Table of Contents
What is Ransomware and What is RaaS?
Ransomware is a type of malware that is designed to encrypt a victim's files or lock them out of their computer, rendering their data inaccessible, and then demand payment (usually in cryptocurrency) in exchange for the decryption key or access to the data. The attacker typically threatens to destroy or permanently delete the data if the ransom is not paid within a specific timeframe. Ransomware can be delivered to a victim's computer through various means, including email attachments, phishing emails, malicious websites, or by exploiting vulnerabilities in software or systems. Ransomware attacks can cause significant damage to individuals or organizations by disrupting operations, causing data loss, and exposing sensitive data to unauthorized parties.
Ransomware-as-a-Service (RaaS) is a type of cybercrime in which the operators of ransomware offer their malicious software as a service to other attackers, who use it to launch ransomware attacks against targets. RaaS allows even inexperienced attackers to launch sophisticated attacks, as the operators of the service provide the ransomware and the necessary infrastructure to conduct the attack.
The main difference between conventional ransomware and RaaS is the business model.
- Conventional ransomware attacks are typically carried out by a single attacker or group of attackers who develop the malware, select the targets, and conduct the attack themselves.
- In contrast, RaaS provides a platform for multiple attackers to use the same malware, often with different configuration options, and share the profits with the operator of the service.
The steps involved when a malicious actor utilizes RaaS to attack an organization can vary depending on the specific service used, but the general process involves the following:
- Gaining a foothold: The attacker gains initial access to the target's network through phishing emails, vulnerable software, or other means.
- Lateral movement: The attacker moves laterally through the network, seeking out valuable assets, often using stolen credentials or known exploits to gain additional access.
- Persistence: The attacker establishes persistence on the network by creating backdoors or other methods to maintain access even if initial entry points are closed.
- Data exfiltration: The attacker identifies valuable data and exfiltrates it from the network, often using encryption or other methods to avoid detection.
- Ransomware deployment: The attacker deploys the ransomware on the target's network, often using automated tools to encrypt data and demand a ransom payment.
To evade detection and increase the chances of success, attackers who use RaaS employ various evasion techniques throughout the attack.
- One of the primary evasion techniques used by attackers is to make the ransomware file less detectable to antivirus software. Attackers do this by using various obfuscation techniques to hide the malware's true nature. They may change the file's name, encrypt the ransomware file, or insert it into an innocent-looking file or archive. The attacker may also split the ransomware file into smaller pieces to avoid detection by antivirus software.
- Another technique is to use legitimate software or tools during the attack. Attackers use these tools to move laterally throughout the network or steal data without setting off any alarms. By using these tools, the attackers can blend in with normal network traffic and avoid detection. For example, they may use tools such as Mimikatz to harvest credentials or Cobalt Strike to move laterally within the network.
- The use of multiple payloads is also a common technique used by attackers. By using several different ransomware payloads, the attacker increases the likelihood of success by bypassing security measures and increasing the chances of at least one payload successfully deploying. Additionally, the use of multiple payloads makes it more difficult for security teams to detect the specific ransomware variant used in the attack.
Double and triple extortion attacks are techniques used by attackers to increase their chances of receiving a ransom payment. In a double extortion attack, the attacker not only encrypts the victim's data but also threatens to release it publicly unless the ransom is paid. This puts additional pressure on the victim to pay the ransom to avoid damage to their reputation or legal consequences. In a triple extortion attack, the attacker adds a third element, threatening to contact regulatory agencies to report the data breach unless the ransom is paid. This is often effective because the victim is concerned about both financial and legal consequences, increasing the pressure to pay the ransom.
Overall, RaaS has made it easier for attackers to launch sophisticated attacks against organizations, and the use of double and triple extortion attacks has increased the effectiveness of ransomware as a tool for extortion.
General Ransomware Prevention Recommendations
- Develop a Comprehensive Incident Response Plan:
- The first and most important step is to develop an incident response plan that outlines the steps to be taken in the event of a ransomware attack. This should include roles and responsibilities of team members, communication channels, backup and recovery procedures, and incident escalation procedures.
- Implement Network Segregation:
- Use network segmentation to divide the network into smaller sub-networks, each with its own security controls
- Restrict access between sub-networks to prevent lateral movement of ransomware
- Implement firewalls, virtual local area networks (VLANs), and access controls to limit access to sensitive systems and data
- Implement Privileged Access Management:
- Implement a least privilege model for access control, limiting users to only the permissions they need to do their job
- Monitor and log privileged user activity, including the use of administrative tools and system changes
- Implement Multifactor Authentication:
- Implement multifactor authentication for all remote access to corporate resources
- Implement controls such as location additional context and number matching to help prevent MFA bypass attacks
- Utilize impossible travel notifications to detect and usual user logins
- Implement Security Information and Event Management (SIEM):
- Implement a SIEM system to monitor network traffic, log files, and system events
- Configure the SIEM to alert on suspicious activity, such as unusual login attempts or file access
- Use the SIEM to collect and analyze data to detect ransomware attacks in progress
- Conduct regular employee training:
- Employees are often the weakest link in a company's cybersecurity defenses.
- Conduct regular training sessions to educate employees about ransomware attacks, how to identify suspicious emails or links, SMS messages and phone calls and the importance of not opening unknown attachments or links.
- Ensure Helpdesk staff have an effective method for identifying staff members from malicious actors impersonation
- Keep systems up to date:
- Keep all systems and software up to date with the latest security patches and updates. This includes not only operating systems but also third-party software and applications.
- Use endpoint protection:
- Install and maintain endpoint protection software on all devices to detect and block ransomware attacks before they can infect the system.
- Back up critical data and test backups:
- Regularly back up all critical data to an offline, secure location that is not connected to the main network. Test backups regularly to ensure they can be restored in the event of an attack.
- Develop a recovery plan:
- Develop a recovery plan that includes the steps to restore data and systems in the event of an attack.
Helpful Open Source Blue Team Tools For Detection & Prevention of Ransomeware Attacks
There are many open source tools available that can be used by blue teams to detect and prevent ransomware attacks. Here is a small subset of some of the more popular tools.
- OSSEC: This host-based intrusion detection system can be used to monitor file system changes, detect rootkits and other malware, and alert security personnel when suspicious activity is detected.
- Snort: A popular network intrusion detection system, Snort can be used to monitor network traffic for signs of ransomware activity and trigger alerts when it detects potential threats.
- Bro/Zeek: A powerful network analysis framework, Bro/Zeek can be used to capture and analyze network traffic, detect anomalies, and identify potential ransomware attacks.
- Suricata: Another network intrusion detection system, Suricata is designed to detect a wide range of threats, including ransomware, and can be used to analyze network traffic in real-time.
- YARA: A pattern-matching tool, YARA can be used to search for specific patterns in files and directories for Indicators of Compromise (IOCs), making it useful for identifying ransomware or other malicious code.
- Process Hacker: This process monitoring tool can be used to monitor running processes on Windows systems, making it useful for identifying ransomware that may be running in the background.
- Wazuh: An open source security monitoring platform forked from OSSEC, Wazuh can be used to detect ransomware attacks, as well as other types of threats, on both hosts and networks.
- MISP: A threat intelligence platform, MISP can be used to share information about known ransomware threats and indicators of compromise (IOCs) with other security teams.
- TheHive: A security incident response platform, TheHive can be used to manage and respond to ransomware attacks, as well as other types of security incidents.
Typical Ransomware TTPs
TTPs, or Tactics, Techniques, and Procedures, are a set of methodologies and practices used by threat actors to conduct cyber attacks. TTPs are a critical component of understanding and defending against cyber threats because they provide insights into the behavior and techniques of threat actors. Resource: https://cybersecurityworks.com/blog/ransomware/all-about-lockbit-ransomware.html TTPs are typically classified into the following categories:
- Tactics: The overarching goals or objectives that an attacker seeks to achieve during a cyberattack, such as gaining access to a system, exfiltrating data, or disrupting operations.
- Techniques: The specific methods and tools used by an attacker to achieve their objectives, such as exploiting vulnerabilities, using social engineering tactics, or leveraging malware.
- Procedures: The detailed steps and processes used by an attacker to carry out their techniques and achieve their objectives, such as the order in which they execute commands, the specific tools they use, and the tactics they employ to evade detection.
MITRE ATT&CK is a framework that systematically outlines tactics and techniques used by threat actors during various stages of a cyberattack. The following is a list of common tactics and techniques utilized in a typical ransomware attack like LockBit, based on the MITRE ATT&CK framework:
- Tactic: Initial Access
- Technique: Spearphishing Link
- Technique: Spearphishing Attachment
- Technique: Drive-by Compromise
- Technique: Exploit Public-Facing Application
- Tactic: Execution
- Technique: Powershell
- Technique: Command-Line Interface
- Technique: Scripting
- Technique: Scheduled Task
- Tactic: Persistence
- Technique: Scheduled Task
- Technique: Service Registry
- Technique: New Service
- Tactic: Privilege Escalation
- Technique: Bypass User Account Control
- Technique: Exploitation for Privilege Escalation
- Technique: Hooking
- Technique: Service Registry Permissions Weakness
- Tactic: Defense Evasion
- Technique: Hidden Files and Directories
- Technique: Deobfuscate/Decode Files or Information
- Technique: Modify Registry
- Technique: Process Injection
- Tactic: Credential Access
- Technique: Brute Force
- Technique: Input Capture
- Technique: Windows Admin Shares
- Tactic: Discovery
- Technique: Query Registry
- Technique: System Information Discovery
- Technique: System Network Connections Discovery
- Technique: File and Directory Discovery
- Tactic: Lateral Movement
- Technique: Remote Services
- Technique: SMB/Windows Admin Shares
- Technique: Pass the Hash
- Technique: Remote Desktop Protocol
- Tactic: Collection
- Technique: Data Encrypted
- Technique: Data Compressed
- Technique: Data Staged
- Tactic: Command and Control
- Technique: Standard Application Layer Protocol
- Technique: Commonly Used Port
- Technique: Data Encoding
- Technique: Multi-hop Proxy
- Tactic: Exfiltration
- Technique: Data Encrypted
- Technique: Exfiltration Over Command and Control Channel
- Technique: Exfiltration Over Alternative Protocol
- Technique: Exfiltration Over Physical Medium
It's important to note that the specific tactics and techniques utilized in a ransomware attack like LockBit can vary, depending on the particular attack and the goals of the threat actor behind it.
What’s MITRE ATT&CK?
ATT&CK is largely a knowledge base of adversarial techniques — a breakdown and classification of offensively oriented actions that can be used against particular platforms, such as Windows. Unlike prior work in this area, the focus isn’t on the tools and malware that adversaries use but on how they interact with systems during an operation.
ATT&CK organizes these techniques into a set of tactics to help explain to provide context for the technique. Each technique includes information that’s relevant to both a red team or penetration tester for understanding the nature of how a technique works and also to a defender for understanding the context surrounding events or artifacts generated by a technique in use.
Tactics represent the “why” of an ATT&CK technique. The tactic is the adversary’s tactical objective for performing an action. Tactics serve as useful contextual categories for individual techniques and cover standard, higher-level notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data.
Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to gain access to useful credentials within a network that can be used later for lateral movement. Techniques may also represent “what” an adversary gains by performing an action. This is a useful distinction for the Discovery tactic as the techniques highlight what type of information an adversary is after with a particular action. There may be many ways, or techniques, to achieve tactical objectives, so there are multiple techniques in each tactic category.
Another important aspect of ATT&CK is how it integrates cyber threat intelligence (CTI). Unlike previous ways of digesting CTI that were used primarily for indicators, ATT&CK documents adversary group behavior profiles, such as APT29, based on publicly available reporting to show which groups use what techniques.
ℹ️ More About MITRE ATT&CK
The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do. The Navigator doesn't care - it just allows you to manipulate the cells in the matrix (color coding, adding a comment, assigning a numerical value, etc.). We thought having a simple tool that everyone could use to visualize the matrix would help make it easy to use ATT&CK.
Live Version: https://mitre-attack.github.io/attack-navigator/
The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base - e.g. showing just those techniques for a particular platform or highlighting techniques a specific adversary has been known to use. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.
#1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques. You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases, ATT&CK is not perfect. Furthermore, not everything is documented in ATT&CK.
🔧 MITRE ATT&CK Tools & Resources
Can Files From Ransomware Be Decrypted?
In some cases, it is possible to decrypt files that have been encrypted by ransomware. However, this depends on a number of factors, including the type of ransomware, the strength of the encryption used, and the availability of a decryption tool or key.
Some types of ransomware use weak encryption algorithms, which can be cracked by security researchers or decryption tools. However, more sophisticated ransomware may use strong encryption algorithms, such as AES-256, which cannot be easily decrypted without the decryption key.
While there are some solutions that may help with file decryption; decryption software or keys may not always be available or effective in recovering data. However, there are some resources can be use to try and find decryption solutions. Here are a few options:
- No More Ransom: This is a joint project between law enforcement agencies and cybersecurity companies that aims to provide free decryption tools and information for ransomware victims. Their website offers a range of decryption tools for various types of ransomware.
- ID Ransomware: This website allows you to upload a sample of the ransomware that has infected your system, and it will attempt to identify the type of ransomware and provide information about it, including whether there are any known decryption tools available.
- Emsisoft: This cybersecurity company has developed a number of ransomware decryption tools, which are available for free on their website. They also offer a service where you can submit encrypted files and receive a quote for a custom decryption tool.
Other Helpful Ransomware Prevention Resources
- The Cybersecurity and Infrastructure Security Agency (CISA) offers a Ransomware Guide that provides organizations with a comprehensive set of best practices and resources to help prevent, protect, and respond to ransomware attacks.
- The National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework Profile (CSF) that can be used to help organizations manage and reduce cybersecurity risk, including the risk of ransomware attacks.
- The Federal Trade Commission (FTC) has published a Ransomware Resource Page that provides information on how to prevent, respond to, and recover from ransomware attacks.
- The Multi-State Information Sharing and Analysis Center (MS-ISAC) has published a Ransomware Prevention Guide that provides practical tips and best practices to help organizations prevent ransomware attacks.
- The Center for Internet Security (CIS) offers a Ransomware Prevention Checklist that provides organizations with a list of actions they can take to prevent ransomware attacks.