Ransomware Groups Prioritize Defense Evasion for Data Exfiltration

Ransomware attackers are applying a significant focus on defense evasion tactics to increase dwell time in victim networks, according to a new report by Cisco Talos.

This trend is a result of the shift to the double-extortion ransomware model, in which attackers aim to steal sensitive data and threaten to publish it online alongside locking down the victims’ systems.

Ransomware threat actors need to gain persistent access to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen, the researchers said.

The Cisco Talos report analyzed the tactics, techniques and procedures (TTPs) of the 14 most active ransomware groups between 2023 and 2024.

During Infosecurity Europe 2024, experts highlighted how data exfiltration is now the main way ransomware groups extort victims.

Hackers now view encryption as an add on or don’t bother locking down data at all.

How Attackers Are Establishing Persistence

The Cisco report highlighted a range of techniques deployed by ransomware actors to evade detection and move laterally in a network following initial access.

The most prominent groups quickly focus on defense evasion techniques, including:

  • The disablement and modification of security software such as anti-virus programs, endpoint detection solutions or security features in the operating system to prevent the detection of the ransomware payload
  • Obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed
  • Modify the system registry to disable security alerts
  • Configure the software to execute at startup
  • Block certain recovery options for users

Living-off-the-Land Techniques

Attackers will then look to establish long-term access, ensuring their operations are successful even if their initial intrusion is discovered and remediated.

These persistence techniques include the use of automated malware persistence mechanisms, such as AutoStart execution upon system boot and creation of remote access software tools.

After achieving persistent access, threat actors will attempt to move laterally in the network and locate and exfiltrate sensitive data prior to deploying the ransomware payload.

They often look to exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain using various local utilities and legitimate services.

These ‘living-off-the-land’ techniques are designed to blend in with typical operating system functions. They often involve the use of network scanner utilities in conjunction with local operating system tools and utilities, such as Certutil, Wevtutil, Net, Nltes and Netsh.

Data Exfiltration and Encryption

After locating sensitive files in the network, attackers have developed effective methods for concealing the exfiltration of this data.

The researchers identified the regular use of compression and encryption utilities such as WinRAR and 7-Zip to conceal the exfiltration and transfer of sensitive files to an external adversary-controlled resource or over a command and control (C2) mechanism.

For more mature operations, some ransomware-as-a-service (RaaS) groups have developed custom data exfiltration tools to facilitate data theft, such as StealBit, which is used by LockBit.

Following data exfiltration, the attackers can stage the ransomware payload and encrypt the network before informing the victims and starting negotiations.

If the goal is pure data theft extortion, then the encryption phase is skipped.

Growing Vulnerability Exploitation

Ransomware attackers are increasingly exploiting known and zero-day vulnerabilities in public-facing applications for initial access, the researchers found.

The exploitation of these and other critical vulnerabilities can also enable privilege escalation, providing a basis for evading detection and establishing persistent access.

Read here: Chinese State Actor APT40 Exploits N-Day Vulnerabilities “Within Hours”

Cisco highlighted three vulnerabilities that have been repeatedly exploited by prominent ransomware groups in the past year:

  • CVE-2020-1472: Also known as ‘Zerologon’, this flaw is in the Netlogon Remote Protocol. Attackers can bypass authentication mechanisms and change computer passwords within a domain controller’s Active Directory, allowing them to quickly escalate privileges to domain administrator levels
  • CVE-2018-13379: The vulnerability in Fortinet’s FortiOS SSL VPN allows unauthenticated attackers to access system files through specially crafted HTTP requests. This enables threat actors to gain sensitive information, such as VPN tokens, and advance through the attack chain moving laterally within the network
  • CVE-2023-0669: This GoAnywhere Managed File Transfer flaw allows remote attackers to execute arbitrary code on the server without requiring authentication. The compromised server can be used as a pivot for further internal reconnaissance and lateral movement

Defending Against Evolving Ransomware Tactics

Cisco highlighted key steps organizations should take to mitigate the TTPs employed by ransomware groups. These are:

  • Apply patches and updates regularly to all systems and software
  • Implement strong password policies and enforce multi-factor authentication (MFA) for each account
  • Minimize attack surfaces by disabling unnecessary services and features, and apply best practices to harden all systems and environments
  • Segment networks using VLANs or similar technologies to isolate sensitive data and systems, thereby preventing lateral movement
  • Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events
  • Adopt a least-privilege approach, ensuring that users and systems have only the minimal level of access necessary to perform their functions
  • Minimize your IT systems’ exposure to the internet y limiting the number of public-facing services and ensuring robust protections for any necessary external interfaces