An Anything But Normal Day

Imagine sitting down for work on an otherwise normal-seeming day. You open your laptop and log in, but instead of seeing your empty desktop, you find an open note:

"All of your files are now encrypted by CONTI ransomware! ... "

You start to send messages to your coworkers and they confirm the worst: it's not just you, everyone else's machines are encrypted as well. The realization sets in that today will be anything but normal. You start to roll through the implications in your mind. Have I lost all of my work? Has everyone else lost all of their work?! Have we lost all of our sensitive documents, email, and intellectual property? Do we have backups, or are those encrypted as well? Your work life as you know it has now changed for the foreseeable future. You are the newest victim of a ransomware attack.

As unsettling as that scenario is, unfortunately, it is becoming a reality for many, as ransomware teams continue to disrupt important industries across the world. These attacks are a highly expensive and disruptive problem, and they appear to be getting worse.

Not only are ransomware attacks highly impactful when they strike, but they're frighteningly common as well, making ransomware a priority for cyber security teams assessing risk based on impact and likelihood. How common are these attacks? One data point from the Verizon DBIR found that financially motivated attacks account for 80%+ of all attacks and ransomware attacks increased by 13% in 2022, a jump bigger than the previous 5 years combined! Indeed it seems that things are bad, and getting worse.

Considering that every security team is resource constrained and must focus on high likelihood/high impact priorities, ransomware attacks seem to be one scenario that everyone must spend time considering and preparing for. Do we have a fighting chance against these criminal enterprises? Or should we just double down on insurance and hope it never happens to us? That question is what I'd like to briefly discuss here, because it is my belief that any organization can effectively repel ransomware attacks...with the right strategy and preparation.

Can We Stop Ransomware Attackers?

"What chance do we have against world-class criminals?" you may ask. Not so fast. While it seems like this sort of attack would take a highly trained hacker, as the data shows, this is not actually the case. There's plenty of evidence to show that these kinds of attacks can be, and frequently are, orchestrated by individuals with a decidedly less than world-class level of talent. From the info we have, many of these attackers are simply at a base level of skill, able to follow a premade playbook of commands, and willing to wield a preconfigured set of scripts and tools that can get the attack done.

That is in some ways good news, and in some ways bad news. The bad news is that even with all the money and time we spend as an industry on cybersecurity, one low to medium-skilled person with a set of instructions can still potentially disrupt many entire organizations, schools, or hospitals. All they have to do is hit the bar of "good enough", which they unfortunately often do.

The good news is your attackers are not elite top-tier attackers, which means it may not be as hard to defend against them as you think. We need to shift the control from attackers back to defenders, so let's take a closer look at these attacks and how we might better plan to respond.

"It Only Takes One Mistake"

While ransomware attacks seem highly complex at first, they still follow a logical series of events that can be analyzed by defenders. The goal for defenders in all attack scenarios, ransomware included, is to create "defense in depth". Since ransomware is always a multi-step attack, we as defenders also have multiple steps where we can detect and halt the attack before the attacker makes it to the end goal (activating the ransomware). If at any point we catch and kick them out before that final step, the attackers don't win, the defenders do! Sure there may be some collateral damage and minor costs for partial incident response, but nothing on the scale of a successful ransomware attack. If we stop the true high-impact goal of the attacker, the defense is winning, don't forget that!

This truth is often forgotten and manifests in statements like "we just need to make one mistake and that's it, attackers win, that's an impossible standard!" It's actually exactly the opposite! For the highest impact attacks, attackers nearly always require a multi-step attack plan that is only truly successful in their eyes if they make it all the way to the end (activating the ransomware in this case). It is the attackers that cannot afford to make any mistakes or get caught in any of their activities; if they do, the security team kicks them out and they start back at zero, or move on to the next organization. So for us as defenders, our job is to force errors on their part and ensure we expose their activities before it's too late. That's why a multi-layered set of preventative and detective controls creating "defense in depth" is so important. Attackers will undoubtedly find a way around some of our controls, but it only takes one slip on their part to blow their whole mission up.

Threat Models Grow On (Attack) Trees

Since whole-organization ransomware is not a "single click and done" style attack, have you considered which steps would have to happen in your own network for a ransomware attack to occur? It's an important exercise for any defender.

Put on your attacker hat for a second and think about it. If you were an attacker:

  • What accounts would you need to control or have access to?
  • Which systems would you need to control?
  • What would you do with that access to deliver and execute the malware across the environment?

This kind of preemptive consideration of how a successful attack might look is the first step towards defensive success. If you identify, close, and alarm the doors of opportunity before attackers find them, your team stays one step ahead.

One way to approach this is a threat modeling method called creating an "attack tree". When creating an attack tree, the defensive team starts with the end state, an assumed attacker goal, then tries to enumerate all potential paths to get to that goal, step by step, in reverse order.

With each step in the hypothetical attack you iteratively ask "How would they (the attacker) do that?", listing all options to accomplish that step, then ask the same question of each of those new items again and again, until the entire attack is exhaustively mapped out with all options that could lead to success. Bruce Schneier has a great article on the technique here.

In every SANS course I teach I talk about the value of creating attack trees as one of the most easily understandable and useful ways of preparing for attackers to knock on the door. In my opinion, every organization's SOC should be thinking like this as a first step towards creating a threat-centric and intelligence-informed defensive strategy.

Thinking Through a Ransomware Attack

Let's discuss ransomware specifically now. To lock down every machine in an organization, you need (as an attacker) to have the control required to stage and run malware on every machine in the environment. That doesn't just happen easily; an attacker has to build up to incredibly high levels of privilege. How? It's a bit different in every organization's network depending on which controls are in place and how their identities are managed, but we can speak in generalities to walk through it.

In reverse order, a ransomware attack affecting all organization assets might look something like this. (Note: For brevity, I will not be listing all or specific attack options here, just walking through one generic path starting with the end.)

  • All machines have ransomware simultaneously triggered, locking them down and halting business ("How would the attacker do this?")
  • All machines have the malware set to execute at a given time ("How would the attacker do this?"... )
  • All affected machines have the ransomware staged on them for later execution (At this point, you should be asking yourself "How would someone stage an executable on all systems on my network?" In other words, which systems and accounts are even capable of doing this? Think admins, patching and software update distribution systems, domain controllers and domain admins, etc.)
  • Attackers gain access to a system or account that can distribute ransomware to all systems ("What does it take to gain access to these systems?" Do you have MFA or FIDO2 keys required for logins? Do you know how attackers bypass MFA? There are numerous methods. Do you know how to hunt for these attempts and what evidence might be produced if they are attempting to do so? Are users, especially admins, trained to spot and report potential MFA bypass attacks?)

As you can see, we can walk an attack like this back and see in basic form what it requires, starting with the end and asking "What happens before that?" or "What is required to happen in order for this to occur?" at each stage, mapping out each item an attacker would need to achieve to continue the attack.

An effective security team does this not just in one linear path, but by attempting to enumerate all potential paths that an attacker might be able to leverage to install malware on all systems, and asking "How might I detect this earlier up the chain?" That of course brings up the question "What happens earlier in the chain of events?" Knowing what happens earlier in the chain is exactly why we do attack tree modeling; it provides those answers! If we can premeditate all the required steps, then dig up guidance on detecting each of those activities as they occur (such as the MFA bypass links in the final bullet point above), we should be able to catch the attack much earlier on, and stop the attackers before they get to their goal!

For the example we just walked through we might be led to ask questions about who has access to patching servers and domain controllers, how those people access those systems, how those systems might be compromised, and how the security team can better apply preventative and detective controls to ensure that doesn't happen. This is threat-centric and intelligence-driven defense. We plan out what we need to do to at least stop the most damaging, and most common attacks. Planning to disrupt these high impact events is the minimum bar any security team should strive to hit and the best way to spend your limited resources and time.
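The reverse-order walk above can be written down as a small attack tree and checked for gaps. This is an added example, not code from the original post: the tree nodes follow the four bullets above, while the detective controls attached to each step (and which steps lack one) are constructed for illustration, not real inventory data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Step:
    """One answer to "How would the attacker do that?"; children are the ways to achieve it."""
    goal: str
    detections: List[str] = field(default_factory=list)   # controls that would expose this step
    children: List["Step"] = field(default_factory=list)


def enumerate_paths(step: Step, prefix: Tuple[Step, ...] = ()):
    """Yield every root-to-leaf path; the root is the end goal, leaves are the attacker's first moves."""
    path = prefix + (step,)
    if not step.children:
        yield path
    for child in step.children:
        yield from enumerate_paths(child, path)


def earliest_detection(path: Tuple[Step, ...]) -> Optional[str]:
    """Deepest alarmed step = the earliest point in the attacker's timeline where we would see them."""
    for step in reversed(path):
        if step.detections:
            return step.goal
    return None


def uncovered_paths(root: Step) -> List[List[str]]:
    """Paths on which no step is alarmed: the attacker could walk the whole chain unseen."""
    return [[s.goal for s in p] for p in enumerate_paths(root) if earliest_detection(p) is None]


def build_tree() -> Step:
    """Constructed tree following the reverse-order bullets; control coverage is made up."""
    mfa_bypass = Step("Admin credentials phished, MFA bypassed", ["MFA bypass / push-fatigue alert"])
    known_vuln = Step("Known-exploited vuln left unpatched, public PoC used")   # no detection configured
    return Step("Ransomware triggered on all machines at once", children=[
        Step("Payload set to execute at a given time on every host", children=[
            Step("Payload staged on every host", children=[
                Step("Pushed through patching / software-distribution server", children=[
                    Step("Operator gains the distribution server's admin account",
                         children=[mfa_bypass, known_vuln])]),
                Step("Pushed through domain controller (GPO)", ["GPO modification alert"], [
                    Step("Domain admin account compromised", children=[mfa_bypass])])])])])


if __name__ == "__main__":
    tree = build_tree()
    for p in enumerate_paths(tree):
        print(" <- ".join(s.goal for s in p), "| first seen at:", earliest_detection(p))
    print("Uncovered:", uncovered_paths(tree))
```

Any path reported by `uncovered_paths` is a place where the tree says the attacker reaches the end goal without tripping a single control, which is exactly the step to go find detection guidance for.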

What we want to do is fill in these attack trees with as many low-level specifics as possible on exactly how those attackers will operate. That ideally includes which commands they run, specific tools they use, and more. That allows us to prepare not just with generalities, but in as specific a way as possible so we can spot these tactics when we see them. With that lined up, let's take a look at how ransomware operators act in low-level detail!

Conti Playbooks & Chat Leak

When attackers mess up, you should pay attention, read their leaks, and exploit everything you can about their mistake to gain additional insight into how they operate (aka build threat intelligence). That's exactly what happened in late 2021 when the infamous (but now disbanded) Conti group had their tools and playbook for ransomware affiliates leak! In this highly unusual leak, defenders were given a major present: a full, open look at exactly how the group operates. The tools, commands, and methods they use to deliver organization-wide malware and shut down an entire network were fully exposed.

Here is the leaked, real Conti ransomware operator playbook, as translated by Cisco's Talos group.

Guess what? None of it is very advanced or unique. That doesn't mean it wasn't effective though; these tactics were still good enough to work on almost 1000 organizations!

Interestingly, the Talos group also noted in their analysis that:

"One of the biggest takeaways during the translation was the overall thoroughness and detail of these playbooks. The level of detail provided could allow even amateur adversaries to carry out destructive ransomware attacks, a much lower barrier to entry than other forms of attacks."

Open Source Tooling Use

As you can see from the playbook, most of the tools Conti used are either freeware, open source security tools, or other generally available pieces of software that anyone can get their hands on. Again, that's good news: it means we have a chance of finding out about them before they do and getting alerts in place!

Case in point: I was recently listening to the excellent Hacker Valley Studio episode with John Hammond and couldn't help but think of this post when John mentioned having written a PoC exploit for PrintNightmare for the security community to use as a proof-of-concept. He was shocked and disappointed to later hear from an organization that got hit by Conti that the PoC he wrote was used as part of the compromise and delivery of ransomware in their environment. Consider that this successful attack was not nation-state tier, zero-day, secretive exploit code. It was just what John had created and posted on GitHub, which was available and known to anyone that was looking around for it.

Of course, just because someone posted something on Twitter or GitHub doesn't mean that every single security team will know about it, but that's why your threat intelligence sources and detection technology vendors are so important. They should be keeping you in front of situations like this, especially for high-profile vulnerabilities like PrintNightmare! In an ideal world, that organization should've had a signature for that tool, patched the vulnerability, and the attack would have been detected and stopped right there. PrintNightmare was a known exploited vulnerability and the GitHub PoC was widely discussed and freely available for download, so it was certainly possible to catch. But missing that bit of info led to the attackers sneaking through that stage of their campaign, ultimately continuing on to complete the full compromise. Certainly no team is perfect at vulnerability management, but again it's a game of priorities. That vulnerability was a well-announced, enormous risk, and yet it was still unpatched and available for exploit with a publicly available tool in that environment. That's where threat-centric and intelligence-informed defense in depth comes in: staying on top of the news increases your chance of detection at at least one stage throughout the chain, which ultimately can halt an in-progress attack dead in its tracks.

Ultimately, stories like this show that adversaries perpetrating these types of campaigns are often merely using off-the-shelf and open source tooling that you have just as much access to find out about as they do. So it comes down to who will act faster and pay more attention: you, or them? Will you anticipate their moves ahead of time, or will they hit you with surprise tactics that you could have discovered by spending a bit more time gathering threat intelligence? Are you making their job easy by missing or leaving highly risky vulnerabilities unpatched?

That leads me to the main conclusion here: ransomware is not an inevitable situation. If defenders keep their eyes and ears on the news, blogs, social media, and all the other high-velocity sources of information security, and have the ability to quickly act on that information, we do have the ability to stop, or at least dramatically lower the chance of, ransomware and all other attacks affecting us. If these attackers are using off-the-shelf, open source tooling and predictable (sometimes specifically known) tactics, we can tool up our posture to detect and react quickly to those tactics.

Using our threat models, anything that matches a potential ransomware scenario should require jumping into action to cut off their progress before disaster strikes! If we can see these attacks coming with enough runway to stop them, the next time you open that laptop at the beginning of the day, you can rest easy knowing there won't be a ransom note waiting.