Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

How ransomware attackers get into your IT environment.

15 maart 2023

door NCC Group

How can you defend against ransomware attacks?


NCC Group’s Annual Threat Monitor Report 2022 found, perhaps unsurprisingly, that the threat of ransomware attacks is still ever-present.

North America and Europe faced the bulk of the attacks, with North America suffering 44% and Europe 35% of the 2,531 ransomware incidents reported.

According to IBM, the average ransomware attack cost victims $4.54m (not including the ransom itself) and took 326 days in total to be identified and contained.

Typically, the attackers aim to extort money from the target organizations. Initially —– they will exploit weak security measures to gain access to the victim’s IT environment, then move laterally to take ownership once inside. They then demand a ransom to regain access and prevent stolen data from being leaked publicly.

While several coordinated operations resulted in the arrests of key members of prolific cyber-criminal groups, the threat from ransomware will likely persist well into 2023 and beyond.

So, what can your organization do to avoid being among the next ransomware victim?

Despite the prevalence of ransomware attacks, you typically only need fundamental security hygiene to prevent most — if not all — from hitting your organization on a big scale. To prioritise the correct defensive measures, it is critical to understand how cyber-criminals could force their way into your IT environment.

Once the attackers successfully gain access, it can often take multiple days before they try to steal and encrypt the victims’ data and systems, which is an appropriate time to have threat detection measures in place to identify the attacker and prevent any further damage.

To explore how you can effectively defend against potential future attacks, we’ve chosen three recent, real-life incidents handled by our Cyber Incident Response Team.

They each show how organizations across any industry are at risk if they don’t have the necessary security measures in place for prevention and detection.

Phishing in the financial services industry

In Q1 2022, a financial services organization was hit by Conti ransomware.

Like many ransomware attacks, it used phishing to infiltrate the IT environment. In this case, access was gained by hijacking a legitimate email conversation, and spear phishing with a link to a malicious Excel file, from which QakBot was deployed.

Once in, the attacker used several methods to move through the IT environment over the course of two days. These included:

• Downloading additional attack tools using QakBot
• Deploying Cobalt Strike on multiple systems
• Collecting email from an Exchange server using a PowerShell script
• Searching for Hyper-V hosts by querying the victim’s Active Directory.

Sensitive information was stolen on Day One of the attack, with emails and data exfiltrated using QakBot and Rclone respectively. And by 16:05 on Day Two, the target organization's data and systems were encrypted, disrupting its operations.

Vulnerabilities in the transport industry


An organization in the transport industry found itself the victim to ransomware. This time, the attack exploited a vulnerability known as Log4Shell, located in the Log4j library in a VMware Horizon server.

The VMWare Horizon server prone to Log4Shell was accessible from the internet, so the attacker could get into the IT environment via this server after scanning online for vulnerable systems to exploit.

Much of the attack path took place over five days. The methods included:

• Downloading attack tools
• Harvesting Domain Admin credentials by dumping LSASS memory with ProcDump
• Changing the password of Domain Admin using Pass the Hash
• Deploying Cobalt Strike for persistent remote access
• Inspecting the network using NetScan and creating an overview of network shares.

The attacker exfiltrated data using Rclone on Day Five, and finally, at 02:00 on the twelfth day from the initial entry, the victim’s operations were disrupted by encryption of their files using Quantum ransomware.

Stolen credentials in the high-tech industry

In this third example, an organization in the high-tech sector had its IT environment compromised in a BlackCat ransomware attack.

The attacker most likely gained access to the IT environment by stealing VPN credentials, using Raccoon Infostealer on Day One. On Day 17, these stolen credentials were used to authenticate to the company’s network.

The attacker could now use these credentials to scan and authenticate several other servers. And as it was the VPN account being abused, no forensic traces related to any of the tooling could be found in the systems.

The attacker went on to:

• Move laterally over Remote Desktop Protocol
• Stop the detection of further malicious activities by disabling Microsoft Windows Defender
• Use scheduled tasks to execute the ExMatter exfiltration tool.

The organization's operations were disrupted at 01:44 on Day 18 of the attack. After encrypting all files, the ransomware used several legitimate executables to maximize the attack’s impact.

Don't be held hostage by Ransomware

Ransomware attackers might attempt to infiltrate your IT environment in a number of ways — from the phishing, Log4j vulnerabilities, and VPN credential theft seen in these examples, to public RDP access, and exploitation of Microsoft Exchange services.

But in each case, a failure to prevent and detect the attacker means they’re often inside an IT environment unobserved for extended periods, with inadequate security measures allowing them to disrupt their victims’ organizations successfully.

Based on our analysis of observed attacks, prioritized security hygiene and preventative measures would be:

With these defences readily in place, the attackers would not be so successful a second time.

For further information regarding our threat intelligence services or help in defending your organization from Ransomware attacks, get in touch with one of our ransomware resilience experts.

Call us before you need us

Our experts are here to help you