Part 1: The Blueprint

Ransomware is a term that by now is known to just about anyone with an internet connection. Perhaps less widely known are the different types of ransomware attacks, or their inner workings: what’s under the hood.

What are they? Blueprint of a ransomware attack

The first concept to wrap our heads around is the following: A ransomware attack doesn’t just happen. Multiple steps are needed for a ransomware attack to be successful.

There are two types of ransomware attacks: Opportunistic vs Targeted.

Opportunistic ransomware attacks are fairly self-explanatory: they are “opportunistic”. Not as elaborate, not as profitable. They can take the form of distributing ransomware in bulk, using ‘spray and pray’ tactics (such as phishing, social engineering and exploit kits). A good example of an opportunistic ransomware attack was 2017’s WannaCry.

Random attacks also mean that there are fewer guarantees for attackers, which is why one of the main differences between opportunistic and targeted attacks is the amount of the ransoms involved; for WannaCry, the attackers were asking between USD 300 and 600.

On the other hand, they are very cheap to attempt. A recent study found that it costs attackers less than USD 200 to attempt 100,000 account takeovers (ATO).

Targeted attacks are far more profitable, and far more devastating to organizations. Read on to find out how the cookie crumbles.

What is a targeted ransomware attack?

Targeted attack definition (Trend Micro): A targeted attack refers to a type of threat in which threat actors actively pursue and compromise a target entity’s infrastructure while maintaining anonymity. These attackers have a certain level of expertise and have sufficient resources to conduct their schemes over a long-term period. They can adapt, adjust, or improve their attacks to counter their victim’s defenses. (…)

Most of these attacks use the Ransomware-as-a-Service (RaaS) model: the main criminal gangs behind almost all ransomware attacks offer their ransomware and customization services to a network of affiliates whose only job is to distribute the malicious code and infect the greatest number of systems. The gang then retains a fraction of the ransom for itself, normally 10%-25% of the ransom paid by victims.

There is also another business model in play here: Access-as-a-Service (AaaS).

At the heart of the AaaS model are markets for “remote access”: online stores that allow their customers to sell, buy or exchange access credentials to compromised web sites and services. This is where affiliates of a RaaS operation can purchase the credentials to access an organization previously compromised by another criminal group.

By combining the RaaS model with AaaS, it becomes very easy for a criminal group with no special skills to buy ransomware and implant it in the network of a company whose login credentials were already available in the criminal underground.

How do they actually work?

Sometimes referred to as ‘big game hunting’, this type of attack really is closer to a hunter vs prey relationship.

Attackers are very creative. They will go to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom.

They’re also extremely patient, escalating privileges to circumvent security systems and evading detection. During this time, attackers often target data backups (if they exist) so the organization cannot restore files after they’ve been encrypted.

Properly executed targeted ransomware attacks can take weeks, or even months, to be delivered after the initial intrusion. The first characteristic of a targeted ransomware attack is that it takes time. These do not happen overnight, because victims go through a selection process.

Attackers will start by finding a way into an organization’s system using valid credentials. This is often achieved through a phishing scheme or through social engineering.

Criminals enter a network with compromised, valid credentials. This is the easy part.

Once inside, an attacker will then move laterally, finding ways to exploit vulnerabilities that will allow for privilege escalation.

Once the desired level of access is achieved, the next step is to exfiltrate the data they deem valuable to the targeted organization. Based on the estimated value of this data, they will then proceed to deploy the actual ransomware to encrypt files and demand hefty ransoms.

They would not be able to expect such ransoms to be paid had they not carefully selected their victim. Not only do they know all of the organization’s defense mechanisms, they also have access to financial information, thus knowing an organization would have the means to pay the ransom.

This process can happen over weeks, if not months. All the while, business continues as usual, security personnel too often none the wiser, while attackers watch and strategize.

Follow @AbileneAdvisors to make sure you don’t miss part two of this 4-part series!


We are happy to present a 4-part blog series on Targeted Ransomware!

@Alexis Hirschhorn dives into ransomware attacks: what they are, who the victims are, what you can do if you’ve been hit, and, more importantly, how to limit your exposure!