The ransomware hacker’s toolkit

appgate
Mike Sentonas, CTO at CrowdStrike looks at the ransomware hacker’s toolkit and how it is vital that companies understand more about the modus operandi of cyber criminals.

Ransomware remains one of the most lucrative forms of cybercrime around. Even with ransomware attacks and breached databases a daily occurrence, unless you’ve been through an attack it’s hard to appreciate how difficult it is. And ransomware threat actors are continually updating and improving their intrusion and cybersecurity evasion techniques. It is vital that companies understand more about the modus operandi of cyber criminals, allowing them to tighten their defenses in turn.

What happens during a ransomware attack?

There are several vectors cyber criminals can take to access an organization’s systems. One of the most tried, tested and effective methods is phishing. The aim of phishing is to lure employees, the more senior, the better, into believing that they are receiving an email or message from a legitimate organization. From here, the goal is to convince the victim to volunteer their login details.

This is the perfect scenario for the attacker, when they log into a company system using stolen but genuine credentials, their opportunity to traverse the network undetected is immense.

Cyber criminals will then begin to increase their access across the company’s system until they reach their target. This means that all of the company’s data and files can be observed, analyzed and when threat actors come across valuable information such as essential databases, exfiltrated. Having stolen this data, they’ll encrypt the disk so that the victim has no access to their own files.

Adversaries will then contact the victim and threaten to release the organization’s sensitive information to the public and/or competitors unless their payment demands are met. This approach is sometimes referred to as extortionware.

However, as malicious and sophisticated as this sounds, ransomware bad actors have actually developed a variety of new and even more difficult to detect techniques.

The new tools and techniques deployed by cyber criminals

One of the main reasons ransomware has continued to run rampant for over 15 years is its ever-evolving nature. Cyber criminals are constantly adapting – and ‘bad files’ downloaded by incautious users are no longer the main danger to be concerned about. Today’s sophisticated attacks involve human cyber criminals, using a blend of specialist tools, network utilities that are already installed and everyday apps. Some of the tools used to compromise systems and exfiltrate valuable data were even originally designed to help guard networks.

Ingress tool transfer is a method commonly used after the criminal has compromised a system and granted themselves access. This process is used to expand the criminal’s foothold by transferring files or tools from external sources into the company’s system. The notable aspect of this technique is that criminals will prefer to use legitimate, native tools that allow them to carry out their operation without triggering security software detection. For example, some cyber criminals have transferred over the windows version of the ‘wget’ utility that allowed them to download a web shell and a scanning tool to aid in their data exfiltration process.

Phishing and other email-based attacks are a fairly well-known phenomenon to IT staff. The idea that an email attachment can result in a damaging cascade of cyber events is rudimentary knowledge. Adversaries will also research the target in advance to learn which communication methods are available or likely to succeed.

These details are then used to craft a tailored and convincing message. In some cases, bad actors will even use verbal communications – referred to as “vishing”. The reason for this is because many cyber security solutions focus on the email phishing threat so, to avoid detection, bad actors are now using other, less monitored communication channels.

Once the threat actors have located an enterprises’ valuable data, they need to find a way to collect this information without arousing suspicion or detection. The screen capture technique allows ransomware criminals to capture sensitive information from a victim’s system by taking a single screenshot at one point in time or scheduling them at regular intervals.

Similar to the techniques used above, screen capture can be done by using existing, native and legitimate system features, making them difficult to detect. To view documents and screenshots, criminals are happy to use the humble and venerable Notepad and MS Paint apps. Tools that are guaranteed to be present on targeted computers are much preferred to risking detection through the introduction of new software.

How to combat the ever-evolving ransomware threat

Knowing and understanding the new tools and techniques adversaries are using is just the first step to protecting a company from a ransomware attack. The key is to have the right tools for the job. Enterprises need to be adopting new-age protective measures and cybersecurity practices. 

As a baseline, enterprises need to establish control over the software running in their environment, eliminate unneeded software and keep their environment up-to-date with the latest patches. In addition, it is crucial that full endpoint protection, including next-generation antivirus (NGAV) and endpoint detection and response (EDR), is deployed across all endpoints.

NGAV uses machine learning intelligence and data analysis to detect patterns of behavior used by threat actors, which means that unknown threats can be anticipated and prevented. Also, EDR is the process of continuously recording and analyzing any action on the endpoint, creating a complete data model and allowing any indicators of attack to be spotted and stopped.

The next and most crucial stage is the human element. EDR should then be passed over to specialized threat hunting teams that can detect hidden attacks and new techniques, as mentioned above, that may have been missed during the automated process. 

READ MORE:

Ransomware threat actors are constantly evolving. Organizations that remain at a standstill and refuse to move with the times to keep up with the criminals will continue to fall victim to these ever-changing and devastating attacks. Practicing good cyber security hygiene and upgrading to the latest cybersecurity solutions is crucial to safeguarding against these new ransomware methods of attack. 

About Mike Sentonas

Mike Sentonas is CrowdStrike’s Chief Technology Officer. Previously, he served as Vice President, Technology Strategy at CrowdStrike. With over 20 years’ experience in cybersecurity, Mike’s most recent roles prior to joining CrowdStrike were Chief Technology Officer – Security Connected and Chief Technology and Strategy Officer APAC, both at McAfee (formerly Intel Security). Mike is an active public speaker on security issues and provides advice to government and business communities on global and local cyber security threats.

He is highly sought-after to provide insights into security issues and solutions by the media including television, technology trade publications and technology centric websites. Michael has spoken around the world at numerous sales conferences, customer and non-customer conferences and contributes to various government and industry associations’ initiatives on security. Michael holds a bachelor’s degree in computer science from Edith Cowan University, Western Australia and has an Australian Government security clearance.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Mike Sentonas

Mike Sentonas is the CTO at CrowdStrike

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...