IBM Security X-Force Incident Response (IR) has responded to hundreds of ransomware incidents across every geography and industry. As we have taken time to analyze these incidents, a clear pattern has emerged. Although we observe dozens of ransomware groups in operation across the globe, many with multiple affiliate groups working under them, most ransomware actors tend to follow a similar attack flow and set of standard operating procedures. It is possible that ransomware actors are cross-training and sharing with each other their most effective techniques, which are becoming standard practices for many ransomware groups and affiliates. But whatever forces are bringing ransomware actors together, security defenders can use knowledge of these attacks to their advantage to better defend networks against ransomware attacks and catch attackers before they accomplish their final objectives.
The Five Stages of a Ransomware Attack
The X-Force IR team has observed that most ransomware attacks occur in a predictable pattern that we break down into five stages: Initial Access, Post-Exploitation Foothold, Reconnaissance/Credential Harvesting/Lateral Movement, Data Collection and Exfiltration, and Ransomware Deployment.
While no two ransomware incidents are exactly the same, by analyzing the behaviors of the adversaries across various engagements, operators, and geo-locations, X-Force IR has created this generalized attack graph which can be used to identify logical control and detection opportunities that are applicable to a majority of ransomware operators.
Figure 1: Standard Attack Flow for Ransomware Attacks, As Observed by X-Force Incident Response (Source: X-Force)
Stage 1: Initial Access
The most common access vectors for ransomware attacks continue to be phishing (MITRE ATT&CK T1566), vulnerability exploitation including Exploitation of a Public Facing Application (T1190), and External Remote Services (T1133) such as exploiting remote desktop protocol. The vast majority of phishing campaigns that result in a ransomware incident are distributing an access trojan such as Bazar, TrickBot, QakBot, or Valak.
Stage 2: Post-Exploitation
Depending on the initial access vector, the second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access with an offensive security tool such as Cobalt Strike or Metasploit. For example, X-Force IR has observed NetSupport Manager being loaded by the access trojan. NetSupport Manager would then be used to spawn a Cobalt Strike beacon.
Stage 3: Understand and Expand
During the third stage of the attack, attackers have consistently focused on understanding the local system and domain that they currently have access to and acquiring credentials to enable lateral movement. Local system reconnaissance is often achieved through built-in tools such as net, whoami, and tasklist.
To facilitate domain reconnaissance, ransomware operators continue to leverage the open-source utility “AdFind”. Out of all ransomware incidents X-Force IR responded to in 2020, AdFind was used in 88% of the attacks. X-Force IR has also observed ransomware operators using the nltest command to acquire a list of domain controllers and privileged accounts prior to performing a more comprehensive Active Directory reconnaissance through AdFind. On several occasions, X-Force IR has observed ransomware operators redirecting the output of AdFind to a series of text files which are then added to an archive and exfiltrated.
While credentials can be harvested by many access trojans, X-Force IR has observed ransomware operators usually leveraging Mimikatz, ZeroLogon, and PrintNightmare to acquire credentials to be used in the remainder of the attack.
In most ransomware attacks X-Force has observed, exploitation of Active Directory is a key linchpin in the attack and presents an opportunity for security defenders to catch and stop ransomware attackers or frustrate their success. Several recommendations for securing Active Directory are included at the end of this blog.
Following Active Directory reconnaissance, ransomware operators commonly move laterally via server message block (SMB) or remote procedure call (RPC) protocols. Credential harvesting may continue on additional systems as required with the goal of acquiring domain administrator privileges.
Stage 4: Data Collection and Exfiltration
Almost every ransomware incident X-Force IR has responded to since 2019 has involved the “double extortion” tactic of data theft and ransomware. During Stage 4 of the attack, the focus of the ransomware operators switches primarily to identifying valuable data and exfiltrating it.
Ransomware operators will usually move laterally to additional systems during Stage 4 through SMB, RPC and remote desktop protocol (RDP) to identify data for exfiltration. X-Force IR has observed ransomware operators leveraging one or two staging systems to collect data prior to exfiltration, which they continually access via a tunneled RDP connection. While we have observed certain ransomware operators access and exfiltrate data from databases, the majority of data collection is performed over SMB.
Data exfiltration is an area of the attack lifecycle where X-Force IR has observed moderate variance across ransomware operators. Tools such as WinSCP and RClone continue to be the most common tools; however, X-Force IR has responded to several ransomware incidents where the adversaries leveraged custom data exfiltration tools or living off the land tools like BitsAdmin.
Stage 5: Ransomware Deployment
While innovation within the ransomware developers’ community continues to create new variants of malware, the way the ransomware payload is distributed to target systems remains fairly consistent across ransomware operators.
In almost every single ransomware incident X-Force IR has responded to, the ransomware operators targeted a domain controller as the distribution point for the ransomware payload.
To distribute the ransomware, adversaries most often leverage SMB from a share on the domain controller and execute the payload either with PsExec, WMIC, RunDll32, or by creating a scheduled task with tools like CrackMapExec.
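An added Python example (not code from the article or from X-Force) that applies the Stage 3 reconnaissance indicators (AdFind, nltest, net group) and the Stage 5 deployment indicators (PsExec, WMIC, RunDll32 or schtasks launching a payload from a domain-controller share) to constructed process-creation events in the shape of Sysmon Event ID 1 fields; the hostnames, the domain-controller inventory and the field names are assumptions.

```python
import ntpath
import re

# Domain controllers would come from your own inventory; "DC01" is an assumed value.
DOMAIN_CONTROLLERS = {"DC01"}

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real incident data.
SAMPLE_EVENTS = [
    {"host": "WS-204", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"host": "WS-204", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS-204", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": 'adfind.exe -f "(objectcategory=person)" > ad_users.txt'},
    {"host": "WS-204", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"host": "FS01", "user": "SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "FS01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\DC01\netlogon\upd.dll,Start"},
]

# Stage 3 (Understand and Expand): domain reconnaissance tooling named in the article.
RECON_IMAGES = {"adfind.exe", "nltest.exe"}
RECON_CMDLINES = [re.compile(r'net\s+group\s+"?domain admins"?', re.I), re.compile(r"nltest\s+/dclist", re.I)]
# Stage 5 (Deployment): payload run from a domain-controller share via PsExec, WMIC, rundll32 or schtasks.
DEPLOY_IMAGES = {"psexec.exe", "wmic.exe", "rundll32.exe", "schtasks.exe"}

def unc_host(cmdline):
    """Return the server name of the first UNC path (\\\\server\\share) in a command line, or None."""
    m = re.search(r"\\\\([A-Za-z0-9_.-]+)\\", cmdline)
    return m.group(1).upper() if m else None

def classify(event):
    """Tag one process-creation event with the attack stage(s) its indicators point to."""
    tags = []
    exe = ntpath.basename(event["image"]).lower()
    if exe in RECON_IMAGES or any(p.search(event["cmdline"]) for p in RECON_CMDLINES):
        tags.append("stage3_domain_recon")
    # PSEXESVC.exe is the service PsExec drops on the target; the other tools count only when they
    # reference a share on a known domain controller, the distribution point X-Force sees most often.
    if exe == "psexesvc.exe" or (exe in DEPLOY_IMAGES and unc_host(event["cmdline"]) in DOMAIN_CONTROLLERS):
        tags.append("stage5_deployment")
    return tags

def triage(events):
    """Collect the distinct stage tags seen per host so a responder can see how far the attack has progressed."""
    per_host = {}
    for ev in events:
        for tag in classify(ev):
            per_host.setdefault(ev["host"], set()).add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}
```

Plain `whoami` on its own is deliberately not tagged: built-in local reconnaissance is too noisy to alert on alone, whereas AdFind and nltest against the domain rarely appear in legitimate workstation activity.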
Leveraging Knowledge of Ransomware Attacks for Defense
By understanding commonalities across most ransomware attacks, defenders have an advantage in identifying and focusing on assets heavily leveraged in the majority of attacks, including Active Directory and domain controllers. The following recommendations include specific measures network defenders can take to best defend against ransomware attacks, given what we know about the ransomware attack flow.
Limit Privileged Access
- Limit the number of domain administrator accounts at your organization to the absolute minimum and consider creating an automated process to regularly remove unnecessary members of the Domain Admins group.
- Remove local administrator rights from all user accounts and limit local administrator rights for service accounts to the absolute minimum.
- Use of domain administrator accounts should be heavily audited and alerted upon, as this is the key mechanism by which ransomware operators achieve their objectives in most ransomware attacks X-Force observes today. Organizations should therefore develop automated alerts for modifications to the Domain Admins group.
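The two controls above, an automated cleanup of the Domain Admins group and an alert on every modification to it, as an added Python example that is not code from the article or from X-Force. It replays constructed Windows Security events (4728, member added to a security-enabled global group; 4729, member removed) onto a membership snapshot; the allowlist, the snapshot and the flattened event field names are assumptions.

```python
# Approved Domain Admins membership and the last known snapshot: assumed values standing in
# for your maintained allowlist and a directory query.
APPROVED_DOMAIN_ADMINS = {"CORP\\da-jdoe", "CORP\\da-break-glass"}
SNAPSHOT = {"CORP\\da-jdoe", "CORP\\da-break-glass", "CORP\\old-admin"}

# Constructed Windows Security events in a flattened form (field names assumed).
# 4728 = member added to a security-enabled global group, 4729 = member removed;
# Domain Admins is a global group, so these two IDs cover its membership changes.
SAMPLE_EVENTS = [
    {"event_id": 4728, "time": "2021-09-01T08:02:11Z", "group": "Domain Admins",
     "member": "CORP\\svc-backup", "subject": "CORP\\da-jdoe"},
    {"event_id": 4728, "time": "2021-09-01T08:05:40Z", "group": "Backup Operators",
     "member": "CORP\\tmp-helper", "subject": "CORP\\da-jdoe"},
    {"event_id": 4729, "time": "2021-09-01T09:12:03Z", "group": "Domain Admins",
     "member": "CORP\\svc-backup", "subject": "CORP\\da-jdoe"},
]

def domain_admin_changes(events):
    """Keep only membership changes to Domain Admins, as (time, action, member, changed_by)."""
    changes = []
    for ev in events:
        if ev["group"].lower() != "domain admins" or ev["event_id"] not in (4728, 4729):
            continue
        action = "added" if ev["event_id"] == 4728 else "removed"
        changes.append((ev["time"], action, ev["member"], ev["subject"]))
    return changes

def reconcile(snapshot, events, approved=APPROVED_DOMAIN_ADMINS):
    """Replay the Domain Admins changes onto the snapshot; report every addition that was not
    pre-approved (alert) and the members the automated cleanup should remove (drift)."""
    members = set(snapshot)
    unapproved_adds = []
    for time, action, member, changed_by in domain_admin_changes(events):
        if action == "added":
            members.add(member)
            if member not in approved:
                unapproved_adds.append((time, member, changed_by))
        else:
            members.discard(member)
    return {"to_remove": sorted(members - approved), "unapproved_adds": unapproved_adds}
```

The add-then-remove of `svc-backup` is still reported even though the final membership no longer contains it, which is why the alert must come from the event stream rather than from periodic snapshots alone.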
Protect Privileged Accounts
- Add privileged accounts to the Protected Users Security Group to reduce the risk of credential exposure within an organization.
- Utilize Managed Service Accounts and Local Administrator Password Solution (LAPS) to enable automatic password management of commonly targeted accounts.
- Implement a privileged access management solution to manage and monitor privileged accounts and access.
Secure Active Directory
- Audit and eliminate any unnecessary domain trusts between organizations and ensure required cross-domain activity is properly managed and monitored.
- Configure a group policy to allow Domain Administrator (DA) login to domain controllers only and prohibit access to other domain-joined Windows systems.
- Implement rigid network segmentation policies and limit interactive access to high value resources to specific administrative networks or jump hosts.
- Deploy a Group Policy change management solution where changes to domain policies must be approved before being linked to the domain.
- Configure all systems within the enterprise to refuse authentication attempts via legacy protocols.
Restrict Common Lateral Movement Pathways
- Eliminate lateral movement pathways via SMB, RPC, and RDP through network segmentation where possible.
Defend Against Phishing Threats
- Employ a robust email software security solution that can detect phishing emails before they reach an end-user. Even if a solution is unable to detect all phishing and spear-phishing emails sent today, a solution that detects an appreciable percentage of phishing messages can decrease your organization’s exposure to phishing-based threats.
- Leverage user awareness training that addresses real-world email phishing techniques used by threat actors today. For example, teach end users that ransomware attackers are hijacking email accounts and inserting themselves into ongoing conversations to introduce malicious attachments or links into a conversation appearing to come from a trusted user.
- Urge vigilance for “reply all” emails that contain only an attachment or link with a very brief message or none at all.
- Emphasize that “unpaid invoices” is a very common phishing lure.
- Incorporate other real-world examples as appropriate.
Focus on Patch Management
Utilize a mature patch management program to prioritize patches that are most likely to be exploited and are most applicable given your network architecture. Use patch advisories and intelligence on vulnerabilities exploited in the wild to prioritize patches for implementation in your network. At a minimum, we recommend implementing patches for the following systems, as applicable, per CISA Alert AA21-209A last revised on August 20, 2021:
- Citrix CVE-2019-19781
- Pulse CVE-2019-11510
- Fortinet CVE-2018-13379
- F5 BIG-IP CVE-2020-5902
- MobileIron CVE-2020-15505
- Microsoft CVE-2017-11882
- Atlassian CVE-2019-11580
- Drupal CVE-2018-7600
- Telerik CVE-2019-18935
- Microsoft CVE-2020-0787
- Microsoft CVE-2020-1472
Detect and Hunt