomware attack techniques?
Her unsuspecting role in double extortion.
Ransomware attacks have become even nastier, as some now add a second layer of extortion. First, attackers gain a foothold, find sensitive data, and exfiltrate it to servers they control. With the data stolen, they then encrypt systems. Not only are systems locked up, but the attackers threaten to leak the stolen information publicly unless the victim pays, adding pressure to pay the ransom even when the victim has good backups and could otherwise recover on its own.
Recently, attackers targeted an entertainment law firm, stealing data related to high-profile clients including Lady Gaga, Bruce Springsteen, and Christina Aguilera. They initially released contracts related to Lady Gaga as proof that they possessed the sensitive information.
The group behind the attack threatened to release more celebrity data if the law firm declined to pay the ransom demand, which reached some $42 million.