Introduction
An attack vector is the path an attacker takes to compromise a system. Attackers do not have mystical skills that grant access to well-protected systems; they look for vulnerabilities in specific systems and then exploit them.
Which attack vectors are viable depends on the vulnerabilities of the target. Companies and their employees have to know about these weaknesses and take measures against them.
This report compiles techniques that can serve as a reference for an organization's IT staff, incident response teams, threat intelligence analysts and malware analysts. It is intended as a guide to where to focus and which situations and activities to watch for in order to reduce or prevent the effects of ransomware-related attack vectors.
Accordingly, the report covers the most common attack vectors and the top 10 ransomware attack techniques.
- Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
- In 2021, 37 percent of all businesses and organizations were hit by ransomware.
- Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
- Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
- Only 57 percent of businesses are successful in recovering their data using a backup.
The year 2020 saw a rise in the ransom demanded by attackers, which increased by 60 percent since the start of the year to $178,000 on average. In 2021, the average ransom demand reached $220,298, up 43 percent compared to 2020.
Key Findings
- Phishing
- Malware Injection
- Vulnerability Exploitation
- Brute-Force
- Insider Threats
- Weak Encryption
- Exposed Information (Leakage)
- Insecure Authorization
- The Evolution of Ransomware
- Top 10 Ransomware Attack Vectors
- MITRE ATT&CK Ransomware Analysis
Most Common Cyber Attack Vectors
Phishing
Phishing is a deception technique built on social engineering. With it, attackers can gather information about the target, gain access to systems they should not reach, deliver malware, and open many other attack paths limited only by the attacker's creativity. The most common form is credential phishing, in which attackers try to obtain your credentials without your knowledge, for example by planting a keylogger (malware that records the victim's keystrokes and sends them to the attacker) or by setting up a fake login page so that the credentials you type are delivered straight to the attacker.
There are other phishing methods, of course, but the common countermeasure is caution when sharing or entering credentials or downloading files from unknown sources. Companies have to build this awareness in their employees through training.
Malware Injection
Attackers need some form of access to deliver malware. That access can come from phishing, from exploiting a vulnerability, or from a direct connection made possible by a misconfiguration. Regardless of how the malware gets in, what matters in this section is its capabilities. There are many malware families and, correspondingly, many kinds of harm to you or your company. Examples are keyloggers (record the victim's keystrokes and send them to the attacker), ransomware (encrypts the files on the infected computer and demands a ransom for the key that decrypts them), spyware (monitors the victim's activities) and adware (downloads or displays advertisements on the victim's computer).
Exploiting Vulnerabilities
As noted earlier, attackers do not have mystical powers that let them into every system they want. They need to find vulnerabilities they can exploit to gain access.
Companies and individuals rely on software and services (browsers, operating systems, SSH, RDP, …) that may contain vulnerabilities. Especially when a vulnerability has only recently been disclosed, there may not be enough time to patch it before attackers start exploiting it.
Always keep your software and your company's security products up to date, and use genuine, licensed software so that you actually receive updates.
Brute Forcing
Brute forcing is trying many passwords in the hope of logging in to the target's account. There are some simple measures that companies and individuals can take:
- Use complex and different passwords for each of your accounts. If it is impossible to remember them all, use a password manager.
- Use MFA (multi-factor authentication) so that a guessed password alone is not enough to log in.
- Lock the account when the number of failed password attempts exceeds a limit.
- Make the user wait for a while after a failed login attempt. This increases the time a brute-force attack takes.
- Put a CAPTCHA on the login page.
- Return the same error message for a wrong username and a wrong password, so the login form cannot be used to enumerate valid usernames.
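The following is an added example, not code from the report, showing how the last three measures fit together in one login handler: a per-account lockout after a fixed number of failures, an exponential delay after each failure, and a single generic error for unknown users and wrong passwords (with the same amount of hashing work in both paths, so timing does not leak which usernames exist). The thresholds, the in-memory attempt table, the PBKDF2 iteration count and the demo user are assumptions for the example.

```python
"""Brute-force throttling for a login endpoint (added example, not from the report).

Assumptions: an in-memory attempt table, lockout after 5 consecutive failures,
an exponential delay between failures, one generic error message for both
unknown users and wrong passwords, and PBKDF2-HMAC-SHA256 for the stored hash.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # 15-minute lockout (assumed policy)
GENERIC_ERROR = "Invalid username or password"
_DUMMY_SALT = b"\x00" * 16  # used to burn the same CPU time for unknown users


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, users, clock=time.time):
        # users: {username: (salt, hash)} - constructed for the demo
        self.users = users
        self.clock = clock            # injectable so tests can control time
        self.failures = {}            # username -> consecutive failure count
        self.locked_until = {}        # username -> unix time the lockout expires
        self.retry_after = {}         # username -> earliest allowed next attempt

    def login(self, username: str, password: str):
        """Return (success, message, wait_seconds)."""
        now = self.clock()
        # 1. Account lockout: refuse even a correct password while locked.
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR, int(self.locked_until[username] - now)
        # 2. Backoff: refuse attempts that arrive before the delay has elapsed.
        if self.retry_after.get(username, 0) > now:
            return False, GENERIC_ERROR, int(self.retry_after[username] - now)

        record = self.users.get(username)
        if record is None:
            # Unknown user: do the same work and return the same message, so
            # neither wording nor timing reveals which usernames exist.
            _hash_password(password, _DUMMY_SALT)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)

        if ok:
            self.failures.pop(username, None)
            self.retry_after.pop(username, None)
            return True, "ok", 0

        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)   # counter restarts after the lockout
            return False, GENERIC_ERROR, LOCKOUT_SECONDS
        delay = 2 ** (count - 1)                # 1, 2, 4, 8 seconds between attempts
        self.retry_after[username] = now + delay
        return False, GENERIC_ERROR, delay


def demo_guard(clock=None):
    """Build a guard with one constructed user: alice / 'correct horse'."""
    salt = os.urandom(16)
    users = {"alice": (salt, _hash_password("correct horse", salt))}
    return LoginGuard(users, clock or time.time)


if __name__ == "__main__":
    g = demo_guard()
    for pw in ["wrong", "wrong", "correct horse"]:
        print(g.login("alice", pw))
```

In a real deployment the counters live in a shared store (database or cache) so that the limit holds across application instances, and the lockout should also be keyed on source IP to slow down password spraying across many accounts.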
Insider Threats
Employees may let attackers in, or steal important information from your company and hand it to attackers. Why would they do that? Because they expect to profit from the attack or want revenge on the company. Companies should set authorization rules correctly, granting each person only the access their role needs, to limit what any single insider can reach.
Decrypting Poorly Encrypted Data
Your data should be encrypted both in transit and at rest, using modern, well-reviewed cryptographic algorithms and sound key management. Layering several encryptions on top of each other adds little by itself; the choice of algorithm and mode and the handling of keys are what make the difference. Passwords should never be stored in plain text or merely encrypted: store them with a slow, salted password hashing function so that a leaked database cannot be turned back into passwords.
You should protect your data as an individual too. Make sure you use websites over HTTPS, not HTTP: HTTPS encrypts your traffic so that someone on the path cannot capture and read it. Otherwise credentials are easy to capture, especially on public networks.
Already Exposed Information
Information exfiltrated from you can be displayed or sold on dark-web markets. Attackers who target you can buy this information and use it in their plans. Account credentials, credit card numbers and personal information are valuable, and attackers do not have to hack your accounts to get them: they can breach a company and steal the data from its database. That is why you should change your passwords periodically and never reuse them across services, so that leaked data does not affect you.
Attackers might not get your valuable information directly, but they can collect personal details from public sources like social media. They can map your digital footprint with OSINT (Open Source Intelligence) techniques and use what they find, for example, to add tailored guesses to their brute-force wordlists.
Insecure Authorization
Attackers may already have a foothold in your systems and be waiting to escalate privileges, which would let them reach more, and more valuable, information. That is why you should not do day-to-day work on your computer with root or administrator privileges.
Moreover, companies should define authorization rules carefully. Otherwise, a compromised employee account can give the attacker access to other computers in the company.
Top 10 Ransomware Attack Techniques
The Evolution of Ransomware
The history of ransomware goes back to 1989. The first known ransomware attack was carried out against attendees of an international AIDS conference by evolutionary biologist Joseph L. Popp. Although the Internet existed in those days, it was not used the way it is today. A total of 20,000 infected floppy disks, labeled "AIDS Information - Introductory Diskette", were mailed to conference attendees. After roughly 90 reboots of a computer that had run the disk, the malware scrambled the names of the files on the hard disk and demanded a $189 ransom, to be sent to a post office box in Panama.
In the past, ransom payments were sent to mailboxes, which made the attackers relatively easy to trace and catch. Today, cryptocurrencies offer greater anonymity and make tracing far more complex, and ransom demands have shifted in that direction.
In addition, stronger encryption has been adopted over time, since the extortion depends on the victim being unable to recover the files. In 2006, threat actors began using asymmetric RSA encryption so that files could not be recovered without the attacker's private key.
Top 10 Attack Techniques
Despite the growing diversity of ransomware threat actors and operators, they share common goals. Knowing which techniques are most commonly used to build a successful attack chain is essential to preventing and mitigating such threats.
The techniques below are compiled with reference to the MITRE ATT&CK threat matrix; for each one you will find why attackers use it, how to detect it and how to mitigate it. Tactic and technique IDs are given so that you can refer to the relevant ATT&CK entries.
MITRE ATT&CK Matrix
Tactic ID | Tactic Name | Technique ID | Technique Name |
TA0001 | Initial Access | T1566 | Phishing |
TA0002 | Execution | T1059 | Command and Scripting Interpreter |
TA0004 | Privilege Escalation | T1055 | Process Injection |
TA0007 | Discovery | T1057 | Process Discovery |
TA0007 | Discovery | T1083 | File and Directory Discovery |
TA0009 | Collection | T1005 | Data from Local System |
TA0010 | Exfiltration | T1041 | Exfiltration Over C2 Channel |
TA0040 | Impact | T1486 | Data Encrypted for Impact |
TA0040 | Impact | T1490 | Inhibit System Recovery |
TA0040 | Impact | T1489 | Service Stop |
T1566: Phishing
Definition
Attackers use phishing e-mails, a digital social engineering method, to gain initial access to target systems. This technique requires user interaction to succeed.
Usually e-mails aimed at a person, institution or industry are distributed with an attachment containing malicious code, together with a plausible reason why the file should be opened. Malicious attachments come in many formats, such as Microsoft Office documents, executables, PDF files or archives. Sending password-protected files so that endpoint security cannot scan them, along with instructions telling the user how to open the file, is a scenario commonly encountered.
Detection
Network intrusion detection systems and e-mail gateways can detect phishing e-mails that carry malicious attachments; these solutions can be signature or behavior based. DKIM and SPF verification and filtering based on e-mail header analysis can reveal details of possible attack attempts.
Anti-virus on the mail server or on the user's computer can help detect malicious files and attachments. It is also useful to monitor child processes spawned by Microsoft Office and other document-handling software.
Impact Mitigation
Anti-virus and network intrusion detection systems designed to scan and strip malicious attachments can be used to quarantine suspicious files. E-mail filtering can block file extensions that are commonly used for malicious activity from being delivered.
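The block below is an added example, not code from the report, of the gateway-side triage the two preceding subsections describe, written with the Python standard library's email parser. It reads the receiving MTA's Authentication-Results header for failed SPF/DKIM checks, looks for a lure that hands the user a password for the attachment, and inspects attachments for commonly abused extensions, double extensions and executable (MZ) content regardless of the declared name. The sample messages, the extension lists and the verdict thresholds are constructed for this example.

```python
"""Phishing triage of an inbound e-mail (added example, not from the report).

Sample messages, extension lists and verdict rules are constructed assumptions.
"""
import email
import re
from email import policy

RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta",
                    ".lnk", ".iso", ".img", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Constructed phishing message: SPF failure, password lure, disguised executable.
SAMPLE_EML = b"""From: accounts@example-supplier.test
To: finance@example.test
Subject: Overdue invoice - action required
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-supplier.test; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice today. The password is 2024.

--b1
Content-Type: application/octet-stream; name="Invoice_0457.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0457.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN_EML = b"""From: hr@example.test
To: finance@example.test
Subject: Holiday schedule
Authentication-Results: mx.example.test; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

The office is closed on Friday.
"""


def _ext_chain(filename: str):
    """'Invoice.pdf.exe' -> ['.pdf', '.exe'] so double extensions are visible."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender authentication results recorded by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "") or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"auth:{mech}={m.group(1)}")

    # 2. Lure text that supplies a password for a protected attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    password_lure = re.search(r"\bpassword\b", text, re.IGNORECASE) is not None
    if password_lure:
        findings.append("body:password-for-attachment")

    # 3. Attachment names and actual content.
    attachment_hits = 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        chain = _ext_chain(name)
        data = part.get_payload(decode=True) or b""
        if any(ext in RISKY_EXTENSIONS for ext in chain):
            findings.append(f"attachment:{name}:risky-extension")
            attachment_hits += 1
        if len(chain) > 1:
            findings.append(f"attachment:{name}:double-extension")
            attachment_hits += 1
        if chain and chain[-1] in ARCHIVE_EXTENSIONS and password_lure:
            findings.append(f"attachment:{name}:password-protected-archive")
            attachment_hits += 1
        if data[:2] == b"MZ":  # PE header, whatever the file claims to be
            findings.append(f"attachment:{name}:pe-executable-content")
            attachment_hits += 1

    verdict = "quarantine" if attachment_hits else ("review" if findings else "deliver")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
    print(triage(SAMPLE_CLEAN_EML))
```

Checking the decoded bytes rather than only the filename matters because a renamed executable inside an archive, or an `.exe` relabeled as `.pdf`, passes an extension-only filter.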
T1059: Command and Scripting Interpreter
Definition
On Windows, attackers take advantage of the built-in command-line interpreter, the Windows Command Shell (cmd), to control nearly every aspect of a system locally.
Files with the .bat or .cmd extension are commonly used to run sequential or repetitive commands through the command shell. Attackers can run commands or payloads in this way to help achieve their goals.
Detection
If scripting is restricted for normal users, attempts to enable script execution on the system are suspicious. Where scripts are unrestricted and widely used, commands that run outside the system's normal operating pattern can be treated as suspicious.
Impact Mitigation
The most effective mitigation for this technique is application control: block the execution of unauthorized scripts and binaries on the system.
T1055: Process Injection
Definition
Attackers can inject malicious code into the address space of a running process in order to evade process-based defenses, escalate privileges, or use the network and system resources that the target process is allowed to access. Because the injected code runs under a legitimate process, it can escape detection by security solutions.
Detection
Windows API calls commonly used for code injection should be monitored. Since these calls alone do not indicate malicious intent, their occurrence together under specific conditions should be analyzed.
API calls that can be tracked:
CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread and VirtualAllocEx/WriteProcessMemory
The creation of executable files, and the loading of unknown DLLs or of DLLs that are not normally loaded into a given process, can be tracked. Process behavior such as opening network connections or reading files can be analyzed to catch processes that do not typically perform such actions doing so.
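The following is an added example, not code from the report, of the correlation the detection paragraph calls for. Each listed API call is legitimate in isolation; the signal is one process performing an allocate, write and execute sequence (via CreateRemoteThread, an APC, or SetThreadContext) against the same foreign process within a short window. The event format (timestamp, source PID, image, API, target PID), the window and the sample trace are constructed assumptions; in practice the records would come from an EDR or API-monitoring feed.

```python
"""Correlating remote-process API calls into a process-injection alert
(added example, not from the report). Event format and trace are constructed."""
from collections import defaultdict

# Execution-stage calls; any of these after alloc+write completes the chain.
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
             "NtQueueApcThread", "SetThreadContext"}
WINDOW_SECONDS = 30  # assumption: how long a chain may take end to end

# Constructed trace: (timestamp, source_pid, source_image, api, target_pid)
SAMPLE_TRACE = [
    (100.0, 4321, "invoice.exe", "OpenProcess", 1200),
    (100.1, 4321, "invoice.exe", "VirtualAllocEx", 1200),
    (100.2, 4321, "invoice.exe", "WriteProcessMemory", 1200),
    (100.3, 4321, "invoice.exe", "CreateRemoteThread", 1200),
    # Debugger-like behaviour: allocate and write, but no execute step
    (200.0, 5555, "devenv.exe", "VirtualAllocEx", 7000),
    (200.1, 5555, "devenv.exe", "WriteProcessMemory", 7000),
    # Execute step against a process never written to: not a complete chain
    (300.0, 6000, "svc.exe", "CreateRemoteThread", 8000),
    # APC variant spread over 25 seconds, still inside the window
    (400.0, 9001, "update.exe", "VirtualAllocEx", 1300),
    (410.0, 9001, "update.exe", "WriteProcessMemory", 1300),
    (425.0, 9001, "update.exe", "NtQueueApcThread", 1300),
]


def detect_injection(trace, window=WINDOW_SECONDS):
    """Return one alert per completed alloc -> write -> execute chain."""
    stages = defaultdict(dict)  # (source_pid, target_pid) -> {stage: timestamp}
    alerts = []
    for t, spid, image, api, tpid in trace:
        if spid == tpid:
            continue  # a process working on its own memory is normal
        key = (spid, tpid)
        if api == "VirtualAllocEx":
            stages[key]["alloc"] = t
        elif api == "WriteProcessMemory":
            stages[key]["write"] = t
        elif api in EXEC_APIS:
            s = stages[key]
            if "alloc" in s and "write" in s and t - s["alloc"] <= window:
                alerts.append({
                    "source_pid": spid, "image": image, "target_pid": tpid,
                    "exec_api": api,
                    "chain": ["VirtualAllocEx", "WriteProcessMemory", api],
                })
                stages.pop(key)  # one alert per chain
    return alerts


if __name__ == "__main__":
    for a in detect_injection(SAMPLE_TRACE):
        print(a)
```

Requiring all three stages against the same target suppresses the two benign patterns in the trace (a debugger that writes but never executes, and a lone CreateRemoteThread), which is why monitoring the calls individually produces mostly noise.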
Impact Mitigation
Some endpoint security solutions can be configured to prevent certain types of process injection based on the sequence of behaviors that occurs during injection. On Linux, security kernel modules that provide access control and process restrictions, such as AppArmor, grsecurity and SELinux, can be used.
T1083: File and Directory Discovery
Definition
Attackers search for specific file extensions and folders to decide what to encrypt on the target system. They may search specific locations on a host or on network shares to locate files.
Detection
Processes and their command-line arguments can be monitored for actions that gather system and network information.
Impact Mitigation
Since this technique abuses legitimate system features, there is no known preventive control and it cannot be easily mitigated.
T1041: Exfiltration over C2 Channel
Definition
In addition to encrypting data to demand a ransom, attackers steal data and threaten to publish it; the stolen data is sent over the command and control channel to servers run by the operators.
Detection
To detect attempts to leak data over the network, monitor for deviations from the normal data flow and for anomalies in inbound versus outbound traffic.
For example, a server that sends far more data than it receives is suspicious. Attackers use ports and protocols that are not widely used, and therefore not monitored, to make detection harder. Packet content needs to be analyzed to catch such cases.
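As an added example, not code from the report, the block below applies the two checks just described to summarized connection records: an internal host whose outbound volume to external addresses dwarfs what it receives, and traffic to external hosts on ports outside the organization's baseline. The flow records, the port baseline, the thresholds and the internal address ranges (RFC 1918 space) are constructed assumptions; in practice the records would come from NetFlow/IPFIX, Zeek's conn.log or a firewall.

```python
"""Flagging exfiltration-like flows in connection summaries (added example,
not from the report). Flow records, baseline and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
            ip_network("172.16.0.0/12")]
NORMAL_PORTS = {80, 443, 53, 123}    # assumption: what the baseline shows here
RATIO_THRESHOLD = 5.0                 # outbound/inbound ratio treated as anomalous
MIN_BYTES_OUT = 50 * 1024 * 1024      # ignore small asymmetric flows (50 MiB)

# Constructed flows: (src, dst, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.10", 443, 620_000_000, 4_000_000),  # server pushing 620 MB out
    ("10.0.5.20", "10.0.9.3", 445, 30_000_000, 28_000_000),      # internal SMB, balanced
    ("10.0.7.15", "198.51.100.7", 8443, 90_000_000, 600_000),    # odd port and asymmetric
    ("10.0.7.16", "198.51.100.9", 443, 2_000_000, 80_000_000),   # ordinary download
    ("10.0.7.17", "203.0.113.44", 4444, 400_000, 300_000),       # odd port, small volume
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyse(flows):
    """Aggregate internal->external traffic per source host and score it."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "odd_ports": set()})
    for src, dst, port, bytes_out, bytes_in in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the organization matters here
        t = totals[src]
        t["out"] += bytes_out
        t["in"] += bytes_in
        if port not in NORMAL_PORTS:
            t["odd_ports"].add(port)

    alerts = []
    for host, t in sorted(totals.items()):
        reasons = []
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= MIN_BYTES_OUT and ratio >= RATIO_THRESHOLD:
            reasons.append(f"outbound/inbound ratio {ratio:.0f}:1 over "
                           f"{t['out'] // 2**20} MiB")
        if t["odd_ports"]:
            reasons.append(f"non-baseline ports {sorted(t['odd_ports'])}")
        if reasons:
            alerts.append({"host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

The volume floor keeps ordinary asymmetric chatter (a keep-alive beacon, a small upload) from alerting, while the port check still fires on small flows: the low-volume connection to port 4444 is exactly the kind of unmonitored channel the text describes, and it is reported for the port alone.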
Impact Mitigation
Data Loss Prevention (DLP) solutions can prevent data loss if attackers send data over unencrypted protocols. Additionally, network intrusion detection and prevention systems (IDS/IPS) can identify, by signature, the malware and toolkits that attackers use for intrusion.
T1486: Data Encrypted for Impact
Definition
Attackers first enumerate local disk drives and network-connected drives. They then render sensitive user data (Office documents, PDFs, images, videos, text documents, source code, etc.) and documents in critical system locations unreadable by encrypting them with a key the user cannot obtain without paying.
Detection
The execution and command-line parameters of processes such as vssadmin, wbadmin and bcdedit, which are frequently used as auxiliary processes during encryption, can be monitored. A large number of file changes in user directories within a short period can be considered suspicious.
Impact Mitigation
In Windows 10, cloud-delivered protection and Attack Surface Reduction (ASR) rules can prevent ransomware files from running. However, the most effective defense against ransomware is to back up corporate data regularly, keep multiple copies of the backups in environments that the production network cannot reach (offline or otherwise isolated), and be prepared for disaster recovery.
T1490: Inhibit System Recovery
Definition
Operating systems include built-in features such as the Backup Catalog, Volume Shadow Copies and automatic repair to prevent data loss. Attackers disable or delete these recovery features so that a damaged system cannot be restored. The following commands are typical:
vssadmin.exe can be used to delete all Volume Shadow Copies on the system.
- vssadmin.exe delete shadows /all /quiet
The Windows Management Instrumentation (WMI) command-line tool can delete Volume Shadow Copies.
- wmic shadowcopy delete
wbadmin.exe can be used to delete the Windows Backup Catalog.
- wbadmin.exe delete catalog -quiet
bcdedit.exe can be used to disable Windows automatic recovery.
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Detection
Process monitoring can track the processes and command-line parameters listed above. For example, Event ID 524 in the Windows Backup event log indicates that the backup catalog has been deleted and may be associated with suspicious activity.
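The block below is an added example, not code from the report, of the command-line monitoring recommended here and in the T1486 detection section: it matches the vssadmin, wmic, wbadmin and bcdedit invocations listed above against process-creation records, tolerating case, spacing and command lines wrapped in `cmd.exe /c`, treats a Backup Event ID 524 as corroboration, and groups hits by parent process so the whole chain is visible at once. It also matches `vssadmin resize shadowstorage`, a shadow-copy squeeze that goes beyond the page's list. The record fields (`event_id`, `image`, `parent_image`, `command_line`) loosely follow Security event 4688 but are an assumption, and the sample events are constructed.

```python
"""Detecting recovery-inhibition commands in process telemetry (added example,
not from the report). Record format and sample events are constructed."""
import re

# Command-line patterns; matching on the command line rather than the image
# name also catches 'cmd.exe /c bcdedit ...' wrappers.
RULES = [
    ("T1490 vssadmin shadow deletion",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1490 vssadmin shadow storage resize",
     r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    ("T1490 wmic shadow copy deletion",
     r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1490 wbadmin catalog deletion",
     r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1490 bcdedit recovery disabled",
     r"\bbcdedit(\.exe)?\s+/set\s+\{?default\}?\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
]
BACKUP_CATALOG_DELETED = 524  # Microsoft-Windows-Backup: catalog deleted

LOCKER = r"C:\Users\Public\locker.exe"
SAMPLE_EVENTS = [
    {"event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe", "parent_image": LOCKER,
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": LOCKER,
     "command_line": "wmic shadowcopy delete"},
    {"event_id": 4688, "image": r"C:\Windows\System32\wbadmin.exe", "parent_image": LOCKER,
     "command_line": "wbadmin.exe delete catalog -quiet"},
    {"event_id": 4688, "image": r"C:\Windows\System32\bcdedit.exe", "parent_image": LOCKER,
     "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"event_id": 4688, "image": r"C:\Windows\System32\cmd.exe", "parent_image": LOCKER,
     "command_line": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"event_id": 524, "command_line": ""},
    # Benign: an administrator listing shadow copies, and a scheduled backup job
    {"event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "vssadmin list shadows"},
    {"event_id": 4688, "image": r"C:\Windows\System32\wbadmin.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "wbadmin start backup -backupTarget:E: -include:C:"},
]


def match_event(event: dict):
    """Return the rule labels that match one event (empty list if none)."""
    if event.get("event_id") == BACKUP_CATALOG_DELETED:
        return ["Backup catalog deleted (Event ID 524)"]
    cmd = " ".join(event.get("command_line", "").split())  # collapse whitespace
    return [label for label, pattern in RULES
            if re.search(pattern, cmd, re.IGNORECASE)]


def scan(events):
    """Group hits by parent process so the analyst sees the whole chain."""
    by_parent = {}
    for event in events:
        hits = match_event(event)
        if hits:
            key = event.get("parent_image") or "(no process context)"
            by_parent.setdefault(key, []).extend(hits)
    return by_parent


if __name__ == "__main__":
    for parent, hits in scan(SAMPLE_EVENTS).items():
        print(parent)
        for h in hits:
            print("   ", h)
```

A single vssadmin invocation is not by itself proof of ransomware (administrators do delete shadow copies), so grouping by parent is what turns five low-confidence matches from one unknown binary into a high-confidence alert.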
Impact Mitigation
Configure the operating system so that the services associated with system recovery cannot be disabled or deleted by ordinary users. Data backup is also among the most effective controls for this technique, but backups must be protected against the techniques attackers use to destroy them. Do not keep your backups in an environment reachable from the production network or the Internet.
T1489: Service Stop
Definition
Attackers can stop or disable services on the target system to prevent users from using them. Stopping critical operating system services or processes can remove obstacles to the malicious activity (for example, releasing file locks so that data can be encrypted) or help attackers damage the working environment. Attackers also stop or block critical services, including anti-virus, backup and business-critical services specific to an organization (for example, MSExchangeIS, which renders Exchange mailbox content inaccessible).
Detection
Monitor process and command-line parameters to check whether critical services and processes are being terminated. In addition, track changes to high-value services via the registry (Windows service configuration lives under HKLM\SYSTEM\CurrentControlSet\Services).
Impact Mitigation
Ensure that process and file permissions are granted appropriately so that attackers cannot disable critical services. Likewise, restrict permissions on the registry. Limit user and group privileges so that only authorized system administrators can change critical service configurations.
T1005: Data from Local System
Definition
Before exfiltration, attackers search local resources such as the file system or local databases for sensitive data and files. The Windows Command Shell (cmd), a Command and Scripting Interpreter, is frequently used here because it can interact with the file system to gather information.
Detection
Monitor processes and command-line arguments for actions that collect data from the system.
Impact Mitigation
Data Loss Prevention (DLP) solutions can restrict access to sensitive internal data and raise alerts when they detect unencrypted sensitive data being handled.
T1057: Process Discovery
Definition
Attackers gather information about the processes running on the target system, which helps them understand the software and applications typically running on hosts in the network. On Windows, tasklist from cmd or Get-Process from PowerShell can list running processes, and the CreateToolhelp32Snapshot Windows API provides the same information programmatically. On macOS and Linux, the ps command or the /proc directory can be used.
Detection
Process discovery happens continuously throughout an operation as the attacker explores the environment, not as a single step at one stage. Processes and command-line arguments that gather network and system information can therefore be monitored. Note that remote access tools with built-in features can gather this information directly through the Windows API without spawning a separate process.
Impact Mitigation
Since this technique abuses legitimate system features, there is no definitive preventive control and it cannot be easily mitigated.
Conclusion
Attack vectors are the methods of attack used in specific cases, and they depend on the vulnerabilities of the targeted system. This report has explained those vulnerabilities, shown how attackers might exploit them, and listed basic measures that companies and individuals should apply.
Although ransomware groups and samples are on the rise, you are now familiar with the most common techniques attackers use to reach their targets. Bear in mind that the techniques described here are only the most widely used ones; others not covered here have also been observed in real operations.
You now know how ransomware threats behave, how they can be detected, how to prevent an attack attempt, and how to limit the damage when one succeeds. Complementing this information with in-house cyber security awareness training will further raise the effectiveness of your security posture.