Digital extortion: The three (killchain) phases of a ransomware attack

Understanding and defending against ransomware attack strategies

With increasing digitization, cybercrime threats are on the rise. More than 50 percent of businesses and organizations worldwide have been the target of ransomware attacks. Estimates suggest that companies pay ransomware attackers an average of more than $100,000 to decrypt their systems. Collateral damage from misuse of stolen data is also difficult to quantify.

An innocent kick on a link in a phishing email can already give unauthorized people access to a company's network. The intruders can then scout the IT environment, embed themselves and ultimately unleash the malicious effect. The so-called kill chain model depicts the flow of these three iterative phases, dividing each phase into a loop of sub-steps. The term kill chain was adapted from the military domain, where it also describes the structure of attacks.

Complex cyber attacks, such as ransomware attacks, are almost never automated, but are carried out manually to a significant extent. Cyber criminals are increasingly working professionally and in groups with specialists for the individual parts of the attack. This enables greater effectiveness both for the quality of the individual attack and in quantity through parallel attacks of multiple targets.

All cycles of the kill chain must be completed for a successful attack. The undetected passage through the complete attack chain can extend from days to weeks to months. If the chain breaks at any point, the attack fails. The model thus provides starting points for countermeasures that companies can take at the relevant time. Suitable defense methods can be defined for each link in the attack chain. The earlier the escalation chain is broken (especially before the "impact" cycle), the lower the damage. You can find out which measures companies should take prophylactically in the article "Ransomware attacks - 5 tips on how companies and organisations can protect themselves".

Link tip: Clemens Rambow, Offensive Security Expert at Allgeier secion, shows the most effective detection options within the kill chain to stop cyber attacks directly in the initial phase in the webinar "Killing Kill Chains - How do I protect myself effectively from attacks?", which can be viewed in three episodes on Allgeier secion's Youtube channel.

The three phases of a successful ransomware attack

An attack can be analyzed in three phases Intrusion, Propagation and Endgame - the so-called kill-chain model or attack-chain model.

Intrusion (access to the system).

• Subphases: Recon - Weaponize - Deliver - Evade - Execute.
• Execution: manual and partially automated
• Duration: hours

To gain access to a system, attackers attempt to trick a user into executing malicious code on the system. Typically, this does not involve the use of a "single piece of malware", but rather the use of different malware tools and existing mechanisms of the attacked environment itself in combination over the course of the attack (over days to weeks). Most frequently, this is done via phishing campaigns, which are designed to trick users into disastrous activities by pretending false facts (social engineering). The starting point for phishing attacks is usually information about the personnel and organizational structure of a company. This can be organizational charts showing the company's organization with contact persons and responsibilities. Job advertisements may provide attackers with addresses of the personnel management as well as information about the company's IT infrastructure. Social networks for maintaining professional contacts can also provide cybercriminals with useful insider information. Unlike fraudulent spam emails, ransomware attacks are therefore attacks on a previously selected target.

After scouting ("Recon"), an attack is set up ("Weaponize") and set in motion ("Deliver"). This can take the form of a compromising attachment or a link in a misleading email with a fake sender, for example. If the malicious code gets past security measures ("Evade") and is unknowingly executed by a user, it can begin its work in the attacked system ("Execute").

If something goes wrong in this sequence for the attacker, he must restart to run through the "Intrusion" loop. The hackers now have a backdoor in the attacked system. This gives them a foot in the door to gain increasing control over the system and use it as a beachhead into the wider IT environment. The malicious code may attempt to anchor itself in the system in order to survive a reboot (persistence) or automatically reload further malware. If the malware has managed to successfully establish a communication channel to the outside, the transition to the second loop "Propagation" takes place, in which the aim is to extend control over the system.

Propagation

• Subphases: C&C - Discover - Escalate - Gain - Move.
• Execution: mainly manual
• Duration: days to weeks

If the "Execute" phase was successful, command-and-control traffic ("C&C") flows, i.e., the malware transmits spied data to the perpetrator. Initially, this can be user name, permissions, and information about the system's Windows version and antivirus software, for example. The malware can now regularly retrieve new tasks from the attacker's server and execute them on the compromised system.

At this stage, playbooks are run through - these are instruction manuals on how to spread an attack in a system environment. Such playbooks are traded by hacker groups on the Internet. They are often based on the Cobalt Strike software, which is intended for testing and simulating attacks for the benefit of companies, but is also used by actual attackers.

At this point in the "propagation" loop, an inventory of the infiltrated system environment ("Discover") takes place with the goal of taking control of the active directories. Additional attack tools can be reloaded, but also on-board system resources can be brought to bear. As a result, local access rights can be extended for the attackers ("Escalate"). This could be used, for example, to gain access rights from active sessions on the infiltrated computer ("Gain"). Users who have extended privileges are of particular interest here. With the rights gained, the intruders can move on to a higher system level ("Move").

The result of the successfully completed "Propagation" cycle is usually the attacker's desired access to the compromised system with domain administrator privileges ("Access").

Endgame (Mission Objective)

• Subphases: Access - Collect - Exfiltrate - Manipulate - Maintain
• Execution: manual, if necessary automated periodically
• Duration: Open End

The attacker is now familiar with the environment in terms of administration practices, protection measures, and location of mission-relevant resources. With the elevated privileges, he can now proceed to implement his mission. In the final "impact" loop, the intruder could, for example, collect sensitive business data ("Collect") and smuggle it out of the system ("Exfiltrate"). He can further perform manipulation such as encryption (activities such as ransomware execution is mostly at the end within the endgame phase!) for extortion or vandalism for sabotage ("Manipulate"). Damage to third parties, such as customers or partner companies, may also be possible with unauthorized data (supply chain attack). It may also be a matter of maintaining undetected access for as long as possible (focus e.g. industrial espionage) and regularly extracting data from the system ("Maintain").

Combinations of these operations with a preceding Maintain phase are also possible. Finally, reselling access to the highest bidders (especially geopolitical actors such as intelligence services) is conceivable.