How ransomware operators try to stay under the radar
We look at the three most common methods that ransomware groups use to avoid being detected.
An often heard remark is that when your security solution notices a ransomware attack, it’s already too late. There’s a lot of truth in that, if you consider the encryption process to be the ransomware attack. However, these days encryption is just a part of many ransomware attacks.
Some of the cybercriminals we conveniently call ransomware groups have even stopped using encryption altogether because it is too “noisy.” Any AI-based solution that is worth the electrons used to create it will notice the activities on a system associated with encryption and the deletion of backups.
In the first days of ransomware, the cybercriminals sent you an email, hoping you would open an attachment or click a link to infect your system with malware. But malware has only a short time span during which it can hope to stay undetected. Widespread malware is usually just one update away from detection.
So, to hide their presence, many of these gangs have resorted to much quieter operations. Consider this typical attack flow:
- Initial access is gained by exploiting vulnerabilities in software or hardware found in the target’s environment.
- With valid credentials gained by the vulnerability exploitation, phishing, or password attacks, the criminals get access to an internet-exposed service, where they can set up a foothold that provides them with command and control options.
- From here they can start lateral movement across the target’s network and find ways to escalate their privileges.
- The next step is often called data exfiltration, which is nothing more than copying interesting-looking files to a location under their control where the criminals can have a good look at them.
As you can see, there was no malware involved in these steps. Every single step can be done with software that is already present. The lateral movement is often done using built-in tools like PowerShell, PsExec, or Windows Management Instrumentation (WMI).
We call this technique Living-off-the-Land (LOTL). LOTL attacks mimic normal administrative behavior, which makes it extremely difficult for IT teams and security solutions to detect any signs of malicious activity.
Another way to avoid being detected is using fileless malware. Fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. The malicious payload exists only in the computer’s memory, which means nothing is ever written directly to the hard drive. As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible. This makes fileless malware a step forward in the arms race between malware and security products.
Another, very different method to avoid detection is to disable the resident security software before the actual attack is launched. One way to achieve this, which we have seen this year, is by using signed drivers. The drivers can be deployed only when the attacker has already gained administrative privileges on compromised systems. Drivers are loaded early in the boot process of a system and can therefore interfere with subsequently loaded programs.
The most common type of attack that uses drivers is the “bring your own vulnerable driver” (BYOVD) approach, in which the attackers use a driver from a legitimate software publisher that has known and exploitable security vulnerabilities. Since the driver is legitimate, it will pass security checks, and the attacker can then exploit it once it has been installed on the system.
There has also been abuse of several developer program accounts, which were used to submit malicious drivers to obtain a Microsoft signature. Signatures from a trustworthy software publisher make it more likely the driver will get into Windows without interference from the security software.
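To show the detection side of the LOTL tooling and driver abuse described above, here is an added example (not code from the original article or from Malwarebytes) that runs a few rules over constructed Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) records. The field names, paths, user names and vendor name are assumptions made for the example; note that the BYOVD rule deliberately does not rely on the signature, because such drivers carry a valid one.

```python
import re

# Constructed Sysmon-style events for the example (not real telemetry).
# id 1 = process creation, id 6 = driver loaded.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": r"CORP\svc_backup"},
    {"id": 1, "image": r"C:\Users\jdoe\Downloads\PsExec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\FILESRV01 -s cmd.exe", "user": r"CORP\jdoe"},
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n", "user": r"CORP\jdoe"},
    {"id": 6, "image": r"C:\Users\jdoe\AppData\Local\Temp\vulndrv.sys",
     "signature": "Example Hardware Vendor Inc.", "user": r"NT AUTHORITY\SYSTEM"},
    {"id": 6, "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "signature": "Microsoft Windows", "user": r"NT AUTHORITY\SYSTEM"},
]

# Encoded or hidden-window PowerShell is a classic LOTL tell in command lines.
PS_SUSPICIOUS = re.compile(r"(?i)(^|\s)-(enc(odedcommand)?|w(indowstyle)?\s+hidden)\b")
DRIVER_DIR = r"c:\windows\system32\drivers"


def lotl_findings(ev):
    """Return the list of findings for one event; an empty list means nothing flagged."""
    findings = []
    image = ev["image"].lower()
    if ev["id"] == 1:
        if image.endswith("powershell.exe") and PS_SUSPICIOUS.search(ev["cmdline"]):
            findings.append("LOTL: PowerShell launched with hidden/encoded arguments")
        if image.endswith(("psexec.exe", "psexec64.exe", "psexesvc.exe")):
            findings.append("LOTL: PsExec remote execution")
        if ev["parent"].lower().endswith("wmiprvse.exe"):
            findings.append("LOTL: process spawned by WMI provider host")
    elif ev["id"] == 6:
        # A BYOVD driver is validly signed, so the signature is not a verdict by itself;
        # a kernel driver loading from a user-writable directory is the stronger signal.
        if not image.startswith(DRIVER_DIR):
            findings.append(f"Driver loaded from non-standard path ({ev['signature']} signed)")
    return findings


def scan(events):
    """Return (image, findings) pairs for every event that triggered at least one rule."""
    return [(ev["image"], f) for ev in events if (f := lotl_findings(ev))]


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```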
Many anti-malware solutions, including Malwarebytes, have anti-tampering protection in place, so finding methods to disable that protection is a big deal for malware authors.
Finding signs of malicious activity that are designed to stay under the radar is a job for specialists, which is why many organizations are looking for Managed Detection & Response (MDR) services.