Evolving Recovery Disruption Techniques in Ransomware

Summary:

Ransomware attacks are increasingly prevalent in 2024, with threat actors leveraging various methods to infiltrate systems and extort victims. The anonymity provided by cryptocurrency payments complicates law enforcement efforts. The Ransomware-as-a-Service model has further facilitated these attacks, allowing even those with limited technical skills to engage in ransomware activities.

Keypoints:

  • Ransomware attacks are on the rise in 2024.
  • Threat actors profit significantly from ransom payments.
  • Cryptocurrency payments hinder law enforcement tracking.
  • Ransomware can be easily distributed and infiltrate systems.
  • Recent attacks exploit legitimate tools and drivers.
  • The Ransomware-as-a-Service model lowers the barrier for entry for attackers.

MITRE Techniques

  • Reconnaissance (T1087): Threat actors collect information about the victim system, including network structure and vulnerabilities.
  • Initial Access (T1078): Gaining access to the victim system through various means, including exploiting IoT devices.
  • Persistence (T1543): Installing backdoor malware to maintain continuous access after the initial breach.
  • Lateral Movement (T1021): Spreading ransomware to other systems within the network to access more confidential data.
  • Data Encryption (T1486): Encrypting important data and deleting recovery options to hinder system recovery.
  • Data Breach (T1040): Threatening to leak sensitive information as part of a double-extortion strategy.

Ransomware attacks are still on the rise in 2024. Threat actors continue to launch ransomware attacks because victims often pay a ransom to recover their data, allowing the attackers to profit significantly. Threat actors preserve their anonymity by demanding payment in cryptocurrency, which makes it difficult for law enforcement agencies to track their activities.

In terms of ease of attack, ransomware can be distributed with relatively little effort and can infiltrate systems in a variety of ways. Recent detection-evasion methods have involved abusing legitimate tools or drivers. Moreover, the spread of ransomware attacks has been exacerbated by the Ransomware-as-a-Service (RaaS) model, which allows threat actors who lack technical knowledge to use ransomware with ease.


1. Reconnaissance and Initial Access

Through reconnaissance activities, threat actors collect information about the victim system. This includes understanding the victim network structure, vulnerabilities, and software in use. Threat actors may also use Shodan to search for Internet of Things (IoT) devices. While general search engines like Google index webpages, Shodan can index various devices connected to the Internet, such as webcams, medical devices, and smart TVs. Through Shodan, threat actors can conduct port scanning on randomly generated IPv4 addresses and explore the running services. By repeating this process, they can discover IoT devices that use default passwords or run on outdated software versions.

2. Securing Foothold and Internal Propagation

Threat actors install backdoor malware or obtain administrator privileges to maintain continuous access to the victim system after a successful initial breach. If the ransomware attack were limited to a single PC, the victim would be unlikely to face a ransom demand running into billions of dollars. Attackers therefore do not confine the damage to the initially breached system; instead they try to spread across the entire victim organization to obtain more confidential data. In this process, the ransomware uses lateral movement techniques to reach other systems within the network.

3. Executing Ransomware

Threat actors identify important data within the affected system and prepare to encrypt it. The encryption targets include various file formats such as databases, documents, and images. The attackers then execute the ransomware to encrypt the files. In this process, they delete system restore points, disable recovery tools, and damage backup files to make system recovery more difficult. At this stage the victim becomes aware of the ransomware attack and experiences business interruption and data loss, as the encrypted files can no longer be accessed.
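The recovery-disruption step described above (deleting restore points, disabling recovery tools, damaging backups) is the point at which defenders have a clear behavioural signal to detect, catalogued by MITRE ATT&CK as T1490 (Inhibit System Recovery). The following script is an added detection example and is not part of the original report: it parses constructed, simplified process-creation log lines (the `host=... user=... event=1 cmd="..."` layout, the hostnames and the user names are all invented for this illustration), matches the command lines against regular expressions for the built-in Windows utilities that ransomware commonly abuses for this purpose, and summarises which recovery-inhibition behaviours were seen on each host, since several distinct ones on one host in quick succession is a much stronger indicator than a lone administrator housekeeping command.

```python
"""Added detection example: flag process-creation events whose command lines match
recovery-inhibition behaviour (MITRE ATT&CK T1490). Log lines are constructed samples
in a simplified, invented layout, not real telemetry."""
import re
from dataclasses import dataclass

# Each rule: (rule name, regex applied to the lower-cased command line).
# The list covers commonly abused built-in utilities; it is illustrative, not exhaustive.
RECOVERY_INHIBITION_RULES = [
    ("vss_shadow_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_resize_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("powershell_shadowcopy", re.compile(r"\bpowershell\b.*\bwin32_shadowcopy\b")),
]

# Constructed log layout (assumption for this example): "<timestamp> host=<h> user=<u> event=1 cmd="<command line>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+event=1\s+cmd="(?P<cmd>.*)"$'
)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(command_line):
    """Names of every recovery-inhibition rule that fires on this command line."""
    lowered = command_line.lower()
    return [name for name, rx in RECOVERY_INHIBITION_RULES if rx.search(lowered)]


def scan_log(lines):
    """Run every parsable line through the rules; malformed lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            findings.append(Finding(ev["host"], ev["user"], rule, ev["cmd"]))
    return findings


def summarize_by_host(findings):
    """Map each host to the set of distinct rules seen there; several distinct rules
    on one host is a stronger signal than a single hit."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


# Constructed sample log: one benign editor launch, three recovery-inhibition commands
# on the same workstation, a harmless shadow-copy listing by a backup account, and junk.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z host=WS01 user=CORP\\alice event=1 cmd="C:\\Windows\\System32\\notepad.exe notes.txt"',
    '2024-05-01T10:00:07Z host=WS01 user=CORP\\alice event=1 cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-05-01T10:00:08Z host=WS01 user=CORP\\alice event=1 cmd="wbadmin delete catalog -quiet"',
    '2024-05-01T10:00:09Z host=WS01 user=CORP\\alice event=1 cmd="bcdedit /set {default} recoveryenabled no"',
    '2024-05-01T10:05:00Z host=SRV02 user=CORP\\backupsvc event=1 cmd="vssadmin list shadows"',
    'malformed line that the parser should skip',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.host} {h.user} {h.rule}: {h.command_line}")
    for host, rules in summarize_by_host(hits).items():
        print(f"{host}: {len(rules)} distinct recovery-inhibition behaviours -> {sorted(rules)}")
```

In a real deployment the same rule set would be applied to Sysmon Event ID 1 or Windows Security 4688 command-line fields, and the per-host summary would be evaluated over a short time window so that an alert fires on the burst of behaviours that precedes encryption rather than on an isolated administrative command.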

4. Data Breach and Ransom Demand

In addition to encrypting data, ransomware threat actors adopt a double-extortion strategy by threatening to leak sensitive information externally. Threat actors demand a ransom from victims to decrypt the data, usually requiring payment through cryptocurrency and threatening to release the data if the ransom is not paid.

This report focuses on the trend of ransomware attacks at the stage where actual damage occurs, which is the stage described in step 3, "Executing Ransomware".

Source: Original Post