
ESET Research white papers
TLP: WHITE

RANSOMWARE: A look at the criminal art of malicious code, pressure, and manipulation
V 2.0
Author: Ondrej Kubovič

TABLE OF CONTENTS

GOALS
RANSOMWARE — CYBERTHREAT AT ITS WORST
RANSOMWARE IS BIG BUSINESS
HOW RANSOMWARE DOES IT PSYCHOLOGICALLY
HOW RANSOMWARE DOES IT TECHNICALLY
RANSOMWARE VIA RDP
    Lateral movement and living off the land
    Defending against RDP ransomware attacks
    Quick aside: SMB protocol, runner-up to RDP
    Securing RDP against ransomware
RANSOMWARE VIA EMAIL
RANSOMWARE VIA THE SUPPLY CHAIN
RANSOMWARE VIA EXPLOITING VULNERABILITIES
CLOUDS AND SEGMENTS
PATCHING AND BACKUP AS RANSOMWARE DEFENSE
RESPONDING TO A RANSOMWARE ATTACK
ENDPOINT DETECTION AND RESPONSE
A WORD ABOUT RANSOMWARE PAYMENT
THE FUTURE OF RANSOMWARE
CONCLUSION

V 2.0
Author: Ondrej Kubovič
Acknowledgments: This update builds upon the fundamental contribution made by Stephen Cobb in 2018 and current (2021) efforts contributed by my ESET colleagues: Rene Holt, James Shepperd, Nick FitzGerald, Hana Matušková, and Klára Kobáková.

Original Author: Stephen Cobb
Acknowledgments: This white paper owes much to the work of my gifted ESET colleagues James Rodewald, Ben Reed, and Fer O’Neil, and my talented team: Aryeh Goretsky, Bruce P. Burrell, and Cameron Camp.

August 2021

GOALS

The goals of this paper are to demonstrate how dangerous ransomware has become, describe the latest techniques used by ransomware gangs, and suggest what your organization can do to reduce exposure to, and damage from, ransomware attacks. Three ransomware attack vectors are addressed in this order: remote access, email, and supply chain.

RANSOMWARE — CYBERTHREAT AT ITS WORST

A ransomware attack can be defined as an attempt to extort an organization by denying it access to its data. Ransomware is a subset of malware, a collective term for all forms of malicious code, including computer viruses and worms.

Ransomware is probably one of the most serious cyberthreats your organization will face. Why? Because in the past few years criminal gangs creating this type of malware and running ransomware as a service have been perfecting a different, more targeted approach to these kinds of attacks — for which metrics are much harder to obtain.

Cybercriminals are also constantly coming up with new approaches to ensure that they receive the sum they ask for, usually by increasing the pressure on the victim. In 2019, they started to rely on double extortion, which combines the “usual” data encryption with data exfiltration. In this way, they not only prevented access to the victim’s valuable, critical, or otherwise sensitive files, but could also leak or sell them to other malicious actors.

Upping the ante further, some ransomware operators have adopted triple extortion, adding the further step of contacting business partners or customers of victims that have not paid the ransom demand. The cybercriminals inform the victim’s partners/customers that their sensitive data has been accessed as part of the ransomware attack, suggesting these partners/customers pressure the ransomware victim to pay up to prevent this data being released. In some cases, the attackers even demand payment from these partners/customers.

Recent years have seen a shift away from victimizing large numbers of random people while requesting ransom demands of modest sums, toward a targeted approach making much larger ransom demands from a smaller victim pool. That group features deeper pockets and members who can ill afford to lose access to their data or control over it.

2021 headlines of high-profile targets hit by ransomware:
- Kaseya was fixing zero-day just as REvil ransomware sprung their attack
- REvil ransomware hits US nuclear weapons contractor
- Ireland’s Health Services hit with $20 million ransomware demand
- Cyberattack forces major US fuel pipeline to shut down
- ADATA struck by Ragnar Locker ransomware attack
- City of Tulsa’s online services disrupted in ransomware incident

A close look at these attacks shows that the victims come from both public and private sectors across various industries. No enterprise enjoys sectoral immunity from targeted ransomware, and although it is not the most technically complex of threats, protecting against it is a major concern of many security teams.

RANSOMWARE IS BIG BUSINESS

No one really knows how much ransomware operators make. A search of current industry opinion places the average ransom demands at around $170,000, according to Group-IB. However, researchers also add that the most brazen groups ask for tens of millions of dollars — Sodinokibi (aka REvil) demanded $50 million apiece from Acer and Quanta. Other sums include:
- ENISA ransomware report: 10 billion in 2019 payouts;
- $144 million from 2013–2019 in payouts to Ryuk, according to the FBI;
- $100 million in 2020 in profit, according to Sodinokibi, which may be exaggerated;
- $150 million in 2020 paid to Ryuk, according to AdvIntel;
- $40 million in 2021 paid to Phoenix Locker by CNA Financial — the highest reported single payout yet;
- $17.5 million in 2021 paid to Darkside before “retreating” after the Colonial Pipeline attack;
- $350 million in 2020 payouts, according to an estimate by Chainalysis; and
- $70 million in 2021 demanded by Sodinokibi for a universal decryptor after the Kaseya VSA attack.

HOW RANSOMWARE DOES IT PSYCHOLOGICALLY

Ransomware uses pressure as its core tactic, and while there are many approaches to ransomware, the primary threat it demonstrates is encrypting important data and putting it out of the victim’s reach. Data, whether considered personal, professional, or intellectual property, is, in any case, sensitive and valuable.

Pressure points expand when individuals or organizations can sustain reputational damage, business outages, or even legal and financial penalties. The risk of such damage has been exacerbated by a new trend — called doxing — employed by multiple ransomware gangs, wherein they comb through their victims’ systems looking for sensitive data that they will then threaten to release unless an additional fee on top of the ransom is paid — a type of double extortion. The Maze gang, which started the doxing trend in November 2019, even improved on its original approach by creating its own underground leak site, making it very difficult for the victims to have their leaked data taken down.

With the pressure applied and, as a rule, increasing, manipulation is sure to follow. Victims often see multiple facets of their digital touchpoints affected, from DDoS attacks on their websites to obnoxious demonstrations of criminal presence on a network. Some of these include shock-inducing approaches like print bombing, in which multiple printers on a network are commanded to print a ransom note — threatening management’s ability to control internal and external communication about an incident. Pressure might also be applied more directly; for example, by accessing a business’s customer data and then getting in touch, possibly even cold-calling the victims, with further threats and publicly goading the victims while their IT departments struggle to mitigate impacts from an attack.

These are just some of the calling cards that accompany today’s ransomware campaigns. Simply put, ransomware can turn an unfortunate malware incident into psychological warfare that aims to force victims to act against their own will and best interest. While criminals involved in physical abductions typically start their pressure campaigns with some ace up their sleeves but can run short on options later, cybercriminals have an even wider variety of methods they can pursue to gain leverage and crush any hope of seamless recovery.

To achieve their malicious aims, cybercriminals use a vast number of approaches that potentially allow them to gain remote access, monitor their victims’ activities, and then apply surgical, pinpoint pressure. This demonstrates how much power they can achieve over their victims’ data, networks, business continuity, and reputation. Indeed, these attacks don’t have to come via custom malware, zero-day exploits, or long-term persistence campaigns. They can simply be the result of poor security practices by employees, poor configuration of RDP or other remote access tools, or gaps in practices and processes, within both your organization and that of your service providers or others in your supply chain.

HOW RANSOMWARE DOES IT TECHNICALLY

While ransomware has been a nuisance for more than a decade, the scope for ransomware has expanded throughout the period of digital intensification brought by the COVID-19 pandemic. A clear correlation rapidly emerged between COVID-19 lockdowns and phishing emails that were often based on topical fears of negative business impacts and lost opportunities.

Another manifestation of this phenomenon was employees suddenly working from home and (often for the first time) accessing internal company systems and services via Remote Desktop Protocol (RDP). This became a wildly popular vector to deliver ransomware. With the admin rights that accompany some cases of RDP use, ransomware can appear alongside a number of other security concerns in a network.

We can also see that wielding ransomware as a tool for digital crime is very much a game of ambition and scale. Less skilled actors can dabble, coding imperfect malicious scripts that will impact a very limited number of victims via spam. Others may try their luck by propagating malicious payloads — including ransomware — via downloaders or botnets. More ambitious actors may pay a fee to use a fully tuned ransomware product and deploy it to earn profit for themselves, becoming affiliates of the ransomware developers through a ransomware as a service (RaaS) business model.

Advanced criminal actors running the RaaS schemes often leverage vulnerabilities to gain access to a machine, then move laterally to a server and on to the wider network, only later deciding on the use of ransomware. If resource rich, these gangs may purchase zero-day exploits or even develop their own, allowing them to bypass many types of proactive mitigation technologies. Finally, whether through luck, skill, or significant investments of human and financial resources, attackers can conduct supply-chain attacks to access entire IT ecosystems. For example, by commandeering popular managed service provider (MSP) platforms and productivity tools, threat actors can unleash ransomware across multiple networks (and thus organizations) at scale. Leveraging a supply-chain attack to position ransomware is yet another fearsome scenario for businesses to contend with.

An appreciation for the ever-growing variety of approaches and speed with which ransomware can evolve is critical to understanding the security posture necessary to avoid business outages. Innovation in ransomware moves quickly; a case in point is when researchers observed Sodinokibi (aka REvil) ransomware demonstrating file encryption within a PC’s Safe Mode that flew under the radar yet required an additional user login. Within a month, this novel capability had been improved by changing the login password to the attacker’s choice and configuring the PC to automatically reboot and log into Safe Mode, making it a viable vector for a full-scale campaign.

Network-attached storage (NAS) devices, which are commonly used to share files and make backups, have also earned the attention of ransomware gangs. In 2021, the NAS appliance maker QNAP alerted its customers that eCh0raix ransomware was attacking its NAS devices, especially those with weak passwords. ESET telemetry from Q4 2020 showed that eCh0raix was the most prominent ransomware targeting NAS devices.

RANSOMWARE VIA RDP

An RDP endpoint is a Windows device that is running Remote Desktop Protocol (RDP) software so that it can be accessed over a network, such as the internet. RDP enables an organization’s Windows devices to be accessed remotely as if their keyboards and displays were on your desk. The benefits of deploying RDP can be several, from managing or troubleshooting employee devices to serving up centralized resources such as desktops that can run heavy workloads, applications, or databases.

Company systems that employees need to access remotely must have RDP enabled, and ideally, mandate platform access via two-factor authentication (2FA). Employees then connect to these systems by running RDP software; for example, on their laptops. When the network address of the remote system is entered, the client software reaches out to the designated port on the remote system (the default port for RDP is 3389, although that can be changed). The remote system presents a login screen that asks for a username and password. You can see what this looks like on a Windows system in Figure 1.

Figure 1 // RDP login screen

There are two main ways in which organizations use RDP:

1. The first is to manage programs running on a server; for example, a website or back-end database. In this scenario, the simplest configuration has a system administrator open port 3389 to the outside world to allow remote management.

2. A second use of RDP is to allow remote access to corporate desktops or virtual machines that have access to resources not accessible outside the corporate network. Accessing such systems via RDP means there is no need to directly open sensitive internal servers to the internet. It may also be that desktops in the office have extra processing power needed for many processes or have expensive specialist software needed for staff to complete some (or in some cases most) of their tasks. Again, when this is done over the internet, often port 3389 is opened to the outside world.

For the criminally inclined, finding systems accessible from the outside world and then abusing them for malicious purposes is straightforward because:
- Vulnerable RDP systems are easy to find.
- It is easy for attackers to obtain a foothold on RDP systems if they have poor configuration.
- Many RDP systems have weak configurations.
- Tools and techniques for escalating privilege and obtaining admin rights on compromised RDP systems are widely known and available.

Systems running RDP can be identified by specialized search engines like Shodan, which constantly scour the internet for connected devices and collect information about them. As of June 15, 2021, Shodan indicated that there were over 3 million systems on the internet with port 3389 open (registration may be required to view filtered Shodan queries). As you can see from the Shodan interface in Figure 2, over 1 million of those systems were in the US.

Figure 2 // Over 3 million systems on the internet using port 3389 (Source: Shodan)

Using a different query, over 2.7 million machines were found to be explicitly running RDP. For an attacker, all of these machines are potential targets to be explored. While logging in to an RDP system typically requires a username and password, these can be surprisingly easy for attackers to guess and many will lead to success.

One shortcut for attackers who have sufficient funding is to simply purchase access to compromised RDP systems. Such credentials are available in marketplaces on the dark web. Note that ransomware is not the only reason for buying hacked RDP credentials. Other uses for a compromised RDP system include sending spam, hosting malware, password cracking, mining cryptocurrency, and a range of activities for which anonymity is desirable and attribution is not; think fraudulent purchasing and money laundering.

If only a username and password are required to remotely access the device, then an attacker, having identified such an endpoint as a target, can make repeated attempts to guess these credentials. Doing so at a high rate, via use of a database of plausible credentials, is referred to as a brute-force attack. Absent any mechanism to limit multiple bad guesses, such attacks can be very effective and even lead to a network-wide compromise.

ESET telemetry confirms RDP as one of the most popular attack vectors, with detections surpassing 71 billion between January 2020 and June 2021. While the most notable increase occurred in the first half of 2020, 2021 saw the highest figures yet. When comparing H1 2020 and H1 2021, ESET saw a sixfold growth in detected brute-force attacks against RDP.

Figure 3 // Trends of RDP connection attempts and unique clients between January 2020 and June 2021, seven-day moving average (chart: RDP brute-force attack detection trend, 7-day average; attack attempts in millions on the left axis, unique clients in thousands on the right axis)

Gaining unauthorized access from the internet to devices running RDP may require more upfront effort than email-based ransomware, but the RDP vector offers threat actors significant benefits, like misuse of legitimate access, the potential to evade endpoint protections, and the ability to rapidly compromise multiple systems — or even the whole network — within a single organization.

Attacks via RDP can fly under the radar of many detection methods, meaning fewer metrics and less threat awareness.

For example, any organization with a mature information security program will detect and block a piece of ransomware embedded in a file attached to incoming email. Such incidents are typically logged and reported by endpoint protection programs, and vendors of such programs aggregate anonymized threat trend statistics from such reports.

The same is often true of efforts to trick users into visiting malicious websites propagating ransomware. However, if an attacker with system administrator privileges on a compromised server turns off the endpoint protection software before deploying their ransomware, that attack may well elude typical malware metrics.

Lateral movement and living off the land

For the ransomware attacker, a compromised RDP system can mean much more than extorting money to decrypt the files on that machine. That’s especially true if that system can provide an entry point to an entire network of devices, potentially enabling large-scale encryption or theft of mission-critical data. That’s what happened in many of the headline cases cited earlier, and the techniques for carrying out this type of attack are no secret.

Upon gaining remote access, the attacker will want to learn more about the compromised machine, evaluating its potential for abuse, including mapping connections to other systems. If access was not gained with admin credentials, several techniques can be used to escalate privilege to admin level. If there is endpoint protection installed on the system and it can be turned off by a user with admin privileges, the attacker will likely try to turn it off. This makes it easier for the attacker to download additional software, based on an assessment of the system’s potential for abuse. Note that in the following text when actions are described as being performed “by the attacker” they may not be performed by a person at a keyboard but by software used to automate aspects of an attack.

Some attackers will try to introduce as little malicious code as possible in order to minimize the chances of detection. Instead, a strategy of “living off the land” will be employed, using legitimate software, often used by the system’s actual administrators, and even standard tools installed with the base operating system, to extend network penetration. For example, PsExec and Windows Management Instrumentation Command-line (WMIC) are often misused to achieve lateral movement in compromised networks. There are valid reasons for these programs to be executed, and so detecting abusive use by an attacker can be difficult, although not impossible. For more information on how to detect them see the discussion of endpoint detection and response (EDR) tools below.

The term lateral movement is used to describe the strategy of gaining a foothold on one system and using that to compromise other devices that can be reached from there. For example, attackers can utilize compromised credentials to target a server not even present in the targeted organization and use its connection to the main infrastructure to deliver the ransomware payload.

In addition to living off the land, ransomware attacks may take advantage of unpatched vulnerabilities in legitimate system software. Perhaps one of the most archetypal examples was WannaCryptor ransomware, which propagated via the EternalBlue exploit, misusing a high-severity vulnerability in Microsoft’s implementation of Server Message Block. Despite patches having been publicly available for approximately two months prior to the WannaCryptor campaign on May 12, 2017, attackers still found and compromised over 200,000 vulnerable machines. Even in the latter stages of this outbreak, infected devices continued to pose threats as, for example, users may have unknowingly brought compromised laptops into what admins felt to be a secure perimeter.

Top 10 ransomware families in T1 2021 (% of ransomware detections):
- Win/Filecoder.WannaCryptor trojan: 41.0%
- Win/Filecoder.Phobos trojan: 6.7%
- Win/Filecoder.GandCrab trojan: 4.1%
- Win/Filecoder.Sodinokibi trojan: 3.8%
- Win/Filecoder.Buran trojan: 3.7%
- Win/Filecoder.Avaddon trojan: 3.4%
- Win/Filecoder.CryptoWall trojan: 3.3%
- Win/Filecoder.Cerber trojan: 3.3%
- Win/Filecoder.Locky trojan: 3.0%
- Win/Filecoder.CTBLocker trojan: 2.4%

Figure 4 // Top 10 ransomware families in T1 2021 (% of ransomware detections). Four years after its devastating 2017 attack, WannaCryptor still ranks among the most detected ransomware families in the wild (data source: ESET Threat Report T1, 2021)

[…] Win/Filecoder.Avaddon […] with 3.4%. Notably absent was Win/Filecoder.STOP, which has been knocked out of the top 10 despite it being in the third spot with a 6.7% share in T3 2020.

Large earnings of gangs running and participating in ransomware-as-a-service schemes worked as a magnet and attracted other cybercriminals to this part of the threatscape. New players that surfaced in T1 2021 included Black Kingdom, FiveHands [45], Makop, Mamba, and Mansory – which, due to its code resemblance, seems to be a renamed version of the Nemty/Nephilim ransomware.
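One way to make the PsExec and WMIC misuse described above visible is to watch process-creation telemetry for the remote-execution form of each tool and compare the source against where administrators are expected to run it from. The Python below is an added example, not code from the ESET paper or from an ESET product; the host names, accounts, baseline sets and event records are all constructed for illustration, and the record shape is a simplification of what a Sysmon event 1 or Security event 4688 feed provides.

```python
"""
Added example (not from the ESET paper): flagging PsExec and WMIC used for
remote execution in process-creation telemetry, while tolerating the same
tools in the hands of the organization's own administrators.

Assumptions: records are process-creation events (Sysmon event 1 or
Security event 4688) reduced to dicts; administrators are expected to run
these tools only from the hosts in ADMIN_HOSTS with the accounts in
ADMIN_ACCOUNTS; hosts, accounts and records below are constructed.
"""
import re

# Constructed baseline of where remote-execution tooling is expected from.
ADMIN_HOSTS = {"jumphost01"}
ADMIN_ACCOUNTS = {"corp\\svc-ops", "corp\\itadmin"}

# Each rule is (name, regex over the command line). Both patterns key on the
# remote-target syntax, so local, benign uses of the same binaries (a WMI
# query on the local machine, for instance) do not match.
RULES = [
    ("psexec-remote-exec",
     re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\[\w.-]+", re.I)),
    ("wmic-remote-process-create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
]

# Constructed sample records.
SAMPLE_EVENTS = [
    # Admin task from the jump host: expected, keep for correlation only.
    {"host": "jumphost01", "user": "corp\\svc-ops", "parent": "powershell.exe",
     "cmdline": r"psexec.exe \\fileserver02 -s cmd /c gpupdate /force"},
    # Same tool, but from a finance workstation under a regular user account.
    {"host": "finance-pc07", "user": "corp\\jdoe", "parent": "cmd.exe",
     "cmdline": r"psexec.exe \\fileserver02 cmd"},
    # WMIC remote process creation from the same workstation.
    {"host": "finance-pc07", "user": "corp\\jdoe", "parent": "cmd.exe",
     "cmdline": 'wmic /node:"dc01" process call create "cmd /c hostname"'},
    # Benign local WMIC query: no remote target, must not alert.
    {"host": "finance-pc07", "user": "corp\\jdoe", "parent": "explorer.exe",
     "cmdline": "wmic os get caption"},
    # Ordinary process, ignored.
    {"host": "finance-pc07", "user": "corp\\jdoe", "parent": "explorer.exe",
     "cmdline": "notepad.exe budget.txt"},
]


def find_lateral_movement(events):
    """Return one alert per matching event. `expected` is True when the
    source host or account is in the admin baseline; such alerts are still
    worth keeping (EDR correlation), but unexpected ones need a response."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({
                    "rule": name,
                    "host": ev["host"],
                    "user": ev["user"],
                    "parent": ev["parent"],
                    "expected": ev["host"] in ADMIN_HOSTS
                                or ev["user"].lower() in ADMIN_ACCOUNTS,
                })
                break  # one alert per event is enough
    return alerts


def unexpected(alerts):
    """Alerts that fall outside the admin baseline."""
    return [a for a in alerts if not a["expected"]]


if __name__ == "__main__":
    for a in find_lateral_movement(SAMPLE_EVENTS):
        tag = "OK   " if a["expected"] else "ALERT"
        print(tag, a["rule"], a["host"], a["user"], "parent:", a["parent"])
```

The rules key on the remote-target syntax (a `\\host` argument for PsExec, `/node:` together with `process call create` for WMIC), so ordinary local use of the same binaries stays silent. The `expected` flag is what turns a noisy signal into a usable one, since the paper's point is that these tools are also run legitimately; the parent process is carried along because a remote-execution tool spawned from an office application or a user shell is a stronger signal than one launched from an administrator's script. On the target side a PsExec session also leaves a PSEXESVC service installation, a second signal worth correlating with in an EDR, which this example does not cover.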

Of course, it is possible that in some cases an attacker’s first point of contact with an organization will be a server running a mission-critical database, in which case an opportunistic criminal may decide to save some time and effort and go for a quick win by simply stealing data, encrypting and ransoming the files used by that one asset. However, a lot can be gained via persistence, so many ransomware operators are likely to continue to perform recon even after the data has been stolen and before encrypting it — just to make sure they have enough leverage.

Defending against RDP ransomware attacks

It is possible to defend systems running RDP against unauthorized access and thus deny criminals this increasingly popular attack vector, whether they are purveying ransomware or engaged in some other abuse of unauthorized system access. While defensive strategies are covered in this section, a more technical checklist of anti-ransomware techniques is provided in the section “Securing RDP against ransomware.”

Of course, your organization may already have policies in place to address remote access security. You might have rules requiring all RDP access to be routed over a VPN (virtual private network), secured by MFA (multi-factor authentication), limited to specific roles, on specific systems that are configured securely, patched promptly, monitored constantly, firewalled appropriately, and backed up regularly. However, even if you have such rules in place or are working toward putting them in place, rules alone will not ensure your remote access is not hacked. You still have to make sure everyone is complying with the rules, while also being prepared to handle an attack that somehow succeeds despite those rules.

A foundational first step in defending against RDP ransomware attacks is to make an inventory of your internet-facing assets. To say that you cannot defend a system if you are not aware of its existence might sound like a statement of the obvious, but based on our investigations the following scenario is not that unusual: an organization is attacked via an internet-connected asset that the organization’s security staff were not aware of until after that attack.

You need processes in place to ensure that does not happen to your organization. For example, it should not be possible for either a contractor or an employee to connect either a physical or a virtual server to both the organization’s network and the internet unless that server is securely configured; said configuration must occur before the server goes live, particularly if the server is running RDP with a domain admin account.

When you have finished creating your inventory of internet-facing assets, you need to document which ones have remote access enabled, and then decide if that access is necessary. If access is necessary, require long passwords for the accounts that will have such access. How long? Passwords of 15 characters or more may seem prohibitively long but are easily remembered if passphrases are used, and passwords of that length need not have complexity rules, which research shows tend to push people into poor password practices. After setting stringent password length requirements on the accounts, determine whether or not it is feasible to limit those systems to the internal network and access them remotely using a corporate VPN.

If a system does have to be accessible from the public internet via RDP, and using a VPN is not feasible, at least install MFA so that you are not relying on passwords alone for protection. However, be sure to use an MFA solution that is not SMS-based. Criminals have plenty of ways to thwart SMS-based authentication (often developed by malware authors targeting customers of banks in Europe, where SMS-based MFA has been used for many years to confirm banking transactions).

If you are forced to rely on passwords because MFA is not available — possibly due to shortsighted budgetary policy — at least stop would-be intruders making repeated attempts to guess credentials. Set a threshold of three invalid login attempts, after which no login attempts are recognized for a set period of time; for example, three minutes. In Figure 5 you can see what this looks like in Windows.
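The brute-force attacks described earlier and the lockout threshold recommended here can both be checked against log data. The following Python is added as an example and is not part of the ESET paper: it flags a source address that produces three or more failed RDP logons (Windows Security event 4625) within three minutes, and it replays a constructed stream of one guess per second against a single account with and without a lockout policy of three attempts and three minutes. The event records, IP addresses and account names are constructed; the logon-type handling assumes the usual Windows behaviour that classic RDP failures carry logon type 10 while failures behind Network Level Authentication are logged as type 3.

```python
"""
Added example (not from the ESET paper): spotting RDP brute-force activity
in Windows logon-failure events and measuring what an account lockout
policy does to an attacker's guessing rate.

Assumptions: records are Windows Security event 4625 (failed logon) reduced
to dicts with an ISO-8601 UTC time, the logon type, the target account and
the source IpAddress; the sample records are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Logon type 10 is RemoteInteractive (classic RDP);
# when Network Level Authentication is enabled, failed RDP logons are
# recorded with logon type 3 instead, so a detector must accept both.
SAMPLE_EVENTS = [
    {"time": "2021-06-15T10:00:01", "event_id": 4625, "logon_type": 3,
     "user": "admin", "ip": "198.51.100.23"},
    {"time": "2021-06-15T10:00:03", "event_id": 4625, "logon_type": 3,
     "user": "administrator", "ip": "198.51.100.23"},
    {"time": "2021-06-15T10:00:05", "event_id": 4625, "logon_type": 3,
     "user": "backup", "ip": "198.51.100.23"},
    {"time": "2021-06-15T10:00:07", "event_id": 4625, "logon_type": 3,
     "user": "guest", "ip": "198.51.100.23"},
    {"time": "2021-06-15T10:01:30", "event_id": 4625, "logon_type": 10,
     "user": "jsmith", "ip": "203.0.113.9"},      # one typo from a real user
    {"time": "2021-06-15T10:01:42", "event_id": 4624, "logon_type": 10,
     "user": "jsmith", "ip": "203.0.113.9"},      # successful logon, ignored
    {"time": "2021-06-15T10:20:00", "event_id": 4625, "logon_type": 10,
     "user": "jsmith", "ip": "203.0.113.9"},      # outside the 3-minute window
]

RDP_LOGON_TYPES = {3, 10}


def _ts(s):
    return datetime.fromisoformat(s)


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=3)):
    """Return {source_ip: time_first_flagged} for every source that produced
    `threshold` or more RDP logon failures inside any `window`-long span."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        t = _ts(ev["time"])
        q = recent[ev["ip"]]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["time"]
    return flagged


def simulate_lockout(attempt_times, threshold=3,
                     lockout=timedelta(minutes=3), reset=timedelta(minutes=3)):
    """Replay failed attempts against one account under a Windows-style
    lockout policy: after `threshold` failures within `reset`, the account is
    locked for `lockout` and attempts made meanwhile are refused unread.
    threshold=0 models 'no lockout policy'. Returns (evaluated, refused)."""
    evaluated = refused = 0
    failures = []        # evaluated failures still inside the reset window
    locked_until = None
    for t in sorted(attempt_times):
        if locked_until is not None and t < locked_until:
            refused += 1
            continue
        locked_until = None
        evaluated += 1
        if threshold == 0:
            continue
        failures = [f for f in failures if t - f <= reset] + [t]
        if len(failures) >= threshold:
            locked_until = t + lockout
            failures = []
    return evaluated, refused


def guessing_stream(count, gap_seconds=1):
    """Constructed attacker: `count` guesses, one every `gap_seconds`."""
    start = datetime(2021, 6, 15, 10, 0, 0)
    return [start + timedelta(seconds=i * gap_seconds) for i in range(count)]


if __name__ == "__main__":
    print("flagged sources:", detect_bruteforce(SAMPLE_EVENTS))
    guesses = guessing_stream(600)          # ten minutes at one guess/second
    print("no lockout policy:", simulate_lockout(guesses, threshold=0))
    print("3 attempts / 3 minutes:", simulate_lockout(guesses))
```

Run as a script it prints the flagged source and the two simulation results: with the policy in place the attacker gets 12 of 600 guesses checked in ten minutes and the other 588 are refused while the account is locked, against 600 checked guesses without it. The sliding-window detector is the same logic a SIEM rule would carry, with the window and threshold set to the values recommended above; grouping by source address rather than by account is deliberate, because the sample shows the usual pattern of one source cycling through many account names.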

Figure 5 // Account lockout policy

You can also change the RDP listening port from 3389 to something else to make accessible machines slightly harder for attackers to find. This can be done through system settings, but you will also need to change firewall rules to accommodate the designated port. Bear in mind that this is merely security by obscurity and should not be relied upon to keep RDP systems safe (see the section “Securing RDP against ransomware” for more details).

Hardening and patching should be performed for all remotely accessible devices. In addition to making sure that all security vulnerabilities are identified and remediated, you want to make sure that all nonessential services and components have been removed or disabled, and that settings are configured for maximum security.

For example, on Windows systems you can use Software Restriction Policies (SRP) to prevent files running from folders such as AppData and LocalAppData, which are sometimes used by malware. You can also use AppLocker to control which apps and files employees can run on their machines. Of course, the last line of defense against RDP ransomware is a comprehensive and well-tested backup and recovery system. Given that backup is key to surviving ransomware regardless of attack vector, it will be discussed after three more vectors (email, supply chain, and vulnerabilities) are considered.

Quick aside: SMB protocol, runner-up to RDP

The Server Message Block (SMB) protocol, which is mainly used for file and printer sharing in enterprise networks, is also widely misused as a remote service through which ransomware can enter. In T1 2021, ESET technologies blocked 335 million brute-force attacks against public-facing SMB services. Although this represents a decline of 50% when compared with the last four months of 2020, attacks via SMB remain a prominent threat. Also, the WannaCryptor (aka WannaCry) ransomware, which comprised 41% of ransomware detections in the same T1 period, propagates by exploiting the vulnerable SMBv1 protocol.

Follow this advice to
