How Does Ransomware Work? A Step-by-Step Breakdown by@grantcollins



Grant Collins

An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.


In this article, you'll learn what ransomware is, how it works, and how attackers use it to lock businesses out of their own devices.

Watch the Video


00:02
This video is sponsored by Kemp Flowmon, a network intelligence tool capable of advanced monitoring and threat detection. More information about my thoughts on Kemp Flowmon's advanced monitoring and prevention offerings in a few moments.

00:13
You open up your computer to find this screen in front of you. Yes indeed, ransomware. You've heard about it, you've seen it, it's a security nightmare, and, well, it sustains itself in a very profitable, vicious cycle. But do you know how ransomware propagates, what steps it takes to get started within the process before you get to a screen like the one in front of me? In today's video topic I will be investigating exactly this question: the general steps ransomware takes to a compromised computer and network.
00:47
[Music]

00:48
Right now I'm in an isolated environment via a virtual machine. As you can see in front of me, I have this ransomware strain from an open source project which contains a whole bunch of malware. It's a GitHub repository called theZoo; there's a link in the description below. Now of course this is made for educational purposes, and this malware is very much so live, so don't do this on your regular machine. I'm using the Cerber ransomware variant, which is a relatively older ransomware strain. Cerber was one of the two ransomware operations at the time which pioneered what we now know as the new monetization model: ransomware as a service. So the machine is now infected, as you can see displayed here with the ransomware notes. What the heck happened, and how did we get to this state? Well, there are obviously many scenarios in which this can happen. I'm just going to be walking through some of the general techniques threat actors will use to get, well, this right here in front of you.
01:49
It all starts with performing some basic reconnaissance or discovery on the initial target. So it could start with a simple Google search, maybe looking at the company's front-end website, looking at the employees, the C-suite-level executives and what they do. Social media accounts and public records are good ways to understand what the company is doing on any given day. So, many different ways, but the first thing to do is just gather your information and discovery on the business, what they do. Most commonly attackers are going to take the path of least resistance because, well, laziness. So they will probably try the easiest methods first and then go up the chain from there, and this usually is in the form of social engineering. Social engineering is a factor that can't be minimized. Social engineering is usually through the form of what you've probably known by now as a phishing email. About 78% of ransomware attacks start out with a phishing email, such as this one right here.

02:51
Here I have a seemingly harmless email with an attachment included. In a real-world environment, absent of my humor, thank goodness, you would find that an email contains some documents, or maybe some important information leading to a website for more detail on what's going on. Maybe it's an attachment representing a banking information statement or updating the billing info of an employee, or it's an urgent email from a CEO causing that sense of urgency, or anything that really truly relates to business, and yeah, the personal environment as well. Here in this email, as an example, we receive a phishing statement talking about how we need to go ahead and update our information for a vendor management company, and as you can see there is an "updated billing info" .doc document, which in this case will probably include something malicious such as a macro, which leads us into the next exact situation.
03:54
[Music]

03:55
So let's say this user is tricked into updating the billing information, in this case for a vendor management company, clicks the download button and saves the file. The attachment could include a common file type such as a PDF with a backdoor, maybe a Word document with an embedded macro, in this case, or an executable that looks like it's a legitimate software program. It could also leverage the power of a command interpreter such as PowerShell or Windows Command Prompt, which will supply a list of commands to run in the background via PowerShell or Windows Command Prompt, and that will query for a payload to be downloaded. Perhaps it's through the use of a JavaScript, a Python, or an RDP connection. There are many tactics used to achieve execution, and the goal is to execute the payload. Now the payload itself may not be ransomware or malware; it could be an exploitation technique used to gain further foothold inside a network. Further communication connection may occur down in the chain, and oftentimes will. So this leads us into the next step of, well, compromised network.
05:10
So after the payload has been executed, it's time to perform some additional discovery, establish persistence, and get a backdoor with elevated privileges into the network. Network discovery allows an attacker to understand more about the environment that they are in. The attacker will likely collect information on hosts and network data. Attackers will likely use built-in native commands such as the net command on the Command Prompt. In this case with the net command you can get a list of users, groups, hosts and files; you can also query Active Directory if they're within a domain. Network scanning and enumeration gives attackers visibility into the network topology, the host operating systems, and the possible vulnerabilities that these hosts may be, you know, subject to. Next is persistence. Persistence allows an attacker to gain a continuous foothold inside a network: in the case that the attacker were to lose the first initial way of access, they could get into the network a different way. The attacker may establish persistence through creating additional computer user accounts that maybe look very similar to other accounts, DLL hijacking, abusing the Windows registry system, or using a web shell. This is an example of just a few ways that they will do this. Once persistence has been established, it's time to escalate those privileges and move laterally across the network. This step may coincide with the discovery phase depending on the priority. Privilege escalation can be achieved through credential dumping, bypassing user access controls, process injection, exploiting a known vulnerability, and there are many more tactics of course. The overall goal is to achieve domain admin or SYSTEM-level privileges, which is the highest privileged account in a Windows domain system.
07:05
The next step is to establish a communication line with a set of computers on the network to connect back to an attacker-controlled command and control server, or C2 server. Attackers will try to mimic normal traffic activity and avoid detection controls. The purpose of a command and control or C2 server is to exfiltrate sensitive data and send further instructions to the victim computers. Now a C2 server will commonly be used to establish this connection, and traffic can be impersonated on the application layer protocol, such as DNS, email protocols, data streaming. Once a communication line has been set up, it's finally trying to exfiltrate data. It's been more of a novel or newer technique within the past couple of years where they will exfiltrate the data first to blackmail the victim into paying the ransom. Now this is where the actual ransomware executable or payload can be sent through.
08:08
[Music]

08:10
Once the attacker has accomplished all of these steps, you will see the screen that we started with in the beginning of the video: a ransomware note. Oftentimes they will have a little file or HTML document saying, hey, this is where you can get your decryption key, you have to send Bitcoin to this address. As you can see, the files are now encrypted; this is a sample file on my desktop here. Ransomware deployments can occur from scheduled tasks, they could be from scripted deployments, GPO policy implementation, updates; it really depends on the attacker's technical, you know, ability and what they want to do. These are just a few examples of how ransomware has been deployed in the past. And there you have it: the computer has been compromised, and you can only hope that the company has sufficient backups and that the data has not been exfiltrated by the attackers before deploying the ransomware. As you can see, many companies fall victim to attacks like these in any given week and month.

09:09
So what happens now? Three words: prevention, detection, and recovery. And then you also have education, and there are also other strategies. Strategies can be implemented through policy, awareness, and effectively being handled by a security team. There are strategies, technologies, tools and frameworks, anywhere from endpoint detection and response to implementing email gateways. There are so many different tools an enterprise or company has in today's environment. So today I want to talk about one particular technology, and that is called network detection and response, or NDR.
09:44
Network detection and response is a solution which continuously monitors and analyzes raw enterprise traffic. When suspicious activity or normal traffic patterns deviate from the norm, an NDR tool will alert the security teams of the potential threats within their environment. So backtracking to the previous scenario that we went through, an NDR tool would be able to analyze network traffic patterns and alert on any suspicious activity going on, and I'm going to go ahead and break this down very quickly. I'm going to go ahead and use a tool as an example; in this case it is today's sponsor, and you may be thinking, you're just promoting some random tool, and that's really it, but ultimately Kemp Flowmon is a great example of a network detection and response technology out there. Let's go all the way back to the beginning of each of the steps, and I'm going to be using this tool as an example.

10:41
When it comes to reconnaissance and discovery, the first phase of ransomware, Flowmon detects enumeration of active neighbor hosts on the network, and it performs detection of scans against discovered targets. Then step two, when the attacker is looking for initial access, maybe the attacker is trying to break a password within an account, while Kemp Flowmon can detect brute-forcing techniques on those users' credentials and report that to the proper team. Then when you get into execution, an attacker maybe is exploiting RDP credentials, as we talked about; Flowmon detects the use of RDP credentials, but it also can detect other installations of malicious software such as keyloggers, or even the connection to a C2 server. When it comes to the discovery, persistence and privilege escalation phase, what's going to happen next is the attacker is going to split data into smaller chunks to simulate what normal corporate network traffic would look like, right? Well, they may be doing that through splitting up ICMP traffic, using the proper encryption. Flowmon can detect high amounts of data transfer. This is a critical step, and Flowmon can actually show what is going outside your network. When it comes to those command and control servers, C2 servers, and these connections, Flowmon can detect botnet commands and the commands that are sent to the C2 server. Finally, when the attacker deploys the ransomware and the attacker is encrypting the information, as we saw in the beginning of the video, Flowmon can detect network activity, which in this case would be high amounts of encryption, and alert the proper security team. And throughout each of those steps, a tool such as an NDR tool, Kemp Flowmon, can help you prevent, detect, recover and respond against those attacks within the chain. So that is the steps of a prolific ransomware variant.

12:42
So I appreciate Kemp Flowmon for sponsoring today's video. I also hope that you've learned something new about the steps that it takes for a ransomware variant to go through and compromise a network so that they can get a sufficient amount of data out and then they can encrypt your files. So thank you very much for watching. If you've enjoyed, that's all I care to really ask for, and yes, until the next video, have a good day.
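As an added, defender-side illustration of the NDR behaviours the video describes (this is example code written for this page, not code from the video, from theZoo or from Flowmon): a small Python pass over constructed NetFlow-like records that flags the three things the video says an NDR tool alerts on, internal host enumeration, credential brute forcing against an authentication service, and bulk outbound transfer to one external host. The address range, ports and thresholds are assumptions chosen for the sample data.

```python
"""Toy NDR-style detections over flow records (added example, not the
video's or Flowmon's code).  Each rule is a deliberately simple threshold;
real NDR products baseline per host and per time window instead."""
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes_out, flow_count)
FLOWS = [
    # enumeration: one workstation touching forty internal hosts on SMB
    *[("10.0.0.5", f"10.0.0.{i}", 445, 300, 1) for i in range(20, 60)],
    # brute force: hundreds of short RDP connections to one server
    ("10.0.0.5", "10.0.0.2", 3389, 900, 250),
    # exfiltration: 2.5 GB uploaded to an external host (RFC 5737 test range)
    ("10.0.0.7", "203.0.113.10", 443, 2_500_000_000, 4),
    # ordinary traffic that must not alert
    ("10.0.0.8", "10.0.0.2", 445, 120_000, 12),
    ("10.0.0.8", "203.0.113.20", 443, 8_000_000, 30),
]

INTERNAL_PREFIX = "10.0.0."      # assumption: the corporate address range
SCAN_PEERS = 25                  # distinct internal hosts per source before alerting
BRUTE_FLOWS = 100                # flows to one auth service before alerting
EXFIL_BYTES = 1_000_000_000      # outbound bytes to one external host
AUTH_PORTS = {3389, 445, 22}     # RDP, SMB, SSH


def detect(flows):
    """Return a sorted list of alert strings for the given flow records."""
    peers = defaultdict(set)     # src -> set of internal hosts contacted
    auth = defaultdict(int)      # (src, dst, port) -> flows to an auth service
    egress = defaultdict(int)    # (src, external dst) -> bytes sent out
    for src, dst, port, nbytes, count in flows:
        if dst.startswith(INTERNAL_PREFIX):
            peers[src].add(dst)
            if port in AUTH_PORTS:
                auth[(src, dst, port)] += count
        else:
            egress[(src, dst)] += nbytes
    alerts = [f"scan {s} -> {len(p)} internal hosts"
              for s, p in peers.items() if len(p) >= SCAN_PEERS]
    alerts += [f"brute-force {s} -> {d}:{p} ({n} flows)"
               for (s, d, p), n in auth.items() if n >= BRUTE_FLOWS]
    alerts += [f"exfil {s} -> {d} ({b} bytes)"
               for (s, d), b in egress.items() if b >= EXFIL_BYTES]
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Running it prints one alert per behaviour in the sample data; tuning the thresholds to a real network's baseline is the part an NDR product does for you.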