The topic of ransomware has been covered in the headlines regularly over the past few years as an increasing number of organizations see ransomware emerge as a critical threat to company assets. The concept of holding computers to ransom is not new and has been around for some time. The main obstacle early ransomware operators faced was collecting payment from those who fell victim to their malicious download. It was not until the 2000s that the emergence of cryptocurrencies, such as Bitcoin in 2010, provided attackers an easy and somewhat anonymous method for receiving payment from their victims. As virtual currencies became more visible to attackers, ransomware gradually grew into the lucrative business it is today.
Recent ransomware attacks
As the monetization side of ransomware operations changed, so did the tactics, techniques, and procedures. Early in the lifecycle of ransomware, threat actors would target a single user or a small group. This method has a low monetary return and is a much slower way of infecting systems and earning money. In more recent years, threat actors have aimed to conduct attacks on a larger scale by phishing employees in the hope of gaining a foothold on an internal system, bypassing controls such as multi-factor authentication or a VPN in the process. After obtaining a foothold in a company’s network, the crafted payload could use the initially infected computer for “spray and pray” style tactics, attempting to move laterally from one system to another and infecting computers along the way.
Depending on how the ransomware is developed, operators may also take more sophisticated actions. Typically, these follow the same methodology as a penetration test. Once the ransomware is on the initial system, an operator may scan both passively and actively to identify and interact directly with specific systems on the network that may be vulnerable. Once the attacker identifies a weakness, they will attempt to leverage it to escalate their privileges and/or move laterally. As the operator gains further access to the network, they begin establishing persistence and infecting systems.
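The internal scanning and host-to-host spread described above leaves a recognisable footprint in network connection logs: one source talking to many hosts, or probing many ports on one host, in a short window. The following is an added defensive example, not code from Netragard or from this post. It runs a simple sliding-window detector over constructed flow-log lines (format, IP addresses and thresholds are all assumptions chosen for illustration) and reports which internal sources look like a host sweep or a port scan.

```python
"""Flag sources whose outbound connection pattern resembles internal
scanning / lateral movement. Added example; the log format below
('<ISO timestamp> <src_ip> <dst_ip> <dst_port> <result>') is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps SMB (445) across seven hosts,
# 10.0.0.9 probes twelve ports on one host, 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 445 ok
2024-05-01T10:00:02 10.0.0.5 10.0.0.21 445 refused
2024-05-01T10:00:03 10.0.0.5 10.0.0.22 445 ok
2024-05-01T10:00:04 10.0.0.5 10.0.0.23 445 refused
2024-05-01T10:00:05 10.0.0.5 10.0.0.24 445 ok
2024-05-01T10:00:06 10.0.0.5 10.0.0.25 445 refused
2024-05-01T10:00:07 10.0.0.5 10.0.0.26 445 ok
2024-05-01T10:01:00 10.0.0.7 10.0.0.50 443 ok
2024-05-01T10:02:00 10.0.0.7 10.0.0.51 443 ok
2024-05-01T10:03:00 10.0.0.7 10.0.0.50 443 ok
2024-05-01T10:05:00 10.0.0.9 10.0.0.30 21 refused
2024-05-01T10:05:01 10.0.0.9 10.0.0.30 22 ok
2024-05-01T10:05:02 10.0.0.9 10.0.0.30 23 refused
2024-05-01T10:05:03 10.0.0.9 10.0.0.30 25 refused
2024-05-01T10:05:04 10.0.0.9 10.0.0.30 80 ok
2024-05-01T10:05:05 10.0.0.9 10.0.0.30 135 ok
2024-05-01T10:05:06 10.0.0.9 10.0.0.30 139 ok
2024-05-01T10:05:07 10.0.0.9 10.0.0.30 443 ok
2024-05-01T10:05:08 10.0.0.9 10.0.0.30 445 ok
2024-05-01T10:05:09 10.0.0.9 10.0.0.30 3389 refused
2024-05-01T10:05:10 10.0.0.9 10.0.0.30 5985 ok
2024-05-01T10:05:11 10.0.0.9 10.0.0.30 8080 refused
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, result)."""
    ts, src, dst, port, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), result


def find_suspicious_sources(log_text, window=timedelta(minutes=5),
                            host_threshold=5, port_threshold=10):
    """Return {src_ip: [reasons]} for sources that, within any `window`,
    contacted >= host_threshold distinct hosts (host sweep) or
    >= port_threshold distinct ports (port scan). Thresholds are assumptions;
    tune them to the baseline of the network being monitored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[src].append((ts, dst, port))

    findings = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        start = 0
        max_hosts = max_ports = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            max_hosts = max(max_hosts, len({e[1] for e in in_window}))
            max_ports = max(max_ports, len({e[2] for e in in_window}))

        reasons = []
        if max_hosts >= host_threshold:
            reasons.append(f"contacted {max_hosts} distinct hosts in {window}")
        if max_ports >= port_threshold:
            reasons.append(f"probed {max_ports} distinct ports in {window}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_sources(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Running it flags 10.0.0.5 for the host sweep and 10.0.0.9 for the port scan while leaving 10.0.0.7 alone. In practice the same logic would be fed from firewall, NetFlow or EDR connection telemetry, and a hit on a workstation that normally talks only to a handful of servers is a strong early signal that the "spray and pray" phase has begun and the host should be isolated.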
How to mitigate ransomware attacks
Netragard offers services such as realistic social engineering and internal network assessments to emulate sophisticated ransomware operators. Netragard’s Real Time Dynamic Testing™ can help you improve your security posture and reduce your attack surface to help secure your network. If you are interested in learning more about penetration testing or would like to schedule a penetration test, Contact Us!
Noah Tongate, Netragard
Offensive Security Engineer