Security researchers have published a close examination of a ransomware attack, showing just how criminals gain access to a network and deploy ransomware. The attackers can gain access and demand a ransom in a matter of only two weeks. So, time is of the essence.

In October last year, criminals used a server to turn a small security breach in a corporate network into a damaging Ryuk ransomware attack. Researchers from the security company SentinelOne were able to examine the server used by these criminals. Being able to investigate the data on that server is enormously helpful in uncovering the tactics and techniques used by the attackers.

Initially the network was infected with TrickBot malware. Subsequently, once inside the breached network, the attackers looked around to see how to make some money.

SentinelOne researcher Joshua Platt says, “over the course of some time they dig around in the network and they attempt to map it out and understand what it looks like. They have an endgame, and their endgame is to monetise the data, the network, for their illicit gain.” He stressed that attackers “already understand there is the potential for making money and are looking to expand that leverage.”

So, once the hackers decide to take advantage of their network breach, they go to work. Firstly, they use tools such as PowerTrick and Cobalt Strike to enable them to explore further and to secure their hold on the network. Secondly, they search for open ports and other devices that they can gain access to. Lastly, they move to the money-making phase of the attack: ransomware.

SentinelOne said, “going by the timestamps, we can guess the time period from the initial TrickBot infection, through profiling the network to finally initiating the Ryuk malware attack. It took only 2 weeks.”

According to the UK’s National Cyber Security Centre advisory from last year, Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally.

The ransom amount is calculated based on the victim’s perceived ability to pay. Most importantly, an attack can take days or perhaps months from start to finish. That is to say, hackers need time after their initial network breach to identify the most critical network systems before deploying the ransomware. Therefore, says the NCSC, this gives defenders a window of opportunity to stop the ransomware attack before it is triggered. Above all, it’s important that companies get better at detecting that initial breach, the first infection.

Ryuk is an extremely lucrative project for its criminal developers, according to the FBI. And no wonder when, between February 2018 and October 2019, Ryuk generated about $61 million in ransoms.

The ransom funds raised are a testament to the success of Ryuk, whose operators now have a treasure chest of cash at their disposal. This enables them to continue to hone their attacks. Platt warns, “it’s obviously going to increase; they have more money and more ability now to hire even more talent.”

Most importantly, says Platt, “when you look at the beginning of ransomware, they would ransom personal computers for $300, and now we are into the millions of dollars”. He warns that the next step will be even bigger, with more sophisticated extortion attempts. “These guys are digging around in the networks they are looking for the biggest possible thing they can extort companies with.”

The researchers give us some food for thought regarding ransomware attacks and just how quickly attackers move.