RansomOps: Detecting Complex Ransomware Operations

November 16, 2021 | 3 minute read

In a recent blog post we discussed how today’s more complex RansomOps attacks are more akin to stealthy APT-like operations than the old “spray and pray” mass email spam campaign of old, and how  there are multiple players from the larger Ransomware Economy at work, each with their own specializations. 

These players include the Initial Access Brokers (IABs) who lay the groundwork for a ransomware attack by infiltrating a network and moving laterally to maximize the potential impact from the ransomware payload, and the Ransomware-as-a-Service (RaaS) operators who provide attack infrastructure to affiliates who actually carry out the attack.

We also discussed how the average ransomware attack proceeds in seven distinct phases: An attack attempt delivers the ransomware payload after an employee clicks on a phishing email or visits a malicious website; the ransomware installs itself onto the employee’s machine and runs its malicious code; as part of its startup process, the ransomware phones back to its attackers via a command and control (C&C) server for the purpose of receiving instructions. 

Once it’s obtained its marching orders, the ransomware goes about stealing access to credentials so that it can infiltrate even more accounts and devices; the ransomware uses those compromised accounts and devices to discover files with certain file extensions that it’s capable of encrypting; at that point, the ransomware moves laterally across the network to compromise even more accounts and devices.

Finally, the ransomware acts on its objectives by activating its encryption routine on local and network files and then displaying its ransom note to the victim. This level of compromise puts RansomOps attackers in a position where they can demand even bigger ransoms, and RansomOps techniques also commonly involve multiple extortion techniques. 

These include using double extortion where the attackers first exfiltrate a victim’s sensitive files before launching the ransomware encryption routine. The logic is that the attackers can use that stolen information to threaten noncompliant victims with the possibility of a data leak. This can take the form of ransomware actors putting additional pressure on victims to pay the ransom despite the availability of working data backups. 

Or it can involve ransomware attackers demanding two ransoms, one for a working decryption utility and another for the attackers’ word that they deleted their victims’ stolen information from their servers (as if the word of a ransomware group ever meant anything anyway).

Some groups have taken things a step further. In mid-September, for instance, Bleeping Computer reported that the Grief ransomware gang had begun threatening to delete a victim’s decryption key if they elected to hire someone to help them negotiate the ransom demand down. This came on the heels of the Ragnar Locker group threatening to publish a victim’s data if they notified the FBI or local law enforcement about an infection, per ThreatPost.

How Organizations Can Protect Themselves Against RansomOps

It’s possible for organizations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can use malicious links or malicious macros attached documents to block suspicious emails. Installation gives security teams the opportunity to detect files that are attempting to create new registry values and to spot suspicious activity on endpoint devices. 

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, investigate network mapping and discovery attempts launched from unexpected accounts and devices.

Defenders can flag resources that are attempting to gain access to other network resources with which they don’t normally interact, and discover attempts to exfiltrate data as well as encrypt files. Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organization.

But most organizations can’t do this on their own. They need the right solution to perform these threat hunting tasks for them. That’s why Cybereason designed its anti-ransomware platform to combine both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs). The former can help to keep organizations safe against known ransomware campaigns, while the latter can help security teams to visualize and stop even those attack attempts that no one has seen before. 

The Cybereason operation-centric approach is undefeated in the fight against ransomware because it detects RansomOps earlier in the attack sequence based on rare or advantageous chains of malicious behavior. Cybereason delivers the best prevention, detection and response capabilities available to thwart ransomware attacks.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed