Ransomware Distribution: How One Infection Can Go Network-Wide
Ransomware Network Distribution Techniques and Sub-Techniques
Ransomware’s notoriety goes well beyond the damage it does to a single machine. Like a computer worm, some ransomware families can hop from one system to the next on their own, and even those that cannot are carried across the network by the operators behind them, infecting multiple devices and, of course, whole networks. In this article we take a closer look at what is called “lateral movement”: the stage in which an infection on one host becomes an infection of the entire network. Enjoy!
How Does Ransomware Spread?
Before we get to lateral movement, it is worth pausing on how ransomware actually gets onto the first machine. The most obvious route is email. Why? Because it is convenient, it reaches everyone, and threat actors do not need to jump through flaming hoops to come up with a good ‘disguise’ for the email’s contents. A quick example: a Visual Basic script (.vbs) dressed up as a PDF attachment.
It takes about five seconds to give the file a long-winded name, something like Invoice_2022_Q3_payment_details.pdf followed by a run of spaces and the real extension, .vbs. Apply a PDF icon, make sure the fake “.pdf” stays within the part of the name the mail client displays, and that’s it. Hardly anyone scrolls past the visible characters to see what comes after the extension they can see. Just how efficient is this ransomware distribution method?
Well, according to this 2022 cyber-study by Purplesec, 92% of malware is delivered through email; that figure covers viruses, rootkits, spyware, adware and, of course, ransomware. So email is in the Ivy League, but what about the bush leaguers? Although email is the go-to channel, ransomware is just as easily delivered by other means: an infected thumb drive or portable hard disk, a drive-by download, files fetched from dubious websites, an RDP port left open to the internet, and so on. The possibilities are nearly endless and, as it happens, threat actors take every such opportunity.
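As an added example (not code from the original article), here is a small Python check that flags the double-extension trick described above: a document extension used as a decoy, whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override that reverses how the tail of a file name is drawn. The extension lists, thresholds and sample file names are this example’s own choices, not data from the page.

```python
"""Flag attachment names that hide a script or executable behind a document
extension (added example; extension lists are this example's own choices)."""
import re

# Extensions Windows will execute when double-clicked.
EXECUTABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif",
              ".com", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi", ".cpl"}
# Harmless-looking extensions commonly used as the decoy.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
         ".jpg", ".jpeg", ".png"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is drawn


def split_extensions(name: str) -> list[str]:
    """Return every dotted extension in order, whitespace stripped, lower-cased.
    'a.pdf    .vbs' -> ['.pdf', '.vbs']; the last entry is what the OS uses."""
    parts = name.split(".")[1:]
    return ["." + p.strip().lower() for p in parts if p.strip()]


def inspect_attachment(name: str) -> list[str]:
    """Return the reasons the name looks like a disguised payload
    (an empty list means nothing suspicious was found)."""
    findings = []
    if RLO in name:
        findings.append("right-to-left override hides the real extension")
    # The OS ignores the override when resolving the extension, so strip it
    # before looking at what would actually be executed.
    raw = name.replace(RLO, "")
    exts = split_extensions(raw)
    real = exts[-1] if exts else ""
    if real in EXECUTABLE:
        findings.append(f"real extension {real} is executable")
        if any(e in DECOY for e in exts[:-1]):
            findings.append("document extension used as decoy before the real one")
    # Three or more spaces right before the final extension is padding meant
    # to push the real extension out of the visible part of the name.
    if re.search(r"\s{3,}\.[A-Za-z0-9]+$", raw):
        findings.append("whitespace padding before the real extension")
    return findings


def verdict(name: str) -> str:
    """Simple policy: anything with a finding is blocked."""
    return "block" if inspect_attachment(name) else "allow"


if __name__ == "__main__":
    # Constructed sample names; the first mimics the trick described in the article.
    samples = [
        "Invoice_2022_Q3_payment_details.pdf" + " " * 40 + ".vbs",
        "quarterly_report.pdf",
        "photo" + RLO + "gnp.scr",   # drawn on screen as 'photorcs.png'
        "setup.exe",
    ]
    for s in samples:
        print(repr(s[:50]), verdict(s), inspect_attachment(s))
```

The check deliberately looks at the last extension the operating system will honour rather than the first one a human sees; that is the whole point of the trick, and it is why a mail gateway should make the same decision the OS will.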
On the topic of ransomware’s virulence, it is not uncommon for such malware to lie dormant until the right moment presents itself. Ryuk is the first example that springs to mind: in 2019, analysts at the UK’s National Cyber Security Centre identified a Ryuk strain that could ‘deactivate’ itself after successfully infiltrating the victim’s infrastructure. It gets better: before going into ‘hibernation’, Ryuk would disable every anti-malware protection mechanism it found along the way. In such cases the dormancy period can last anywhere from a few weeks to a couple of months. This serves two purposes: evading detection, and giving the operators time to reach as many systems as possible so that encryption, when it finally starts, does the maximum damage.
As you can see, given the right circumstances, spreading ‘the word’ is like shooting fish in a barrel for ransomware authors. Now that you have the general idea, let’s see how ransomware spreads through the network.
How does ransomware commonly spread to company networks
So what is lateral movement, and why does it matter? The name gives part of the answer away, but we won’t settle for that, so let’s look at what actually happens once ransomware is inside a company’s network.
Lateral movement is the set of techniques a threat actor uses to reach further network resources, or to move unimpeded through the victim’s network, after the initial foothold. In MITRE’s ATT&CK matrix, the knowledge base of adversary tactics and techniques, Lateral Movement is a tactic of its own (TA0008) with nine techniques, several of which have sub-techniques: Exploitation of Remote Services (T1210), Internal Spearphishing (T1534), Lateral Tool Transfer (T1570), Remote Service Session Hijacking (T1563), Remote Services (T1021), Replication Through Removable Media (T1091), Software Deployment Tools (T1072), Taint Shared Content (T1080) and Use Alternate Authentication Material (T1550). (Ingress Tool Transfer, which is sometimes confused with the third of these, is a separate technique under the Command and Control tactic.)
Exploitation of Remote Services
Threat actors often exploit vulnerabilities in the software or operating system of a neighbouring host to extend their foothold in the already breached network. The flaws in question are typically exploited for Remote Code Execution (RCE): the adversary sends crafted input to a network-facing service, triggers a bug in it, and leverages that to run code of their own on the target. Network discovery tools (port and service scanners) help them find hosts running vulnerable services in the first place.
Internal Spearphishing
Spearphishing is also used during the initial infiltration stage. Though it may seem counterintuitive to reuse the method, phishing colleagues from an already compromised internal account carries far more credibility than mail from outside, and can grant access to accounts and areas that are otherwise off-limits.
Lateral Tool Transfer
As they move across the network, threat actors use file-sharing protocols and tools (SMB admin shares, scp and the like) to copy their tooling and payloads from the sections they already control to those about to be compromised.
Remote Service Session Hijacking & Remote Services
In this phase a threat actor reaches other parts of the network by taking over existing remote sessions or by using remote services directly. For session hijacking, an adversary with sufficient privileges on a host can commandeer another user’s existing telnet, SSH or RDP session and inherit whatever access that session already has to other systems. Remote Services is the more mundane sibling: logging on to other hosts over RDP, SMB/Windows admin shares, WinRM or SSH with valid credentials. Those credentials are usually stolen, or a new account is created, during the first stages of the intrusion, which is why the two techniques so often appear together in ransomware distribution.
Replication through removable media
As the name suggests, this technique infects otherwise isolated systems by way of removable media (e.g., memory cards, USB sticks, external hard drives). Replication via removable media is a bit tricky because it needs a pair of hands on the inside: someone, whether a malicious insider or an unwitting employee, must carry the media to an air-gapped network or system (one not connected to the company network) and plug it in.
Software Deployment Tools
Threat actors may also leverage pre-existing software (third-party or OS-native) designed for administrative tasks such as patching, configuration management or remote deployment. If they gain control of such a tool, they can abuse its architecture to push and run malicious code across the enterprise in one go, which is how a ransomware payload can land on every managed endpoint at once.
Tainting of shared content
The threat actor can infect other systems by planting (hidden) payload files, or by modifying existing files and shortcuts, in shared storage, network drives and even code repositories, so that the next user who opens the content runs the payload.
Use Alternate Authentication Material
Lateral movement can also be facilitated by alternate authentication material: application access tokens, password hashes (Pass the Hash), Kerberos tickets (Pass the Ticket) or web session cookies. The idea is to reuse credential material cached on an already compromised host in place of the actual password, bypassing the normal authentication process without ever having to crack anything.
How to secure your endpoints against ransomware
Following through on a few key action points will help you mitigate the risk of a network-wide ransomware attack. Here are some aspects to take into consideration:
1. Constant backups are a must! Use a backup location that is not permanently connected to the local system. A cloud account that syncs a local folder, or an external drive that stays plugged in, is within reach of the ransomware and can be encrypted as well, so disconnect external drives after each backup and keep a versioned or offline copy of cloud backups.
2. Teach your colleagues never to download or open .zip or other attachments in emails from unknown senders. This is the main distribution method for ransomware. Only open attachments from known addresses, and scan any suspicious-looking attachment with a trusted, reputable antivirus product.
3. Instruct employees never to click links in emails from unknown senders. Such links can redirect them to malicious websites that host ransomware. VirusTotal is a good tool for checking whether a domain is already known to be malicious.
4. Follow common-sense guidelines to improve your network’s cyber safety. Teach employees to avoid questionable websites, never to click links in unsolicited emails or on unknown web pages, and not to disclose personal or professional information on social media.
5. Do not use an administrator account for day-to-day work on any computer in your environment. Instead, use standard user accounts that have access only to the resources a person needs to do their job. This limits privilege escalation and the other forms of infiltration described above.
6. Do not leave every business computer free to talk to every other computer on the local network. As you saw, ransomware can encrypt not only the data on the computer where the infection succeeded but also on every other computer it can reach over the network. Segmenting the network and blocking workstation-to-workstation file sharing and remote desktop access gives you a much better fighting chance against this threat.
7. Teach your employees and anyone who has access to your computer(s) about these safety rules and make it a requirement that they learn the basics of cyber security. This is an important investment in safeguarding your company’s data and ensuring business continuity.
8. Ransomware Encryption Protection. Take advantage of the latest anti-encryption technology to safeguard your digital assets. Heimdal™ Security’s Ransomware Encryption Protection can stop active malicious encryption and eliminate all ransomware-related components.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
It’s high time everyone understood that the consequences of ransomware attacks go beyond data encryption. Data leakage is a huge risk that always comes attached to these types of cybercriminal hits, and we’ve all seen them disrupt business flows and cause financial and reputational loss.
#1 Constant backups are a must! It’s important to use a back-up location that is not directly connected to the local system, such as a cloud account and an external drive, as ransomware can encrypt data on these locations as well.
Could you please clarify this statement? Are you saying a cloud account and an external drive can be accessed by ransomware? And by external drive, what do you mean?
Sir, my computer is affected by CryptoLocker. Now my old files have been restored from my backup without formatting…
Now, shall I connect to my office LAN? Will anything be affected again or spread from my computer to another? Please confirm!!!!
If you restored the files on a clean computer and if the files are clean themselves, everything should be okay.
Sorry, small typo in your article here… not tenths but tens…
Thank you, Dennis! We’ve corrected the error. I hope you’ll continue to enjoy the blog!