The ransomware hacker’s toolkit

appgate
Mike Sentonas, CTO at CrowdStrike looks at the ransomware hacker’s toolkit and how it is vital that companies understand more about the modus operandi of cyber criminals.

Ransomware remains one of the most lucrative forms of cybercrime around. Even with ransomware attacks and breached databases a daily occurrence, unless you’ve been through an attack it’s hard to appreciate how difficult it is. And ransomware threat actors are continually updating and improving their intrusion and cybersecurity evasion techniques. It is vital that companies understand more about the modus operandi of cyber criminals, allowing them to tighten their defenses in turn.

What happens during a ransomware attack?

There are several vectors cyber criminals can take to access an organization’s systems. One of the most tried, tested and effective methods is phishing. The aim of phishing is to lure employees, the more senior, the better, into believing that they are receiving an email or message from a legitimate organization. From here, the goal is to convince the victim to volunteer their login details.

This is the perfect scenario for the attacker, when they log into a company system using stolen but genuine credentials, their opportunity to traverse the network undetected is immense.

Cyber criminals will then begin to increase their access across the company’s system until they reach their target. This means that all of the company’s data and files can be observed, analyzed and when threat actors come across valuable information such as essential databases, exfiltrated. Having stolen this data, they’ll encrypt the disk so that the victim has no access to their own files.

Adversaries will then contact the victim and threaten to release the organization’s sensitive information to the public and/or competitors unless their payment demands are met. This approach is sometimes referred to as extortionware.

However, as malicious and sophisticated as this sounds, ransomware bad actors have actually developed a variety of new and even more difficult to detect techniques.

The new tools and techniques deployed by cyber criminals

One of the main reasons ransomware has continued to run rampant for over 15 years is its ever-evolving nature. Cyber criminals are constantly adapting – and ‘bad files’ downloaded by incautious users are no longer the main danger to be concerned about. Today’s sophisticated attacks involve human cyber criminals, using a blend of specialist tools, network utilities that are already installed and everyday apps. Some of the tools used to compromise systems and exfiltrate valuable data were even originally designed to help guard networks.

Ingress tool transfer is a method commonly used after the criminal has compromised a system and granted themselves access. This process is used to expand the criminal’s foothold by transferring files or tools from external sources into the company’s system. The notable aspect of this technique is that criminals will prefer to use legitimate, native tools that allow them to carry out their operation without triggering security software detection. For example, some cyber criminals have transferred over the windows version of the ‘wget’ utility that allowed them to download a web shell and a scanning tool to aid in their data exfiltration process.

Phishing and other email-based attacks are a fairly well-known phenomenon to IT staff. The idea that an email attachment can result in a damaging cascade of cyber events is rudimentary knowledge. Adversaries will also research the target in advance to learn which communication methods are available or likely to succeed.

These details are then used to craft a tailored and convincing message. In some cases, bad actors will even use verbal communications – referred to as “vishing”. The reason for this is because many cyber security solutions focus on the email phishing threat so, to avoid detection, bad actors are now using other, less monitored communication channels.

Once the threat actors have located an enterprises’ valuable data, they need to find a way to collect this information without arousing suspicion or detection. The screen capture technique allows ransomware criminals to capture sensitive information from a victim’s system by taking a single screenshot at one point in time or scheduling them at regular intervals.

Similar to the techniques used above, screen capture can be done by using existing, native and legitimate system features, making them difficult to detect. To view documents and screenshots, criminals are happy to use the humble and venerable Notepad and MS Paint apps. Tools that are guaranteed to be present on targeted computers are much preferred to risking detection through the introduction of new software.

How to combat the ever-evolving ransomware threat

Knowing and understanding the new tools and techniques adversaries are using is just the first step to protecting a company from a ransomware attack. The key is to have the right tools for the job. Enterprises need to be adopting new-age protective measures and cybersecurity practices. 

As a baseline, enterprises need to establish control over the software running in their environment, eliminate unneeded software and keep their environment up-to-date with the latest patches. In addition, it is crucial that full endpoint protection, including next-generation antivirus (NGAV) and endpoint detection and response (EDR), is deployed across all endpoints.

NGAV uses machine learning intelligence and data analysis to detect patterns of behavior used by threat actors, which means that unknown threats can be anticipated and prevented. Also, EDR is the process of continuously recording and analyzing any action on the endpoint, creating a complete data model and allowing any indicators of attack to be spotted and stopped.

The next and most crucial stage is the human element. EDR should then be passed over to specialized threat hunting teams that can detect hidden attacks and new techniques, as mentioned above, that may have been missed during the automated process. 

READ MORE:

Ransomware threat actors are constantly evolving. Organizations that remain at a standstill and refuse to move with the times to keep up with the criminals will continue to fall victim to these ever-changing and devastating attacks. Practicing good cyber security hygiene and upgrading to the latest cybersecurity solutions is crucial to safeguarding against these new ransomware methods of attack. 

About Mike Sentonas

Mike Sentonas is CrowdStrike’s Chief Technology Officer. Previously, he served as Vice President, Technology Strategy at CrowdStrike. With over 20 years’ experience in cybersecurity, Mike’s most recent roles prior to joining CrowdStrike were Chief Technology Officer – Security Connected and Chief Technology and Strategy Officer APAC, both at McAfee (formerly Intel Security). Mike is an active public speaker on security issues and provides advice to government and business communities on global and local cyber security threats.

He is highly sought-after to provide insights into security issues and solutions by the media including television, technology trade publications and technology centric websites. Michael has spoken around the world at numerous sales conferences, customer and non-customer conferences and contributes to various government and industry associations’ initiatives on security. Michael holds a bachelor’s degree in computer science from Edith Cowan University, Western Australia and has an Australian Government security clearance.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Mike Sentonas

Mike Sentonas is the CTO at CrowdStrike

In this together: how the crowd can help.

Matt Cooper • 22nd November 2022

Matt Cooper, the Chief Commercial Officer at Crowdcube, explains that if businesses can communicate their purpose and vision clearly, founders can mobilise a passionate community of investors to help them on their journey.