They Come in the Night: Ransomware Deployment Trends

Ransomware is a remote, digital shakedown. It is disruptive and
expensive, and it affects all kinds of organizations, from cutting
edge space
technology firms, to the wool
industry, to industrial
environments. Infections have forced hospitals to turn
away patients and law enforcement to drop
cases against drug dealers. Ransomware operators have recently
begun combining encryption with the threat of data
leak and exposure in order to increase leverage against victims.
There may be a silver lining, however; Mandiant Intelligence research
suggests that focusing defensive efforts in key areas and acting
quickly may allow organizations to stop ransomware before it is deployed.

Mandiant Intelligence examined dozens of ransomware incident
response investigations from 2017 to 2019. Through this research, we
identified a number of common characteristics in initial intrusion
vectors, dwell time, and time of day of ransomware deployment. We also
noted threat actor innovations in tactics to maximize profits (Figure
1). Incidents affected organizations across North America, Europe,
Asia Pacific, and the Middle East in nearly every sector category,
including financial services, chemicals and materials, legal and
professional services, local government, and healthcare. We observed
intrusions attributed to financially motivated groups such as FIN6,
TEMP.MixMaster, and dozens of additional activity sets.

Figure 1: Themes Observed in Ransomware Incidents

These incidents provide us with enhanced insight into ransomware
trends that can be useful for network defenders, but it is worth
bearing in mind that this data represents only a sample of all
activity. For example, Mandiant ransomware investigations increased
860% from 2017 to 2019. The majority of these incidents appeared to be
post-compromise infections, and we believe that threat actors are
accelerating use of tactics including post compromise deployment to
increase the likelihood of ransom payment. We also observed incidents
in which ransomware was executed immediately, for example GANDCRAB and
GLOBEIMPOSTER incidents, but most of the intrusions examined were
longer duration and more complex post-compromise deployments.

Common Initial Infection Vectors

We noted several initial infection vectors across multiple
ransomware incidents, including RDP, phishing with a malicious link or
attachment, and drive by download of malware facilitating follow-on
activity. RDP was more frequently observed in 2017 and declined in
2018 and 2019. These vectors demonstrate that ransomware can enter
victim environments by a variety of means, not all of which require
user interaction.

Most Ransomware Deployments Take Place Three or More Days After
Initial Infection

The number of days elapsed between the first evidence of malicious
activity and the deployment of ransomware ranged from zero to 299 days
(Figure 2). That is, dwell times range quite widely, and in most
cases, there was a time gap between first access and ransomware
deployment. For 75 percent of incidents, at least three days passed
between the first evidence of malicious activity and ransomware deployment.

This pattern suggests that for many organizations, if initial
infections are detected, contained, and remediated quickly, the
significant damage and cost associated with a ransomware infection
could be avoided. In fact, in a handful of cases, Mandiant
incident responders and FireEye Managed Defense contained and
remediated malicious activity, likely preventing ransomware
deployment. Several investigations discovered evidence of ransomware
installed into victim environments but not yet successfully executed.

Figure 2: Days elapsed between initial
access and ransomware deployment

Ransomware Deployed Most Often After Hours

In 76% of incidents we reviewed, ransomware was executed in victim
environments after hours, that is, on a weekend or before 8:00 a.m. or
after 6:00 p.m. on a weekday, using the time zone and customary work
week of the victim organization (Figure 3 and Figure 4). This
observation underscores that threat actors continue working even when
most employees may not be.

Some attackers possibly intentionally deploy ransomware after hours,
on weekends, or during holidays, to maximize the potential
effectiveness of the operation on the assumption that any remediation
efforts will be implemented more slowly than they would be during
normal work hours. In other cases, attackers linked ransomware
deployment to user actions. For example, in 2019 incidents at retail
and professional services firms, attackers created an Active Directory
Group Policy Object to trigger ransomware execution based on user log
on and log off.

Figure 3: Ransomware execution frequently
takes place after hours

Figure 4: Ransomware execution by hour of
the day

Mitigation Recommendations

Organizations seeking to prevent or mitigate the effects of
ransomware infections could consider the following steps. For more
comprehensive recommendations for addressing ransomware, please refer
to our blog post: Ransomware
Protection and Containment Strategies: Practical Guidance for
Endpoint Protection, Hardening, and Containment and the
linked white paper.

Outlook

Ransomware is disruptive and costly. Threat actor innovations have
only increased the potential damage of ransomware infections in recent
years, and this trend shows no sign of slowing down. We expect that
financially motivated actors will continue to evolve their tactics to
maximize profit generated from ransomware infections. We anticipate
that post-compromise ransomware infections will continue to rise and
that attackers will increasingly couple ransomware deployment with
other tactics, such as data theft and extortion, increasing ransom
demands, and targeting critical systems.

The good news is that particularly with post-compromise infections,
there is often a window of time between the first malicious action and
ransomware deployment. If network defenders can detect and remediate
the initial compromise quickly, it is possible to avoid the
significant damage and cost of a ransomware infection.

Register for our upcoming ransomware
webinar to learn more.

Print Share Comment Cite Upload Translate

APA

() » They Come in the Night: Ransomware Deployment Trends. Retrieved from https://www.truth.cx/2020/03/16/they-come-in-the-night-ransomware-deployment-trends/.

MLA

" » They Come in the Night: Ransomware Deployment Trends." - , https://www.truth.cx/2020/03/16/they-come-in-the-night-ransomware-deployment-trends/

HARVARD

» They Come in the Night: Ransomware Deployment Trends., viewed ,

VANCOUVER

- » They Come in the Night: Ransomware Deployment Trends. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2020/03/16/they-come-in-the-night-ransomware-deployment-trends/

CHICAGO

" » They Come in the Night: Ransomware Deployment Trends." - Accessed . https://www.truth.cx/2020/03/16/they-come-in-the-night-ransomware-deployment-trends/

IEEE

" » They Come in the Night: Ransomware Deployment Trends." [Online]. Available: https://www.truth.cx/2020/03/16/they-come-in-the-night-ransomware-deployment-trends/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <p>Ransomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting edge <a href="https://news.sky.com/story/spacex-and-tesla-documents-leaked-online-by-hackers-11947792">space technology</a> firms, to the <a href="https://www.itnews.com.au/news/australian-wool-sales-stopped-by-ransomware-attack-538657">wool industry</a>, to <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html">industrial environments</a>. Infections have forced hospitals to <a href="https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/">turn away patients</a> and law enforcement to <a href="https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/">drop cases</a> against drug dealers. Ransomware operators have recently begun combining encryption with the threat of <a href="https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/">data leak and exposure</a> in order to increase leverage against victims. There may be a silver lining, however; Mandiant Intelligence research suggests that focusing defensive efforts in key areas and acting quickly may allow organizations to stop ransomware before it is deployed.</p> <p>Mandiant Intelligence examined dozens of ransomware incident response investigations from 2017 to 2019. Through this research, we identified a number of common characteristics in initial intrusion vectors, dwell time, and time of day of ransomware deployment. We also noted threat actor innovations in tactics to maximize profits (Figure 1). Incidents affected organizations across North America, Europe, Asia Pacific, and the Middle East in nearly every sector category, including financial services, chemicals and materials, legal and professional services, local government, and healthcare. We observed intrusions attributed to financially motivated groups such as <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html">FIN6</a>, TEMP.MixMaster, and dozens of additional activity sets.</p> <p> <img src="https://www.fireeye.com/content/dam/fireeye-www/blog/images/ransomwaretrends/Picture1.png" alt="" /> <br /> <span class="type-XS">Figure 1: Themes Observed in Ransomware Incidents</span></p> <p>These incidents provide us with enhanced insight into ransomware trends that can be useful for network defenders, but it is worth bearing in mind that this data represents only a sample of all activity. For example, Mandiant ransomware investigations increased 860% from 2017 to 2019. The majority of these incidents appeared to be post-compromise infections, and we believe that threat actors are accelerating use of tactics including post compromise deployment to increase the likelihood of ransom payment. We also observed incidents in which ransomware was executed immediately, for example GANDCRAB and GLOBEIMPOSTER incidents, but most of the intrusions examined were longer duration and more complex post-compromise deployments.</p> <h4>Common Initial Infection Vectors</h4> <p>We noted several initial infection vectors across multiple ransomware incidents, including RDP, phishing with a malicious link or attachment, and drive by download of malware facilitating follow-on activity. RDP was more frequently observed in 2017 and declined in 2018 and 2019. These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.</p> <table border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="96" valign="top"><p> <b>RDP or other remote access</b></p> </td> <td width="528" valign="top"><p>One of the most frequently observed vectors was an attacker logging on to a system in a victim environment via Remote Desktop Protocol (RDP). In some cases, the attacker brute forced the credentials (many failed authentication attempts followed by a successful one). In other cases, a successful RDP log on was the first evidence of malicious activity prior to a ransomware infection. It is possible that the targeted system used default or weak credentials, the attackers acquired valid credentials via other unobserved malicious activity, or the attackers purchased RDP access established by another threat actor. In <a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html">April 2019</a>, we noted that FIN6 used stolen credentials and RDP to move laterally in cases resulting in ransomware deployment.</p> </td> </tr> <tr> <td width="96" valign="top"><p> <b>Phishing with link or attachment</b></p> </td> <td width="528" valign="top"><p>A significant number of ransomware cases were linked to phishing campaigns delivering some of the most prolific malware families in financially motivated operations: TRICKBOT, EMOTET, and FLAWEDAMMYY. In <a href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html">January 2019</a>, we described TEMP.MixMaster TrickBot infections that resulted in interactive deployment of Ryuk.</p> </td> </tr> <tr> <td width="96" valign="top"><p> <b>Drive-by-download</b></p> </td> <td width="528" valign="top"><p>Several ransomware infections were traced back to a user in the victim environment navigating to a compromised website that resulted in a DRIDEX infection. In <a href="https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html">October 2019</a>, we documented compromised web infrastructure delivering FAKEUPDATES, then DRIDEX, and ultimately BITPAYMER or DOPPELPAYMER infections.</p> </td> </tr></tbody></table> <h4>Most Ransomware Deployments Take Place Three or More Days After Initial Infection</h4> <p>The number of days elapsed between the first evidence of malicious activity and the deployment of ransomware ranged from zero to 299 days (Figure 2). That is, dwell times range quite widely, and in most cases, there was a time gap between first access and ransomware deployment. For 75 percent of incidents, at least three days passed between the first evidence of malicious activity and ransomware deployment.</p> <p>This pattern suggests that for many organizations, <b>if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided. </b>In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment. Several investigations discovered evidence of ransomware installed into victim environments but not yet successfully executed.<b></b></p> <p> <img src="https://www.fireeye.com/content/dam/fireeye-www/blog/images/ransomwaretrends/Picture2.png" alt="" /> <br /> <span class="type-XS">Figure 2: Days elapsed between initial access and ransomware deployment</span></p> <h4>Ransomware Deployed Most Often After Hours</h4> <p>In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization (Figure 3 and Figure 4). This observation underscores that threat actors continue working even when most employees may not be.</p> <p>Some attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off.</p> <p> <img src="https://www.fireeye.com/content/dam/fireeye-www/blog/images/ransomwaretrends/Picture3.png" alt="" /> <br /> <span class="type-XS">Figure 3: Ransomware execution frequently takes place after hours</span></p> <p> <img src="https://www.fireeye.com/content/dam/fireeye-www/blog/images/ransomwaretrends/Picture4.png" alt="" /> <br /> <span class="type-XS">Figure 4: Ransomware execution by hour of the day</span></p> <h4>Mitigation Recommendations</h4> <p>Organizations seeking to prevent or mitigate the effects of ransomware infections could consider the following steps. For more comprehensive recommendations for addressing ransomware, please refer to our blog post: <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2019/09/ransomware-protection-and-containment-strategies.html"><i>Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment</i></a> and the linked <a href="https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf">white paper</a>.</p> <table border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="96" valign="top"><p> <b>Address Infection Vectors</b></p> </td> <td width="528" valign="top"><ul> <li>Use enterprise network, email, and host-based security products with up-to-date detections to prevent and detect many common malware strains such as TRICKBOT, DRIDEX, and EMOTET.</li> <li>Contain and remediate infections quickly to prevent attackers from conducting follow-on activity or selling access to other threat actors for further exploitation.</li> <li>Perform regular network perimeter and firewall rule audits to identify any systems that have inadvertently been left accessible to the internet. Disable RDP and other protocols to systems where this access is not expressly required. Enable multi-factor authentication where possible, particularly to internet-accessible connections, see pages 4-15 of the white paper for more details.</li> <li>Enforce multi-factor authentication, that is, where enabled, do not allow single factor authentication for users who have not set up the multi-factor mechanism.</li> </ul> </td> </tr> <tr> <td width="96" valign="top"><p> <b>Implement Best Practices</b></p> </td> <td width="528" valign="top"><ul> <li>For example, carry out regular anti-phishing training for all employees that operate a device on the company network. Ensure employees are aware of threat, their role in preventing it, and the potential cost of a successful infection.</li> <li>Implement network segmentation when possible to prevent a potential infection from spreading.</li> <li>Create regular backups of critical data necessary to ensure business continuity and, if possible, store them offsite, as attackers often target backups.</li> <li>Restrict Local Administrator accounts from specific log on types, see page 18 of the white paper for more details.</li> <li>Use a solution such as LAPS to generate a unique Local Administrator password for each system.</li> <li>Disallow cleartext passwords to be stored in memory in order to prevent Mimikatz credential harvesting, see p. 20 of the white paper for more details.</li> <li>Consider cyber insurance that covers ransomware infection.</li> </ul> </td> </tr> <tr> <td width="96" valign="top"><p> <b>Establish Emergency Plans</b></p> </td> <td width="528" valign="top"><ul> <li>Ensure that after-hours coverage is available to respond within a set time period in the case of an emergency.</li> <li>Institute after-hours emergency escalation plans that include redundant means to contact multiple stakeholders within the organization and 24-hour emergency contact information for any relevant third-party vendors.</li> </ul> </td> </tr></tbody></table> <h4>Outlook</h4> <p>Ransomware is disruptive and costly. Threat actor innovations have only increased the potential damage of ransomware infections in recent years, and this trend shows no sign of slowing down. We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections. We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems.</p> <p>The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.</p> <p>Register for our upcoming <a href="https://www.brighttalk.com/webcast/7451/389929">ransomware webinar</a> to learn more.</p> First name:

Last name: