Ransomware: How hackers find their way in

It’s shaping up to be a vintage year for ransomware attackers. Deployment of the most feared form of malware – used by everyone from lone hackers to criminal gangs – has skyrocketed in recent years, with more attacks reported in the first quarter of 2022 than in the whole of 2021 according to research by cyber security supplier WatchGuard.

And, unlike lightning, ransomware attacks are more than capable of striking twice – with a recent Veeam ransomware trends report revealing that 75% of organisations have suffered two or more ransomware attacks in the past.

In the first part of our Ransomware Report we focussed on the enemy’s camp  – ransomware attackers and the marketplace in which they operate. For the second part we shift our focus to attack surfaces – ways in which the enemy is likely to infiltrate your networks.

The most like entry point for an attack, according to most of the experts we spoke with, involves phishing emails designed to trick employees into clicking malicious links or downloading infected attachments.

The reason this method is so prevalent, according to Hugh Raynor, cloud security lead at SureCloud, is because “for all of the benefit of the additional controls, updates, network monitoring and software we apply to the network, humans remain predictable, easy-to-fool bags of flesh.”

While humans continue to be the weak link in most firms’ security plans, malicious actors are also getting more sophisticated in their phishing attempts and some scams are very hard to distinguish from legitimate emails.

Cian Heasley, security consultant at Adarma, explains that the larger ransomware groups are also shifting away from “scatter gun methods” of phishing, opting for  more strategic ways to target victims.

“As such, we’re  seeing a trend towards spear phishing – which targets high value victims who are more likely to have the type of access ransomware operators seek, perhaps because of their job title,” Heasley notes.

While firms can educate their staff to become more aware of these digital social engineering techniques, some other, more aggressive forms of ransomware, can exploit security holes to infect computers without needing to trick users.

Remote danger

Working from home has also exacerbated the number ransomware attacks – in part thanks to the rise in use of external remote services.

According to Ioan Peters, managing director and coleader EMEA of Cyber Risk at security services firm Kroll, in Q2 of 2022 there was a 700% increase in the use of external remote services for initial access by attackers.

Keegan Keplinger at eSentire’s Threat Response Unit, notes that stolen Virtual Private Network (VPN), Remote Desktop Protocol (RDP), and AD credentials are now extremely popular ways for cybercriminals to gain access to a victim’s IT environment.

Raynor adds that firms are open to danger when – deliberately or otherwise – they expose their remote desktop protocol services to the internet, to enable connectivity.

“Attackers conduct massive scans of the internet looking for the ports associated with these RDP servers,” he warns, “and once they find one, they will send thousands of login attempts to these devices using arbitrary username and password combinations that they have collated from breaches, or had success with before.”

Roger Grimes, a data driven defence evangelist at KnowBe4 adds that the biggest surprise for him has been the abuse of  unpatched VPN software, both server and the client side – “…the very thing that companies were told they needed to keep them safe is now being used against them.

Patch-and-mouse

Another entry point for attackers which ransomware authors are keen to cash in on is security flaws in software, with many releasing malware and zero-day attacks to exploit software vulnerabilities before vendors and defenders have had a chance to react.

Cyril Noel Tagoe, Netacea’s principal security researcher, claims that often with zero day attacks, criminals will reverse engineer critical security updates to identify the vulnerability being patched and exploit unpatched machines.  “Many organisations are slow to apply these patches, giving the ransomware authors a decent window of opportunity for exploitation” he explains.

Recent vulnerabilities have been reported in Atlassian’s developer tools Confluence; SonicWall’s legacy firmware product; in Microsoft Exchange; filetransfer appliance Accellion as well as in VMware’s  ESXi servers.

Jamie Smith, director and head of cybersecurity at  S-RM adds that he’s still seeing well-known vulnerabilities such as Log4Shell (a flaw in popular Java logging framework Log4j) and ProxyShell (an attack chain that exploits three known vulnerabilities in Microsoft Exchange) being actively exploited.

“This indicates that opportunistic threat actors are targeting organisations with gaps in their vulnerability and patch management processes,” he adds.

Macro attack

Another reported cyber security concern is the use of macros to automate common tasks in Microsoft Office such as spreadsheets or invoices. In industries such as finance, banking, insurance and retail – being able to control spreadsheets with macros is useful, but, because it’s code essentially,  it’s something that cyber criminals are taking advantage of

Macro malware (usually delivered via a phishing or spear phishing email or a  malicious Zip which the user unwittingly clicks on) hides inside Microsoft Office files.

“Because MS software such as Word, Excel  go back many generations the Microsoft suit is vulnerable – and nine out of 10 targets are likely have this software installed,” says Kevin Bocek vice president of security strategy and threat intelligence at Venafi.

“A Word or Excel doc might target someone in sales but in engineering you might plant code in a PowerShell  to execute a code which includes ransomware,” he adds.

While it appears that a lot of legacy Microsoft products are to blame for the recent spate of zero day attacks, Qualys UK CTSO Paul Baird believes that the onus should be on firms to update software and keep an asset list.

“It’s very easy to point the finger at Microsoft but any software with the right vulnerabilities could potentially allow cyber criminals access to your corporate network. It could be an Apache Web Server, Microsoft Exchange server or an obscure FTP server most people have never heard of,” he says.

“Companies must know all the software that they have, and how up to date that software is. With this asset list in place and continuously updated, teams can be sure that they are protected against all potential threats, “he adds.

Baird’s point hammers home the point that knowing yourself (your own organisations’ vulnerabilities and software inventory) is as crucial as knowing how your enemy (the ransomware attackers) operate.

Supply pains

The SolarWinds supply chain breach proved how suppliers and business partners can also potentially be another weak link in an organisation’s security.

It’s not unusual for companies to allow third-party vendors or partners to connect to their networks, either in-house or via a secured remote connection. The connection typically only authenticates the external user; once they have proven their identity, communication can flow freely, and ransomware/malware can be delivered.

According to Muhammad Yahya Patel, security evangelist at  Check Point, it’s key that a supply chain can demonstrate how it’s making itself secure and this should be a two-way agreement. “Too often it’s a one-sided conversation but to work best, both companies need to vet each other to ensure they’re as secure as possible,” he adds.

Baird points out that small businesses are a target because often they don’t have the resources to spend on security, and have weaker defences. “Attacking a weaker supplier or business partner could be an easier stepping stone into multiple targets all from one hack. The potential pay-out is much higher, so it has become an area of focus,” he warns.

Remote access

Once they’ve broken into a company’s network an attacker will often go into stealth mode –  ‘living off the land’ – making a silent entry to observe what the business does and what its activities are, before they deciding on what course to take.

“They will read financial statements and cybersecurity insurance policies. They will exfiltrate data and passwords in 90% of all cases,” Grimes warns.

Lateral movement can be facilitated by ransomware tools, existing software vulnerabilities or via misconfigured networks where attackers can escalate privileges and obtain more sensitive credentials.

In tandem with escalating their level of privilege, hackers also examine the type of security tools that are in place and how they can best spread ransomware throughout the company’s computers. They will try and delete back up files to make decryption harder. They will also seek out other networks they can gain access to.

To remain hidden, hackers might try to disable security tools to some extent and use obfuscation techniques to hide their malicious payloads.

“They tend to use pen testing tools that are explicitly trusted in the environment, such as Cobalt Strike and Ngrok, but also misuse Git repositories,” says Filip Verloy, tech evangelist at API security platform Noname.

Cyber criminals are also known to use legitimate services such as TeamViewer to mask their presence in the network. Another detection-avoidance technique is to try and learn the method used for remote access by the admins, and only use that method to log in remotely.

Dwell time before an attack, according to our experts, is now down to several weeks or a month at most (compared to 6-8 months a few years ago) thanks to the way the  business models and ransomware gangs have evolved.

“Members of ransomware gangs are paid based on successful attacks, it is in their best interest to get in, secure the access they need, exfiltrate data and then execute their ransomware so that they can move on to the next target and keep chasing those commissions,” Heasley explains.

The use of automation in an attack or the ability to deploy a blanket encryption has also speeded things up more.

As new Ransomware-as-a-service (RaaS) models emerge, it could be that several groups are involved at different points along the way. An initial access broker may gain access to a network, then sell that to a RaaS affiliate that uses a malware dropper from one group and a ransomware from another.

Locked out

The endgame for most ransomware attacks is to get into an organisation, encrypt files or devices and lock everyone out of their systems.

Encrypting files involves accessing files, encrypting them with an attacker-controlled key and replacing the originals with the encrypted versions. At the end of the process, the files cannot be decrypted without a key, known only by the attacker.

The user is presented with a message explaining that their files are now are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment (or other cryptocurrency) to the attacker.

But is paying out ever the way out? This is Part 2 of our Ransomware Special Report. To read the other parts, please click on the links below:

Part 1: The hackers and their marketplace

Part 2: How hackers find their way in

Part 3: You’ve been hacked – so what’s the plan?

Part 4: How to protect your firm from ransomware