Ransomware Myth Busting - 5 Myths of Modern Ransomware Attacks
Ransomware is a term that evokes fear in many, and with good reason. CrowdStrike’s Falcon OverWatch™ threat hunters continue to see increasing numbers of hands-on-keyboard intrusions, with eCrime adversaries representing the most prominent threat type. Opportunistic cybercriminals await any opportunity to leverage your data against you for large payouts.
This risk is heightened when you consider the speed of eCrime adversaries’ “breakout time,” or the time it takes for them to move laterally from an initially compromised device to another asset within the victim's environment. A closer look at eCrime activity in 2021 revealed an average breakout time of only 1 hour and 38 minutes.
Even with the ubiquity of ransomware activity, there are still many myths surrounding these attacks and, more importantly, how businesses can proactively defend against them. This article aims to dispel these myths and highlight how you can harden and prepare your organization to defend against a potential ransomware attack.
Myth 1: Emails Are the Battlefront
Phishing, spearphishing, vishing, and other user-enabled initial entry points represent only a fraction of ways in which sophisticated adversaries can breach your organization’s environment.
For example, in a recent intrusion by an unknown eCrime adversary, CrowdStrike’s OverWatch team observed the threat actor use password spraying against a Remote Desktop Protocol (RDP) connection to gain initial access. This was followed by a wide range of activity indicative of the preliminary stages of a Dharma ransomware attack. Password spraying is a technique commonly used to acquire valid user credentials to operate within a victim environment as it circumvents the need to deceive a user into providing access.
With so many potential access vectors at an adversary’s disposal, defenders should focus their efforts on identifying the signs of hands-on-keyboard activity that follows initial access. Further, it is important to closely monitor existing tooling within your environment that could potentially be used by an adversary to access the network remotely or perform lateral movement once they are inside. Any out-of-hours use of such tooling could highlight malicious activity.
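To make the RDP password-spraying case above concrete for defenders, the following added example (not from the original article) flags sources whose failed logons cover many distinct accounts with only a few attempts each. The record layout, the thresholds and the sample data are assumptions constructed for illustration; in practice the records would come from failed-logon events such as Windows Security event 4625.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, source_ip, username).
SAMPLE_FAILURES = (
    # One source, six different accounts, one attempt each: spray pattern.
    [(f"2021-06-01T02:{m:02d}:00", "203.0.113.7", u)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One source hammering a single account: brute force, not a spray.
    + [(f"2021-06-01T03:00:{s:02d}", "198.51.100.20", "administrator")
       for s in range(8)]
    # An internal user mistyping a password twice.
    + [("2021-06-01T09:01:00", "10.0.0.15", "jsmith"),
       ("2021-06-01T09:01:30", "10.0.0.15", "jsmith")]
)


def detect_password_spray(failures, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources that, inside `window`,
    fail against at least `min_users` accounts with at most `max_per_user`
    attempts per account (thresholds are illustrative assumptions)."""
    by_source = defaultdict(list)
    for ts, src, user in failures:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    flagged = defaultdict(set)
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src].update(counts)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_FAILURES).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

A per-account lockout counter misses this pattern because no single account accumulates many failures; grouping by source is what exposes it.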
Myth 2: It’s All Over Once the Adversary Gains Access
Ransomware attacks are not one-step events. Once an adversary gains access to one device, they still must go through several steps to understand the enterprise environment, gain access across multiple devices, and finally execute ransomware. Defenders can look for the telltale signs of this type of pre-ransomware behavior to disrupt an adversary before they can do any damage.
Adversaries also don’t just strike once. In many cases, disrupting an initial attack won’t stop an adversary from trying again. Remember that eCrime intrusion we just highlighted? Well, the adversary returned to the network because the exposed and compromised RDP service was not fully remediated. In this instance, the adversary continued their second attempt at ransomware deployment by using native tooling to tamper with the device’s security configurations.
Detecting the early stages of a ransomware intrusion is all about knowing your environment to effectively separate malicious from benign. Defenders should review existing remote access points and ensure logging is enabled and actively monitored to identify unusual access. Further, it’s important to understand the applications you have installed and maintain an up-to-date network diagram, as these provide a baseline of normal operations. OverWatch also recommends using frequency analysis to elevate the least common activities and artifacts within an environment, as these can be an indication of adversaries looking to blend into the noise.
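The frequency analysis recommended above can be sketched as a simple "stacking" pass over process telemetry. This is an added example, not from the original article or any CrowdStrike tooling; the (host, parent, process) record layout, the host names and the `remote-tool.exe` binary are hypothetical and the data is constructed.

```python
from collections import defaultdict

# Constructed telemetry: (hostname, parent_process, process).
HOSTS = [f"WS-{i:02d}" for i in range(1, 21)]
SAMPLE_EVENTS = (
    # Baseline activity seen on every workstation.
    [(h, "explorer.exe", "chrome.exe") for h in HOSTS]
    + [(h, "services.exe", "svchost.exe") for h in HOSTS]
    # Activity that appears on a single host only.
    + [("WS-07", "cmd.exe", "net.exe")] * 3
    + [("WS-07", "Explorer.EXE", "remote-tool.exe")]  # hypothetical binary
)


def least_common(events, max_hosts=1):
    """Stack parent/child process pairs across the fleet and return the
    pairs seen on at most `max_hosts` hosts, rarest first, as
    ((parent, process), host_count, execution_count)."""
    hosts = defaultdict(set)
    runs = defaultdict(int)
    for host, parent, proc in events:
        key = (parent.lower(), proc.lower())  # normalise case before counting
        hosts[key].add(host)
        runs[key] += 1

    rare = [(len(seen), runs[key], key)
            for key, seen in hosts.items() if len(seen) <= max_hosts]
    # Sort by host count, then execution count, so one-off artifacts lead.
    return [(key, n_hosts, n_runs) for n_hosts, n_runs, key in sorted(rare)]


if __name__ == "__main__":
    for (parent, proc), n_hosts, n_runs in least_common(SAMPLE_EVENTS):
        print(f"{parent} -> {proc}: {n_hosts} host(s), {n_runs} run(s)")
```

Counting distinct hosts rather than raw executions keeps a noisy but universal process from hiding an artifact that exists on one machine.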
Myth 3: Adversaries Use Only One Valid Account
Once an eCrime adversary gains access, they often attempt to compromise additional valid accounts to extend their reach onto more devices or elevate their access to the level needed to execute ransomware. By increasing the number of infected devices, adversaries improve their chances of the victim paying the ransom demand.
During deployment into new customer environments, it is not uncommon for OverWatch to find signs of well-entrenched adversaries, with malicious activity uncovered under multiple valid accounts. In one such case, threat hunters uncovered the eCrime group PINCHY SPIDER operating over RDP and under the context of multiple user accounts. PINCHY SPIDER had successfully brought REvil ransomware into the environment and was actively extending their foothold in the victim organization’s network through the use of valid domain accounts, the creation of new accounts, and credential harvesting in preparation for the ransom operation.
Defenders should audit creation events related to new user and administrator accounts as well as permission changes to user accounts. Maintaining proper visibility of administrative changes is required to track and trace malicious activity wherever it appears.
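One way to audit the account-creation and permission-change events described above is to correlate them, as in this added example (not from the original article). It narrows the audit to one pattern: an account that is created and then placed in a privileged group shortly afterwards. The record layout, account names, time window and the choice of privileged groups are assumptions, and the data is constructed; the event IDs are the Windows Security audit IDs for account creation and group-membership additions.

```python
from datetime import datetime, timedelta

CREATED = 4720                   # a user account was created
GROUP_ADDS = {4728, 4732, 4756}  # member added to a global/local/universal group
PRIVILEGED = {"administrators", "domain admins", "enterprise admins"}

# Constructed audit records: (timestamp, event_id, actor, target_account, group).
SAMPLE_AUDIT = [
    ("2021-06-01T02:14:00", 4720, "svc_backup", "helpdesk2", None),
    ("2021-06-01T02:15:10", 4732, "svc_backup", "helpdesk2", "Administrators"),
    ("2021-06-01T10:00:00", 4720, "hr_admin", "new.hire", None),
    ("2021-06-03T11:00:00", 4728, "it_admin", "new.hire", "Sales"),
    ("2021-06-01T12:00:00", 4728, "it_admin", "jsmith", "Domain Admins"),
]


def new_accounts_made_privileged(records, within=timedelta(hours=1)):
    """Return (account, group, created_by, added_by, timestamp) for accounts
    added to a privileged group within `within` of being created."""
    created = {}   # account name -> (creation time, creating actor)
    findings = []
    for ts, event_id, actor, target, group in sorted(records, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        name = target.lower()
        if event_id == CREATED:
            created[name] = (when, actor)
        elif event_id in GROUP_ADDS and group and group.lower() in PRIVILEGED:
            born = created.get(name)
            if born and when - born[0] <= within:
                findings.append((target, group, born[1], actor, ts))
    return findings


if __name__ == "__main__":
    for account, group, by, adder, ts in new_accounts_made_privileged(SAMPLE_AUDIT):
        print(f"{ts}: {account} created by {by}, added to {group} by {adder}")
```

The `jsmith` change to Domain Admins is not returned because that account was not newly created; it still belongs in a separate review of permission changes to existing accounts.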