This article is a companion piece to a recent video blog our New York City team produced, which you can watch here.
Ransomware is on everyone’s mind. And for good reason – it’s difficult to combat and can cause significant business interruption. But what is it? In short, ransomware is a malicious software that attackers use to extort money from their victims. This type of software will encrypt files on a victim’s computer which blocks the victim from accessing their own data. Attackers then request that victims pay the ransom before they can access their files again.
How do criminals gain access to networks in the first place?
Cyber criminals commonly use two methods to gain access to their victim’s network to deploy ransomware:
- Through phishing emails. Attackers are becoming more sophisticated when creating phishing emails. A phishing email will typically prompt its recipient to open a malicious attachment or navigate to a malicious website. The attachment or website then downloads a malicious script which runs automatically on the user’s computer. This may not yet be ransomware; it can be other malware which paves the way for a later deployment of ransomware. More on this method below.
- Through Remote Desktop Protocol (RDP). When RDP is enabled and internet facing, the attackers can brute force access or purchase compromised credentials from the dark web. With this access, the attackers can deploy the ransomware and potentially laterally move to other machines in the environment.
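The RDP brute-force pattern described above leaves a trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often across several account names, sometimes followed by a successful logon (Event ID 4624) from the same address once a credential works. The following is an added example, not code from the Kivu article, that runs that detection logic over a constructed CSV export; the CSV column names, the sample addresses and accounts, and the default threshold of five failures in ten minutes are all assumptions made for the example.

```python
"""Flag RDP brute-force activity in a Windows Security log export.

Added example (not part of the original article). Assumes a simple CSV export
with the columns time,event_id,logon_type,account,source_ip; real exports vary,
so adapt parse_events() to your own tooling's layout.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one noisy external source, one user who mistyped
# a password twice, one normal internal RDP session, and one non-RDP failure
# (logon type 3 = network) that must be ignored by an RDP-specific rule.
SAMPLE_LOG = """\
time,event_id,logon_type,account,source_ip
2020-03-01T02:00:01,4625,10,administrator,203.0.113.45
2020-03-01T02:00:04,4625,10,admin,203.0.113.45
2020-03-01T02:00:09,4625,10,administrator,203.0.113.45
2020-03-01T02:00:15,4625,3,administrator,203.0.113.45
2020-03-01T02:00:21,4625,10,backup,203.0.113.45
2020-03-01T02:00:33,4625,10,scanner,203.0.113.45
2020-03-01T02:00:40,4625,10,backup,203.0.113.45
2020-03-01T02:02:10,4624,10,backup,203.0.113.45
2020-03-01T03:15:00,4625,10,jsmith,198.51.100.7
2020-03-01T03:15:30,4625,10,jsmith,198.51.100.7
2020-03-01T03:16:02,4624,10,jsmith,198.51.100.7
2020-03-01T08:30:00,4624,10,jdoe,10.0.0.5
"""

RDP_LOGON_TYPE = 10   # RemoteInteractive: interactive logon over RDP
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_OK = 4624


def parse_events(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "account": row["account"].lower(),
            "source_ip": row["source_ip"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any sliding `window`. Each finding records the
    total failures, the peak count within one window, the account names
    tried, and whether a successful RDP logon from that source followed the
    first failure (a strong sign that a credential was guessed or bought)."""
    failures = defaultdict(list)   # source_ip -> times of failed RDP logons
    accounts = defaultdict(set)    # source_ip -> account names attempted
    successes = defaultdict(list)  # source_ip -> times of successful RDP logons

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # not an RDP logon; other rules cover SMB/network logons
        if ev["event_id"] == EVENT_LOGON_FAILED:
            failures[ev["source_ip"]].append(ev["time"])
            accounts[ev["source_ip"]].add(ev["account"])
        elif ev["event_id"] == EVENT_LOGON_OK:
            successes[ev["source_ip"]].append(ev["time"])

    findings = {}
    for ip, times in failures.items():
        # Sliding window over the (already sorted) failure timestamps.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        findings[ip] = {
            "failures": len(times),
            "peak_in_window": peak,
            "accounts": sorted(accounts[ip]),
            "success_after": any(t > times[0] for t in successes[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['failures']} failed RDP logons "
              f"(peak {f['peak_in_window']} in window), "
              f"accounts={f['accounts']}, success afterwards={f['success_after']}")
```

A finding with `success_after` set should be treated as a probable compromise rather than a mere probe: the same address that guessed passwords has now established an RDP session, which is exactly the foothold from which ransomware is staged. Sources that fail a few times and then succeed, like the second address in the sample, fall below the threshold and are left to be judged by the user's own account lockout policy.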
How do email compromises occur?
At Kivu we see multiple Business Email Compromise (BEC) cases each month (here’s a factsheet on how we investigate them). When a malicious link is clicked, it directs the recipient to a page that at first glance looks legitimate – threat actors can put a lot of effort into creating these websites. The websites can then be used to steal users’ credentials, which gives criminals an easy way into the network. A phishing email may also include a malicious attachment that installs what is known as a banking trojan. Banking trojans will harvest network credentials and identify vulnerabilities in the client environment. Once this malware is deployed, it goes to work laying the foundation for a later installation of ransomware. All of this happens automatically and without the user being aware of the nefarious activity going on in the background.
How do you protect your network?
Attackers are taking advantage of vulnerabilities to infect a company’s network with ransomware. If there are no vulnerabilities, criminals can’t find a foothold on the system. There are three ways to protect your network:
- Frequently back up files from all devices and save them offsite or in the cloud. If a ransomware attack occurs, the files can later be restored from backups and operations can continue.
- Disable Remote Desktop Protocol on all machines, especially servers. All remote access should occur behind a Virtual Private Network.
- Patch software and ensure an appropriate antivirus solution is in place. You should also make sure that all software and antivirus solutions are regularly updated with the latest threat definitions.
Fancy names for common variants: REvil/Sodinokibi, Dharma, and Ryuk
At Kivu, we deal with all sorts of different ransomware variants. Some of the most common variants are REvil/Sodinokibi, Dharma and Ryuk. These variants are very different, but the criminals behind them all want the same thing: to be paid their ransom demand. In April 2019, a newer strain of ransomware, REvil/Sodinokibi, was developed. This variant is stealthy when attacking its victims, and covers its tracks by taking different measures to prevent detection by antivirus or other endpoint protection software. We often see the Sodinokibi group using key Windows server and Server Message Block (SMB) exploits to gain access and infect their victims. This variant is also known to threaten victims with the public exposure of their data if they do not pay the ransom demand, a trend known as “doxxing”.
While the actors behind Sodinokibi are experienced, Dharma operators can be the complete opposite. Dharma is known as Ransomware as a Service (RaaS), meaning that it is available on the dark web to be purchased by anyone. We see Dharma compromising the victim’s network by using a port scanner to locate any open RDP ports.
The last variant is Ryuk, which is one of the most common. Ryuk actors ask for higher ransom amounts than others – we have seen demands in the million-dollar range. The reason for this is that the group will often conduct detailed research on their victims, giving them information on the company’s finances and employee headcount – essentially, they know how much money is in the bank. In Ryuk cases, we normally see the initial compromise performed through a banking trojan, such as Emotet or Trickbot, which typically arrives through a phishing email. We have also seen Ryuk take advantage of legitimate penetration testing tools and use them maliciously, for example Cobalt Strike. Using such a tool makes it harder for network defenders to detect the threat, potentially reducing the chances of interruption before or during the execution of an attack.
If you want to find out more about how Kivu can help you prevent ransomware attacks, visit our Enterprise Protection services page. For more details on how we can help organizations that have been hit by ransomware, head on over to our Incident Response services page.