The Modern Ransomware Kill Chain

What would happen if an advanced attacker got into your network, took the time to move silently and explore until they found and gained access to your shared data, made and stole copies of it, and then encrypted it? How much might you have to pay in ransom and extortion fees? What would the operational and reputational costs of public downtime be? How much, if any, would your cyber insurance pay? Most importantly, how quickly would you detect it, what would be the blast radius if it happened, and how long would it take you to recover?

I’ve been part of ransomware discussions with organizations of all sizes and in every vertical for five or six years now. It’s been fascinating to see how these conversations have evolved over the years. Back then, we had to do a lot of education on just what ransomware was and how it worked. Attacks were indiscriminate and primarily relied on spray and pray—attackers hoped they’d be getting access to and encrypting anything valuable that would give them an opportunity to receive payment for the release of the data. The ransomware tools themselves were relatively primitive, which meant you could often get your data back with some googling if you were lucky or by just having good backups. It was disruptive but not often catastrophic. Varonis was in the middle of it since once attackers got past an endpoint and into the shared file servers, the data often had little to no protection or monitoring, a problem we are uniquely positioned to solve.

Why is ransomware different than five years ago?

The last year and a half or so has seen an explosion in big game cybercrime, where sophisticated threat actors have used ransomware as one part of a much more complex and dangerous kill chain. In these newer attacks, threat actors use a wide variety of complex techniques to get into a network and gain access to data. Encryption and ransom isn’t necessarily the primary goal—they’ll often hold data like PII or intellectual property hostage on top of encrypting it. “Pay me to get your data back and pay me again to prevent me from releasing it on the dark web.” Some companies have found that negotiating with criminals doesn’t work either. These attackers often have access to their internal financial records and know exactly how much a victim can pay. Prevention, detection, and effective remediation are all critical for the modern enterprise. The incentives, financial and otherwise, are so large that it’s not just script kiddies we’re defending against. It’s organized, sophisticated cybercriminal and nation-state actors using weapons and exploits built off valuable zero-day vulnerabilities to access vast amounts of enterprise data. If you’re only worried about the files on your company laptops, you’re years behind in this fight.

The modern ransomware kill chain looks, not surprisingly, much like the modern APT kill chain. Encrypting data is one of the last steps and not even necessarily the end goal. By the time your data gets encrypted, it might already be too late. Your data has probably already been copied by the attackers, and they’ve gotten to your backups too. Once the live data is locked down, the attackers are shouting at you that they’re there and ready to get paid. Since they want to make that as likely and profitable as possible, they’re not going to announce their presence until they’ve copied your data for themselves and made it as hard as possible for you to recover without paying them. That means getting in, moving silently throughout your network, getting access to as many systems and as much data as possible, exfiltrating data without being detected, deleting, encrypting, or otherwise making backups useless, and finally, locking down your files and leaving ransom notes behind. By the time you see that they’re there, it’s too late to do anything.

This means that the further up the kill chain you can detect a bad actor, the better off you are. Many organizations struggle to identify the actual encryption of data by a hijacked user or application account, let alone detect all the steps along the way that led to that account accessing that data in the first place. Some of these are easier to catch than others which is why defense in depth is so important. Let’s take a closer look at some of the phases of the kill chain.

Intrusion

To get access to data, an attacker first needs to get in. There are a few ways a modern threat actor can do this. We normally think first of phishing or spear phishing, where an attacker uses email or other means to trick an end-user into clicking a link and kicking off the attack. Email filtering and endpoint protection can be handy here, but it’s important to remember that it’s not the only way into your system. We’ve seen a lot of attacks avoid endpoints and end-user interaction entirely. Think of Sunburst from last year, where attackers leveraged a supply chain hack to get access to Solarwinds infrastructure without ever touching an endpoint. ProxyLogon, a few months later, similarly exposed on-premises Microsoft Exchange infrastructure. At the beginning of the pandemic, many organizations rushed to provide remote access to their employees and were forced into insecure methods like exposing Remote Desktop Protocol (RDP) on servers not normally exposed to the internet so that people could get to work.

Some attacks entirely bypass the traditional perimeter as well. Attackers could go after your public cloud infrastructure, for instance, using a malicious Azure application, and then use that access to traverse to on-prem systems. The key is that your endpoints and users are one vector for attack, but not the only ones. Attackers will probe whatever they can to get in.

Command and control

Once an attacker has a foothold, they’ll often beacon out to establish command so they can direct the attack more effectively from the outside. Primitive ransomware mainly behaved like a virus or worm in a completely automated way. Modern attacks are human-operated, giving attackers the freedom to use a much more sophisticated array of tools and techniques. Command and control relies on a connection to the outside world and will leverage the protocols already in place - DNS and HTTP, both of which, by definition, need to speak to the internet. We can’t turn off DNS without breaking our network, and while we can try to limit HTTP where possible, it’s still an effective command and control method in many attacks.

Would you know if a server started making DNS requests to a new external DNS server? What about HTTPS requests by a service account that had never made any? Both protocols are so inherently noisy that picking out a malicious signal can be incredibly difficult, even if you have the right kind of automated analysis in place.

Network recon

Once I’m inside and have control of a device, user, or system account, my next step as an attacker is to figure out what else I can gain access to. In the past, I might just encrypt that device and hope I get paid, but today, that’s ineffective, and if I’m in the network with command and control, I’ll use that to my advantage. What other servers can I potentially authenticate to? Where is there likely to be valuable data? What other accounts might present juicy targets?

DNS is useful here once again, since not only can it be used to turn a hostname into an IP address, I can go the other way and turn IP addresses into hostnames, which can often yield a lot of great recon for an attack. Are your file servers named something like fileserver01.companydomain.com? What about your domain controllers? If an attacker found NYDC01, they'd probably consider it a valuable target. How many would show up with a simple reverse DNS lookup of a subnet? Would you know if any device or account was making a series of DNS requests and returning hostnames?
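The two DNS questions above (a host talking to a new external resolver, and a device walking a subnet with reverse lookups) can both be answered from ordinary query logs. This is an added example, not code from the original post or from Varonis; the log format, the resolver list and the internal address range are assumed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample DNS query log (not real traffic); hypothetical format:
# "<ts_seconds> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1000 10.1.1.20 10.1.0.53 A fileserver01.corp.example
1001 10.1.1.20 203.0.113.7 TXT a2b3.c2.example
1002 10.1.1.21 10.1.0.53 PTR 1.2.1.10.in-addr.arpa
1003 10.1.1.21 10.1.0.53 PTR 2.2.1.10.in-addr.arpa
1004 10.1.1.21 10.1.0.53 PTR 3.2.1.10.in-addr.arpa
1005 10.1.1.21 10.1.0.53 PTR 4.2.1.10.in-addr.arpa
1006 10.1.1.22 10.1.0.53 PTR 20.1.1.10.in-addr.arpa
"""
APPROVED_RESOLVERS = {"10.1.0.53"}           # assumed sanctioned resolvers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

def parse_log(text):
    # One (ts, client, resolver, qtype, qname) tuple per log line
    events = []
    for line in text.splitlines():
        ts, client, resolver, qtype, qname = line.split()
        events.append((int(ts), client, resolver, qtype, qname))
    return events

def new_external_resolvers(events):
    """(client, resolver) pairs where a host sends DNS to a resolver that is neither approved nor internal."""
    hits = set()
    for _, client, resolver, _, _ in events:
        internal = any(ip_address(resolver) in net for net in INTERNAL_NETS)
        if resolver not in APPROVED_RESOLVERS and not internal:
            hits.add((client, resolver))
    return sorted(hits)

def ptr_sweeps(events, threshold=4, window=60):
    """Clients issuing >= threshold reverse (PTR) lookups inside any window-second span: a reverse-DNS subnet walk."""
    per_client = defaultdict(list)
    for ts, client, _, qtype, _ in events:
        if qtype == "PTR":
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged
```

In the constructed log, 10.1.1.20 is flagged for talking to 203.0.113.7 and 10.1.1.21 for four reverse lookups in five seconds; the single PTR query from 10.1.1.22 stays under the threshold.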

Active Directory is another great tool here for an attacker. Are there any service accounts accessible to me? Hint: yes, there are. Are any of those service accounts also in privileged groups that give them admin access? Hint: yes, probably. Are any user accounts governed by a password policy (or the lack of one) that leaves them with weak passwords? A few straightforward queries to the domain controller will tell an attacker all of this with relative ease.

Privilege escalation

Getting access to sensitive data sometimes doesn’t require any privilege escalation at all—20% of the file data in the average enterprise is open to every user and service account. If I really want this attack to pay dividends, though, getting access to a privileged account like an administrator will make that a whole lot easier. The more accounts an attacker can access—or even create—the more persistent they can be. Here we often see techniques like password sprays where multiple login and password combinations for likely account targets are tried. Attackers often go low and slow here, being careful not to trip alarms that fire based on event thresholds or trigger account lockouts. One example of how damaging this can be was with a variant of the Qbot malware from a couple of years ago that used a relatively simple dictionary of 12 logins and 300 passwords to escalate privileges successfully in thousands of environments.
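A low-and-slow spray is invisible to a per-account lockout counter but obvious when failures are grouped by source. This added example (not from the original post) shows both views over a constructed authentication log; the log format, the lockout value and the spray thresholds are assumptions.

```python
from collections import defaultdict
# Constructed authentication log (not real data); hypothetical format:
# "<ts_minutes> <source_ip> <user> <result>"
SAMPLE_AUTH = """\
0  10.1.1.50 alice FAIL
1  10.1.1.50 alice OK
0  10.1.1.77 svc_backup FAIL
10 10.1.1.77 svc_sql FAIL
20 10.1.1.77 admin FAIL
30 10.1.1.77 administrator FAIL
40 10.1.1.77 svc_web FAIL
50 10.1.1.77 helpdesk FAIL
60 10.1.1.77 bob OK
"""
LOCKOUT_THRESHOLD = 5   # assumed per-account lockout policy the spray stays under

def parse_auth(text):
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((int(ts), src, user, result))
    return events

def max_failures_per_account(events):
    """What a per-account lockout counter sees: failures grouped by user."""
    counts = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            counts[user] += 1
    return max(counts.values(), default=0)

def spray_sources(events, min_accounts=5, window=120):
    """Sources failing against >= min_accounts distinct users within any window-minute span."""
    per_source = defaultdict(list)   # source -> [(ts, user)]
    for ts, src, user, result in events:
        if result == "FAIL":
            per_source[src].append((ts, user))
    flagged = {}
    for src, attempts in per_source.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged

def lockout_would_fire(events):
    """True only if the per-account threshold alone would have caught it."""
    return max_failures_per_account(events) >= LOCKOUT_THRESHOLD
```

Every account in the constructed log fails at most once, so no lockout fires, yet 10.1.1.77 is flagged for touching six different accounts in under an hour.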

Lateral movement

Since the data an attacker wants probably isn’t sitting on the device they initially got control of, either a laptop or compromised server, they’ll want to move laterally and get access to the good stuff stored on shared repositories. This highlights another key change in the last few years - in the past, there were often many highly valuable files on endpoint devices like laptops that were worth encrypting, and that data may often not have been backed up.

These days, two things have changed that make stopping at the laptop mostly pointless for an attacker. First, devices are usually backed up often, so encryption is now just an inconvenience. Users can hop to another device and get to work while their laptop is restored. That’s possible because of the second change - endpoint devices, like laptops, aren’t really data stores any more. Your laptop is much more like your phone: data is stored somewhere else, and your device is just an access point. While some data might sync to the laptop for convenience, an attacker needs to find the shared data to do any real damage and get paid.

How much of your ransomware defense is focused on perimeters and endpoint defense? If an attacker can bypass your endpoint or use it as a stepping stone to other data, how quickly would you know about it?

Data access

Here’s where the rubber meets the road in these attacks. No one breaks into a bank to steal the pens—they’re after the money. Attackers are breaking into your network to get access to data. These days, the data that ransomware affects—files like documents, spreadsheets, and presentations that can contain important information like PII, intellectual property, and data critical to an application—are stored all over the place both on-premises and in the cloud.

In the past, as soon as a ransomware worm got access to data, it would encrypt. That was still tricky to catch because so many of these files are often unmonitored, or it is hard to tell when someone is behaving strangely. These days, access is only the first step. Clever attackers go low and slow and silently find as much valuable data as they can. They work to understand what’s in the files so that when they encrypt, they can be sure a victim will need to pay. They’ll also use the information they find, like financial records, as part of the attack to help ensure they’ll get paid. If the attacker knows exactly how much cash you have on hand, it’s hard to claim you can’t afford the ransom. Would you know if an account, human or machine, started accessing data it had never seen before, especially if it was using someone else’s device?

Exfiltration

In the past, encryption was the endgame. An attacker locks down your files and hopes they’ve hit something valuable enough, either because of what it contains or because of a process it breaks (or both) that you’ll pay them to get the keys to unlock your files. If you were lucky, you might have backups that would save you. These days, attackers will steal the data—sending themselves copies—first. That way, no matter what backups you might have, they still have leverage over you.

Exfiltration can happen in a variety of ways that can be tough to catch. Personal email services, cloud file applications, and DNS tunnels are all common. Sometimes we can catch this step, and often we cannot. And even if you do catch it, how quickly would you be able to figure out what the attackers have access to and where they are in your network?

Denial of service to data and backups

Here’s where an attacker puts the ransom in ransomware—locking down your files so they can force you to pay to get them back. These days, attackers will often go the extra mile to ensure that backups are useless as well. Because the encryption is on shared data on huge file servers, an attack can take out massive amounts of data and cause a considerable business disruption. Even if backups are available, it can take days or weeks to restore data, and even then, some data could still be lost as a result of restoring old backups.

How quickly would you know if an account started encrypting shared data? How confident are you that your backups would save you in the event of a real disaster? And how long would it take to recover? Often we don’t have a good record of what was actually touched, so we need to do huge restores even if we catch the attack in time and limit the blast radius.
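Both questions above, spotting an account that starts rewriting shared files and knowing afterwards exactly what it touched, can be answered from a file-share audit trail. This is an added example, not code from the original post or from Varonis; the audit record format, the extension-change heuristic and the thresholds are assumptions.

```python
import os
from collections import defaultdict

# Constructed file-share audit trail (not real data); hypothetical format:
# "<ts_seconds> <account> <op> <path> [<new_path>]" with forward-slash paths
SAMPLE_AUDIT = """\
100 alice WRITE /fs01/finance/q3.xlsx
101 alice RENAME /fs01/finance/draft.docx /fs01/finance/final.docx
200 svc_print WRITE /fs01/shared/a.docx
200 svc_print RENAME /fs01/shared/a.docx /fs01/shared/a.docx.locked
201 svc_print WRITE /fs01/shared/b.pptx
201 svc_print RENAME /fs01/shared/b.pptx /fs01/shared/b.pptx.locked
203 svc_print WRITE /fs01/hr/c.xlsx
203 svc_print RENAME /fs01/hr/c.xlsx /fs01/hr/c.xlsx.locked
204 svc_print WRITE /fs01/hr/d.pdf
204 svc_print RENAME /fs01/hr/d.pdf /fs01/hr/d.pdf.locked
"""

def parse_audit(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        new_path = parts[4] if len(parts) > 4 else None
        events.append((int(parts[0]), parts[1], parts[2], parts[3], new_path))
    return events

def ext(path):
    return os.path.splitext(path)[1].lower()

def mass_rewrite_alerts(events, min_files=4, window=30):
    """Accounts that rename >= min_files files to a new extension within any
    window-second span, plus every path that account wrote or renamed, so the
    restore scope is a list rather than a guess."""
    renames = defaultdict(list)   # account -> [(ts, original path)]
    touched = defaultdict(set)    # account -> paths written or renamed
    for ts, account, op, path, new_path in events:
        if op in ("WRITE", "RENAME"):
            touched[account].add(path)
        if op == "RENAME" and ext(new_path) != ext(path):
            renames[account].append((ts, path))
    alerts = {}
    for account, hits in renames.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            burst = [p for t, p in hits[i:] if t - t0 <= window]
            if len(burst) >= min_files:
                alerts[account] = {"count": len(burst), "touched": sorted(touched[account])}
                break
    return alerts
```

Alice's ordinary rename keeps its extension and is ignored; svc_print's four extension-changing renames in five seconds raise an alert that already carries the list of originals to restore.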

Extortion

One last thing to keep in mind is that even if you can catch or quickly recover from the ransomware itself, that might not be the end of it. Many of these attacks, like the ones perpetrated by Darkside earlier this year, also involve extortion. Attackers will not only ask for money to let you decrypt the data, they’ll ask for more to prevent the release of some or all of it to the dark web or publicly. That means even if you can recover from the ransomware itself, you might still be the victim of a damaging data breach.

What’s next?

There’s a lot to unpack here and a lot I’m not even getting into. Ransomware has been an information security boogeyman for years now, but not everyone yet appreciates how it has evolved. Yes, perimeter and endpoint defenses matter, but preventing, detecting, and recovering from ransomware these days requires much more defense in depth. I’m curious what you all think. If you were hit with something like this, what do you think would work well? What wouldn’t?

  • What’s easiest to catch? How quickly would you know about it if something gets past your perimeter, and what alarms would likely trigger?
  • On the other hand, what’s the hardest? Where are our defenses often shallow?
  • What are the best preventative measures from a cost/benefit standpoint? We can’t delete all the shared data, so what defenses give us the most bang for the buck?

I hope all of this makes a bit of sense and I'd love to hear any thoughts or feedback.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year

Brian, thanks for sharing!

Garren Somers

hibernating for winter

3 years

interesting read. I think the easiest thing to spot these days is the initial execution/C2 callout. "Next Gen" EDR tools do a good job of catching malicious binaries and unusual process combinations on local machines, whether they're drive-by downloads or delivered through phishing. This can be caught early with good monitoring and a qualified SOC. There are always zero-days to consider but from my viewpoint that is a separate problem; risk and vulnerability management teams can focus on patch plans while SOC teams address real time threats. I think the easy answer for "most difficult to spot" is exploitation of zero days or these wild supply chain takeovers (since they border on impossible to spot anywhere but within the vendor's code management pipeline until they're already wreaking havoc), but I think the right answer is the file encryption/file change events themselves. Who's watching those? Often no one, and if anyone is it typically isn't security/SOC teams. I think a good question to ask in addition to "how to catch the behavior" is "how will you respond if you do?". If you aren't ready to react 24x7x365, you might find yourself in the "it's already too late" boat by the time people are working to correct the problem.
