The alteration in power dynamics has significantly transformed the nature of ransomware attacks. In the past, these attacks were primarily opportunistic, employing worm-like behavior (e.g., WannaCry) to swiftly exploit vulnerabilities and profit from their actions. However, the landscape has shifted towards a profit-sharing model, with threat actors adopting tactics, techniques, and procedures reminiscent of advanced persistent threat (APT) groups. The objective now centers around maximizing damage and coercion rather than the sheer speed of the attack. As a result, attackers invest weeks or even months in meticulous preparation before executing their assaults.
Consequently, contemporary ransomware has become nothing more than an additional payload, strategically deployed during the concluding phase of the kill chain following thorough preparations. The defense-in-depth architecture has proven its effectiveness, where the utmost protection is achieved through robust prevention security controls, complemented by superior detection and response capabilities, emphasizing swift reaction times and minimizing false positives.
Allow us to examine the various components of the contemporary ransomware kill chain.
Initial Access
The method of initial infection frequently relies on the size and security readiness of the target. Typically, smaller companies face automated scalable attacks, whereas corporations become targets of spear-phishing campaigns. The level of effort threat actors put into the attack is directly related to the potential earnings they expect to gain.
Phishing and social engineering continue to serve as the primary infection vectors for larger corporations with well-established security controls and processes.
One of the most common attack vectors for small and medium companies is inadequate protection of remote access.
Staging
Once initial access is acquired, threat actors must establish a staging environment for the attack, with two primary objectives in mind: escalating privileges and establishing persistence, all while evading detection. Privilege escalation often entails utilizing exploits or penetration tools such as Mimikatz or Cobalt Strike.
Expansion
During the expansion phase, further reconnaissance and lateral movement take place across the network. While tools like BloodHound may be employed at this stage, sophisticated attackers strive to maintain a low profile by utilizing tools and commands native to the environment. This tactic is commonly known as “Living off the Land” (LOL) and involves the use of tools like WMIC or PowerShell. Additionally, attackers often identify and leverage tools used by system administrators, such as PsExec or popular remote-control software like TeamViewer or AnyDesk.
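The staging and expansion tactics above are exactly what a detection team keys on, and the defense-in-depth point made earlier (fast reaction, few false positives) shows up as an allowlist for hosts where remote administration is expected. The following Python rule set is an added example, not code from this post or from the Bitdefender whitepaper; it runs over constructed process-creation events in a trimmed-down, Sysmon-like shape whose field names, host names and user names are assumptions for the example only. The tool names it matches (WMIC with /node:, PowerShell -EncodedCommand, the PSEXESVC.exe service PsExec installs, AnyDesk and TeamViewer) are the ones named in the text.

```python
"""Toy living-off-the-land detection rules over constructed process events.

Added example: the events, hosts, users and field names below are invented
for illustration and do not come from any real environment or vendor schema.
"""
import base64
import re
from dataclasses import dataclass

# Hosts where remote administration is expected (assumption for the example).
# Suppressing known admin activity is what keeps the false-positive rate low.
ADMIN_HOSTS = {"ADM-JUMP01"}

# Remote-control tools named in the text; a defender keeps this in sync with
# what the organisation has actually sanctioned.
REMOTE_CONTROL_TOOLS = {"teamviewer.exe", "anydesk.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    user: str
    image: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_wmic(ev: dict) -> bool:
    # WMIC aimed at another machine (/node:) from a host that is not an admin
    # workstation is classic living-off-the-land lateral movement.
    return (_basename(ev["image"]) == "wmic.exe"
            and re.search(r"/node:", ev["cmdline"], re.I) is not None
            and ev["host"] not in ADMIN_HOSTS)


def rule_encoded_powershell(ev: dict) -> bool:
    # -EncodedCommand (and the common abbreviations -e, -ec, -enc) hides the
    # script body from casual review; legitimate automation rarely needs it.
    return (_basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"(?i)(^|\s)-e(nc(odedcommand)?|c)?\b",
                          ev["cmdline"]) is not None)


def rule_psexec_service(ev: dict) -> bool:
    # PsExec installs PSEXESVC.exe on the target; seeing it run on a host
    # means someone is executing commands there remotely.
    return _basename(ev["image"]) == "psexesvc.exe"


def rule_remote_control_from_user_path(ev: dict) -> bool:
    # Remote-control software launched from a user-writable location rather
    # than a managed install is worth a look; a managed copy is not flagged.
    path = ev["image"].lower()
    return (_basename(ev["image"]) in REMOTE_CONTROL_TOOLS
            and ("\\temp\\" in path or "\\downloads\\" in path))


RULES = [
    ("remote-wmic-from-workstation", "high", rule_remote_wmic),
    ("encoded-powershell", "medium", rule_encoded_powershell),
    ("psexec-service-on-host", "high", rule_psexec_service),
    ("remote-control-from-user-path", "medium", rule_remote_control_from_user_path),
]


def detect(events: list) -> list:
    """Apply every rule to every event; return the alerts in event order."""
    return [Alert(name, sev, ev["host"], ev["user"], ev["image"])
            for ev in events for name, sev, pred in RULES if pred(ev)]


def hosts_by_severity(alerts: list, severity: str) -> list:
    """Distinct hosts with at least one alert of the given severity."""
    return sorted({a.host for a in alerts if a.severity == severity})


# Harmless payload so the encoded-command sample is syntactically realistic.
_ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Admin inventory from the jump host: expected, must not alert.
    {"host": "ADM-JUMP01", "user": "CORP\\admin.k",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:FS01 os get caption"},
    # Same command from an ordinary workstation: alert.
    {"host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:FS01 os get caption"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -enc {_ENCODED}"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
    # Ordinary activity, including a managed TeamViewer install: no alert.
    {"host": "WS-017", "user": "CORP\\asmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"host": "WS-017", "user": "CORP\\asmith",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.host} {alert.user} {alert.image}")
    print("hosts with high-severity alerts:", hosts_by_severity(detect(SAMPLE_EVENTS), "high"))
```

Run as a script it prints four alerts (WS-042 three times, FS01 once) and leaves the jump-host WMIC use and the managed TeamViewer copy alone. In a real pipeline the allowlist and the sanctioned-tool list are the knobs that decide how noisy this is; the rules themselves are simple string matches, which is the point: the tools are native or legitimate, so context (which host, which path, which user) is what carries the signal.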
Extortion
In their pursuit of astronomical ransoms, far surpassing those of just a few years ago, threat actors are determined to apply maximum pressure on their victims. Simple encryption of data is no longer sufficient; instead, double or triple extortion has become the prevailing norm. Ransomware attacks now often involve additional tactics, such as data exfiltration for blackmail purposes, denial-of-service attacks, or even harassment of executives, partners, and customers.
During the extortion phase, threat actors exhibit a deeper comprehension of business and corporate financials, enabling them to understand the repercussions of their actions. They are well-versed in identifying valuable information, familiar with incident response procedures, and knowledgeable about cyber insurance coverage.
The combination of these factors contributes to the alarming escalation in ransom amounts and the severity of the consequences faced by the victims.
Source: Ransomware Technical Whitepaper from Bitdefender
President / Network Architect
Mark Kolean has been fascinated with technology from the time he was 3 and received an Atari 2600 as a gift, right up to the present. In 1990, at the age of 14, Mark got his first job in customer support for a mail-order business supporting Tandy TRS-80 software shipped on cassette tape. A few years later Mark was building hundreds of 286, 386, and 486 computers for the newly emerging DOS and Windows 3.1 machines that had exploded onto the market.
After a college career studying business and technology, Mark started Shoreline Computer Systems in 1999 at the height of the dot-com boom, with the looming crisis of the Y2K bug just around the corner. In the early 2000s a lot of work was done with early network systems including LANtastic, Novell, and Windows NT Server. Mark became a community contributor to the Small Business Specialist community that revolved around Small Business Server 2000-2011, which focused on single- or dual-server environments for businesses of up to 50 in size. Networks during this time frame mostly ran on a break-fix relationship, in which work was billed only when a problem occurred.
In the 2010s Microsoft released its first cloud-based software, called Microsoft BPOS, which would later become known as Microsoft Office 365. This introduced a new model in technology with pay-as-you-go subscription services. Starting in 2013, Mark's team at Shoreline Computer Systems rebranded as Shoreline Technology Solutions to focus on the transition to being proactive rather than reactive about data backup and security needs. Starting in 2018, all customers are required to have a backup management plan in place as the centerpiece, with the full understanding that if STS isn't watching the customer's data, then no one is.
Now, 22 years into the business, Mark is building the company's emphasis on helping customers retire servers and build networks completely in the cloud.