How Does Ransomware Work? A Step-by-Step Breakdown

In this article, you’ll learn what ransomwares are, how they work and how attackers use ransomwares to lock out Business devices.

Watch the Video

https://www.youtube.com/watch?v=Q_ZFVfDSilI&ab_channel=GrantCollins

00:02

this video is sponsored by kemp floman a

00:04

network intelligence tool capable of

00:06

advanced monitoring and threat detection

00:08

more information about my thoughts on

00:09

kempfloman's advanced monitoring and

00:11

prevention offerings in a few moments

00:13

you open up your computer to find this

00:16

screen in front of you yes indeed

00:18

ransomware you've heard about it you've

00:20

seen it it's a security nightmare and

00:23

well it sustains itself in a very

00:24

profitable

00:26

vicious cycle but do you know how

00:28

ransomware propagates what steps it

00:30

takes to get started within the process

00:33

before you get to a screen like the one

00:36

in front of me in today's video topic i

00:38

will be investigating exactly this

00:40

question the general steps ransomware

00:42

takes to a compromised computer and

00:45

network

00:47

[Music]

00:48

right now i'm in isolated environment

00:50

via a virtual machine as you can see in

00:52

front of me i have this ransomware

00:54

strain from an open source project which

00:56

contains a whole bunch of malware it's a

00:58

github repository called the zoo there's

01:00

a link in the description below now of

01:02

course this is made for educational

01:04

purposes and this malware is very much

01:07

so live so don't do this on your regular

01:10

machine i'm using the server ransomware

01:12

variant which is a relatively older

01:15

ransomware strain server was one of the

01:18

two ransomware operations at the time

01:21

which pioneered what we now know as the

01:24

new monetization model ransomware as a

01:26

service so the machine is now infected

01:29

as you can display here with the

01:31

ransomware notes what the heck happened

01:33

and how did we get to this state well

01:35

there's obviously many scenarios this

01:37

can happen i'm just gonna be walking

01:39

through some of the general techniques

01:41

thread actors will use to get well this

01:45

right here in front of you

01:49

it all starts with performing some basic

01:51

reconnaissance or discovery on the

01:53

initial target so it could start with a

01:55

simple google search maybe looking at

01:57

the company's front-end website looking

01:59

at the employees

02:01

the c-suite of level executives and what

02:04

they do social media accounts and public

02:07

records are good ways to understand what

02:10

the company is doing in any given day so

02:12

many different ways but the first thing

02:14

to do is just gather your information

02:16

and discovery on the business what they

02:19

do most commonly attackers are going to

02:20

take the path of least resistance

02:22

because well laziness so they will

02:25

probably try the easiest methods first

02:27

and then go up the chain from there and

02:30

this usually is in the form of social

02:32

engineering social engineering is a

02:34

factor that can't be minimized social

02:37

engineering is usually through the form

02:39

of what you've known probably by now is

02:41

a phishing email about 78 ransomware

02:44

attacks starts out with a phishing email

02:47

such as this one right here

02:51

here i have a seemingly harmless email

02:54

with an attachment included in a real

02:56

world environment absent of my humor

02:58

thank goodness you would find that a

03:01

email contains some documents or maybe

03:04

some important information leading to a

03:07

website for more detail on what's going

03:10

on maybe it's an attachment representing

03:12

a banking information statement or

03:15

updating the billing info of an employee

03:17

or it's an urgent email from a ceo

03:20

causing that sense of urgency or

03:22

anything that really truly relates to

03:24

business and yeah personal environment

03:26

as well here in this email as an example

03:29

we receive a phishing statement talking

03:32

about how we need to go ahead and update

03:34

our information for a vendor management

03:38

company and as you can see there is an

03:40

updated billing info dot documents which

03:44

in this case will probably include

03:46

something malicious such as a macro

03:48

which leads us into

03:50

the next exact situation

03:54

[Music]

03:55

so let's say this user is tricked into

03:57

updating the billing information in this

03:59

case for a vendor management company

04:01

clicks the download button and saves the

04:03

file the attachment could include a

04:06

common file type such as a pdf with a

04:08

back door maybe a word document with an

04:11

embedded macro in this case or an

04:14

executable that looks like it's a

04:16

legitimate software program it could

04:18

also leverage the power of a command

04:21

interpreter such as powershell or

04:24

windows command prompt which will supply

04:26

a list of commands to run in the

04:28

background via powershell or windows

04:30

command prompt and that will query for a

04:33

payload to be downloaded perhaps it's

04:35

through the use of a javascript a python

04:38

or an rdb connection server there are

04:40

many tactics used to achieve execution

04:43

and the goal is to execute the payload

04:45

now the payload itself may not be

04:48

ransomware or malware it could be an

04:51

exploitation technique used to gain

04:54

further foothold inside a network

04:56

further communication connection may

04:59

occur down in the chain and oftentimes

05:02

will so this leads us into the next step

05:05

of well compromised network

05:10

so after the payload has been executed

05:12

it's time to perform some additional

05:14

discovery establish persistence and get

05:17

a back door with elevated privileges

05:19

into the network network discovery

05:21

allows an attacker to understand more

05:24

about the environment that they are in

05:27

the attacker will likely collect

05:29

information on hosts and network data

05:32

attackers will likely use built-in

05:36

native commands such as the net command

05:38

on the command prompt in this case with

05:41

the net command you can get a list of

05:43

users groups hosts and files you can

05:46

also query active directory if they're

05:48

within a domain network scanning and

05:50

enumeration gives attackers the

05:53

visibility into network topology the

05:55

host operating systems and the possible

05:58

vulnerabilities that these hosts may be

06:00

you know subject to next is persistence

06:02

persistence allows an attacker to gain a

06:05

continuous foothold inside a network in

06:08

the case that the attacker were to lose

06:10

the first initial way of access they

06:13

could get into the network from a

06:15

different way the attacker may establish

06:17

persistence through creating additional

06:19

computer user accounts that maybe look

06:21

very similar to other accounts dll

06:24

hijacking abusing the windows registry

06:27

system or using a web shell this is an

06:30

example of just a few ways that they

06:32

will do this once persistence has been

06:34

established it's time to escalate those

06:36

privileges and move laterally across the

06:39

network this step may coincide with the

06:41

discovery phase depending on the

06:44

priority privilege escalation can be

06:45

achieved through credential dumping

06:47

bypassing user access controls process

06:50

injection exploiting a known

06:52

vulnerability and there's many more

06:54

tactics of course the overall goal is to

06:56

achieve domain admin or system level

06:58

privileges which is the highest

07:00

privileged account in a windows domain

07:02

system

07:05

the next step is to establish a

07:07

communication line with a set of

07:10

computers on the network to connect back

07:13

to an attacker-controlled command and

07:15

control serp or c2 server attackers will

07:19

try to mimic normal traffic activity and

07:22

avoid detection controls the purpose of

07:25

a command and control or c2 server is to

07:29

exfiltrate sensitive data and send

07:31

further instructions uh to the victim

07:34

computers now a c2 server will commonly

07:37

be used to establish this connection and

07:40

traffic can be impersonated on the

07:42

application layer protocol such as dns

07:45

email protocols data streaming once a

07:47

communication line has been set up it's

07:49

finally trying to exfiltrate data it's

07:52

been more of a novel or newer technique

07:53

within the past couple of years where

07:56

they will exfiltrate the data first to

07:59

blackmail the victim into paying the

08:01

ransom now this is where the actual

08:03

ransomware executable or payload can be

08:07

sent through

08:08

[Music]

08:10

once the attacker has accomplished all

08:12

of these steps you will see the screen

08:14

that we started with in the beginning of

08:16

the video a ransomware notes oftentimes

08:19

they will have a little file or html

08:21

document

08:22

saying hey this is where you can get

08:24

your decryption key you have to send

08:26

bitcoin to this address as you can see

08:28

the files are now encrypted this is a

08:31

sample file on my desktop here

08:33

ransomware deployments can occur from

08:35

scheduled tasks they could be from

08:37

scripted deployments gpo policy

08:40

implementation updates really depends on

08:42

the attacker's technical you know

08:45

ability and what they want to do these

08:47

are just a few examples of how

08:49

ransomware has been deployed in the past

08:51

and there you have it the computer has

08:54

been compromised and you can only hope

08:56

that the company has sufficient backups

08:58

and that the data has not been

09:00

exfiltrated by the attackers before

09:03

deploying the ransomware as you can see

09:05

many companies fall victim to attacks

09:07

like these in any given week and month

09:09

so what happens now three words

09:11

prevention detection and recovery and

09:14

then you also have education and there's

09:16

also other strategies strategies can be

09:18

implemented through policy awareness and

09:20

effectively being handled by a security

09:24

team there are strategies technologies

09:26

tools and frameworks anywhere from

09:28

endpoint detection response to

09:30

implementing email gateways there are so

09:33

many different tools an enterprise or

09:35

company has in today's environment so

09:37

today i want to talk about one

09:39

particular technology and that is called

09:41

network detection response or ndr

09:44

network detection response is a solution

09:46

which continuously monitors and analyzes

09:49

raw enterprise traffic when suspicious

09:53

activity or normal traffic patterns

09:56

deviate from the norm an ndr tool will

09:59

alert the security teams of the

10:01

potential threats within their

10:03

environment so backtracking to the

10:05

previous scenario that we went through

10:07

an ndr tool would be able to analyze

10:10

network traffic patterns and alert on

10:12

any suspicious activity going on and i'm

10:14

gonna go ahead and break this down very

10:16

quickly i'm gonna go ahead and use a

10:19

tool as an example in this case it is

10:21

today's sponsor and you may be thinking

10:23

you're just promoting some random tool

10:26

um and that's really it but ultimately

10:29

kemp flomon is a great example of a

10:32

network detection response technology

10:34

out there let's go all the way back to

10:37

the beginning of each of the steps and

10:39

i'm going to be using this tool as an

10:41

example when it comes to reconnaissance

10:43

and discovery the first phase of

10:45

ransomware flowmod detects enumeration

10:48

in active neighbor hosts on the network

10:51

and it performs detection scans against

10:54

discover targets then step two when the

10:56

attacker is looking for initial axis

10:58

maybe the attacker is trying to break a

11:00

password within an account while kem

11:02

flaumon can detect brute forcing

11:05

techniques on those users credentials

11:07

and report that to the proper team then

11:10

when you get into execution an attacker

11:12

maybe is explaining rdp credentials as

11:14

we talked about flowmon detects the use

11:17

of rdp credentials but it also can

11:19

detect other installations of a

11:22

malicious software such as key loggers

11:25

or even the connection to a c2 server

11:27

when it comes to the discovery

11:30

persistence and privilege escalation

11:32

phase what's going to happen next is the

11:34

attacker is going to split data into

11:36

smaller chunks to simulate what normal

11:38

corporate network

11:40

traffic would look like right well they

11:42

may be doing that through splitting up

11:43

icmp traffic using the proper encryption

11:46

flowmod can detect high amounts of data

11:49

transfer this is a critical step and

11:51

flowmon can actually show

11:54

what is going outside your network when

11:56

it comes to those command and control

11:58

servers c2 servers and these connections

12:01

flowmon can detect botmat commands and

12:05

the commands that are sent to the c2

12:07

server finally when the attacker deploys

12:09

the ransomware

12:10

and the attacker is encrypting the

12:13

information as we saw in the beginning

12:14

of the video bluemon can detect network

12:17

activity which in this case would be

12:19

high amounts of encryption and alert the

12:22

proper security team and throughout each

12:24

of those steps a tool such as an ndr

12:27

tool kem flowmon can help you prevent

12:30

detect

12:31

recover and respond against those

12:35

attacks within the chain so that is the

12:38

steps of a prolific ransomware variant

12:42

so i appreciate kev floman for

12:44

sponsoring today's video i also hope

12:45

that you've learned something new about

12:47

the steps that it takes for a ransomware

12:50

variant to go through and compromise a

12:53

network so that they can get a

12:54

sufficient amount of data out and then

12:57

they can encrypt your files so thank you

12:59

very much for watching if you've enjoyed

13:01

that's all i care to really ask for and

13:04

yes until the next video have a good day