Ransomware Gangs Move Toward Efficient Self-Automated Attacks

Written by Jon DiMaggio. 4 May 2021

In early April 2021, Analyst1 published a whitepaper analyzing a self-proclaimed ransom cartel. While conducting research for the whitepaper, we reviewed several ransomware gangs and their activities. Now, we want to expand on one of our findings, which poses an extreme threat to enterprise organizations. Since February 2020, three of the five ransomware variants we researched—Lockbit, Ryuk, and Conti variants—began adding new functionality to automate components of their attack. Gangs are introducing this functionality into their ransomware payloads to improve their efficiency, thereby shortening the time it takes to compromise victims. This benefits attackers in a couple of ways:

1. Ransomware as a Service (RaaS) providers pay affiliates to conduct on-network activities that require human interaction to stage and compromise the environment. Gangs have realized they can eliminate these middlemen by automating affiliate-operated phases of their attacks. Currently, RaaS providers and affiliates share profits. If gangs can remove the affiliate dependency, then they can significantly increase their profits.
2. Today, most ransomware attackers spend anywhere from days to weeks in a victim’s environment. They spend their time staging and preparing the environment before executing the ransom payload. By optimizing their attacks and reducing the attack time from weeks to hours, attackers can significantly increase the volume of their operations. Naturally, this leads to an increase in revenue.

In the Ransom Mafia whitepaper,1 we discuss how the Lockbit gang took advantage of unpatched VPN software present on public-facing victim infrastructure. In doing so, they ran the most efficient enterprise ransomware attack we have seen to date.2 The vulnerable software and brute force tactics allowed for the perfect storm; it provided the gang with administrative privileges in addition to remote access into the victim’s environment. From there, the ransomware payload issues an ARP request to identify and connect to additional hosts. The ransomware achieves this by leveraging the Server Message Block (SMB) protocol to access each connected system. Next, each new victim’s system issues a request to attacker C&C infrastructure to download and execute the ransom payload, thereby reducing attacks from weeks to hours. Of course, the attack chain is more complex than we describe here, and we further detail it in our whitepaper. However, the primary takeaway is that with proper access, new automated features significantly reduce how long it takes the attacker to fully compromise a target.

Similarly, another gang known as Wizard Spider added new automation functionality to their Ryuk ransomware. In this instance, the ransomware can now automate host discovery and spread the ransom payload on its own. To accomplish this, Wizard Spider used a legitimate wake-on-LAN technology to discover all other hosts on the network. From there, they spread the ransomware payload, which removes most of the attacker’s manual interaction.3 In addition to identifying hosts, the wake-on-LAN technology allows Wizard Spider to power on offline systems before executing the ransomware payload across all systems in the victim environment. This ensures that the attacker can infect all systems within the target environment. Again, this capability reduces overall attack time and greatly reduces the attacker’s own interaction.

Wizard Spider also conducts operations involving Conti ransomware. The gang added capabilities to Conti—the gang’s newest ransomware variant—to reduce attack time significantly. Similar to Lockbit, Conti also takes advantage of the SMB protocol to self-propagate in addition to scripts, which further automates the compromise. However, its developers found other novel methods to reduce attack timeframes. Conti’s developers understood that the quicker they could move from initial access to ransomware execution, the fewer opportunities defenders would have to mitigate the attack.

To maximize efficiency, Conti ransomware uses 32 simultaneous threads to encrypt files. This reduced the time required to encrypt large amounts of data from hours to minutes. Furthermore, another update to the Conti payload added a file selection process prior to encryption. Specifically, this capability allows the attacker to encrypt local, network, or all data found in a target’s environment. Organizations will often store important data on network drives to make it accessible to their teams who may need it. Additionally, this ransomware feature provides attackers with the ability to encrypt high-value networked data if they choose to—as opposed to encrypting everything. By doing so, the attacker spends less time and resources encrypting the locally stored data, which is often less critical to the operation. This and its multi-thread encryption process significantly shorten the attack timeline.

What’s to come?

Ransomware attackers’ immediate focus will center on identifying new and creative ways to quickly acquire administrative privileges. Secondly, gangs will continue adding more efficient automated capabilities into their ransomware payloads. The elevated privileges are necessary to automate the attack. As of today, these upgrades have not replaced all “human on keyboard” phases of the attack. However, attackers are quickly moving toward this goal. Based on the additions and upgrades geared toward attack efficiency which we observed over the last year, we will likely see fully automated ransomware attacks becoming the norm within the next two years. The best way to reduce the risk of these attacks is to ensure that all public facing infrastructure is secure and up-to-date. Analyst1 continues to monitor Ransomware attackers, and we will provide updates upon discovering new information.

Endnotes

1. DiMaggio, Jon. “Ransom Mafia – Analysis of the World’s First Ransomware Cartel.” Analyst1, 07 Apr. 2021, https://analyst1.com/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel/.
2. Lopez, Marc Rivero and the ATR Operational Intelligence Team. “Tales From the Trenches; a Lockbit Ransomware Story.” McAfee, 30 Apr. 2020, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/.
3. Abrams, Lawrence. “Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices.” Bleeping Computer, 14 Jan. 2020, https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/.