Security researchers map out how a ransomware attack plays out over a two week period.

By Steve Ranger

Security researchers have revealed the anatomy of a ransomware attack, showing how cyber criminals gained access to a network and deployed ransomware  — all in the space of just two weeks.

Researchers from tech security company SentinelOne examined a server that was used by criminals in October last year to turn a small security breach in a corporate network into a damaging Ryuk ransomware attack. This sort of data can be vital in helping understand the tactics and techniques used by attackers.

The network was initially infected with the Trickbot malware.

Once the network was breached by the Trickbot malware, the hackers started to hunt around to find out what they had gained access to – and how to make money out of it.

“Over the course of some time they dig around in the network and they attempt to map it out and understand what it looks like. They have an endgame, and their endgame is to monetise the data, the network, for their illicit gain,” SentinelOne researcher Joshua Platt told ZDNet. “They already understand there is the potential for making money and are looking to expand that leverage.”

Once the hackers decided to exploit the network breach, they used tools like PowerTrick and Cobalt Strike to secure their hold on the network and explored further, searching for open ports and other devices to which they could gain access. Then they moved on to the ransomware phase of the attack.

From the initial TrickBot infection, through profiling the network, to finally initiating the Ryuk malware attack took around two weeks, said SentinelOne. “Going by the timestamps, we can guess the time period of two weeks for dwell time,” the company’s blog post said.

Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally, according to the UK’s National Cyber Security Centre advisory from last year.

It’s targeted ransomware: the ransom is set according to the victim’s perceived ability to pay, and it can take days or even months from the initial infection to the ransomware being activated, because the hackers need time to identify the most critical network systems. But the NCSC said this delay also gives defenders a window of opportunity to stop the ransomware attack from being triggered, if they can detect that first infection.

According to the FBI, Ryuk is an extremely lucrative project for its criminal developers, generating roughly $61m in ransom between February 2018 and October 2019.

The success of Ryuk in forcing companies to pay ransoms means that the crooks have a bulging war chest with which to hone their attacks. “It’s obviously going to increase; they have more money and more ability now to hire even more talent,” said Platt.

Ransomware also continues to evolve, Platt said: “When you look at the beginning of ransomware, they would ransom personal computers for $300, and now we are into the millions of dollars”. 

The next step, he said, would be more sophisticated extortion attempts: “These guys are digging around in the networks they are looking for the biggest possible thing they can extort companies with.”