Ransomware: How Attackers are Breaching Corporate Networks

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding of how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.

Symantec, a division of?Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:

• Hive
• Conti
• Avoslocker

Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model, the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases, affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.

Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:

• Gain persistence on the network
• Escalate privileges
• Tamper with and evade security software
• Laterally move across the network

Initial Access

Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:

• Spear phishing leading to the deployment of malware, including but not limited to:

1. IcedID
2. Emotet
3. QakBot
4. TrickBot

• Taking advantage of weak RDP credentials
• Exploiting vulnerabilities such as:

1. Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
2. FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
3. Apache Log4j vulnerabily – CVE-2021-44228

In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.

Persistence

After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall.

Actors are also known to create additional users on compromised systems to maintain access. In some instances, we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted.

Discovery

During the discovery phase, the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:

• ADRecon – Gathers Active Directory information and generates a report
• Netscan – Discovers devices on the network

Credential Access

Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories.

In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory.

Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. On rare occasions, they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.

Lateral Movement

Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.

Defense Evasion

As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sccommands to disable or terminate them. In some cases, they also use tools like PC Hunterto end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.

Disabling the default Windows firewall is also one of the techniques we have seen being used by these ransomware families.

Impact

Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC.

Exfiltration

Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:

• https://anonfiles.com
• https://mega.nz
• https://send.exploit.in
• https://ufile.io
• https://www.sendspace.com

We have also seen attackers use the following tools for data exfiltration:

• Filezilla
• Rclone

Conclusion

The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.