Most Targeted Attack Vectors

Attackers typically target open services with known vulnerabilities, since those are the easiest to exploit. The Center for Internet Security (CIS) develops benchmarks for numerous operating systems and devices, which provide guidance for hardening systems by turning off any services that are not required for the system to perform its function. This is particularly important for services that are shipped with the operating system but are no longer supported, such as Adobe Flash or Microsoft Internet Explorer. Exploit kits are usually designed for easy targets, such as vulnerable services. Sophisticated attackers are capable of exploiting zero-day vulnerabilities, but usually look for easy targets first.

Ransomware attacks may vary in technique, depending on the sophistication of the attacker, but typically the same general script is followed:

  1. Attackers gain initial access through a known flaw or weakness, such as:

    • Unpatched devices (exploitation)

    • New or unknown devices (exploitation)

    • Poorly configured devices (exploitation)

    • Phishing (emails, attachments, Dropbox)

    • Credential stuffing (website attacks, RDP)

    • Web shell/loader (website attacks; PHP, Perl, Python, ASP, etc.)

  2. Attackers disable key services and scrub log entries, then move laterally through the network to extend their foothold, mapping the network and compromising assets beyond the point of initial access. Cobalt Strike, originally released as a penetration testing tool, is the most common tool used; cracked versions are widely distributed on hacking forums. Cobalt Strike is loaded into memory via DLL hijacking. Once loaded, it can run native operating system commands such as net, ping, whoami and wmic; because these are legitimate built-in tools, their use helps the attacker blend in and evade detection. Other tools, commonly scripts, are used to disable security programs.

  3. Attackers gain privileged access to the Active Directory (AD) domain. Programs such as Mimikatz and BloodHound are commonly used to retrieve credentials and relationship information from other assets in order to reach the domain controller.

  4. Attackers leverage escalated privileges to install code throughout the environment. Once an attacker gains privileged access, there is little that can be done. As access is gained to other devices, additional Cobalt Strike Beacons execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads. The Windows Management Instrumentation Command-Line (WMIC) and PowerShell are commonly used to execute files pushed to other assets via Server Message Block (SMB). Attackers commonly search files for key terms such as "policy," "bank," "2021," "statement," and "insurance," looking for financial documents and documents that contain accounting information.

  5. Attackers commonly search for backups that are reachable from the network, so that their targets cannot restore data, and will typically encrypt one or two systems as a test to confirm that the encryption will succeed.

  6. Attackers exfiltrate data with programs such as Rclone, WinSCP, StealBIT, and MegaSYNC, and subsequently encrypt data, which disrupts operations. All remaining systems are encrypted by pushing the malware via SMB and then executing it with PsExec. Microsoft Group Policy (GPO) is also used to push the malware to the Domain Controller. Microsoft's System Center Configuration Manager (SCCM) or Remote Monitoring and Management (RMM) tools are also commonly used to push malware. Attackers will typically delete Volume Shadow Copy Service (VSS) snapshots and associated files to prevent restoration.
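As an added illustration (not part of the original text), the following Python script sweeps constructed process-creation records for the command lines the steps above describe and ranks hosts by how many playbook steps they touch; the pipe-delimited record format, the hostnames, the user names and the sample entries are all assumptions.

```python
# Added example, not part of the original text: a minimal detection pass over
# constructed process-creation records, keyed to the playbook steps above.
# The record format "timestamp|host|user|command_line" is an assumption.
import re
from collections import defaultdict

# (playbook step, description, pattern matched against the command line)
RULES = [
    (2, "discovery via native commands", re.compile(r"\b(whoami|net\s+(user|group|view)|wmic\s+\w+\s+get)\b", re.I)),
    (3, "credential access / AD mapping tool", re.compile(r"mimikatz|bloodhound", re.I)),
    (4, "remote execution via WMIC", re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)),
    (6, "exfiltration tool", re.compile(r"\b(rclone|winscp|megasync)\b", re.I)),
    (6, "lateral execution via PsExec", re.compile(r"\bpsexe[sc](\.exe)?\b", re.I)),
    (6, "shadow copy deletion", re.compile(r"vssadmin\b.*delete\s+shadows|wmic\b.*shadowcopy\s+delete", re.I)),
]

def scan(lines):
    """Return one hit per matching (record, rule) pair; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.strip().split("|", 3)  # keep any '|' inside the command line
        if len(parts) != 4:
            continue
        ts, host, user, cmd = parts
        for step, desc, pat in RULES:
            if pat.search(cmd):
                hits.append({"ts": ts, "host": host, "user": user,
                             "cmd": cmd, "step": step, "rule": desc})
    return hits

def hosts_by_step(hits):
    """Map host -> sorted playbook steps observed; a host that spans several
    steps is the one to triage first."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["step"])
    return {host: sorted(steps) for host, steps in seen.items()}

# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
2024-05-01T09:12:03|WS01|corp\\alice|whoami /all
2024-05-01T09:12:40|WS01|corp\\alice|net group "Domain Admins" /domain
2024-05-01T09:30:11|WS01|corp\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\mimikatz.exe
2024-05-01T10:02:55|WS01|corp\\svc_admin|wmic /node:FS01 process call create "C:\\temp\\run.bat"
2024-05-01T11:15:09|FS01|corp\\svc_admin|rclone copy D:\\Finance remote:drop
2024-05-01T11:40:27|FS01|corp\\svc_admin|vssadmin delete shadows /all /quiet
2024-05-01T08:00:00|WS02|corp\\bob|notepad.exe report.txt
""".splitlines()

if __name__ == "__main__":
    print(hosts_by_step(scan(SAMPLE_LOG)))  # {'WS01': [2, 3, 4], 'FS01': [6]}
```

The rules are deliberately narrow string matches on the tools and commands named in the steps above; in production they would be one input to a correlation that also weighs which account ran the command and whether that account normally administers the host.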