Study brushes anatomy of ransomware attack

Anatomy of ransomware attack

Security researchers revealed the anatomy of a ransomware attack to illustrate how cyber criminals accessed a network to install ransomware, all in a matter of just two months. Researchers at technology security company Sentinel One examined a server used by cyber criminals in October 2019 to turn a small security flaw in an enterprise network into an attack based on Ryuk ransomware.

According to this valuable study, the network was initially infected by the Trickbot malware. Once the network was tapped by this malware, the hackers began scanning the surrounding area to find out what they had access to and how to take advantage of it. Over time, they dig into the network and try to map it and figure out what it looks like. They have a purpose, and their purpose is to monetize the data, the network, for their illicit gain,' explains Joshua Platt, Sentinel One researcher, interviewed by Zdnet.

"They already understand that there is a potential for making money and are looking to expand this leverage," the researcher says, detailing their motivations. Once the hackers have decided to exploit the breach in the network, they use tools like Powertrick and Cobalt Strike to secure their hold on the network and explore it further, searching for open ports and other devices they could access.

A particularly virulent ransomware

It is only at this moment that they decide to move on to the ransom demand phase. According to Sentinel One, it took about two weeks to go from the initial Trickbot infection to network profiling, then to the attack of the Ryuk malware. "Based on the time stamp, one can guess the two-week period for waiting time," the company says. As a reminder, Ryuk was first seen in August 2018 and was responsible for multiple attacks around the world, according to last year’s UK National Cyber Security Center opinion.

It is a targeted ransom software: the ransom is set according to the payment ability of the victim, and it may take several days, or even months, between the initial infection and the activation of the ransom software, because hackers need time to identify the most critical network systems. But the NCSC said that this delay also gives defenders a window of opportunity to prevent the triggering of the ransom software attack, if they can detect this first infection.

According to the FBI, Ryuk is an extremely lucrative project for its criminal promoters, generating approximately $61 million in ransom between February 2018 and October 2019. The fact that Ryuk managed to force companies to pay ransoms means that the crooks have a bombed war fund with which they can refine their attacks. This will obviously increase; they have more money and more capacity now to hire even more talent," Platt warns.