[BreachExchange] Inside a ransomware attack: From the first breach to the ransom demand

Destry Winant destry at riskbasedsecurity.com
Mon Jul 6 10:15:50 EDT 2020


https://www.zdnet.com/article/inside-a-ransomware-attack-from-the-first-breach-to-encrypting-a-network-in-just-two-weeks/

Security researchers have revealed the anatomy of a ransomware attack,
showing how cyber criminals gained access to a network and deployed
ransomware -- all in the space of just two weeks.

Researchers from tech security company SentinelOne examined a server
that was used by criminals in October last year to turn a small
security breach in a corporate network into a damaging Ryuk ransomware
attack. This sort of data can be vital in helping understand the
tactics and techniques used by attackers.

The network was initially infected with the Trickbot malware.

Once the network was breached by the Trickbot malware, the hackers
started to hunt around to find out what they had gained access to –
and how to make money out of it.

"Over the course of some time they dig around in the network and they
attempt to map it out and understand what it looks like. They have an
endgame, and their endgame is to monetise the data, the network, for
their illicit gain," SentinelOne researcher Joshua Platt told ZDNet.
"They already understand there is the potential for making money and
are looking to expand that leverage."

Once the hackers decided to exploit the network breach, they used
tools like PowerTrick and Cobalt Strike to secure their hold on the
network and explored further, searching for open ports and other
devices to which they could gain access. Then they moved on to the
ransomware phase of the attack.

From the initial TrickBot infection, through profiling the network, to
finally initiating the Ryuk malware attack took around two weeks, said
SentinelOne. "Going by the timestamps, we can guess the time period of
two weeks for dwell time," the company's blog post said.

Ryuk was first seen in August 2018 and has been responsible for
multiple attacks globally, according to the UK's National Cyber
Security Centre advisory from last year.

It's targeted ransomware: the ransom is set according to the victim's
perceived ability to pay, and it can take days or even months from the
initial infection to the ransomware being activated, because the
hackers need time to identify the most critical network systems. But
the NCSC said this delay also gives defenders a window of opportunity
to stop the ransomware attack from being triggered, if they can detect
that first infection.

According to the FBI, Ryuk is an extremely lucrative project for its
criminal developers, generating roughly $61m in ransom between
February 2018 and October 2019.

The success of Ryuk in forcing companies to pay ransoms means that the
crooks have a bulging war chest with which to hone their attacks.
"It's obviously going to increase; they have more money and more
ability now to hire even more talent," said Platt.

Ransomware also continues to evolve, Platt said: "When you look at the
beginning of ransomware, they would ransom personal computers for
$300, and now we are into the millions of dollars".

The next step, he said, would be more sophisticated extortion
attempts: "These guys are digging around in the networks they are
looking for the biggest possible thing they can extort companies
with."
