While ransomware attacks are seemingly on the rise, as indicated by Mandiant, understanding the attackers’ “playbook” is a worthwhile endeavor for any cybersecurity team. Recent research conducted by Cisco Talos helps do just that. Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques, and procedures (TTPs), along with several notable differences and outliers. Talos’ research shows that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism, and phishing for credentials often preceding these attacks. Ransomware gangs are also increasingly exploiting zero-day vulnerabilities in public-facing applications, which has become a prevalent initial access vector.
Primary TTPs For Initial Access. Using the MITRE ATT&CK® Framework as a baseline, Talos identified the primary TTPs used by major ransomware threat actors over the past three years, examining each TTP and how it is executed in detail. The research produced several key findings:
- Many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points.
- Many groups have exploited critical vulnerabilities in public-facing applications, indicating an increased need for appropriate security controls and patch management.
- Ransomware actors continue to place significant focus on defense evasion tactics to increase dwell time in victim networks. This includes disabling or modifying security software, such as anti-virus, endpoint detection, or other security features in the operating system, to prevent detection of the ransomware payload.
- Adversaries will also obfuscate malware by packing and compressing the code.
Typical Ransomware Attack Chain. The typical ransomware attack follows a five-phase process or “attack chain”. The phases are:
- Initial Access. Using a combination of social engineering, network scanning, and open-source research, adversaries work to gain initial access to the target network by first identifying possible access vectors and then exploiting those vulnerabilities.
- Persistence. Once initial access is gained, threat actors work to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated.
- Discovery, lateral movement, and privilege escalation. Once persistence is established, attackers will begin exploring the target environment to better understand the network’s structure, escalate their privileges to admin rights, and locate resources that can support the attack or be extorted.
- Exfiltration of Data. Once valuable data or resources have been discovered, attackers then collect this sensitive information and send it to an external adversary-controlled resource.
- Ransomware Deployment. After all the above steps are concluded, adversaries will then stage the ransomware payload and begin encrypting files.
WaterISAC encourages members to implement proactive protections and strategies to combat the attack chain described above. Members can access additional ransomware resilience information by reviewing the resources below. For more on “Inside the Ransomware Playbook”, visit Cisco Talos. As always, members are highly encouraged to regularly reference CISA’s #StopRansomware page for the latest advisories, alerts, resources, and recommended practices.
Additional Ransomware Resources and Coverage from WaterISAC:
- Ransomware Resilience – Strategies for Improving Attack Outcomes | June 4, 2024
- Ransomware Resilience – NCSC Shares Guidance for Organizations Considering Payment in Ransomware Incidents | May 14, 2024
- Ransomware Resilience – Utilize CISA’s Ransomware Vulnerability Warning Pilot (RVWP) | May 2, 2024
- Ransomware Resilience – Don’t Wait ‘til it’s Too Late | December 18, 2023
- Ransomware Resilience – Incomplete Remediation Results in Ransomware Reinfection | October 5, 2023