The cybercrime gangs and APT groups that deploy ransomware use a variety of tactics to gain access to target machines and networks, but new data compiled by researchers shows that there are some interesting and important commonalities in when and how they deploy their wares.
Drawing on information gathered during dozens of incident investigations over the course of three years, FireEye’s Mandiant Intelligence team found that in 75 percent of incidents the attackers waited at least three days after their initial intrusion to deploy the ransomware. The amount of time that attackers waited to actually detonate their ransomware on a compromised machine or network varied widely--from hours to nearly 300 days--but in most cases some time elapsed between the initial intrusion and the ransomware deployment.
“This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided. In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment. Several investigations discovered evidence of ransomware installed into victim environments but not yet successfully executed,” Kelli Vanderlee, manager of intelligence analysis at FireEye, wrote in an analysis of the findings.
Every attack group has its own goals, and while the general idea behind ransomware attacks is obviously to make money, some groups also have other objectives for those operations. In some instances, attackers--particularly APT groups--use ransomware as cover for other intrusions or activity on a compromised network. Or a large ransomware attack could be used as a diversion to draw attention and resources away from a more targeted and damaging attack elsewhere in an organization. In any case, groups may have specific reasons for waiting several days or weeks to execute their ransomware once they’ve successfully compromised a target.
The Mandiant Intelligence researchers also found some interesting patterns in the times that ransomware attackers chose to execute their payloads. Security researchers who track specific APT groups often use the operators’ working hours as an indicator of where they might be located geographically. By similar reasoning, it seems some ransomware groups are tracking the working hours of their victim organizations and waiting until after normal business hours or weekends to execute the ransomware. In 49 percent of the incidents the team investigated, the ransomware was executed on a weekday after business hours, and in 27 percent it was executed on a weekend.
“Some attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions,” Vanderlee said.
“For example, in 2019 incidents at retail and professional services firms, attackers created a Microsoft Entra ID Group Policy Object to trigger ransomware execution based on user log on and log off.”
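As an added illustration (not part of the original article or of Mandiant's analysis), the Python helper below buckets detonation times the way the statistics above do and measures the intrusion-to-detonation window over a constructed set of incidents; the 08:00 to 18:00 local business hours and the sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed local business hours of the victim organization (hypothetical).
BUSINESS_START, BUSINESS_END = 8, 18


def execution_window(ts: datetime) -> str:
    """Bucket a timestamp as weekday business hours, weekday after hours,
    or weekend, mirroring the breakdown in the article."""
    if ts.weekday() >= 5:                      # Saturday or Sunday
        return "weekend"
    if BUSINESS_START <= ts.hour < BUSINESS_END:
        return "business_hours"
    return "after_hours"


@dataclass
class Incident:
    name: str
    initial_access: datetime   # first observed malicious action
    detonation: datetime       # ransomware execution


def dwell_days(inc: Incident) -> float:
    """Days between first malicious action and ransomware execution."""
    return (inc.detonation - inc.initial_access).total_seconds() / 86400


def summarize(incidents: list[Incident]) -> dict:
    """Share of incidents with a window of at least three days, plus a
    histogram of the detonation windows (the defender's response budget)."""
    windows = {"business_hours": 0, "after_hours": 0, "weekend": 0}
    for inc in incidents:
        windows[execution_window(inc.detonation)] += 1
    three_plus = sum(dwell_days(i) >= 3 for i in incidents)
    return {"n": len(incidents),
            "share_dwell_3d_plus": three_plus / len(incidents),
            "windows": windows}


# Constructed sample incidents (not drawn from the Mandiant dataset).
SAMPLE = [
    Incident("case-a", datetime(2019, 3, 4, 10, 0), datetime(2019, 3, 8, 22, 30)),   # Fri night, ~4.5 d
    Incident("case-b", datetime(2019, 5, 1, 9, 0), datetime(2019, 5, 4, 3, 0)),      # Sat early, 2.75 d
    Incident("case-c", datetime(2019, 6, 10, 14, 0), datetime(2019, 6, 10, 16, 0)),  # same day, office hours
    Incident("case-d", datetime(2019, 7, 1, 8, 0), datetime(2019, 9, 30, 1, 15)),    # Mon 01:15, ~90 d
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```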
Ransomware began mainly as a problem for consumers, with individual attackers or small groups using relatively basic malware to target individuals. Most of this work was done through phishing emails or drive-by downloads on malicious or compromised websites, and those are still two of the dominant infection vectors now that attack groups have moved on to enterprises and government agencies as their main targets of choice. While enterprises and other large organizations may be more versed in the threat and have more resources to combat it, they also have more to lose and so they have become much more attractive targets.
“We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems,” Vanderlee said.
“The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.”