Ransomware has been around for decades going back all the way to 1989. Since then it has only magnified in scope and complexity. Now at a time when working remotely is becoming more universal and the world is trying to overcome the Covid-19 pandemic, ransomware has never been more prominent. Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a “ransom payment” in order to regain access. There are two types of campaigns for ransomware “Human-operated” and “Auto-spreading”, this article focusing on the human-operated campaigns.

Human-operated campaigns tend to have common attack patterns which include: Gaining initial access, credential theft, lateral movement and persistence. For many of the human-operated campaigns, typical access comes from RDP brute force, a vulnerable internet-facing system, or weak application settings. Once attackers have gained access they can deploy a plethora of tools to get user credentials. After gaining credentials lateral movement takes place with either deploying a widely known commercial penetration testing suite called Cobalt Strike, changing settings of the WMI (Windows Management Instrument) or abusing management tools with low-level privilege. Finally, attackers want to keep a connection and make it persistent; this is done by creating new accounts, making GPO (Group Policy Object) changes, creating scheduled tasks, manipulating service registration, or by deploying shadow tools.

Ransomware Payload Diagram
Payload Diagram

Diving deeper into the campaigns

RobbinHood ransomware

RobbinHood ransomware made waves in 2019 when it infected Baltimore and Greenville city networks. Research into CVE-2018-19320 shows the RobbinHood ransomware takes advantage of a vulnerable driver installed on a user’s machine. This low-level driver is primarily used to program and query status on several embedded ICs (integrated circuits) on the user’s hardware, and is exposed to applications through its low-level kernel driver. The driver is installed with a default access (Read more...)