Anatomy of a Ransomware Attack

Forewarned is forearmed. Understanding how hackers prepare and deploy a ransomware attack can give us valuable insight. In this post, we’re going to break down step by step what hackers do to set up a ransomware attack and, even more importantly, what you can do to reduce your risk.

The hacker’s main challenge is finding a way into your network so they can encrypt your computers and demand a ransom. Hackers typically rely on automated bots that scan the internet 24/7 for exposed services and exploitable vulnerabilities. The bots do the noisy, repetitive work of discovery and initial access; once a bot has a foothold in your network, a human operator takes over and finishes the job by hand.

In this post, we’ll be using a real-life ransomware case we responded to as our model. We’ve anonymized the details, but in the real event the hackers were able to take control of 17 servers before they made their ransom request.

Step 1: Searching for potential targets

It’s common to hear organizations hit by ransomware attacks complain about being targeted by someone who wants to harm them, either a competitor or a disgruntled former employee. The reality is that targeted attacks are quite rare. Most of the time, you appear on a hacker’s radar because one of their bots has found an exposed service or a weak credential it can use to get into your network.

In the case we are examining for this post, the victim was identified during a massive internet scan by a bot that scans the internet continuously for potential targets. The victim had exposed an RDP (Remote Desktop Protocol) service directly to the internet so that employees could access the company network remotely.

Once the bot has discovered the exposed RDP service, it proceeds to the second phase of the attack: getting a valid login.

Step 2: Brute force or dictionary attack

Once the bot has identified the RDP service, it automatically launches a brute force or dictionary attack. A dictionary attack tries lists of common and previously leaked passwords; a pure brute force attack enumerates character combinations. Either way, the goal is a username and password pair the server accepts. Priority is given to administrator accounts, since these give the attacker the most privileges in the network, so the bot tries default and well-known privileged account names first: Administrator, admin, root, etc.

How long this takes depends on the length and complexity of the passwords in use, on whether a password appears in the bot’s wordlist, and on whether the account locks out or the connection is rate-limited after repeated failures. It can be over in seconds or minutes, or with strong passwords it can take months. Without lockout or rate limiting, a bot that is never blocked can simply keep trying.

In the case we’re examining, the brute force attack took 11 days to succeed, all without the company noticing. Eleven days of failed logons against the same service is a strong signal in the logs; nobody was watching for it. The bot finally found a valid password for an administrator account and logged into the network.
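The 11 days of failed logons described above are visible in the Windows Security log (event 4625 for a failed logon, 4624 for a success, logon type 10 for RDP). The following is an added example, not StreamScan’s tooling, of the detection logic that would have caught it: it assumes the events have been exported as one key=value line per event (the field names ts, event, user, src and logon_type are assumptions for the example) and raises one alert when a source IP produces a burst of failures, and a second, more urgent one when a success from that same source follows the burst.

```python
"""Flag RDP password guessing in Windows logon events.

Added example, not StreamScan's tooling. Assumes logon events exported as
one "key=value" line per event (field names ts/event/user/src/logon_type
are assumptions for this example). Event IDs are the real Windows ones:
4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL, SUCCESS = "4625", "4624"
RDP = "10"


def parse(line):
    """'ts=... event=... user=... src=... logon_type=...' -> dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, window=timedelta(hours=1), threshold=20):
    """Two rules over a sliding window per source IP:
    ('bruteforce', src, n) once `threshold` RDP failures from one source
    fall inside `window`; ('compromise', src, user) when a success from
    that source follows such a burst, i.e. the guessing probably worked."""
    fails = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()              # sources already reported as brute-forcing
    alerts = []
    for rec in map(parse, lines):
        if rec.get("logon_type") != RDP:
            continue
        src, ts = rec["src"], rec["ts"]
        recent = fails[src]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if rec["event"] == FAIL:
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("bruteforce", src, len(recent)))
        elif rec["event"] == SUCCESS and len(recent) >= threshold:
            alerts.append(("compromise", src, rec["user"]))
    return alerts


def sample_lines():
    """Constructed sample, not a real log: 25 failed guesses against
    privileged account names from one source over 25 minutes, then a
    success as Administrator; plus one benign typo from a staff member."""
    base = datetime(2024, 3, 2, 2, 0)
    users = ["Administrator", "admin", "root"]
    lines = [
        f"ts={(base + timedelta(minutes=i)).isoformat()} event=4625 "
        f"user={users[i % 3]} src=203.0.113.7 logon_type=10"
        for i in range(25)
    ]
    lines.append(f"ts={(base + timedelta(minutes=26)).isoformat()} event=4624 "
                 "user=Administrator src=203.0.113.7 logon_type=10")
    lines.append(f"ts={(base + timedelta(minutes=5)).isoformat()} event=4625 "
                 "user=jsmith src=198.51.100.5 logon_type=10")
    lines.append(f"ts={(base + timedelta(minutes=6)).isoformat()} event=4624 "
                 "user=jsmith src=198.51.100.5 logon_type=10")
    return sorted(lines)   # timestamps are ISO 8601, so sorting the lines orders them by time


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

The one-hour window and threshold of 20 suit a noisy bot. The bot in this case took 11 days, so a low-and-slow variant would slip under this rule; for that, also count total failures and distinct usernames per source per day, and keep the window for the success rule long enough that the earlier failures are still in it when the successful logon arrives.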

Step 3: Searching for targets in the network

As soon as the hacker confirms that the stolen credentials work, the next step begins. The hacker connects to the network with the compromised account and installs network and vulnerability scanning tools. These allow him to identify the important services in the network, such as the Active Directory (AD) domain controller, file servers, and SQL databases.

Unfortunately for the company that was the victim in our case, the administrator account found by the hacker had access to several servers. The hacker spent 23 days in the network finding his targets. He only executed the ransomware once he was sure he had access to enough critical machines that the organization would have to pay the ransom.

Once the hacker has identified the machines he wants to infect, he moves on to the last stage of the attack, which consists of infecting the devices and encrypting the data.

Step 4: Data encryption and ransom demand

In our case, having chosen his targets, the hacker logged on to each machine, disabled the antivirus, and then ran his ransomware manually. The operation took place at night (which is common), giving the hacker the best chance that his activity would not be noticed until every targeted machine had been encrypted.

In total, the hacker infected 17 servers and encrypted their content. He left a file containing instructions for paying the ransom. Initial contact between the victim and the hacker established that the ransom demand was US$150,000.
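Steps 3 and 4 leave their own trace: a single administrator account opening RDP sessions to one server after another, in this case 17 of them, at night. As an added example that is not StreamScan’s tooling, the following rule, over the same assumed key=value export as before (field names ts, event, user, host and logon_type are assumptions), reports any account that logs on over RDP to several different hosts inside a short window and marks whether that burst fell outside business hours.

```python
"""Flag one account opening RDP sessions to many servers, especially off-hours.

Added example, not StreamScan's tooling. Assumes a "key=value" export of
Windows logon events (field names ts/event/user/host/logon_type are
assumptions); 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """'ts=... event=... user=... host=... logon_type=...' -> dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def fanout_alerts(lines, window=timedelta(hours=1), min_hosts=4, business_hours=(7, 19)):
    """Return (user, distinct_hosts, off_hours) for every account that
    logged on over RDP to at least `min_hosts` different hosts within
    `window`; off_hours is True if any logon in that burst fell outside
    business_hours (24h clock, start inclusive, end exclusive)."""
    by_user = defaultdict(list)
    for rec in map(parse, lines):
        if rec["event"] == "4624" and rec["logon_type"] == "10":
            by_user[rec["user"]].append((rec["ts"], rec["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        best, best_off = set(), False
        for i, (start, _) in enumerate(logons):
            # every logon by this user within `window` of this one
            burst = [(t, h) for t, h in logons[i:] if t - start <= window]
            hosts = {h for _, h in burst}
            if len(hosts) > len(best):
                best = hosts
                best_off = any(not business_hours[0] <= t.hour < business_hours[1]
                               for t, _ in burst)
        if len(best) >= min_hosts:
            alerts.append((user, len(best), best_off))
    return alerts


def sample_lines():
    """Constructed sample, not a real log: the compromised Administrator
    account fans out to five servers between 01:10 and 01:40; a staff
    member opens two ordinary sessions during the day."""
    rows = [
        ("2024-03-03T01:10:00", "Administrator", "srv-dc01"),
        ("2024-03-03T01:18:00", "Administrator", "srv-file01"),
        ("2024-03-03T01:25:00", "Administrator", "srv-sql01"),
        ("2024-03-03T01:33:00", "Administrator", "srv-app01"),
        ("2024-03-03T01:40:00", "Administrator", "srv-app02"),
        ("2024-03-03T10:00:00", "jsmith", "srv-file01"),
        ("2024-03-03T10:05:00", "jsmith", "srv-app01"),
    ]
    return [f"ts={ts} event=4624 user={u} host={h} logon_type=10" for ts, u, h in rows]


if __name__ == "__main__":
    for alert in fanout_alerts(sample_lines()):
        print(alert)
```

Tune min_hosts to what your administrators normally do in an hour; the point is that an account touching the domain controller, the file server and the database server in one night-time sitting is worth a phone call, and that this signal was available for 23 days before the encryption started.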

4 recommendations to strengthen your ransomware protection

This is the profile of a classic ransomware attack, where the hacker teams up with a bot to accelerate the process. The attack exploited shortcomings in the organization’s RDP remote access solution (RDP remains a frequently targeted weak point).

To reduce your risk profile, we recommend:

  • Reinforcing access control to the network. Do not expose RDP directly to the internet; put remote access behind a VPN instead
  • Requiring multi-factor authentication (MFA) for all remote access
  • Deploying an intrusion detection system to protect your network
  • Continually monitoring your network to identify and deal with malicious activity quickly. The faster you react, the less severe the impact will be

Need Help? StreamScan is Here.

Whether you need help dealing with a ransomware attack, help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.