Cisco Talos: Prime Ransomware TTPs Uncovered


Cisco Talos analyzed the highest 14 ransomware teams between 2023 and 2024 to reveal their assault chain and spotlight fascinating Techniques,Strategies and Protocols. The safety firm additionally uncovered probably the most leveraged vulnerabilities being triggered by ransomware actors.

Ransomware assault chain: What Cisco Talos researchers realized

Ransomware actors practically all use the identical assault chain.

Infographic showing typical ransomware attack chain.
Typical ransomware assault chain. Picture: Cisco Talos

The first step for ransomware actors

Step one for the risk actor consists of getting access to the focused entity. To attain that objective, ransomware actors use completely different strategies — some of the frequent strategies is to social engineer their targets by sending emails containing malicious information or hyperlinks that can run malware on the focused system. The malware will then enable the attacker to deploy extra instruments and malware to achieve their objectives. Multifactor authentication is likely to be bypassed right now utilizing varied strategies, both due to poor MFA implementation or due to proudly owning legitimate credentials already.

Talos additionally reported that an rising variety of ransomware associates scan internet-facing techniques for vulnerabilities or misconfigurations that would enable them to compromise the system. Unpatched or legacy software program is a very excessive threat.

Step two for ransomware actors

The second step is to achieve persistence in case the preliminary vector of compromise will get found; that persistence on techniques is usually achieved by modifying Home windows registry keys or enabling autostart execution of the malicious code upon system boot. Native, area and/or cloud accounts may also be created for persistence.

Step three for ransomware actors

Within the third step, the risk actor scans the community setting to get a greater understanding of the inside components of the infrastructure. Information of worth that can be utilized for ransom is recognized at this step. To efficiently entry all components of the community, attackers usually use instruments to raise their privileges to administrator stage, along with utilizing instruments that enable community scanning. Common instruments for these duties are Residing Off the Land binaries AKA LOLbins, as a result of they’re executable information native to the working system and fewer susceptible to lift alerts.

Step 4 for ransomware actors

The attacker is able to gather and steal delicate information, which they usually compress with utilities (reminiscent of 7-Zip or WinRAR) earlier than exfiltrating the info to attacker-controlled servers through the use of Distant Monitoring and Administration instruments or extra customized ones, reminiscent of StealBit or Exabyte for instance, created by LockBit and BlackByte ransomware teams.

Attainable step 5 for ransomware actors

If the objective is information theft or extortion, the operation is over. If the objective is to encrypt information, the attacker wants to check the ransomware within the setting — that’s, checking the supply mechanisms and the communications between the ransomware and the C2 server — earlier than launching it to encrypt the community and notify the sufferer they’ve been breached and must pay the ransom.

Three most abused vulnerabilities

Cisco Talos reported that three vulnerabilities on public-facing functions are generally exploited by ransomware risk actors.

  • CVE-2020-1472 AKA Zerologon exploits a flaw within the Netlogon Distant Protocol that enables attackers to bypass authentication and alter pc passwords inside a website controller’s Lively Listing. This exploit is broadly utilized by ransomware actors as a result of it allows them to achieve entry to a community with out authentication.
  • CVE-2018-13379, a Fortinet FortiOS SSL VPN vulnerability, allows path traversal that enables an attacker to entry system information by sending specifically crafted HTTP packets. VPN session tokens is likely to be accessed this manner, which can be utilized to achieve unauthenticated entry to the community.
  • CVE-2023-0669, a GoAnywhere MFT vulnerability, permits attackers to execute arbitrary code on a focused server that makes use of the GoAnywhere Managed File Switch software program. That is the latest vulnerability listed by Cisco Talos in its report.

All these vulnerabilities enable ransomware actors to get preliminary entry and manipulate techniques to run extra malicious payloads, set up persistence or facilitate lateral actions inside compromised networks.

DOWNLOAD: Cybersecurity’s Advantages and Finest Practices from TechRepublic Premium

Notable TTPs of 14 ransomware teams

Cisco Talos noticed the TTPs utilized by 14 of probably the most prevalent ransomware teams based mostly on their quantity of assault, impression to prospects and atypical conduct.

Infographic showing ransomware groups ranked by number of victims on their leak sites.
Ransomware teams ranked by variety of victims on their leak websites. Picture: Cisco Talos

One of many key findings relating to the TTPs signifies most of the most distinguished teams prioritize establishing preliminary compromise and evading defenses of their assault chains.

Ransomware risk actors usually obfuscate their malicious code by packing and compressing it and modify the techniques registry to disable safety alerts on the endpoint or server. They may additionally block sure restoration choices for the customers.

The Cisco Talos researchers highlighted that probably the most prevalent credential entry approach is the dumping of the LSASS reminiscence contents to extract plaintext passwords, hashed passwords or authentication tokens saved in reminiscence.

One other pattern in C2 actions is using commercially out there instruments reminiscent of RMM functions. These functions are usually trusted by the setting and permit the attacker to mix in with the company community site visitors.

The way to mitigate the ransomware risk

For starters, it’s obligatory to use patches and updates to all techniques and software program; this fixed upkeep is important to scale back the danger of being compromised by an exploit.

Strict password insurance policies and MFA have to be applied. Complicated and distinctive passwords have to be set for each consumer and MFA enforced, so an attacker possessing legitimate credentials remains to be not in a position to entry the focused community.

Finest practices to harden all techniques and environments have to be utilized. Pointless providers and options ought to be disabled to scale back the assault floor. Additionally, publicity to the web have to be decreased by limiting the variety of public-facing providers as a lot as potential.

Networks ought to be segmented utilizing VLANs or related applied sciences. Delicate information and techniques have to be remoted from different networks to forestall lateral actions from an attacker.

Endpoints have to be monitored by a Safety Info and Occasion Administration system, and Endpoint Detection and Response or Prolonged Detection and Response instruments have to be deployed.

Disclosure: I work for Development Micro, however the views expressed on this article are mine.