Ransomware

Ransomware continues to surge year-over-year, and payout demands are only getting higher.

Analysis

Ransomware is holding strong as a lucrative business model for criminals. Despite early wins from law enforcement actions, this past year saw increasingly sophisticated and agile operations, with adversaries asking for higher payouts.

As with last year, Red Canary’s visibility into the ransomware landscape centered on the early stages of the ransomware intrusion chain—the initial access, reconnaissance, lateral movement, and command and control (C2) that occur before exfiltration or encryption, which we refer to as “ransomware precursors.” Detecting these precursors continued to be a solid approach to stopping ransomware in 2024, so this section concentrates on what has worked for us.

We saw few intrusions making it to the final stages, and this meant that no ransomware group made it into our top 10 threats for any month or the year overall. This past year we observed activity related to the following ransomware variants:

Since our visibility centers on ransomware precursors, we also recommend checking out ransomware reporting from other researchers for a full perspective across the intrusion chain.

The best way to stop ransomware in its tracks is to detect its precursors.

Common ransomware precursors in 2024

As in previous years, multiple threats in our top 10 play a role in ransomware intrusions as common precursors:

Check out each of those pages for ideas on how to take action to detect those threats. We’ve previously shared the simplified ransomware intrusion chain below as a way to think about detecting across the entire intrusion, and it continues to hold up as a high-level approach to breaking down ransomware.

Ransomware intrusion chain

Here are some of the common techniques, tools, and procedures we observed across “pre-ransomware” intrusion stages:

Initial access

Ransomware affiliates continue to rely on the same broad categories of exploitation of vulnerabilities, phishing, brute force, and valid credentials for initial access. This year we observed affiliates exploiting vulnerabilities in ScreenConnect and Fortinet software.

We also observed the whole enchilada of phishing varieties, most notably with Black Basta affiliates who conducted extensive social engineering campaigns that began with email bombing to flood a victim’s inbox with spam. Next, the adversary—posing as an IT admin offering to help with the email problem—contacted the user via phone or a link to join a Microsoft Teams call. Once in contact, the adversary guided the user into running a remote monitoring and management (RMM) tool like Microsoft Quick Assist, AnyDesk, or TeamViewer.

In August 2024, we observed ransomware incidents that leveraged virtual private networks (VPN), particularly Cisco ASA, as an initial access vector and to facilitate further access within organizations. To get through VPN appliances, adversaries typically conduct password spray attacks: a small number of common passwords tried across many accounts, targeting accounts with weak passwords and no MFA. Reporting indicates that both Akira and FOG ransomware affiliates have targeted VPN software for initial access.
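A password spray against a VPN looks different in the logs from a brute-force attempt: one source address fails against many distinct accounts with only a few tries each, rather than hammering a single account. The following is an added example, not code from the original page, that applies that distinction to VPN authentication failures. The log lines are constructed, and their layout is modeled on Cisco ASA `%ASA-6-113005` “AAA user authentication Rejected” messages, which is an assumption about the telemetry; adjust `LOG_RE` to your appliance’s format.

```python
"""Password-spray detection over VPN authentication failures.

Added example, not code from the original page. The log lines below are
constructed for illustration; their layout is modeled on Cisco ASA
%ASA-6-113005 "AAA user authentication Rejected" messages, which is an
assumption about the telemetry, so adjust LOG_RE to your appliance's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real data). 203.0.113.7 tries one password
# against six different accounts in under two minutes: the spray pattern.
# 198.51.100.9 hammers a single account; 192.0.2.4 is a user mistyping once.
SAMPLE_LOGS = """\
Aug 14 2024 02:01:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Aug 14 2024 02:01:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 203.0.113.7
Aug 14 2024 02:01:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = arogers : user IP = 203.0.113.7
Aug 14 2024 02:01:22 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = kchen
Aug 14 2024 02:01:40 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = lpatel : user IP = 203.0.113.7
Aug 14 2024 02:02:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dbrown : user IP = 203.0.113.7
Aug 14 2024 02:02:31 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = tnguyen : user IP = 203.0.113.7
Aug 14 2024 02:05:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Aug 14 2024 02:05:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Aug 14 2024 02:05:14 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Aug 14 2024 02:09:48 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.4
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failure(line):
    """Return {"ts", "user", "ip"} for a rejected-auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, min_per_user=10):
    """Sliding-window count of failures per source IP.

    Spray: one IP fails against >= min_users distinct accounts within `window`
    (few tries per account, many accounts). Brute force: one IP fails >=
    min_per_user times against a single account within the window.
    Returns {ip: {"kind", "users", "attempts"}} with the largest window seen.
    """
    events = sorted(filter(None, map(parse_failure, lines)), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> failures inside the current window
    findings = {}
    for e in events:
        bucket = recent[e["ip"]]
        bucket.append(e)
        while e["ts"] - bucket[0]["ts"] > window:   # expire old failures
            bucket.pop(0)
        users = {x["user"] for x in bucket}
        per_user = max(sum(1 for x in bucket if x["user"] == u) for u in users)
        kind = None
        if len(users) >= min_users:
            kind = "password_spray"
        elif per_user >= min_per_user:
            kind = "brute_force"
        if kind:
            findings[e["ip"]] = {"kind": kind, "users": len(users), "attempts": len(bucket)}
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {f['kind']} ({f['users']} accounts, {f['attempts']} failures)")
```

The thresholds are starting points, not tuned values: a spray from a botnet spreads the attempts across many source addresses, so in production you would also group by target account and by the `/24` or ASN of the source. Successful logins that follow a spray from the same address are the higher-fidelity event and deserve their own analytic.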

Finally, as noted in the Stealers section, we continued to see increasing use of info-stealing malware for obtaining valid credentials, which adversaries use or sell to ransomware affiliates to gain access.

Lateral movement

Adversaries are fast and furious when it comes to lateral movement, with some intrusions progressing in a matter of hours. A continuing trend is adversaries quickly moving to unmonitored parts of the network; this past year, adversaries often favored moving to VMware ESXi hypervisors, which are rarely well-monitored. In these attacks, adversaries deploy encryptors developed for Linux that stop every virtual machine running on the victim’s hypervisor and then encrypt the individual VMDK files. Hypervisors are a particularly valuable target because organizations often use them to host business-critical services, and because they cannot run endpoint sensors. Although most ransomware reporting focuses on Windows varieties, many of the more prolific ransomware families—like RansomHub, Play, Black Basta, and Akira—include a Linux variant that they can deploy against hypervisors.

Prior to moving to ESXi environments, adversaries commonly obtain credentials through tools like Mimikatz and move laterally using detectable tools like PsExec or Impacket. We also observed adversaries downloading and using RMM tools to facilitate lateral movement as well as persist in the environment and act as their command and control.

Reconnaissance

As adversaries land on new systems, we regularly observe them conducting reconnaissance with the usual built-in commands:

  • ipconfig
  • whoami
  • net
  • nltest

We have also observed adversaries using free open source tools like AdFind, Angry IP Scanner, BloodHound, Nmap, PCHunter, SoftPerfect NetScan, and others to map out victim environments and scan the system for hosts.

Command and control

This past year, we saw adversaries continue to abuse RMM tools. (Adversaries use these tools to facilitate lateral movement, persistence, and command and control; we classify RMM usage under command and control consistent with MITRE ATT&CK®.) RMM tools are an attractive option for adversaries because they offer robust sets of remote administration features with the veneer of legitimacy, as they are used for regular business functions.

This past year, we most commonly saw the following RMM tools:

  • NetSupport Manager
  • AnyDesk Standalone
  • TightVNC
  • ConnectWise
  • TeamViewer Standalone
  • AdvancedRun
  • RustDesk
  • Ammyy Admin

Notable ransomware trends in 2024

It’s hard to believe that only a couple years ago, it would have been relatively unheard of for a ransomware actor to call their victim on the phone. However, what used to be SCATTERED SPIDER’s signature technique has proliferated across ransomware actors. Aggressive social engineering tactics that include calling the victim have spread across the ransomware ecosystem. At Red Canary, we observed an increase in email bombing followed by voice phishing, consistent with Black Basta precursor behavior.

Another technique that has spread across the ransomware ecosystem is the use of RMM tools for command and control and lateral movement. For example, this year we saw NetSupport Manager break into our yearly top 10, demonstrating the popularity of the use of RMM tools.

New ransomware groups

The past year saw an emergence of new ransomware variants, with newer groups quickly rising to the top of the charts for number of victims compromised (based on data from their own data leak sites). Prolific groups like FOG, RansomHub, and FunkSec all first appeared on the scene in 2024. Groups that began operations in 2024 represented a large percentage of ransomware attacks, with some researchers estimating that new groups made up over 50 percent of the compromises in November and December 2024.

Record-high costs of a ransomware event

Ransomware continues to be a lucrative business for criminals: victims in 2024 reportedly made record-high individual ransom payments, one as high as $75 million. Despite these individually large payments, total ransom earnings dropped in 2024, and the percentage of victims that pay the ransom continued to decrease. Whether a victim chooses to pay or not, the costs of being ransomed far exceed the requested ransom amount.

Businesses often face regulatory fines, litigation, and reputational damage from ransomware events, which can impact future earnings. Since the SEC’s requirement to disclose material cyber events took effect in late 2023, there has been a boom in class action lawsuits following data leaks. The increased media reporting of ransomware incidents, made possible through adversary leak sites, has also likely contributed to this boom. Attorneys monitoring for data breaches reported to the SEC or posted on data leak sites will initiate these so-called “event-driven litigations” almost immediately upon disclosure. In some cases, multiple attorney groups will initiate lawsuits, driving up the cost to the victim.

A silver lining: Law enforcement takedowns

2024 started off with a big win against ransomware operator LockBit with Operation Cronos, a multi-national effort led by the UK National Crime Agency (NCA). The trans-national disruption operation involved law enforcement agencies from nine countries, who collectively took down 34 servers, seized more than 200 cryptocurrency wallets, seized the LockBit data leak site, and arrested two alleged LockBit members. The LockBit disruption was quite different from previous takedown efforts in that it aimed not only at dismantling the infrastructure but also at sowing distrust in the ransomware marketplace, releasing affiliate names and stating that developer LockBitSupp was working with authorities.

Despite this effort, LockBitSupp announced within five days that operations had resumed. Although LockBit continued to post victims throughout 2024, some researchers assessed that the majority of the posted victims listed were from older intrusions, calling into question the accuracy of LockBit’s claims.

Take action

The good news for defenders is that even though new techniques and tools have emerged, many ransomware techniques have remained the same for the past several years. Continuing to focus on detection across the entire ransomware intrusion chain—particularly ransomware precursors—remains an effective strategy to ensure ransomware incidents have minimal impact.

The tried-and-true guidance of patching known vulnerabilities remains a solid approach to preventing initial access, as many ransomware intrusions start this way. If an organization can’t keep up with patching all vulnerabilities, we recommend prioritizing based on vulnerabilities in internet-facing devices listed in CISA’s Known Exploited Vulnerabilities catalog.

Prevention

  • Educate employees on the latest ransomware actor TTPs, such as the email flooding techniques employed by Black Basta affiliates.
  • To prevent unauthorized external parties from reaching users over Microsoft Teams chats or calls, disallow external access and allowlist partner domains as needed. This involves setting the External Access portion of Teams to either:
    • Allow only specific external domains
    • Block all external domains
  • Enhance endpoint visibility by deploying detection and response sensors across systems. Unmonitored endpoints can create an attacker playground; defenders’ visibility limits adversaries’ freedom.
  • Maintain an approved tools list and monitor or deny unauthorized RMM tools. Legitimate tools can be abused—know what’s in your environment and how each tool is normally used. Adversaries will often change the filename, download and run the tool from a non-standard directory, or make suspicious network connections with it.
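One way to turn an approved-tools list into a triage rule, as an added example rather than code from the original page: key on the PE OriginalFileName recorded in process telemetry (it survives a rename on disk), compare the product against the approved list, and flag binaries whose on-disk name or directory does not match a normal install. The event fields, the OriginalFileName values, and the policy are assumptions for illustration, modeled on EDR or Sysmon-style process events, not a vendor-supplied catalogue.

```python
"""Triage RMM tool executions against an approved-tools policy.

Added example, not code from the original page. Event fields (image path, the
PE OriginalFileName from the binary's version resource, user) are an assumption
modeled on EDR/Sysmon-style process telemetry; the OriginalFileName values and
the approved-tool policy below are illustrative, not a vendor catalogue.
"""
from pathlib import PureWindowsPath

# OriginalFileName (lowercased) -> product. The version-resource name survives
# a rename on disk, which is why it is the key rather than the file name.
RMM_BY_ORIGINAL_NAME = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "client32.exe": "NetSupport Manager",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "aa_v3.exe": "Ammyy Admin",
    "tvnserver.exe": "TightVNC",
}

# Hypothetical policy: one sanctioned product, expected under Program Files.
POLICY = {
    "approved": {"ConnectWise ScreenConnect"},
    "install_roots": ("c:\\program files\\", "c:\\program files (x86)\\"),
}


def triage_event(event, policy=POLICY):
    """Return a list of findings for one process event ([] means nothing to flag)."""
    product = RMM_BY_ORIGINAL_NAME.get(event["original_file_name"].lower())
    if product is None:
        return []                      # not an RMM binary we track
    image = PureWindowsPath(event["image"])
    findings = []
    if product not in policy["approved"]:
        findings.append(f"unapproved RMM: {product}")
    if image.name.lower() != event["original_file_name"].lower():
        findings.append(f"renamed binary: {image.name} is really {product}")
    folder = str(image.parent).lower() + "\\"
    if not folder.startswith(policy["install_roots"]):
        findings.append(f"non-standard directory: {image.parent}")
    return findings


def triage(events, policy=POLICY):
    """Map image path -> findings for every event that raises at least one."""
    out = {}
    for ev in events:
        hits = triage_event(ev, policy)
        if hits:
            out[ev["image"]] = hits
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe",
     "original_file_name": "ScreenConnect.ClientService.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe",
     "original_file_name": "AnyDesk.exe", "user": "CORP\\jsmith"},
    {"image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe",
     "original_file_name": "rustdesk.exe", "user": "CORP\\jsmith"},
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "original_file_name": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image)
        for h in hits:
            print("  -", h)
```

OriginalFileName is easy for an adversary to strip or patch, so treat a tracked product with an empty or nonsensical version resource as its own finding, and pair this rule with code-signing and hash checks. The directory check is deliberately strict: an RMM client launched from Downloads, Temp, or ProgramData is exactly the “download and run from a non-standard directory” pattern described above, even when the product itself is sanctioned.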

Detection opportunities

When it comes to detecting ransomware, the earlier you detect it, the better. While you may not be able to prevent initial access, having detection in depth along multiple intrusion phases will increase the likelihood of identifying ransomware precursors before the intrusion gets to exfiltration or encryption. We encourage you to check out the following other TDR pages for detection opportunities along multiple precursor phases prior to exfiltration or encryption:

As adversaries conduct discovery about the environment, we’ve found they regularly perform similar commands. The following detection analytic can help identify nltest behavior that helps an adversary learn more about domain trusts. Of course, if this is a command that is commonly run in your environment, you’ll need to tune it, but in our experience nltest is fairly uncommon.

command == ('nltest /domain_trusts')

If the activity makes it all the way to ransomware, the following detection analytic reliably identifies adversaries deleting volume shadow copies. This is something we see the majority of ransomware groups do if they encrypt data and cause impact. While this is a detection of “last resort,” if you detect at this point and act quickly, you may be able to prevent further lateral movement and encryption.

command == ('vssadmin.exe delete shadows')
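The two analytics above are written as exact command matches. In practice the same behavior arrives as `NLTEST.EXE /DOMAIN_TRUSTS /ALL_TRUSTS`, a quoted full path to `vssadmin.exe`, or `delete shadows /all /quiet`, so a real rule needs case-insensitive, order-independent matching plus a place to hang the tuning the text mentions. The following is an added example, not the original page’s analytic engine: it implements both detection opportunities over constructed process-creation events whose shape (command line and user) is an assumption modeled on EDR or Sysmon Event ID 1 telemetry. Key it on the child process (`vssadmin.exe`, `nltest.exe`), not the parent shell.

```python
"""Command-line analytics for the nltest and vssadmin detection opportunities.

Added example, not the original page's analytic engine. The events are
constructed process-creation records with an assumed shape (command_line,
user); run it over your own EDR or Sysmon Event ID 1 telemetry, keyed on the
child process (vssadmin.exe, nltest.exe) rather than the parent shell.
"""
import re
from pathlib import PureWindowsPath

# Each analytic: the executable (no path, no .exe) plus argument tokens that
# must all be present. Matching is case-insensitive and order-independent, so
# "vssadmin delete shadows /all /quiet" and "NLTEST /DOMAIN_TRUSTS /ALL_TRUSTS"
# still fire.
ANALYTICS = [
    {"name": "nltest_domain_trusts", "attack": "T1482",
     "process": "nltest", "args": {"/domain_trusts"}},
    {"name": "vssadmin_delete_shadows", "attack": "T1490",
     "process": "vssadmin", "args": {"delete", "shadows"}},
]

# Tuning (assumed): nltest is expected from this audit account, so suppress it there.
SUPPRESS = {"nltest_domain_trusts": {"corp\\svc-adaudit"}}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line):
    """Split a Windows command line into lowercase tokens, dropping quotes."""
    return [t.strip('"').lower() for t in TOKEN_RE.findall(command_line)]


def process_name(token):
    """'C:\\Windows\\System32\\vssadmin.exe' -> 'vssadmin'."""
    name = PureWindowsPath(token).name
    return name[:-4] if name.endswith(".exe") else name


def evaluate(event, analytics=ANALYTICS, suppress=SUPPRESS):
    """Return the list of analytics this event triggers after tuning."""
    tokens = tokenize(event["command_line"])
    if not tokens:
        return []
    proc, args = process_name(tokens[0]), set(tokens[1:])
    hits = []
    for a in analytics:
        if proc != a["process"] or not a["args"] <= args:
            continue
        if event["user"].lower() in suppress.get(a["name"], set()):
            continue   # tuned out for this account
        hits.append({"analytic": a["name"], "attack": a["attack"],
                     "user": event["user"], "command_line": event["command_line"]})
    return hits


def run_analytics(events):
    """Evaluate every event and flatten the resulting hits."""
    return [hit for ev in events for hit in evaluate(ev)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"command_line": "nltest /domain_trusts", "user": "CORP\\jsmith"},
    {"command_line": "NLTEST.EXE /DOMAIN_TRUSTS /ALL_TRUSTS", "user": "CORP\\svc-adaudit"},
    {"command_line": "nltest /dclist:corp", "user": "CORP\\jsmith"},
    {"command_line": "\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all /quiet",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"command_line": "vssadmin list shadows", "user": "CORP\\backupsvc"},
]

if __name__ == "__main__":
    for hit in run_analytics(SAMPLE_EVENTS):
        print(f"[{hit['attack']}] {hit['analytic']}: {hit['user']} ran {hit['command_line']}")
```

Suppression by account is the coarsest form of tuning; suppressing by parent process or source host (a scheduled audit job on one jump host, a backup agent’s service account) keeps the rule quiet without blinding it to the same command run interactively from a workstation. The `vssadmin` rule is still the detection of last resort the text describes: it fires at impact, so route it to a response path that can isolate the host immediately rather than to a queue.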

Testing

Start testing your defenses against ransomware using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

The best strategy for testing your defenses against ransomware is actually to emulate and test your ability to detect the precursors that commonly deliver ransomware as a later stage payload. Likewise, consider exploring the testing sections in this report for:

In addition to that, T1490: Inhibit System Recovery includes relevant tests for deletion of volume shadow copies and T1482: Domain Trust Discovery includes tests that leverage the nltest command to discover information about domain trust relationships.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
