How a ransomware attacker thinks
“It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers,” one cybersecurity leader says.
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
What are they thinking?
When it comes to ransomware criminals, the answers can vary. Some organizations are sophisticated businesses where hackers are treated as employees with HR departments and paid time-off, while others are more ramshackle.
But they’re all dangerous—and after your data. Mike Puglia, general manager of cybersecurity labs at Kaseya, told IT Brew that financial gain has been the constant motive of ransomware attackers. The tactics are much the same across groups: gaining access, exploiting vulnerabilities, escalating privileges, and deploying an encrypter to hold the data for payment.
“It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes,” Puglia said.
Undetected. Threat actors can lurk inside systems for months before taking action. They infiltrate via a number of different techniques, including social engineering, and once inside they conduct reconnaissance to get ready to exfiltrate data, encrypt your backups, or both.
Meanwhile, attack speed and efficiency are increasing. Attackers often work as teams with different workflows and responsibilities. It’s important to understand that these groups can be as professional as the institutions they target, said Chris Hendricks, head of incident response at Coalition.
“This isn’t just a slapdash setup; this is big money and big organization and a lot of people, and as they get better at running their nefarious business, it means a faster impact on the side of our customers,” Hendricks said. “The good news, of course, is that our customers are getting smarter about responding. So, it’s a back-and-forth.”
Ways in. Attackers use varied tactics, including software-as-a-service and outsourcing to third-party vendors who charge for their services, often asking for a portion of the proceeds in cash or crypto.
“Ransomware gangs have great partner programs,” Puglia said. “They will allow access and they will get 30% of the take; you’ll use their systems, and they’ll collect the cryptocurrency, and they’ll keep 30% of it.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
It pays off, as Maël Le Touz, senior threat researcher at Infoblox, told IT Brew in January.
“These criminal gangs are not just doing this because it’s fun. They’re doing this because it’s very, very profitable, and there is very little law enforcement and very little risk for them being involved,” Le Touz said.
Tactical demand. Once they’ve compromised a system, attackers reach out with the ransom demand. Paul Caiazzo, the chief threat officer at Quorum Cyber, emphasized the importance of using a third party to conduct negotiations. In some cases, a threat actor will leave instructions for how to get in touch with them that are typically “a chat you’re going to find on the dark web someplace.”
“We would never recommend any clients jump on one of those negotiation chats with a threat actor, don’t even click the link,” Caiazzo said. “By going to the threat actor’s page, they’re going to be able to learn some things about you, and there’s a potential for additional risk to come to you as a result of that.”
If an untrained individual does interact with them, Caiazzo warned that saying the wrong thing could derail the entire defense operation quickly. Hendricks agreed, advising that organizations shouldn’t engage with attackers without talking to a professional first.
“Even if you don’t choose to make a payment, you might still choose to talk to them, but through a third party,” Hendricks said. “It can be really beneficial to learn that you have these options, that there are people who can do this in a smart way and protect you, whatever decision you choose to make.”