In this article, you'll learn what ransomware is, how it works, and how attackers use ransomware to lock out business devices.

Watch the video: https://www.youtube.com/watch?v=Q_ZFVfDSilI&ab_channel=GrantCollins

Transcript

00:02 This video is sponsored by Kemp Flowmon, a network intelligence tool capable of advanced monitoring and threat detection. More information about my thoughts on Kemp Flowmon's advanced monitoring and prevention offerings in a few moments.

00:13 You open up your computer to find this screen in front of you. Yes, indeed: ransomware. You've heard about it, you've seen it. It's a security nightmare, and, well, it sustains itself in a very profitable, vicious cycle. But do you know how ransomware propagates, what steps it takes to get started within the process, before you get to a screen like the one in front of me? In today's video topic I will be investigating exactly this question: the general steps ransomware takes to a compromised computer and network.

00:48 Right now I'm in an isolated environment via a virtual machine. As you can see in front of me, I have this ransomware strain from an open source project which contains a whole bunch of malware. It's a GitHub repository called theZoo; there's a link in the description below. Now of course this is made for educational purposes, and this malware is very much so live, so don't do this on your regular machine. I'm using the Cerber ransomware variant, which is a relatively older ransomware strain. Cerber was one of the two ransomware operations at the time which pioneered what we now know as the new monetization model, ransomware as a service. So the machine is now infected, as you can see here with the ransomware notes. What the heck happened, and how did we get to this state? Well, there's obviously many scenarios this can happen. I'm just gonna be walking through some of the general techniques threat actors will use to get, well, this right here in front of you.

01:49 It all starts with performing some basic reconnaissance or discovery on the initial target. So it could start with a simple Google search, maybe looking at the company's front-end website, looking at the employees, the C-suite-level executives and what they do. Social media accounts and public records are good ways to understand what the company is doing in any given day. So many different ways, but the first thing to do is just gather your information and discovery on the business, what they do. Most commonly attackers are going to take the path of least resistance, because, well, laziness. So they will probably try the easiest methods first and then go up the chain from there, and this usually is in the form of social engineering. Social engineering is a factor that can't be minimized. Social engineering is usually through the form of what you've known probably by now as a phishing email. About 78% of ransomware attacks start out with a phishing email, such as this one right here.

02:51 Here I have a seemingly harmless email with an attachment included. In a real world environment, absent of my humor, thank goodness, you would find that an email contains some documents or maybe some important information leading to a website for more detail on what's going on. Maybe it's an attachment representing a banking information statement, or updating the billing info of an employee, or it's an urgent email from a CEO causing that sense of urgency, or anything that really truly relates to business, and yeah, personal environment as well. Here in this email, as an example, we receive a phishing statement talking about how we need to go ahead and update our information for a vendor management company, and as you can see there is an "updated billing info" .doc document, which in this case will probably include something malicious such as a macro, which leads us into the next exact situation.

03:55 So let's say this user is tricked into updating the billing information, in this case for a vendor management company, clicks the download button and saves the file. The attachment could include a common file type such as a PDF with a back door, maybe a Word document with an embedded macro in this case, or an executable that looks like it's a legitimate software program. It could also leverage the power of a command interpreter such as PowerShell or Windows Command Prompt, which will supply a list of commands to run in the background via PowerShell or Windows Command Prompt, and that will query for a payload to be downloaded. Perhaps it's through the use of a JavaScript, a Python, or an RDP connection. There are many tactics used to achieve execution, and the goal is to execute the payload. Now the payload itself may not be ransomware or malware; it could be an exploitation technique used to gain further foothold inside a network. Further communication connection may occur down in the chain, and oftentimes will. So this leads us into the next step of, well, compromised network.

05:10 So after the payload has been executed, it's time to perform some additional discovery, establish persistence, and get a back door with elevated privileges into the network. Network discovery allows an attacker to understand more about the environment that they are in. The attacker will likely collect information on hosts and network data. Attackers will likely use built-in native commands such as the net command on the Command Prompt. In this case with the net command you can get a list of users, groups, hosts and files. You can also query Active Directory if they're within a domain. Network scanning and enumeration gives attackers the visibility into network topology, the host operating systems, and the possible vulnerabilities that these hosts may be, you know, subject to.

06:00 Next is persistence. Persistence allows an attacker to gain a continuous foothold inside a network. In the case that the attacker were to lose the first initial way of access, they could get into the network from a different way. The attacker may establish persistence through creating additional computer user accounts that maybe look very similar to other accounts, DLL hijacking, abusing the Windows Registry system, or using a web shell. This is an example of just a few ways that they will do this. Once persistence has been established, it's time to escalate those privileges and move laterally across the network. This step may coincide with the discovery phase depending on the priority. Privilege escalation can be achieved through credential dumping, bypassing user access controls, process injection, exploiting a known vulnerability, and there's many more tactics, of course. The overall goal is to achieve domain admin or SYSTEM level privileges, which is the highest privileged account in a Windows domain system.

07:05 The next step is to establish a communication line with a set of computers on the network to connect back to an attacker-controlled command and control server, or C2 server. Attackers will try to mimic normal traffic activity and avoid detection controls. The purpose of a command and control or C2 server is to exfiltrate sensitive data and send further instructions to the victim computers. Now a C2 server will commonly be used to establish this connection, and traffic can be impersonated on the application layer protocol, such as DNS, email protocols, data streaming. Once a communication line has been set up, it's finally time to exfiltrate data. It's been more of a novel or newer technique within the past couple of years where they will exfiltrate the data first to blackmail the victim into paying the ransom. Now this is where the actual ransomware executable or payload can be sent through.

08:10 Once the attacker has accomplished all of these steps, you will see the screen that we started with in the beginning of the video: a ransomware note. Oftentimes they will have a little file or HTML document saying, "Hey, this is where you can get your decryption key; you have to send bitcoin to this address." As you can see, the files are now encrypted. This is a sample file on my desktop here. Ransomware deployments can occur from scheduled tasks, they could be from scripted deployments, GPO policy implementation, updates; it really depends on the attacker's technical, you know, ability and what they want to do. These are just a few examples of how ransomware has been deployed in the past. And there you have it: the computer has been compromised, and you can only hope that the company has sufficient backups and that the data has not been exfiltrated by the attackers before deploying the ransomware. As you can see, many companies fall victim to attacks like these in any given week and month.

09:09 So what happens now? Three words: prevention, detection and recovery. And then you also have education, and there's also other strategies. Strategies can be implemented through policy, awareness, and effectively being handled by a security team. There are strategies, technologies, tools and frameworks, anywhere from endpoint detection response to implementing email gateways. There are so many different tools an enterprise or company has in today's environment. So today I want to talk about one particular technology, and that is called network detection response, or NDR. Network detection response is a solution which continuously monitors and analyzes raw enterprise traffic. When suspicious activity or normal traffic patterns deviate from the norm, an NDR tool will alert the security teams of the potential threats within their environment. So backtracking to the previous scenario that we went through, an NDR tool would be able to analyze network traffic patterns and alert on any suspicious activity going on, and I'm gonna go ahead and break this down very quickly. I'm gonna go ahead and use a tool as an example; in this case it is today's sponsor, and you may be thinking, "You're just promoting some random tool," um, and that's really it, but ultimately Kemp Flowmon is a great example of a network detection response technology out there.

10:34 Let's go all the way back to the beginning of each of the steps, and I'm going to be using this tool as an example. When it comes to reconnaissance and discovery, the first phase of ransomware, Flowmon detects enumeration of active neighbor hosts on the network, and it performs detection of scans against discovered targets. Then step two, when the attacker is looking for initial access, maybe the attacker is trying to break a password within an account; well, Kemp Flowmon can detect brute forcing techniques on those users' credentials and report that to the proper team. Then when you get into execution, an attacker maybe is exploiting RDP credentials, as we talked about. Flowmon detects the use of RDP credentials, but it also can detect other installations of malicious software such as key loggers, or even the connection to a C2 server. When it comes to the discovery, persistence and privilege escalation phase, what's going to happen next is the attacker is going to split data into smaller chunks to simulate what normal corporate network traffic would look like, right? Well, they may be doing that through splitting up ICMP traffic, using the proper encryption. Flowmon can detect high amounts of data transfer. This is a critical step, and Flowmon can actually show what is going outside your network. When it comes to those command and control servers, C2 servers, and these connections, Flowmon can detect botnet commands and the commands that are sent to the C2 server. Finally, when the attacker deploys the ransomware and the attacker is encrypting the information, as we saw in the beginning of the video, Flowmon can detect network activity, which in this case would be high amounts of encryption, and alert the proper security team. And throughout each of those steps, a tool such as an NDR tool, Kemp Flowmon, can help you prevent, detect, recover and respond against those attacks within the chain.

12:35 So that is the steps of a prolific ransomware variant. So I appreciate Kemp Flowmon for sponsoring today's video. I also hope that you've learned something new about the steps that it takes for a ransomware variant to go through and compromise a network so that they can get a sufficient amount of data out, and then they can encrypt your files. So thank you very much for watching. If you've enjoyed, that's all I care to really ask for, and yes, until the next video, have a good day.