Anatomy of a Ransomware Attack

Ransomware continues to be a significant threat to organizations of all sizes. Victims (in this case, companies) are denied access to data and services and ransom is demanded to restore access. Organizations suffer financial losses and (brand) reputation loss because of significant downtime of critical IT services.

Ransomware continues to evolve, and more sophisticated variants are being introduced all the time – offering better encryption and new features. However, we have seen that the 5 major stages remain pretty much the same.

1. Campaign: This is the stage in which the attacker attempts to gain access to the IT environment. Many methods can be used, such as remote exploits against web servers, weaponized websites, or, most commonly, spear-phishing emails with malicious links.

2. Infection: This is the phase in which the malicious code is executed and the ransomware takes hold of a system and maintains persistence; however, the data has not yet been encrypted. This is the stage at which the damage can still be prevented by invoking an effective incident response plan and using the forensic skill sets of the response team. During analysis of various ransomware attacks, we have identified the following tools and techniques used by attackers:

  • Use of privileged accounts and sometimes the creation of privileged accounts within the victim’s environment

  • The download of tools and exploit frameworks such as Metasploit, Fuzzbunch, and network scanners

  • Remote logons (Windows logon types 3 and 10) obtained by abusing RDP

  • Use of SMB, PowerShell, WMI, and BITS for lateral movement and remote execution

  • Use of tools such as BloodHound, AdFind, Cobalt Strike beacons, ProcDump (to dump LSASS memory), and Mimikatz to find a path to the domain controller, compromise credentials, and maintain persistence

  • Use of malicious websites such as ‘’, ‘’ to push various exploitation tools and to upload the output those tools produce

  • Use of data exfiltration techniques such as ‘Rclone’, which can transfer bulk data to cloud storage like ‘’ and ‘Dropbox’

3. Staging: In this phase of the attack chain, the ransomware embeds itself into a system by making various changes to achieve persistence and starts communicating with the Command and Control (C2) server, which holds the encryption key.

  • Use of malicious batch scripts and PowerShell scripts to disable antivirus by modifying the registry

  • Large volumes of network traffic to the C2 server from beacons, together with new autorun entries on affected systems

  • Various malicious executables dropped on systems and shared across the environment by using network shares.

4. Scanning: This is the phase in which the malware begins to scan the infected host to identify files to encrypt. Once completed, it looks for file shares and data stored in the cloud. It evaluates the level of access (read, write, or delete) available through the compromised user or machine.

  • Increased lateral movement using RDP and SMB across network

  • Increased access to various network shares and data stores.
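As an added illustration that is not part of the original post, the indicators listed under stages 2 to 4 can be turned into a small detection pass over normalized Windows Security events. The events below are constructed and simplified; the field names, hosts, users and the lateral-movement threshold are this example's own assumptions, not a vendor schema.

```python
import re
from collections import defaultdict

# Constructed, simplified Windows Security events standing in for a SIEM feed
# (field names are this example's own). 10.0.5.23 plays the compromised host.
EVENTS = [
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "src": "10.0.5.23"},
    {"id": 4732, "host": "DC01", "user": "svc_backup", "group": "Administrators", "member": "helpdesk2"},
    {"id": 4688, "host": "FS01", "user": "svc_backup",
     "cmd": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1"},
    {"id": 4688, "host": "FS01", "user": "svc_backup", "cmd": r"C:\Temp\AdFind.exe -f objectcategory=computer"},
    {"id": 4688, "host": "FS01", "user": "svc_backup", "cmd": r"rclone.exe copy D:\Finance remote:archive"},
    {"id": 4688, "host": "FS01", "user": "alice", "cmd": r"C:\Windows\System32\notepad.exe budget.txt"},
] + [  # a burst of network (type 3) logons from one source to a dozen workstations
    {"id": 4624, "host": f"WS{n:02d}", "user": "svc_backup", "logon_type": 3, "src": "10.0.5.23"}
    for n in range(1, 13)
]

# Tools named in the post, matched on the process command line (event 4688).
TOOL_RE = re.compile(r"\b(adfind|bloodhound|procdump|mimikatz|rclone)(\.exe)?\b", re.I)
# Registry writes that switch Defender features off (the staging-stage AV tampering).
AV_TAMPER_RE = re.compile(r"\breg\s+add\b.*windows defender.*/v\s+disable", re.I)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

def per_event_findings(ev):
    """Map a single event to the attack-chain indicators it matches."""
    found = []
    cmd = ev.get("cmd", "")
    if ev["id"] == 4688:
        m = TOOL_RE.search(cmd)
        if m:
            found.append(f"infection: attacker tool {m.group(1).lower()} on {ev['host']}")
        if AV_TAMPER_RE.search(cmd):
            found.append(f"staging: AV disabled via registry on {ev['host']}")
    if ev["id"] == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
        found.append(f"infection: {ev['member']} added to {ev['group']} on {ev['host']}")
    return found

def lateral_movement(events, max_hosts=10):
    """Flag (src, user) pairs whose remote logons (types 3/10) fan out to too many hosts."""
    fan_out = defaultdict(set)
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") in (3, 10):
            fan_out[(ev["src"], ev["user"])].add(ev["host"])
    return [f"scanning: {src} as {user} logged on to {len(hosts)} hosts"
            for (src, user), hosts in sorted(fan_out.items()) if len(hosts) > max_hosts]

def analyze(events):
    """Per-event indicators first, then the cross-event lateral-movement check."""
    return [f for ev in events for f in per_event_findings(ev)] + lateral_movement(events)

if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

The threshold for the fan-out check has to be tuned per environment; backup and scanning services legitimately log on to many hosts, so pair it with the account's normal baseline.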

5. Encryption: Once the malware completes its analysis and inventory, it initiates the encryption process. Local files are encrypted almost immediately, then the malware moves on to the network shares. The network data is copied locally, encrypted, and then uploaded back to the share, replacing the original document. Ransom notes are dropped throughout the compromised portions of the systems; they contain the payment demand as well as the payment details.

That's it for now, folks! Now that we have understood how an attack unfolds, in our next post we will talk about standard remediation techniques.
