OpenBCM V1.07b11 (WIN32)

Packet Radio Mailbox

DBO595

[LAU JN59RM]

 Login: GAST


HB1NOS > TECH     23.11.19 11:01l 36 Lines 3459 Bytes #999 (0) @ WW
BID : 4231_HB1BBS
Read: GAST
Subj: Understanding how ransomware attacks breach and ma
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 191122/2021Z 4231@HB1BBS.ZL.NLD.EU BPQ6.0.19

Understanding how ransomware attacks breach and maintain control over their targets
November 18, 2019 | Malware and Vulnerabilities 

Modern ransomware strains use a combination of AES and RSA encryption to prevent any recovery attempt.
Attackers sign the ransomware with a fake or stolen Authenticode certificate to avoid detection by existing anti-malware tools.
An individual or a group of people who experience a slowdown of a system, followed by loss of access to documents and files that were previously available, are likely under a ransomware attack. The other symptom of a ransomware attack is a complete hijack of a network or system, with a ransom message displayed that confirms the fear.

If you're a curious personality witnessing the event, you'd hear yourself asking, for once: how did they do it?

How do they do it?

Ransomware attacks target firms of all sizes, depending upon what the attackers' motives are: blackmail, extortion, reputation damage, revenge, etc. The steps in a typical ransomware attack are infection, security key exchange, encryption, extortion, and unlocking, in that order.

Recently, research by Sophos highlighted the common bypass techniques of prominent crypto-ransomware families, which we discuss below. Also, these attacks are typically timed in the middle of the night (when the IT staff is unavailable) for uninterrupted deployment of the malware.

Malicious code signing

Actors sign their ransomware with an Authenticode certificate, which may be either stolen from a Certificate Authority or a duplicate (fake) one. This helps disguise the ransomware as a safe, legitimate program and avoid detection by an anti-malware program or by the Windows operating system.

Privilege escalation and lateral movement

Attackers first exploit vulnerabilities at endpoints and abuse existing Windows tools, as well as open-source security or penetration testing tools, to conduct reconnaissance.
Then, adversaries attempt to elevate their privileges to reach high-value targets. For that, they use post-exploitation tools to harvest a local domain administrator's credentials.
It is then an easy task to map the Active Directory domain and determine the location of valuable targets and of the file servers used for data backups, for which a victim is more likely to agree to pay a ransom.
Also, attackers leverage malicious scripts to automatically distribute the ransomware to other endpoints and servers in the network, thereby making the attack even more severe.

Network first

As noted by the researchers, the ransomware typically targets one or more compromised endpoints, and often it also infects the file servers. The objective here is to encrypt as many documents as possible.
Therefore, attackers first encrypt the network drives, as these provide access to the business documents stored on one or more central file servers.

File renaming and file encryption

Renaming a document or a file is an important step in the attack, as it helps prevent double encryption of files and gives visibility to the attack.
Renaming can be done either prior to encryption or post-encryption; it depends on the ransomware family.
Many modern ransomware families, such as Petya, WannaCry, Locky, and others, use a combination of AES and RSA encryption to secure their malware against the victims' recovery attempts.
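As an added defender-side example (not code from the article or from Sophos), the following Python sketch detects the rename-then-encrypt pattern described above by looking for a process that, in a short window, renames many files to a new extension and writes near-random (high-entropy) data to them. The event schema, process names and share paths are constructed assumptions, not real telemetry.

```python
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office documents sit well below 7.5, AES output near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_encryption_bursts(events, window=timedelta(seconds=60), min_files=5, threshold=7.5):
    """Flag processes that, within one window, rename >= min_files files to a new
    extension AND write high-entropy data to >= min_files files. This is the
    rename-then-encrypt pattern from the article. Returns {process: sorted paths}."""
    renames, writes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["action"] == "rename":
            if ev["path"].rsplit(".", 1)[-1] != ev["new_path"].rsplit(".", 1)[-1]:
                renames[ev["process"]].append((ev["time"], ev["new_path"]))
        elif ev["action"] == "write" and shannon_entropy(ev["data"]) >= threshold:
            writes[ev["process"]].append((ev["time"], ev["path"]))
    hits = {}
    for proc, rn in renames.items():
        for t0, _ in rn:                       # slide a window starting at each rename
            r = {p for t, p in rn if t0 <= t <= t0 + window}
            w = {p for t, p in writes[proc] if t0 <= t <= t0 + window}
            if len(r) >= min_files and len(w) >= min_files:
                hits[proc] = sorted(r | w)
                break
    return hits

def sample_events():
    """Constructed telemetry, not real logs: one editor saving a document, plus a
    hypothetical process mass-renaming and overwriting six files on a share."""
    rng = random.Random(1)                     # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    plaintext = b"Quarterly revenue summary, draft for review. " * 90
    t = datetime(2019, 11, 18, 2, 0, 0)        # night-time run, as the article notes
    events = [{"time": t, "process": "WINWORD.EXE", "action": "write",
               "path": r"\\files\share\memo.docx", "data": plaintext}]
    for i in range(6):
        src = rf"\\files\share\report{i}.docx"
        events.append({"time": t + timedelta(seconds=i), "process": "susp.exe",
                       "action": "rename", "path": src, "new_path": src + ".locked"})
        events.append({"time": t + timedelta(seconds=i, milliseconds=500),
                       "process": "susp.exe", "action": "write",
                       "path": src + ".locked", "data": ciphertext})
    return events
```

Calling `detect_encryption_bursts(sample_events())` flags only the hypothetical `susp.exe` with its six `.locked` paths; the ordinary document save is left alone because its content is low-entropy and no extension changed.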

