A honeypot created by Cybereason to lure cybercriminals and analyze their methods showed that ransomware attacks infiltrate their victims in multiple stages.
A honeypot is a network infrastructure built specifically to reel in cybercriminals to see how they behave and carry out a typical attack. In this case, Cybereason devised an extensive network architecture that pretended to be part of an electricity generation and transmission provider’s network. As such, this honeypot contained an IT environment, an OT (operational technology) environment, and HMI (human machine interface) management systems.
After the honeypot officially opened for business, it took attackers only three days to infiltrate it and fill it with malware. But the attack was carried out in distinct stages as the criminals carefully and stealthily forced their way from one resource to another.
In the first stage, the attackers gained initial access by exploiting publicly accessible remote administration interfaces. Such interfaces are typically designed by network operators to give technical support staff the ability to remotely connect to the network. To invade the network, the attackers were able to brute force the administrator’s account password and sign in remotely. After that, the criminals uploaded and ran a PowerShell script to create a backdoor so the attackers could persistently use and abuse the admin account without being detected.
In the second stage, the criminals uploaded more attack tools via PowerShell. One of those was Mimikatz, an open-source tool used to steal user credentials. The stolen credentials were used in an attempt to move laterally across the network to the domain controllers. However, the attempt failed as none of the compromised accounts had permission to access the domain controllers.
In stage three, the attack continued to try to move laterally by leveraging a network scanner to discover additional endpoints. Finally, in the fourth stage, the ransomware launched on all the compromised endpoints.
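As an added defender-side illustration (not from Cybereason or the original article), the script below correlates constructed Windows Security-style log records to flag the first two stages described above: repeated failed remote logons followed by a success from the same source, then PowerShell execution under that account shortly after. The event IDs are the standard Windows ones, but the thresholds, time window and sample records are assumptions, not figures from the honeypot.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failed logons before a success counts as brute force (assumed)
WINDOW = timedelta(minutes=10)  # correlation window (assumed)

# Constructed sample events shaped like Windows Security log fields (not real telemetry).
# 4625 = failed logon, 4624 = successful logon, 4688 = new process; logon type 10 = remote interactive.
def ev(t, eid, user, src="", logon_type=None, process=""):
    return {"time": datetime.fromisoformat(t), "id": eid, "user": user,
            "src": src, "logon_type": logon_type, "process": process}

EVENTS = [ev(f"2020-06-01T02:00:{s:02d}", 4625, "Administrator", "203.0.113.7", 10)
          for s in range(0, 60, 10)] + [
    ev("2020-06-01T02:01:05", 4624, "Administrator", "203.0.113.7", 10),
    ev("2020-06-01T02:01:40", 4688, "Administrator",
       process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("2020-06-01T02:02:00", 4688, "Administrator", process=r"C:\Windows\System32\notepad.exe"),
    # benign noise: one mistyped password, then success, no PowerShell afterwards
    ev("2020-06-01T02:03:00", 4625, "jsmith", "10.0.0.12", 10),
    ev("2020-06-01T02:03:20", 4624, "jsmith", "10.0.0.12", 10),
]

def detect(events):
    """Return alerts as (rule, user, src, time) tuples, in time order."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent 4625s
    compromised = {}                # user -> (src, time of the suspicious success)
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        now = e["time"]
        if e["id"] == 4625 and e["logon_type"] == 10:
            q = failures[(e["src"], e["user"])]
            q.append(now)
            while q and now - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
        elif e["id"] == 4624 and e["logon_type"] == 10:
            recent = [t for t in failures.get((e["src"], e["user"]), ()) if now - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:  # stage one: brute force that finally succeeded
                compromised[e["user"]] = (e["src"], now)
                alerts.append(("brute_force_success", e["user"], e["src"], now))
        elif e["id"] == 4688 and e["process"].lower().endswith("powershell.exe"):
            hit = compromised.get(e["user"])   # stage two: tooling via PowerShell under that account
            if hit and now - hit[1] <= WINDOW:
                alerts.append(("powershell_after_brute_force", e["user"], hit[0], now))
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(*a)
```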
The ransomware attack against the honeypot shows that cybercriminals use multiple stages to infect as many machines as possible and maximize their profits. Instead of just deploying the ransomware on one system, they’ll move laterally throughout the network to hit one machine after another before finally launching the ransomware.
Beyond just encrypting sensitive files and demanding payment from the victim, ransomware attackers are going further with their threats.
“In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell data they have exfiltrated,”
To better protect your organization against ransomware attacks, follow these recommendations:
- Establish cyber incident response tools and procedures across both IT and OT networks with the goal of minimizing Mean-Time-To-Response.
- Establish a unified security operations center and workflows across both IT and OT environments.
- Design and operate with resiliency in mind.
- Partner with experts.
- Test, test, test.