Ransomware: An Attacker’s Perspective

By Randy Watkins, Critical Start Chief Technology Officer

Ransomware is rampant, with more than two-thirds of respondents (68.5%) to a Statista survey indicating their company was victimized in 2021, up from 55% in 2018. Though ransomware is not a new tactic, the techniques behind its use continue to evolve. Though there are many lists of controls that can be put in place to mitigate some of the risk, there isn’t much analysis of the attacker’s incentive structure and strategy. Let’s sit on the other side of the table for this post.

The Motivation

Money. Plain and simple. While I used to target consumers with social media posts and massive emails blasts, it turns out I can get a lot more leverage on a business than an individual. The stakes are a bit higher, but so are the payouts.

The Target

Quantity or Quality? It’s the whole “opportunity vs. interest” conversation. Attacking multiple smaller companies might be easier, but if I can hit a business that’s considered “Critical Infrastructure”, they’ll almost certainly have to pay up; it’s worked before. Hospitals, refineries, power plants, food producers: all fair game, and likely to pay out an inflated ransom to get back to business or protect their data.

Aside from industry, I also like to see who has paid a ransom before. Payment may be a philosophical debate, but if someone has recently paid a ransom, they likely have a user base I can attack, endpoints I can infect, and money to pay the ransom.

The Attack

A quick search for the company logo and a scrape of employees from LinkedIn and I’m ready to rock. While I can use other methods of entry, why? Emailing your users is still the most effective way for me to gain entry, and the lowest risk. With a set of credentials being the goal, I’ll use a Microsoft password reset template, customize the Subject and Body, and blast it across the company (staggered, of course).

The email isn’t perfect: the url is slightly off, the “from” name and email address are different, but with many organizations failing to create a culture of security, someone will click the link.

Occasionally the target has user awareness training, and I won’t get a 100% click rate, but as long as they don’t report the campaign and burn my template, someone always clicks.

The Backup Plan

If the phish aren’t biting, I’ll probably turn away, but if I think there’s more potential, I’ll find another way in. Using freemium tools like Shodan to find externally facing assets, bonus points for known vulnerabilities, extra bonus for vulnerabilities with available exploits. There’s a strong chance these haven’t been patched, so I should be able to get access here.

The Spread

With access and creds, I’m ready to go! Ransomware used to worm the network automatically, but it was a bit noisy, and usually got picked up before I could finish the attack. Luckily, Microsoft has plenty of lolbins to use, which usually only set off low and medium alerts, which aren’t monitored by security teams. I’ll move laterally to establish some persistence and increase my attack scope.

The Ransom

If you don’t know I’m here by now, you will soon. Unless you’re patched with a properly deployed and configured (nothing is funnier than an Endpoint Protection Product in “Alert Only” mode), this shouldn’t take long.

The Haul

All your data are belong to ME! Seriously, just pay the ransom. I know what I have, and I know it’s worth money. Hire your negotiator, call your insurance, I’ll knock down the price a little, but just pay up. If you have any issues, just chat with tech support.

Trying to play games and restore your data? That’s great, but once you check the outbound traffic logs, it should be pretty clear how much data I brought back before I wrapped it up. Sure would be a shame if that leaked.

Don’t care about a leak? Well maybe a couple of competitors would benefit from the information and be interested in receiving an anonymous “tip”. If competitors aren’t a threat, I’m sure your customers and investors would be thrilled to hear about this. If you won’t pay me, I can make it off the market.

The Cleanup

Well, hopefully you got your data back. It was a pleasure doing business with you.Please leave a five-star rating for support, and do visit again. Now, I’m going to make some more money by selling my initial access to someone else and letting them know you have deep pockets. Unless you want to relive this nightmare, you’ll probably need to perform some root cause analysis, change some passwords, patch some assets, update your endpoint protection, and perhaps warn your users about phishing attacks 😀

Initial compromise is difficult to prevent, but if you had been looking at the Medium and Low alerts I generated with PowerShell, you probably wouldn’t be in this mess. If you don’t have the resources to look at all of those alerts, you should check out Critical Start.