Site icon Sophos News

Inside a ransomware gang’s attack toolbox

If you’re a Naked Security Podcast listener, you’ll have heard Sophos’s own Peter Mackenzie telling some fairly wild ransomware stories.
Peter works in the Managed Threat Response (MTR) part of our business – in his own words, if your network’s on fire, he’s one of the people who will rush in to try to fix it.
As you can imagine, plenty of his deployments come in the aftermath of ransomware attacks.
A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks.
A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.
Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today.
But today’s ransomware criminals tend to pick entire organisations as victims.
The crooks break into networks one-at-a-time, learn the structure of the network, work out the most effective attack techique for each one, and then scramble hundreds or thousands of computers across an entire organisation in one go.
In cases like this, where an entire business may find its business operations frozen because all its computers are out of action at the same time, ransom demands aren’t just $300 or even $30,000 – they may be $3,000,000, or even more.


As you can imagine, this means that the ransomare part of today’s file scrambling attacks – the malware program at the heart of the scrambling process – is now just one piece in a much bigger toolbox of tricks that a typical ransomware gang will have up their sleeves.
Last week, for example, we wrote about an attack by the Ragnar Locker crew in which they wrapped a 49KB ransomware executable – a file created specifically for one victim, with the ransom note hard-coded into the program itself – inside a Windows virtual machine that served as a sort of run-time cocoon for the malware.
The crooks deployed a pirated copy of the Virtual Box virtual machine (VM) software to every computer on the victim’s network, plus a VM file containing a pirated copy of Windows XP, just to have a “walled garden” for their ransomware to sit inside while it did its cryptographic scrambling.
But that’s far from everything that today’s crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.
The Netwalker gang’s toolkit. Click on image for full report.
The columns are laid out to fit the MITRE ATT&CK matrix.

Above, taken from the SophosLabs report, is a chart showing the range of tools used by these crooks during a typical attack.
From left to right, the columns reveal the various activities that the crooks work on as the attack unfolds:

Data exfiltration

Perhaps the most important thing to take from this whole chart is the bottom-most box at the far right, labelled Data exfiltration.
When ransomware first became a serious problem about seven years ago, the idea of scrambling your files in place was a way for the crooks to “steal” your files – in the criminal sense of permanently depriving you of them – without having to upload them all first.
The average computer and the typical network just didn’t have the bandwidth to make that possible, and the average crook didn’t have enough storage to keep hold of it all.
But cloud storage has changed all that, and ransomware crooks are now commonly stealing some or all of your data first, before unleashing their ransomware.
They’re then using this stolen data to increase the pressure of their blackmail demands by threatening to leak or sell your data if you don’t pay up, thus giving them criminal leverage even if you have a reliable and efficient backup process for recovering your files.

What to do?

Here, we’re going to refer you to our April 2020 article entitled 5 common mistakes that lead to ransomware.
In quick form, our five tips are:

  1. Protect your system portals. Don’t leave RDP and other tools open where they aren’t supposed to be. The crooks will find your unprotected access points.
  2. Pick proper passwords. Don’t make it easy for crooks and their password guessing tools. Use 2FA wherever you can.
  3. Peruse your system logs. As the chart above shows, the crooks often use a lot of sysadmin tools that would probably show up as unusual in your logs if you were to look.
  4. Pay attention to warnings. Exploits that ran but failed could be reconnaissance for a future attack rather than an attack in their own right. (See 3.)
  5. Patch early, patch often. The Netwalker crooks wouldn’t bother with a CVE-2015-1701 exploit from five years ago if it never worked. Don’t be the network where it does!

Of course, don’t forget the obvious – make sure you are using anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Exit mobile version