
“Cryptolocker ransomware” by Christiaan Colen is licensed under CC BY-SA 2.0

Slowing the Advance of Ransomware Attacks

Abstract

Ransomware has been trending in the news of late. The attack begins with a successful breach of the perimeter, followed by reconnaissance and exfiltration of data. Only after information is extracted does the attacker unleash the ransomware. Taking the information prior to encrypting it gives the attacker additional leverage over the victim through double-extortion: either the victim pays the ransom, or their information is released. Email is a common attack vector, while Remote Desktop Protocol is often used for lateral movement to gather information. A positive campaign to limit the open-source intelligence available is one way to slow or stop an attack. This paper briefly discusses the trend and suggests ways to slow or deter the attack.

Slowing the Advancement of Ransomware Attacks

InfoSecurity reported that remote desktop protocol (RDP) was used in 90% of cyber-attacks last year. Ransomware was involved in 81% of those cases. To be clear, RDP was not used in all cases to infiltrate the system. It was used to move laterally to conduct reconnaissance and capture data for later use (Muncaster, 2021). The two main themes in this report are RDP and ransomware, with malicious links and attachments in email phishing campaigns being the primary means of ingress. Criminals have been using RDP to move laterally once the breach occurs. This is a calculated effort to capture as much information as possible before launching the main event. Once the data are exfiltrated, the ransomware attack can begin. The current trend is the use of double-extortion, where the attacker encrypts the victim’s files and threatens to release the information publicly if the victim refuses to pay (Wodecki, 2021).

Traditional defensive techniques (VPN and MFA) used to stop unauthorized access via RDP have no effect on its use if the attacker has already landed within the system. Once inside, the hacker simply hijacks credentials and blends in with normal network traffic (Muncaster, 2021).

According to Lance Whitney (2021), the phishing email attack is the most common method of gaining access. The payload is typically delivered directly within the email or through a hyperlink that leads to the infection. He cites cases where the Trojan Troj/Phish HUP was used to infiltrate finance departments. This malware was first deployed in February 2021 and is spread through email links where the unwary victim is expecting to download a file from a cloud service, such as OneDrive. This isn’t a new phenomenon. An employee who is anticipating a file from a colleague is highly likely to download the file when it appears in his mailbox. Spearphishing techniques can convince many people to open the file even if it isn’t expected. Embedding a link to a spoofed website where the “file” is located provides the criminal with a tool to capture email credentials from numerous employees without being detected (Whitney, 2021). This leads back to the use of RDP once inside the network to conduct reconnaissance and exfiltrate as much information as possible before triggering the ransomware attack. Although there are tools that can help stop the attack, Whitney (2021) posits that user training is the primary method to prevent intrusion. This should take the form of mock phishing campaigns as well as training on voicemail- and SMS-based cyber-attacks.

While this is undoubtedly a step in the right direction, Aviv Grafi (2021) points out that 65% of phishing testing failures occur when the malware is part of an email attachment. This is generally part of an email that appears to come from within the company such as human resources. Knowledge of the company email naming convention can give criminals a way to spoof such an email.

End user training is only part of the solution. Preventing an effective spearphishing campaign begins with eliminating information available as open-source intelligence (OSINT).

Hutchins et al. (n.d.) of Lockheed Martin created the Cyber Kill Chain® model, which identifies seven links in a successful attack. Theoretically, breaking any of the links in the chain hinders the attack. The seven links are reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.

Bianca Soare (2021) classifies the first step in a cyber-attack as systematically establishing a knowledge base to uncover and exploit vulnerabilities (reconnaissance). Passive reconnaissance is the art of using OSINT to gather information about an adversary. It is difficult to defend against, but not impossible. Eliminating the OSINT footprint of an organization can slow or deter an attack. Passive reconnaissance seeks out public information to map out a picture of the target. It takes specific information to mount a successful spearphishing attack. Company websites will often list names of key employees within the company. They may also provide a physical address of the business. The location of the company provides clues to pinpoint employees on social media. It may also aid in finding external vulnerabilities such as communication hubs, which are outside the control of the organization. Social media provides the platform for people to highlight their jobs. This kind of information can be used to ascertain a weakness in the defenses. Consider the administrative assistant of a company executive. He is likely to have high-level privileges on the company network due to his proximity to the boss. An attacker can go undetected while cataloguing the habits of such a person to discern his suitability as an attack vector. Using what he/she learns, the attacker can establish a relationship with the employee. The relationship can harvest enough data to produce a successful phishing expedition, such as an email or SMS message with a link to a malicious website. The attacker exploits knowledge of the victim by using an enticement revealed in the relationship. The connection also establishes a trust factor, making it almost certain the victim will click the link (Sager, 2014).

Purging as much information as possible from the public eye is the key to precluding its use against the organization. Cleaning up the company website to remove intelligence about the people who work there will slow the advance of an attack. Unless required by law, contact information should be limited to a single, centralized phone number and an organizational mailbox to prevent giving away the email naming convention or the name of a trusted employee in the company hierarchy. The physical address of the company should be avoided in favor of a post office box. Companies can limit their exposure on social media by establishing a policy to stop employees mentioning the organization. This is enforceable depending on the nature of the business and through the signing of non-disclosure agreements as a condition of employment (Matteson, 2018). Removing information from public access adds a layer of complexity to the puzzle an attacker is trying to solve.

One final thought about email. To increase the chances of identifying that an email is authentic and originated from the domain it claims to be from, consider implementing DomainKeys Identified Mail (DKIM). This is an email authentication standard that attaches to each outgoing email a cryptographic signature made with the sending domain’s private key. The receiver of a DKIM-signed email retrieves the matching public key from the domain’s DNS record and uses it to validate the signature. This is not a guarantee that the email is genuine and doesn’t contain malware, but it does provide another layer of protection. To set up DKIM, follow these steps (Jelen, 2018).

  1. Take note of all the domains in your organization used to send emails
  2. Install the DKIM package that is specific for your mail server
  3. Create a public and private key pair
  4. Create a DKIM TXT record to publish the DKIM selector and your public key
  5. Save your private key where your DKIM package expects it
  6. Configure your mail server to make sure that DKIM is up and running
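The following Go program is an added illustration of the DKIM exchange described above; it is example code written for this page, not code from Jelen or from the original article. It generates an RSA key pair (step 3), builds the TXT record value a domain would publish (step 4), signs a constructed message the way a mail server does (step 6), and then verifies it the way a receiving server would. The domain example.com, the selector s2021, the sample headers and the body are all constructed; the program uses the "simple" header and body canonicalization from RFC 6376 and passes the TXT record value directly to the verifier instead of performing a real DNS lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Header is one name/value pair from an email message.
type Header struct{ Name, Value string }

// TXTRecord is the value published at <selector>._domainkey.<domain> (step 4): v=DKIM1 plus the public key.
func TXTRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// parseTags splits a "k=v; k=v" list (TXT record or DKIM-Signature) into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=") // first "=" only; base64 padding stays in v
		tags[k] = v
	}
	return tags
}

// bodyHash is the bh= tag under "simple" canonicalization: trailing empty lines dropped, one final CRLF.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signatureInput is what the signature covers: the h= headers, then the DKIM-Signature header with an empty b=.
func signatureInput(hTag string, msg []Header, dkimHeader string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(hTag, ":") {
		for _, h := range msg { // first header with that name, in h= order
			if strings.EqualFold(h.Name, name) {
				sb.WriteString(h.Name + ": " + h.Value + "\r\n")
				break
			}
		}
	}
	sb.WriteString("DKIM-Signature: " + dkimHeader)
	return []byte(sb.String())
}

// Sign (sender side, step 6) returns the DKIM-Signature header value.
func Sign(priv *rsa.PrivateKey, domain, selector string, names []string, msg []Header, body string) (string, error) {
	hTag := strings.Join(names, ":")
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, hTag, bodyHash(body))
	digest := sha256.Sum256(signatureInput(hTag, msg, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify (receiver side) checks bh= and the signature with the public key from the TXT record looked up for s=/d=.
func Verify(txt, dkimHeader string, msg []Header, body string) error {
	der, _ := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	key, err := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey) // comma-ok form: safe even when key is nil
	if err != nil || !ok {
		return fmt.Errorf("DKIM record does not hold a usable RSA public key")
	}
	tags := parseTags(dkimHeader)
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("body hash mismatch: the body was altered")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= simply fails the check below
	// b= is the last tag, so stripping its value restores the header exactly as it was signed.
	digest := sha256.Sum256(signatureInput(tags["h"], msg, strings.TrimSuffix(dkimHeader, tags["b"])))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// RoundTrip runs the whole procedure on a constructed message from a hypothetical example.com sender (selector "s2021").
func RoundTrip() (txt string, genuineOK, spoofCaught, tamperCaught bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // step 3; the private half stays on the mail server
	msg := []Header{{"From", "hr@example.com"}, {"To", "staff@example.com"}, {"Subject", "Benefits enrollment"}}
	body := "Please review the enrollment form.\r\n"
	sig, _ := Sign(priv, "example.com", "s2021", []string{"From", "To", "Subject"}, msg, body)
	txt = TXTRecord(&priv.PublicKey)
	spoofed := append([]Header{{"From", "ceo@example.com"}}, msg[1:]...)
	genuineOK = Verify(txt, sig, msg, body) == nil
	spoofCaught = Verify(txt, sig, spoofed, body) != nil
	tamperCaught = Verify(txt, sig, msg, body+"Wire the funds today.\r\n") != nil
	return
}

func main() {
	fmt.Println(RoundTrip()) // prints the TXT record value followed by true true true
}
```

Running it prints the value that would go into the s2021._domainkey.example.com TXT record, followed by three results: the genuine message verifies, while the copy whose From header was replaced and the copy whose body was appended to both fail. That is the whole guarantee DKIM gives, and it matches the caveat above: a valid signature proves only that the signing domain vouched for the message as sent, not that its link or attachment is safe.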

Conclusion

Ransomware attacks are on the rise. The most recent trend is the use of double-extortion techniques to force victims to pay the ransom. In this attack method the criminal infiltrates the network and conducts reconnaissance, then exfiltrates information to use as leverage against the victim. Once the information has been secured the hacker launches the ransomware attack. If the victim refuses or is slow to pay, the attacker threatens to release the information.

An assault can be stopped before it starts through the elimination of OSINT to the maximum extent possible. This takes away knowledge that can be used to increase the odds of a successful spearphishing attack. This will not guarantee the security of the network, but it may make things difficult enough for an attacker to pick an easier target.

References

Coker, J. (2021, February 8). Remote Desktop Protocol Attacks Surge by 768%. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/remote-desktop-protocol-attacks/.

Grafi, A. (2021, May 18). Why Anti-Phishing Training Isn’t Enough. Dark Reading. https://beta.darkreading.com/operations/why-anti-phishing-training-isn-t-enough.

Hutchins, E., Cloppert, M., & Amin, R. (n.d.). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.

Jelen, S. (2021, May 22). SecurityTrails: DKIM: What is it and should you configure it? The World’s Largest Repository of Historical DNS data. https://securitytrails.com/blog/what-is-dkim.

Muncaster, P. (2021, May 19). RDP Hijacked for Lateral Movement in 69% of Attacks. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/rdp-hijacked-for-lateral-movement/.

Sager, T. (2014, July). Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention. SANS Institute: Reading Room — Analyst Papers. PDF. https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302.

Soare, B. (2021, March 17). The Cyber Kill Chain Model: A Comprehensive Guide. Heimdal Security Blog. https://heimdalsecurity.com/blog/cyber-kill-chain-model/.

Whitney, L. (2021, April 7). How to better combat malware delivered through email. TechRepublic. https://www.techrepublic.com/article/how-to-better-combat-malware-delivered-through-email/.

Wodecki, N. (2021, May 13). Zscaler Ransomware Report Reveals Sophisticated Double Extortion Attacks Are Targeting Essential Industries. Dark Reading. https://www.darkreading.com/attacks-breaches/zscaler-ransomware-report-reveals-sophisticated-double-extortion-attacks-are-targeting-essential-industries/d/d-id/1341006.


Richard Quidgeon
Maryville University Cyber Fusion Center

I’m in my last semester at Maryville University working on a MS in Cybersecurity. My background is military and civil aviation, so this is a big change of pace.