Exposing What's Under the Hood of Ransomware Attacks

Ransomware is devastating to a company because it damages critical data. During an attack, ransomware scans for important files, encrypts them, and destroys backups. This can cripple an organization faster than other malicious applications. In this second part of a blog series about ransomware, we’ll discuss well-known cybercriminals and the harm they do.

800x418 blog feature images (11)

The first article in this ransomware blog series, Hacker Procedure, described the three main phases of an attack. In this blog article we’ll examine these details of ransomware crime:

  • What industries are affected by ransomware?
  • Who are the criminals and how do they succeed?
  • What types of data are stolen?
  • How much is a typical ransom?

What industries are affected by ransomware?

Attackers tend to focus on managed service providers in particular. A managed service provider is a business that takes over a range of IT services for several of its customers, such as email, data storage, and software-as-a-service applications. These services are critical to their customers’ day-to-day operations.

Source: https://www.linkedin.com/posts/cyber-rescue-alliance_cybersecurity-activity-6922448424487329792-qLdZ

When hackers take over an IT service provider, they simultaneously gain access to the service provider's customers. This is an efficient and scalable way to work; through a single attack, the cybercriminals gain access to multiple victims.

Managed service providers and their customers aren’t the sole targets of ransomware attacks. Almost all industry sectors, including health, manufacturing, finance, government, and automotive, are affected.

Who are the criminals holding systems for ransom?

We know ransomware attackers by the work that they do. Worldwide, there are about 62 ransomware groups that have successfully attacked a total of over 4400 companies.

Source: https://twitter.com/darktracer_int/status/1492066263715430405/photo/1

The most successful ransomware groups are Conti, LockBit and Pysa. Two formerly effective groups are no longer operating: The Sodinokibi (Revil) group has been arrested and the Maze group has retired.

The number of attacks doubles approximately every year. IT organizations should no longer wonder whether cybercriminals will seize and ransom their infrastructure—they should wonder when it will happen.

A close look at one ransomware group

Some of the Conti ransomware group’s internal data has been published over time. Mostly written in Russian, the leaked documents contain the group's procedures.

Warning: I recommend looking at Conti’s data in a separate virtual machine. The leaks contain some executables, which might contain a backdoor. As a general rule, don’t run exploits from just anyone—there’ve been enough examples in the past of files containing a backdoor.

You can view a translation of the Conti playbook here.

The Conti playbook starts when the group already has gained initial access. I described this in the previous article in this series as the solidify access phase. You’ll recall that, in this phase, the goal of the ransomware group is to gain the highest privileges in the organization.

The following points are covered in detail in the Conti Playbook:

  • Initial exploration:some text
    • What rights do the attackers have with the captured user?
    • Which local administrators exist?
    • Which domain administrators exist?
  • Privilege escalation techniques:some text
    • Kerberos attacks
    • Mimikatz tool to to capture credentials
    • Read passwords from the group policy object (GPO)
  • Lateral movement by exploiting vulnerabilities:some text
  • Anchoring (installation of backdoors)some text
  • Hunting administratorssome text
    • How to search for administrators in a domain in order to take them over
  • Uploading datasome text
    • How to steal company data
    • How to upload data to mega.io using rclone
  • Stage lockingsome text
    • How to encrypt all of a company’s data and applications with a few one-liners at the Windows and Hypervisor (VMWare) level

As you can see in the Conti playbook, most successful attacks are based on one or both of these system issues:

  • Software vulnerabilities that could have been addressed by updating versions
  • Systems without secure configuration (hardening)

Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.

What types of data are stolen?

Ransomware groups mainly target corporate data, such as financial reports, patented construction drawings, customer data, and credit card data. However, they do not shy away from private  individuals’ data, and sometimes publish private photos of company employees, for example. With this strategy, cybercriminals increase the pressure on their targets so that they are more willing to pay.

What is the average ransom amount?

The average ransom amount in 2021 was half a million US dollars. This figure doubles every year.

Source: https://unit42.paloaltonetworks.com/2022-ransomware-threat-report-highlights/

The ransom itself isn’t the only cost of a ransomware incident, however. These factors also can have a financial impact:

  • Days of lost operations
  • Leaked proprietary data
  • Damage to customer trust

Preventing ransomware attacks

In my career as a pentester and incident response consultant, I’ve identified two main reasons why attackers are so successful in compromising companies:

  • The systems are not up to date with the latest patches
  • The systems do not have secure configurations

Most organizations are not aware of how vulnerable they are. Time and time again, when I’ve seen companies become victims due to one or both of these risks, it’s because the system versioning and configurations are not visible across their entire infrastructure. Without that visibility, they can’t perform an appropriate risk assessment.

That's why we founded Mondoo, to help companies see their vulnerabilities and to provide them with concrete recommendations for action.

Mondoo provides a risk score per system across your complete infrastructure (Windows, Linux, AWS, Azure, M365, GCP, Kubernetes, CI/CD, Container, Docker, and more).

Mondoo risk score

Identify which updates are missing on each system.

Mondoo dashboard - missing updates

Receive clear instructions on how to fix individual problems.

Mondoo policies dashboard - instructions on how to fix problems

The next article in this ransomware blog series show what it’s like to experience an attack and how to respond. Subscribe to our blog to learn when we publish new articles.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.

Letha Dunn

Letha has been writing about technology for more than thirty years. During the past decade, she’s focused on educating engineers about identity and access management, security, CI/CD, and project velocity. Letha lives in the Pacific Northwest, where she rescues and rehabilitates abused and neglected horses and dogs.

You might also like

Mondoo May 2024 Release Highlights
Mondoo April 2024 Release Highlights
Exploring the Latest Security Features in Ubuntu 24.04