Ransomware attacks take place in two phases: access development, then monetization. Stopping cyber attacks while they are still intrusions, and not ransomed data, can prevent data privacy disasters.
Cyber Crime Requires a Division of Labour
Cyber attackers take a specialized approach to ransomware development. First, the attacker develops access to a target. Second, the attacker passes the access to ransomware operators – for a fee. Understanding this fact helps you grasp where the best opportunities exist to detect and stop ransomware attacks before catastrophic consequences.
Recently, we detected a pretty severe infection on one of our clients’ computers. After completing the investigation, it turned out to be a SmokeLoader infection. According to Talos Intelligence, “SmokeLoader is malware primarily used to download and execute additional malware like ransomware or cryptocurrency miners. Actors using Smoke Loader botnets have posted on malware forums attempting to sell third-party payload installs.” [Emphasis added].
This gave me the idea to talk about the division of labour in ransomware attacks, and what it can mean for the defence.
It is very difficult to be an expert in every topic. Even when looking at cybersecurity expertise, it is very rare that a single person would be an expert in reversing x86 binaries, but also an expert in how to deploy a cloud service securely. So, people develop certain specialties to focus their expertise.
This is also true of cyber crime.
Do you think it’s efficient for a single individual to develop both the know-how to hack a database to exfiltrate credit card numbers and to develop a network of human money mules to launder the proceeds? Of course not. Those are two different skill sets.
One of the main ways labour is divided in cyber crime is between access development and monetization.
What is Access Development?
Access development is required to get access to victim machines.
The goal is to gain administrative access to the victim network so that the attacker can manage the network at their leisure. Notably, the attackers are particularly interested in the ability to load and run additional software on the victim devices.
This is the part that most people would consider “hacking”. The SmokeLoader infection that was mentioned earlier in this post is an example of this kind of attack.
What is Monetization?
Once access has been developed, attackers deliver the access to a monetization expert. These experts use a pay-per-install scheme or an affiliate program.
The pay-per-install scheme was particularly popular with botnet operators. These operators relied on a large number of commodity computers with no particular value. People could pay the operator to install a crypto miner for example. The attacker would get money for the installation (a few cents or fraction of cents per install), the miner operator would make money from the thousands or millions of machines mining crypto. Everybody could be happy. However, this business model is often not usable for ransomware. After all, once the machines are locked, botnet operators can no longer resell their services since the machine is bricked.
So, ransomware affiliate programs were developed.
Ransomware affiliate programs were developed by criminal groups that had the software development chops to develop (and operate) very good lockers. They developed relationships with people that were very good at getting into companies and offered a sure-fire way for these access development experts to make money off their compromise. Since this is essentially a one-time deal (ransomware remediation is likely to remove the access), they offer a larger slice of the pie to the access developer, even up to 70-80%.
Phases of a Ransomware Attack
The first stage of access development is gaining access to a machine. Nowadays, this is achieved via spear-phishing or password guessing on remote access. Occasionally, a remotely exploitable vulnerability pops up, but that is usually patched quickly.
Once the attackers get a foothold on the network, they use a variety of attack techniques. These techniques probe the network to gain control of as many machines as possible and remove the victim’s ability to recover without paying the ransom. Since they are getting a cut of the ransom, rather than a fee for installation, all their work is for no reward if the victim doesn’t pay.
Technical documents from the Conti/Ryuk ransomware affiliate program leaked by a disgruntled affiliate provide key details about the expansion phase of access development. You see ‘How To’ guides to exfiltrate data via Megaupload (now MEGA), configure remote access software, delete volume shadow copy backups, steal passwords, compromise domain controllers, and so on. None of these activities are linked with the locker per se. They would be the same type of activity you would see in an espionage campaign.
Once these preliminary steps are completed, the attacker deploys the locker. The Conti team takes care of the rest (processing the payment, managing decryption keys, taking calls from ransomware negotiators, etc.) from there.
Access Development the Best Point to Stop Ransomware Attacks
Once the locker is dropped, it is already too late. Detecting file encryption, even if it is with the use of file canaries, is a lagging indicator of a ransomware attack. The most likely scenario is that someone compromised your network and provided administrative access to a 3rd party. The best time to stop the attack is at the access development stage.
There are, in fact, many more opportunities to detect the attack in the access development phase. After all, the attackers have to dwell in the network to exfiltrate data, steal passwords and do all the other things they need to do to force you to pay the ransom. Furthermore, most of these activities are extremely abnormal. Nobody should be dumping passwords from memory, or requesting a bunch of service tickets from the Active Directory.
Cyber Hygiene Critical to Cyber Defence
The better your cyber hygiene, the more opportunities you will have to detect an attack.
If the attacker developing access initially gets on your machine from an exposed RDP (remote desktop protocol) service with the domain admin account because the password was Admin123, the time between the initial access and the ransomware payload drop will be very short and will require very few detectable steps. If the attacker developing access gets on a limited privileged account and they need to do really suspicious stuff and jump through a lot of hoops to gain domain admin credentials, you have a very good chance to catch them.
Only if you’re looking, of course.
Ransomware Attack Remediation Support from CYDEF
If your company has fallen victim to a ransomware attack, CYDEF can help. Our team of analysts expertly tracks down the course of the attack and takes effective recovery actions. Learn more about our professional services, or contact our team.