This post describes several ransomware families and the attacks that deliver them, but the attacks discussed here all followed the same common pattern, with minor variations. They evolved in similar ways and generally relied on the same techniques; the choice of a specific ransomware at the end of an attack depended almost entirely on the attackers' preference.
RobbinHood Ransomware
Operators of the RobbinHood ransomware have drawn attention for using vulnerable drivers to disable security software in the late stages of an attack. However, as in many similar attacks, they started by brute-forcing RDP on an unprotected resource. As a result, the attackers obtained highly privileged credentials, mainly local admin accounts with shared or common passwords, as well as service accounts with domain administrator privileges. RobbinHood operators, like Ryuk operators and other prominent groups, leave behind new local and Active Directory accounts in order to regain access to the network after their tools have been removed.
Vatet Loader
Attackers frequently change infrastructure, techniques, and tools to avoid building a reputation that could attract the attention of law enforcement or security researchers. Often they shelve their tools and wait until information security companies consider the corresponding artifacts inactive, so that reusing them draws less attention. Vatet is a loader for the Cobalt Strike framework that was used in attacks back in November 2018 and has surfaced again in recent events.
The loader's operators likely specialize in hospitals, healthcare facilities, insulin suppliers, medical device manufacturers, and other critical organizations. They are among the most prolific ransomware operators, having been involved in dozens of attacks.
With the help of Vatet and Cobalt Strike, the group has deployed various ransomware families. Recently they deployed an in-memory payload that uses Alternate Data Streams (ADS) and displays simplified versions of the ransom notes used by older families. The attackers gain access to networks by exploiting the CVE-2019-19781 vulnerability, brute-forcing RDP endpoints, and sending emails with .lnk attachments that run malicious PowerShell commands. Once on the network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they obtain domain administrator privileges. Operators have been observed exfiltrating data from the network before deploying the ransomware.
NetWalker Ransomware
NetWalker operators gained notoriety for attacks on hospitals and medical facilities in which they sent emails promising information about COVID-19. The NetWalker payload was attached to these emails as a .vbs file, and this technique attracted media attention. However, the operators have also compromised networks by using misconfigured IIS-based applications to launch Mimikatz and steal credentials. Using those credentials, the attackers then ran PsExec and installed NetWalker.
PonyFinal Ransomware
This Java-based ransomware is considered new, but the attacks that deliver it are not unusual. Operators compromised Internet-accessible web systems and obtained privileged credentials. To maintain persistence in the compromised network, the attackers use PowerShell commands to launch the mshta.exe system tool and set up a reverse shell based on a popular PowerShell attack framework. The attackers also used legitimate tools such as Splashtop to maintain remote desktop connections.
Maze Ransomware
Maze was one of the first ransomware campaigns to make headlines for selling stolen data. It continues to focus on technology providers and public services, and it has been used against managed service providers (MSPs) to gain access to their customers' data and networks.
Maze spread through emails, but operators also installed it after gaining access to networks through common attack vectors such as RDP brute force. Once inside the network, the attackers steal credentials, move laterally to reach resources and exfiltrate data, and then deploy the ransomware.
In a recent campaign, Microsoft researchers tracked how Maze operators gained access by brute-forcing RDP to a local admin account on an Internet-accessible system. After brute-forcing the password, the operators were able to move laterally because the built-in admin accounts on other endpoints used the same password.
After stealing the credentials of a domain administrator account, the attackers used Cobalt Strike, PsExec, and a number of other tools to deliver various payloads and access data. They established fileless persistence on the network using scheduled tasks and services that launch PowerShell-based remote shells. They also enabled Windows Remote Management in order to maintain control with the stolen domain administrator account. To weaken security controls in preparation for deploying the ransomware, the attackers changed various settings through Group Policy.
REvil Ransomware
This is likely the first group of ransomware operators to exploit vulnerabilities in Pulse VPN appliances to steal credentials and gain access to networks. REvil (also known as Sodinokibi) became known for infiltrating MSPs, gaining access to their clients' networks and documents, and selling that access. The attackers continued to do so during the current crisis, targeting MSPs and other organizations, including government agencies. REvil attacks stand out for their use of new vulnerabilities, but their techniques are similar to those of many other groups: after penetrating the network, tools such as Mimikatz and PsExec are used for credential theft, lateral movement, and reconnaissance.
Other Families of Ransomware
During the period under review, the following families were also observed in human-operated attacks:
- Paradise. Previously spread directly through emails, it is now used in human-operated attacks.
- RagnarLocker. Used by a group that made heavy use of RDP and Cobalt Strike with stolen credentials.
- MedusaLocker. Probably installed through existing Trickbot infections.
- LockBit. Distributed by operators who used the publicly available penetration testing tool CrackMapExec for lateral movement.
The Immediate Reaction to Ongoing Attacks
We strongly recommend that organizations immediately check for alerts related to the attacks described above and prioritize investigation and recovery. Defenders should pay attention to:
- Malicious PowerShell, Cobalt Strike, and other penetration testing tools, which allow attackers to blend in under the guise of harmless red team activity.
- Credential theft activity, such as suspicious access to the Local Security Authority Subsystem Service (LSASS) or suspicious registry changes that could signal new attacker payloads or credential theft tools.
- Any tampering with the Security event log, the USN journal, or security agents, which attackers use to evade detection and to make data recovery impossible.
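As an added example (not part of the original post), the following Python triage script runs three of the checks above, the RDP brute-force-then-success pattern from the RobbinHood and Maze sections, suspicious LSASS access, and clearing of the Security log, over constructed Windows Security and Sysmon records. The simplified field names, the failure threshold and the LSASS allow-list are assumptions to be tuned for a real environment.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): a simplified subset of
# Windows Security (4625/4624/1102) and Sysmon (event 10) fields.
EVENTS = [
    {"id": 4625, "src": "203.0.113.7", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "203.0.113.7", "user": "admin", "logon_type": 3},
    {"id": 4625, "src": "203.0.113.7", "user": "backup", "logon_type": 3},
    {"id": 4625, "src": "203.0.113.7", "user": "svc_sql", "logon_type": 3},
    {"id": 4625, "src": "203.0.113.7", "user": "Administrator", "logon_type": 3},
    {"id": 4624, "src": "203.0.113.7", "user": "Administrator", "logon_type": 10},
    {"id": 4624, "src": "10.0.0.5", "user": "jdoe", "logon_type": 10},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "source_image": r"C:\Users\Public\u.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 1102, "user": "Administrator"},
]

FAIL_THRESHOLD = 5  # assumed tuning value; set it for your environment

def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD):
    """(src, user) pairs where at least `threshold` failed logons (4625) from
    one source precede a successful RemoteInteractive logon (4624, type 10).
    Failures are counted regardless of logon type because RDP with NLA
    records the failed attempts as network (type 3) logons."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]] += 1
        elif e["id"] == 4624 and e["logon_type"] == 10:
            if failures[e["src"]] >= threshold:
                hits.append((e["src"], e["user"]))
    return hits

# Images that legitimately open LSASS: an assumed allow-list, tune per host.
LSASS_ALLOWED = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}

def find_lsass_access(events):
    """Sysmon event 10 where a non-allow-listed image opens lsass.exe."""
    return [e["source_image"] for e in events
            if e["id"] == 10
            and e["target_image"].lower().endswith(r"\lsass.exe")
            and e["source_image"].lower() not in LSASS_ALLOWED]

def find_log_clearing(events):
    """Security event 1102 records that the audit log was cleared."""
    return [e["user"] for e in events if e["id"] == 1102]
```

Each function returns the matching records so the results can be fed to a ticketing or SIEM pipeline rather than only printed.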