IBM Security X-Force Incident Response (IR) has responded to hundreds of ransomware incidents across every geography and industry. As we have taken time to analyze these incidents, a clear pattern has emerged. Although we observe dozens of ransomware groups in operation across the globe, many with multiple affiliate groups working under them, most ransomware actors tend to follow a similar attack flow and set of standard operating procedures. It is possible that ransomware actors are cross-training and sharing with each other their most effective techniques, which are becoming standard practices for many ransomware groups and affiliates. But whatever forces are bringing ransomware actors together, security defenders can use knowledge of these attacks to their advantage to better defend networks against ransomware attacks and catch attackers before they accomplish their final objectives.
The X-Force IR team has observed that most ransomware attacks occur in a predictable pattern that we break down into five stages: Initial Access, Post-Exploitation Foothold, Reconnaissance/Credential Harvesting/Lateral Movement, Data Collection and Exfiltration, and Ransomware Deployment.
While no two ransomware incidents are exactly the same, by analyzing the behaviors of the adversaries across various engagements, operators, and geo-locations, X-Force IR has created this generalized attack graph which can be used to identify logical control and detection opportunities that are applicable to a majority of ransomware operators.
Figure 1: Standard Attack Flow for Ransomware Attacks, As Observed by X-Force Incident Response (Source: X-Force)
The most common access vectors for ransomware attacks continue to be phishing (MITRE ATT&CK technique T1566), vulnerability exploitation including Exploitation of a Public-Facing Application (T1190), and External Remote Services (T1133) such as exploiting remote desktop protocol. The vast majority of phishing campaigns that result in a ransomware incident are distributing an access trojan such as Bazar, TrickBot, QakBot, or Valak.
Depending on the initial access vector, the second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access with an offensive security tool such as Cobalt Strike or Metasploit. For example, X-Force IR has observed NetSupport Manager being loaded by the access trojan. NetSupport Manager would then be used to spawn a Cobalt Strike beacon.
During the third stage of the attack, attackers have consistently focused on understanding the local system and domain that they currently have access to and acquiring credentials to enable lateral movement. Local system reconnaissance is often achieved through built-in tools such as net, whoami, and tasklist.
To facilitate domain reconnaissance, ransomware operators continue to leverage the open-source utility “AdFind”. Out of all ransomware incidents X-Force IR responded to in 2020, AdFind was used in 88% of the attacks. X-Force IR has also observed ransomware operators using the nltest command to acquire a list of domain controllers and privileged accounts prior to performing a more comprehensive Active Directory reconnaissance through AdFind. On several occasions, X-Force IR has observed ransomware operators redirecting the output of AdFind to a series of text files which are then added to an archive and exfiltrated.
While credentials can be harvested by many access trojans, X-Force IR has observed ransomware operators usually leveraging Mimikatz, ZeroLogon, and PrintNightmare to acquire credentials to be used in the remainder of the attack.
In most ransomware attacks X-Force has observed, exploitation of Active Directory is the linchpin of the attack and presents an opportunity for security defenders to catch and stop ransomware attackers or frustrate their success. Several recommendations for securing Active Directory are included at the end of this blog.
Following Active Directory reconnaissance, ransomware operators commonly move laterally via server message block (SMB) or remote procedure call (RPC) protocols. Credential harvesting may continue on additional systems as required with the goal of acquiring domain administrator privileges.
Almost every ransomware incident X-Force IR has responded to since 2019 has involved the “double extortion” tactic of data theft and ransomware. During Stage 4 of the attack, the focus of the ransomware operators switches primarily to identifying valuable data and exfiltrating it.
Ransomware operators will usually move laterally to additional systems during Stage 4 through SMB, RPC and remote desktop protocol (RDP) to identify data for exfiltration. X-Force IR has observed ransomware operators leveraging one or two staging systems to collect data prior to exfiltration, which they continually access via a tunneled RDP connection. While we have observed certain ransomware operators access and exfiltrate data from databases, the majority of data collection is performed over SMB.
Data exfiltration is an area of the attack lifecycle where X-Force IR has observed moderate variance across ransomware operators. Tools such as WinSCP and RClone continue to be the most common; however, X-Force IR has responded to several ransomware incidents where the adversaries leveraged custom data exfiltration tools or living-off-the-land tools such as BITSAdmin.
While innovation within the ransomware developers’ community continues to create new variants of malware, distribution of the ransomware payload to the target systems remains fairly common across ransomware operators.
In almost every single ransomware incident X-Force IR has responded to, the ransomware operators targeted a domain controller as the distribution point for the ransomware payload.
To distribute the ransomware, adversaries most often leverage SMB from a share on the domain controller and execute the payload either with PsExec, WMIC, RunDll32, or by creating a scheduled task with tools like CrackMapExec.
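The Stage 3 and Stage 5 observations above translate directly into endpoint detection logic. As an added example (not code from the X-Force post), the following Python triages constructed process-creation events for the reconnaissance tooling named above (AdFind, nltest, net, whoami, tasklist) and for the pattern of a payload being launched from a domain-controller share via PsExec, WMIC, RunDll32 or schtasks; the event records, hostnames, command lines and the domain-controller inventory are all assumptions made up for the example.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation events; hosts, users, paths and commands are invented, not case telemetry.
EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\whoami.exe",
     "cmd": "whoami /all"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmd": "adfind.exe -f objectcategory=computer > computers.txt"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe",
     "cmd": "nltest /dclist:corp.local"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmd": "wmic /node:WS-077 process call create \\\\DC01\\netlogon\\update.exe"},
    {"host": "WS-077", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": "schtasks /create /tn Update /tr \\\\DC01\\sysvol\\corp.local\\scripts\\u.dll /sc once"},
    {"host": "WS-101", "user": "CORP\\alice", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "cmd": "WINWORD.EXE report.docx"},
]

# Stage 3 reconnaissance binaries named in the post; AdFind (seen in 88% of 2020 cases) is weighted highest.
RECON_TOOLS = {"adfind.exe", "nltest.exe", "net.exe", "net1.exe", "whoami.exe", "tasklist.exe"}
# Stage 5 execution utilities named in the post for launching the payload from a share.
EXEC_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "rundll32.exe", "schtasks.exe"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}          # assumed DC inventory for this example
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")  # server name in a \\server\share path

def classify(ev):
    """Return (rule, severity, detail) hits for a single process-creation event."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    hits = []
    if image in RECON_TOOLS:
        severity = "high" if image == "adfind.exe" else "low"
        hits.append(("stage3_recon", severity, f"{image} run by {ev['user']} on {ev['host']}"))
        if image == "adfind.exe" and ">" in ev["cmd"]:   # output staged to a file, as the post describes
            hits.append(("stage3_recon_staged_output", "high", "AdFind output redirected to a file"))
    if image in EXEC_TOOLS:
        for server in UNC_RE.findall(ev["cmd"]):
            if server.upper() in DOMAIN_CONTROLLERS:
                hits.append(("stage5_dc_share_exec", "critical", f"{image} launched content from \\\\{server}"))
    return hits

def triage(events):
    """Group hits per host; escalate hosts with two or more recon hits or any execution from a DC share."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    escalate = sorted(host for host, hits in per_host.items()
                      if any(rule.startswith("stage5") for rule, _, _ in hits)
                      or sum(rule.startswith("stage3") for rule, _, _ in hits) >= 2)
    return per_host, escalate
```

Calling `triage(EVENTS)` escalates the workstation that ran whoami, AdFind and nltest in sequence and the two hosts that launched content from the DC01 share, while the Word session produces no hit at all.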
By understanding commonalities across most ransomware attacks, defenders have an advantage in identifying and focusing on assets heavily leveraged in the majority of attacks, including Active Directory and domain controllers. The following recommendations include specific measures network defenders can take to best defend against ransomware attacks, given what we know about the ransomware attack flow.