How Does Ransomware Work? A Step-by-Step Breakdown

by Grant Collins, February 26th, 2022


In this article, you'll learn what ransomware is, how it works, and how attackers use it to lock businesses out of their devices.

Watch the Video

https://www.youtube.com/watch?v=Q_ZFVfDSilI&ab_channel=GrantCollins


Video transcript:

This video is sponsored by Kemp Flowmon, a network intelligence tool capable of advanced monitoring and threat detection. More information about my thoughts on Kemp Flowmon's advanced monitoring and prevention offerings in a few moments.

You open up your computer to find this screen in front of you. Yes indeed: ransomware. You've heard about it, you've seen it, it's a security nightmare, and, well, it sustains itself in a very profitable, vicious cycle. But do you know how ransomware propagates, what steps it takes to get started within the process before you get to a screen like the one in front of me? In today's video topic I will be investigating exactly this question: the general steps ransomware takes to a compromised computer and network.

Right now I'm in an isolated environment via a virtual machine. As you can see in front of me, I have this ransomware strain from an open source project which contains a whole bunch of malware; it's a GitHub repository called theZoo. There's a link in the description below. Now of course this is made for educational purposes, and this malware is very much so live, so don't do this on your regular machine. I'm using the Cerber ransomware variant, which is a relatively older ransomware strain. Cerber was one of the two ransomware operations at the time which pioneered what we now know as the new monetization model, ransomware as a service. So the machine is now infected, as you can display here with the ransomware notes. What the heck happened, and how did we get to this state? Well, there's obviously many scenarios this can happen. I'm just gonna be walking through some of the general techniques threat actors will use to get, well, this right here in front of you.

It all starts with performing some basic reconnaissance or discovery on the initial target. So it could start with a simple Google search, maybe looking at the company's front-end website, looking at the employees, the C-suite level executives and what they do. Social media accounts and public records are good ways to understand what the company is doing in any given day. So many different ways, but the first thing to do is just gather your information and discovery on the business, what they do. Most commonly attackers are going to take the path of least resistance, because, well, laziness. So they will probably try the easiest methods first and then go up the chain from there, and this usually is in the form of social engineering. Social engineering is a factor that can't be minimized. Social engineering is usually through the form of what you've known probably by now is a phishing email. About 78 percent of ransomware attacks start out with a phishing email such as this one right here.

Here I have a seemingly harmless email with an attachment included. In a real world environment, absent of my humor (thank goodness), you would find that an email contains some documents or maybe some important information leading to a website for more detail on what's going on. Maybe it's an attachment representing a banking information statement or updating the billing info of an employee, or it's an urgent email from a CEO causing that sense of urgency, or anything that really truly relates to business, and yeah, personal environment as well. Here in this email, as an example, we receive a phishing statement talking about how we need to go ahead and update our information for a vendor management company, and as you can see there is an "updated billing info" .doc document, which in this case will probably include something malicious such as a macro, which leads us into the next exact situation.

So let's say this user is tricked into updating the billing information, in this case for a vendor management company, clicks the download button and saves the file. The attachment could include a common file type such as a PDF with a back door, maybe a Word document with an embedded macro (in this case), or an executable that looks like it's a legitimate software program. It could also leverage the power of a command interpreter such as PowerShell or Windows Command Prompt, which will supply a list of commands to run in the background via PowerShell or Windows Command Prompt, and that will query for a payload to be downloaded. Perhaps it's through the use of a JavaScript, a Python, or an RDP connection server. There are many tactics used to achieve execution, and the goal is to execute the payload. Now the payload itself may not be ransomware or malware; it could be an exploitation technique used to gain further foothold inside a network. Further communication connection may occur down in the chain, and oftentimes will. So this leads us into the next step of, well, compromised network.

So after the payload has been executed, it's time to perform some additional discovery, establish persistence, and get a back door with elevated privileges into the network. Network discovery allows an attacker to understand more about the environment that they are in. The attacker will likely collect information on hosts and network data. Attackers will likely use built-in native commands such as the net command on the Command Prompt. In this case, with the net command you can get a list of users, groups, hosts and files. You can also query Active Directory if they're within a domain. Network scanning and enumeration gives attackers the visibility into network topology, the host operating systems and the possible vulnerabilities that these hosts may be, you know, subject to. Next is persistence. Persistence allows an attacker to gain a continuous foothold inside a network: in the case that the attacker were to lose the first initial way of access, they could get into the network from a different way. The attacker may establish persistence through creating additional computer user accounts that maybe look very similar to other accounts, DLL hijacking, abusing the Windows registry system, or using a web shell. This is an example of just a few ways that they will do this. Once persistence has been established, it's time to escalate those privileges and move laterally across the network. This step may coincide with the discovery phase depending on the priority. Privilege escalation can be achieved through credential dumping, bypassing user access controls, process injection, exploiting a known vulnerability, and there's many more tactics of course. The overall goal is to achieve domain admin or SYSTEM level privileges, which is the highest privileged account in a Windows domain system.

The next step is to establish a communication line with a set of computers on the network to connect back to an attacker-controlled command and control server, or C2 server. Attackers will try to mimic normal traffic activity and avoid detection controls. The purpose of a command and control or C2 server is to exfiltrate sensitive data and send further instructions to the victim computers. Now a C2 server will commonly be used to establish this connection, and traffic can be impersonated on the application layer protocol, such as DNS, email protocols, data streaming. Once a communication line has been set up, it's finally trying to exfiltrate data. It's been more of a novel or newer technique within the past couple of years where they will exfiltrate the data first to blackmail the victim into paying the ransom. Now this is where the actual ransomware executable or payload can be sent through.

Once the attacker has accomplished all of these steps, you will see the screen that we started with in the beginning of the video: a ransomware note. Oftentimes they will have a little file or HTML document saying, hey, this is where you can get your decryption key, you have to send Bitcoin to this address. As you can see the files are now encrypted; this is a sample file on my desktop here. Ransomware deployments can occur from scheduled tasks, they could be from scripted deployments, GPO policy implementation, updates. It really depends on the attacker's technical, you know, ability and what they want to do. These are just a few examples of how ransomware has been deployed in the past. And there you have it: the computer has been compromised, and you can only hope that the company has sufficient backups and that the data has not been exfiltrated by the attackers before deploying the ransomware. As you can see, many companies fall victim to attacks like these in any given week and month.

So what happens now? Three words: prevention, detection and recovery. And then you also have education, and there's also other strategies. Strategies can be implemented through policy awareness and effectively being handled by a security team. There are strategies, technologies, tools and frameworks, anywhere from endpoint detection response to implementing email gateways. There are so many different tools an enterprise or company has in today's environment. So today I want to talk about one particular technology, and that is called network detection response, or NDR. Network detection response is a solution which continuously monitors and analyzes raw enterprise traffic. When suspicious activity or normal traffic patterns deviate from the norm, an NDR tool will alert the security teams of the potential threats within their environment. So backtracking to the previous scenario that we went through, an NDR tool would be able to analyze network traffic patterns and alert on any suspicious activity going on, and I'm gonna go ahead and break this down very quickly. I'm gonna go ahead and use a tool as an example; in this case it is today's sponsor, and you may be thinking "you're just promoting some random tool", um, and that's really it, but ultimately Kemp Flowmon is a great example of a network detection response technology out there.

Let's go all the way back to the beginning of each of the steps, and I'm going to be using this tool as an example. When it comes to reconnaissance and discovery, the first phase of ransomware, Flowmon detects enumeration in active neighbor hosts on the network, and it performs detection scans against discovered targets. Then step two, when the attacker is looking for initial access, maybe the attacker is trying to break a password within an account, while Kemp Flowmon can detect brute forcing techniques on those users' credentials and report that to the proper team. Then when you get into execution, an attacker maybe is exploiting RDP credentials, as we talked about. Flowmon detects the use of RDP credentials, but it also can detect other installations of a malicious software such as key loggers, or even the connection to a C2 server. When it comes to the discovery, persistence and privilege escalation phase, what's going to happen next is the attacker is going to split data into smaller chunks to simulate what normal corporate network traffic would look like, right? Well, they may be doing that through splitting up ICMP traffic, using the proper encryption. Flowmon can detect high amounts of data transfer. This is a critical step, and Flowmon can actually show what is going outside your network. When it comes to those command and control servers, C2 servers, and these connections, Flowmon can detect botnet commands and the commands that are sent to the C2 server. Finally, when the attacker deploys the ransomware and the attacker is encrypting the information, as we saw in the beginning of the video, Flowmon can detect network activity, which in this case would be high amounts of encryption, and alert the proper security team. And throughout each of those steps, a tool such as an NDR tool, Kemp Flowmon, can help you prevent, detect, recover and respond against those attacks within the chain. So that is the steps of a prolific ransomware variant.

So I appreciate Kemp Flowmon for sponsoring today's video. I also hope that you've learned something new about the steps that it takes for a ransomware variant to go through and compromise a network so that they can get a sufficient amount of data out and then they can encrypt your files. So thank you very much for watching. If you've enjoyed, that's all I care to really ask for, and yes, until the next video, have a good day.
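The transcript describes two traffic-level signals an NDR tool raises in the ransomware chain: enumeration of neighbouring hosts during discovery, and high volumes of data leaving the network before the payload is dropped. The following is an added example, not code from the video, from Kemp Flowmon or from any other vendor, showing how a defender can express those two heuristics over flow records. The `Flow` record type, the internal range `10.0.0.0/8`, the sliding-window and baseline thresholds, and all addresses, byte counts and per-host baselines are constructed assumptions for this illustration.

```python
"""
NDR-style traffic heuristics over flow records (constructed example).

Two of the traffic-level signals the video attributes to an NDR tool, written
as plain heuristics a defender can run over NetFlow-style records:
  1. enumeration: one internal host touching many distinct internal
     (destination, port) pairs inside a short window;
  2. bulk outbound transfer: an internal host sending far more bytes to
     external addresses than its own per-day baseline.
All addresses, byte counts and baselines here are constructed for this
example; the logic is illustrative, not any vendor's detection algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since an arbitrary epoch
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    dport: int       # destination port
    out_bytes: int   # bytes sent src -> dst


# Assumed internal address space for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def detect_enumeration(flows, window=60, threshold=20):
    """Map src -> peak number of distinct internal (dst, dport) pairs seen
    within any `window`-second span, for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        recent = []  # (ts, (dst, dport)) pairs inside the sliding window
        for f in sorted(fl, key=lambda x: x.ts):
            recent.append((f.ts, (f.dst, f.dport)))
            recent = [r for r in recent if r[0] > f.ts - window]
            distinct = len({r[1] for r in recent})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def outbound_bytes(flows):
    """Total bytes each internal host sent to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.out_bytes
    return dict(totals)


def detect_exfil(flows, baseline, sigma=3.0):
    """baseline: host -> list of that host's daily outbound totals on earlier
    days. Flags hosts whose current total exceeds mean + sigma * stdev of
    their own history. Hosts with no usable history are skipped, not guessed."""
    alerts = {}
    for host, total in outbound_bytes(flows).items():
        hist = baseline.get(host, [])
        if len(hist) < 2:
            continue
        mu, sd = mean(hist), pstdev(hist)
        if total > mu + sigma * max(sd, 1.0):
            alerts[host] = total
    return alerts


# --- constructed sample data -----------------------------------------------
def sample_flows():
    flows = []
    # 10.0.1.5 sweeps port 445 on thirty neighbours within thirty seconds.
    for i in range(30):
        flows.append(Flow(1000 + i, "10.0.1.5", f"10.0.2.{i + 1}", 445, 120))
    # 10.0.1.7 behaves normally: a few internal flows and modest egress.
    for i in range(5):
        flows.append(Flow(1000 + i * 300, "10.0.1.7", f"10.0.3.{i + 1}", 443, 4000))
    flows.append(Flow(1500, "10.0.1.7", "203.0.113.20", 443, 49_000_000))
    # 10.0.1.9 pushes about 2 GB to an external address in one session.
    flows.append(Flow(1600, "10.0.1.9", "203.0.113.10", 443, 2_000_000_000))
    return flows


SAMPLE_BASELINE = {  # constructed daily outbound totals for earlier days
    "10.0.1.7": [50_000_000, 52_000_000, 48_000_000, 51_000_000],
    "10.0.1.9": [50_000_000, 52_000_000, 48_000_000, 51_000_000],
}


def run_example():
    flows = sample_flows()
    return detect_enumeration(flows), detect_exfil(flows, SAMPLE_BASELINE)


if __name__ == "__main__":
    enum_alerts, exfil_alerts = run_example()
    for host, n in enum_alerts.items():
        print(f"ENUMERATION {host}: {n} distinct internal targets within 60s")
    for host, b in exfil_alerts.items():
        print(f"BULK EGRESS {host}: {b} bytes outbound vs. own baseline")
```

Both heuristics compare a host against a norm rather than against a fixed signature, which is the point the transcript makes about NDR: the scan is visible as an unusual fan-out from one source, and the exfiltration is visible as egress far above that host's own history, regardless of whether the payload itself is encrypted or split into smaller chunks. In practice the window, threshold and sigma values are tuned per environment, and hosts without a baseline are deliberately left unflagged rather than compared against a made-up norm.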