Ransomware 101: How Ransomware Works
By the time you see the ransom note on your computer screen, a lot has already happened. In this episode we discuss how ransomware typically gets into a computer system, how deep it gets, and how much information the ransomware operators learn before they make contact.
- Resilience Cybersecurity & Data Privacy
- M-Trends 2022: Mandiant Special Report
- State of Ransomware – Survey and Report (2021)
- Even the Most Advanced Threats Rely on Unpatched Systems – The Hacker News
- Behind the Curtains of the Ransomware Economy – The Victims and the Cybercriminals – Check Point Research
- Ransomware Encrypts Nearly 100,000 Files in Under 45 Minutes – Splunk
- Experts Analyze Conti and Hive Ransomware Gangs’ Chats with Their Victims – The Hacker News
Ryan: Welcome to the Fearless Paranoia podcast where we do our best to demystify the exciting field of cybersecurity. I am Ryan, a cybersecurity specialist. And this is Brian, a cybersecurity attorney.
Brian: This is episode two of the Fearless Paranoia podcast, season one, episode two. Today we are talking about ransomware: how does it work? We previously discussed ransomware 101; if you haven’t listened to our first episode, you can go back to our website, FearlessParanoia.com, and take a look at that. You can also listen to it through any of your favorite podcast subscription services. Today we’re going to be talking about what got us to this point: you see that ransomware screen right in front of you, and a couple of really bad options, losing all your data, having private data exposed, or paying money you may not have. How did we get to this? Well, there are a couple of things we’re going to be going over. First, and most interesting among them to me, is the fact that ransomware is how we got here. Ransomware was simply the last step in a chain that usually involves more than one bad actor. We’ll be talking about how they get into your system, what they do once they’re in your system, and how their motives and their actions are different depending on the size of your company and what their actual goals are.
The thing I want to talk about today, Ryan: you’ve had a history of experience dealing with different types of ransomware, and you’ve kind of seen how they function and operate. Walk us through what happens to your system when you get hit with ransomware. I know that different ransomware families have different approaches, but there is kind of a basic structure to how these attacks occur. Walk us through that.
Ryan: Ransomware is usually not the first stage of an infection or an impact to a customer; usually there is some sort of initial vector of compromise. So ransomware typically starts either with one really sophisticated group or, in a lot of cases, with two distinct groups working together. They work together in a form of business relationship. In the cases where one group is doing this, we can just assume that this next example is the same group performing both halves of the task, because in some cases the groups are sophisticated enough to do that. But usually there are two different stages involved, and usually the initial compromise vector is one group in particular that just goes around. A lot of these are considered access brokers. These are guys that go through and are experts at scanning the internet looking for exploits, doing vulnerability assessments, general Red Team type activities, looking for exploitable systems available on the internet, and then they use known tools to either exploit those or use known zero days or whatever they can. They find unpatched systems, and then they use that known exploit to try and gain entry to those systems. There’s usually some sort of initial compromise there. In some cases, again, it’s a straight attack. In some cases it’s social engineering; it could be something as simple as a phishing attack or spear phishing. You get a hold of someone who’s got privileged access inside a company, or at least enough access to get you in the door, and if you can get them to click on a link that heads smack to a malicious website, it downloads a small tool to their browser or something to that effect. Even worse still, you get them to download a Word doc or an Excel doc that’s got a really heavily loaded macro with a variety of malicious nonsense.
In any case, the whole major goal with whatever those different means are is to gain some sort of system-level access to your system so that they can then use that.
Brian: It’s an interesting thing to note, talking about ransomware, that before you ever see that ransom, before that file that I clicked on brought up that ransom screen, before any of that happens, a vulnerability has been identified, a beachhead has likely been established, or, at the very least, for lack of a better word, a toehold has been put in the system. They’re not necessarily, you know, immediately doing a fly-by and dropping the ransomware right away; they’re first attempting to establish their way in, multiple ways into the system, so that whatever access they get, if it’s restricted, they have another way in. And as you described, this actually would come most frequently, and most likely, from a group whose sole purpose is to identify these openings.
Ryan: Yeah, exactly. A lot of these access brokers, what they really do is they go through and they try to penetrate the system. And they’re not interested in drawing a lot more attention back onto their own activities. So what they typically will do is find ways to very discreetly enter into somebody’s system, again via phishing or spear phishing if they’re brought in from the inside, or by being able to find a way in from the outside by doing broad vulnerability scanning against public-facing systems and trying to find one that’s got an exploitable hole. They get into the system, they start to pivot around and see how capable they are of moving around inside the system without triggering any alerts, and they start to build that foothold you were talking about. Then they turn around and they take that access, not wanting to bring any more attention onto themselves in particular, and they go on to the dark web forums and they start to sell that access to other gangs that are more interested in business compromise, data exfiltration, ransomware, whatever those kinds of next-stage efforts are. So in a lot of cases, you do have a variety of different gangs with different technical skill sets working together through formed business relationships on their side.
Brian: What happens once the toehold has been gained, the access has been confirmed, or whatever the access broker has brokered? They have reached out and they’ve provided that information to either a partner within their own ransomware organization or another organization that specializes in the actual ransomware. How does ransomware work in that phase? Talk about what happens once that group takes over.
Ryan: So to get past that initial compromise, we’ll just say I’m a ransomware gang at this point. I’m running Ryan’s Ransomware. I’ve gone onto the amazon.com of the dark web forums, and I’ve decided to pick up access into Brian’s law firm, because somebody managed to get access. So now you’ve got a foothold established inside your law firm that I’ve now purchased a key into. Effectively, I just purchased the key to your house from your neighbor. Great. So now I’ve got this known exploit that I don’t have to do anything to get, other than pay a few dollars here and there. But now I’m sitting inside your company, I’m on your VPN, or I’m on servers, or I’ve got access to one of your workstations. From there, I’m going to take a look around and either go: I want a quick win, or I want a big win. If I want a quick win, I’m just going to start looking for the quickest, dirtiest way that I can deploy this ransomware around your network, make sure that I’ve got the highest level of access that I need to get as far and as wide as I can, and then just let it rip. At that point you’ve just started prepping the network; you read the message, you sit back, and you wait for hopefully some money to roll in.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable, so if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com, where you’ll find a post for this episode containing links to all the sources and research information that we have cited. Also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: So that seems like a good example of what you think of as a basic ransomware attack. Now, if I’m remembering right, when the ransomware hit our company back in the day, it essentially deployed, and if I remember right, it recognized that we had multipurpose copiers, it recognized that we had computer workstations, laser printers, and fax machines. So it created a new object on the network; it created a new fax machine. And from there it was launching instructions to encrypt. Am I describing that accurately?
Ryan: Yeah, I mean, that’s one way of doing it. We could spend an hour talking on how the different ransomware families actually enact those tools. A lot of them will just compromise a local device in the network and start to spray it out from there. Some of them will set up virtualized or, you know, imposter devices like what you’re describing, which helps keep the initial point of compromise safe. If you want to make sure that your foothold is maintained afterwards, if you have secondary plans after the ransomware, you obviously wouldn’t want to compromise your initial vector of access, to prevent them from fully tracking down how you made it in in the first place.
Brian: There’s a recent report. Now, if I remember, early on, when ransomware was relatively new, one of the most important things to do as soon as you discovered it was to shut everything down. Because regardless of what happens to your computer, it’s not like someone flips a switch and everything on your computer is encrypted. If you’ve ever tried to simply encrypt your hard drive, turning on a file locker or anything like that, you know it takes time. However, there’s a recent report that came out, and like always, anything we cite or discuss in our episodes we will provide links to in the accompanying post. It looked at the most popular ransomware groups, and they did a test on each of their basically available versions: 100,000 files were encrypted in an average of 42 minutes. And the range was actually kind of stunning to me. For one ransomware group it was almost two hours; for one it was six minutes to encrypt 100,000 files. Now, I don’t have a great look into their methodology or into what kind of files. I don’t know whether it would be overburdened if they were trying to encrypt larger files, or video or image files, or if a PowerPoint is faster to encrypt than an Excel file, but it does seem that it is getting faster now. So from the perspective of how ransomware works, when they’re going in and encrypting files, what kind of files do they look for? Do they distinguish between, you know, big files that take forever and small files that they can do quickly? And is it still worthwhile, like it used to be, to try to interrupt that process?
Ryan: A lot of the more advanced groups, in a lot more instances, are working to really refine how the ransomware operates now to target the more critical files. In the past, a lot of ransomware would just go and start encrypting everything that’s not a system file on the system. They would do that because they want the system to operate, so you want the operating system: without it you can’t deliver the message, you can’t deliver the ransom, you can’t get the person to come back to you. For the most part, you want to keep their internet access available; what you want to do is get all the stuff they care about. You encrypt all of their PDF files, doc files, cell pictures, text files, all of that kind of other stuff. So a lot of the ransomware tools are very highly focused and targeted on those user-important files, rather than, as in the past, just starting to encrypt everything that’s not Windows and running from there.
Brian: If you recall, we did mitigation on that infection at my company. I think we kept it to three workstations and the server that were encrypted; no other workstations out of 20-plus ended up getting encrypted, because we managed, for some reason, to be looking in the system at 8:30 on a Saturday night. These hackers, as you’ve discussed, are running a business. They’re not the hackers of the movie Hackers, where a bunch of people who have no idea what it’s like to work any kind of a job are up in the middle of the night chugging Jolt Cola and living their life that way. These are people who understand business processes; they understand that people aren’t likely to be active on the system in the middle of the night on a weekend.
Ryan: Yep. And they actually do follow that schedule, just like you’re saying. That’s why, in the cybersecurity industry, you know, Monday through Friday from 8am to 5pm, insider threat, whether it’s intentional or not, is the main kind of daytime focus. Most of the malicious ransomware activity tends to come when they are expecting cybersecurity professionals to not be working, which is going to be the middle of the night, not during normal business hours. They’re going to be looking at you from midnight to 4am, because chances are you’re probably not online. Or they’re going to look during holidays: a great time to attack is December 23 through January 4. That’s a hugely volatile time, because you’ve got a lot of people taking time off to go spend time with family. You’ve got Christmas, you’ve got New Year’s, you’ve got Hanukkah, you’ve got all these different things that are normally taking people away from work and putting them back with their families, which means they’re no longer sitting in front of their monitors, their keyboards, their systems. So now, instead of fighting against cybersecurity professionals, they’ve taken the person out of the mix. Now all you have to do is get past the tooling, the policies, the procedures, and then you’ve got free rein until we come back from whatever vacation has taken us away.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family, and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: So we talked about the quick-hit attacks. I think that, as we’ve seen lately, there’s the big score. Several cybersecurity researchers have called 2020 and 2021 sort of the era of the big score, where hackers have been looking to get big money from big companies. How do they act differently in that case? What’s different?
Ryan: Yep, so again, with the small businesses or individual private citizens, it’s usually going to be very, very non-complex attacks. It’s going to be: go in real quick, grab anything that looks valuable, whether that be a password file or something like that, and then just encrypt the system and hit them with the message. Try to get the quick win for a few dollars here and there and then move on. When you’re working against larger businesses, it’s not going to be something as simple as a couple of bullies walking up to one kid walking along the side of the street. Now what you’ve got is a very well-defended enterprise with lots of tooling, lots of people, and lots of professionals that are working to keep these types of attacks out. So a couple of things they have to keep in mind: from the side of the malicious actor, you have to be a lot quieter. What does that mean? What does it mean to be a lot quieter? You have a lot of different alerting and a lot of different defense mechanisms at the larger businesses that a lot of smaller businesses don’t have, which makes it insanely more difficult to attack a major enterprise than it would be to attack a small business or a private person.
Brian: Okay, so it’s more than just the access, like you were saying. It’s both how you get in and then also once you’re in…
Ryan: When you get into larger businesses, eventually they’re going to run across some of these different footholds that you’ve put in place. So it becomes more critical that you put a greater number of footholds in different areas, but again, you have to work quietly, under the alerting and under the radar, to get these in place. You also have to watch out as a couple of footholds start to get knocked out here and there, and ultimately make sure that you’re not only maintaining a foothold and maintaining persistence in the network, but that you’ve got your own monitoring to watch as those footholds disappear. That way you can see and identify the countermeasure activity that’s happening inside and make sure that, as the threat actor, you’re trying to stay one step ahead of it as well, so you don’t eventually lose your foothold in that company. Because again, as soon as you get the last of your footholds knocked out, you’ve lost your money train as far as that business is concerned.
Brian: In addition to the compromise, one of the big features of the modern ransomware movement has been mass exfiltration of data. I remember, as recently as four or five years ago, most businesses that experienced ransomware did not consider the breach to be something that triggered any of their notification requirements under various state breach notification laws. The basis for that was that those laws said there had to be evidence of access to, or exfiltration of, data in a usable form. Now, what does that mean? That means that either they were able to read specific personally identifiable information while they were in your system, or they took a bunch of the data out of your system and it was in a form they could read (i.e. not encrypted). At the time, ransomware was based primarily on simply removing your access to that information and selling that access back to you. It has now, as I said, become more of a broader extortion, where they take your information. How does ransomware work in that context?
Ryan: Roughly the same way, but it happens as part of that multistage attack chain that I kind of alluded to earlier. It starts with the initial compromise and gaining a foothold in the system, but then, before you deploy the ransomware, if you have the time and you’re working with a less sophisticated target that doesn’t have a lot of layers of defense, monitoring, and alerting set up, you’ve got ample time to really just poke around: start looking around, start checking what type of shares are open, what type of access is open between different systems, and start to really do some good discovery inside the business of what data is there, how many people are accessing it, and what I can get a hold of. It could be something as simple as: let’s look through the primary file share and see if there’s anything in there that is useful, either an Excel spreadsheet full of account numbers, a customer list, maybe source code, maybe bank accounts; it could be anything along those lines. So they will do their best to identify really high-quality assets that are inside this target network first, package those up in a way where they can exfiltrate them out, so that now they’ve got this little care package back on their side before they deploy the ransomware. Now what you have is the ransomware deployed, and they will start with the typical “please send us Bitcoin, and we will give you the tool to decrypt all your stuff.” A lot of times the messages will just stop right there. They are very well aware of the fact that there’s a second piece to this game. They will usually come to you and make the determination of whether they’re going to get money or not, and in a lot of cases they do. There are a lot of people that pay these ransoms.
Brian: Yeah, there is recent reporting suggesting maybe as high as 40%. And actually, it’s been remarkably consistent over about the past decade: 40% of people pay these ransoms. We want to thank you all for joining today. Now you have a better idea of how ransomware works and what exactly it looks like from inside your system when one of these ransomware attacks happens. We’ve talked about ransomware 101, and we’ve talked about the events that lead up to that moment when the ransom note appears on your screen. In the future, we will be tackling the interesting and thorny issue of negotiating for ransom: How does it work? Can it be done effectively? Can it be done legally? There are a lot of interesting questions, and some new laws that have been coming into effect recently have an impact in that area. If you enjoyed this episode, please subscribe to us. You can subscribe on any of your favorite podcast apps or subscription systems. You can also visit our website and sign up for our RSS feed, follow us on Facebook or Twitter, and whatever else comes along. Once again, we want to thank you for tuning in. On behalf of Ryan, I’m Brian for Fearless Paranoia. Have a good one!
©2022 Fearless Paranoia