What is a Ransomware Attack?

What is a Ransomware Attack?

Million-dollar ransomware payouts, government protection, and ease of access will continue to fuel the growth of cybercrime.

Imagine coming to work and turning on the computer only to see a message that says “repairing file system on C:” or “oops, your important files are encrypted” demanding a payment in bitcoin to decrypt them.

A typical message displayed during a Ransomware attack
A typical message displayed during a Ransomware attack

When you read the headlines of six-figure ransomware payouts, you might begin to wonder how hacker groups are able to seek top developers who can build tools that can exploit, scale, and kill, at the push of a button, your entire data center. And if that’s not bad enough, your data, intellectual property, and customer records can be sold to data brokers.

Once the brokers get the data, it’s anyone’s guess as to who will end up buying those stolen credit cards, bank account information, and logins to your corporate web site.

But before you can understand the motivations behind new and past attacks on global businesses, you have to have an understanding of the actors, tools, and types of attacks that are being used to penetrate and access your network.

Where Ransomware Starts

We get it. You’re busy and so is your staff. And if you’re like most other businesses, the software you need to operate it requires more, complex integrations for people to manage. And as the processes and systems grow in complexity to support the changes in how you operate the business, it’s the people, most often, who didn’t get that latest software update because they were just too busy and clicked a ransomware-harboring malicious link, or opened a word doc, unintentionally enabling access to macros, giving hackers an all-access pass to that user’s pc.

Now, your company – the brand and any proprietary research and customer data, are at risk of being hacked and sold by data brokers.

The Dark Web

You may have heard about the Tor Project – a 501c3 whose belief is that “everyone should be able to explore the internet with privacy.” The site Silk Road, the first online black market, enabled its users to buy and sell illegal products by using the Tor network as its backbone so that transactions were conducted anonymously. Using networks like this, hackers and wannabees alike can use tools like ‘Satan’, a Malware-as-a-Service application to target attacks on a corporate network. After a few mouse clicks and linking a bitcoin wallet, the app can generate everything an attacker needs to penetrate a network, including PowerShell scripts, office-based macros, ransom notes, and sites to collect payments. Once these malicious apps make their way onto a networked workstation, there’s no telling what may happen next.

Actual screenshot of ‘Satan’ Malware as a Service
Actual screenshot of ‘Satan’ Malware as a Service

The attacks almost always start with a phishing email. But malware today has become so good at spoofing techniques and securely signing digital certificates, that the malspam goes undetected by the software that is built to defend against it.

Now let’s say for a minute that you’re running a multi-billion dollar trading desk where sending and receiving files containing sensitive information are common play. Now let’s pretend for a minute that Jane, in the billing department, unknowingly clicked on a spoofed email from her workstation. Next thing you know, Jane has a piece of malware sitting on her workstation, connected to your company’s network. Weeks and months pass while Ryuk uses its arsenal of tools to collect sensitive data, using tools like Netpass, Outlook scraper, WebBrowserPassView, Mail PassView, and Credential enumerator to scape passwords and contacts from system memory, email, and web browsers.

Actual screenshot of Mimikatz showing stolen credentials
Actual screenshot of Mimikatz showing stolen credentials

And if that’s not enough to make skeptical of clicking links or opening emails, Ryuk uses another malware that goes by the name Emotet which has a list of features that allow it to evade detection. For example, the malware will run differently in a virtual environment than it would on a local desktop. Another one of its features allows it to download updates and install new malware. All with the goal of penetrating and crippling the network.

Searching for Sensitive Data

Once the malware gets onto a workstation, these sophisticated hackers will start their search for information so that they could spread the infection. To put it into perspective, think of all the information Jane has on her desktop computer.

Corporate file and email servers, customer contacts, social security numbers, bank accounts, and other personal or proprietary data, are exposed to hackers. And once attackers are able to move laterally by successfully logging into other network nodes with access to more of your content, Ryuk, with all of its self-updating and disappearing superpowers, will automatically install itself onto each compromised workstation and continue its reconnaissance mission, hunting for sensitive data that will be stolen to extort you for a six or seven-figure payday.

If you’re interested in learning about how our solution StealthDEFEND can help you protect your IT network, you can follow this link to learn more https://www.stealthbits.com/stealthdefend-product

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free Stealthbits Trial!

No risk. No obligation.