Fraud Management & Cybercrime , Governance & Risk Management , Ransomware

Ransomware Attack Vectors: RDP and Phishing Still Dominate

Review of 2021 Ransomware Attacks Also Finds Average Ransom Demand Was $247,000
Ransomware Attack Vectors: RDP and Phishing Still Dominate
Top 10 tools used by ransomware groups during 2021 attacks (Source: Group-IB)

Attackers who successfully infect targets with ransomware primarily first gain access by exploiting poorly secured remote access connections or by using malware-laden phishing emails.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

So reports cybersecurity firm Group-IB, based on more than 700 attacks the company's incident response team investigated in 2021.

The average ransom amount demanded in the attacks Group-IB investigated last year was $247,000, which is says was an increase of 45% from 2020. Last year, 63% of all ransomware attacks it investigated involved data exfiltration.

How are attackers hacking victims? The firm found 47% of attacks traced to access of an external service - often remote desktop protocol or VPN - while 26% of attacks traced to phishing.

Top 10 techniques used by ransomware groups in 2021 (Source: Group-IB)

Such findings are little changed from previous years (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).

Perhaps this should not be surprising, since experts say criminals' chief motive remains to make a profit as easily and quickly as possible. If an attack technique offers a good return on investment, why wouldn't criminals keep using it?

Initial infection vectors tied to ransomware groups in 2020 (left) and 2021 (Source: Group-IB)

Cybercrime-as-a-Service Economy Thrives

The cybercrime-as-a-service economy makes RDP and VPN credentials widely available for sale via the initial access brokers who gather them, oftentimes with prices tailored to the annual revenue of a victim. Some ransomware groups also foster exclusive relationships with brokers, sometimes paying a flat fee, or in other cases sharing a pre-agreed split of any ransom a victim pays.

Also easy to procure: malware for gaining an initial foothold on devices. "Commodity malware deployed at the initial stage has become increasingly popular among ransomware actors," Group-IB says in its report, highlighting in particular Emotet, Qakbot and IcedID. But whereas in 2020 a single criminal syndicate typically wielded any given strain, in 2021, Group-IB says, multiple groups were often using the same strains. For example, the security firm found that the IcedID loader - a piece of malware designed to load other malware, such as ransomware - was being used during 2021 by affiliates of multiple groups, "including Egregor, REvil, Conti, XingLocker and RansomExx."

Example of a weaponized document used to deliver IcedID (Source: Group-IB)

Based on the February leak of the Conti ransomware group's internal communications, the creator of IcedID appears to be a developer with the codename Leo who - at least now, if not before - works for Conti.

After gaining access to a victim's network, Group-IB says, the most-used tool used by attackers, seen in 71% of attacks, was commercial software called SoftPerfect Network Scanner. Developer SoftPerfect says its software "can ping computers, scan ports, discover shared folders and retrieve practically any information about network devices via WMI, SNMP, HTTP, SSH and PowerShell."

"It is not unexpected to see freely available scanners - such as Advanced IP Scanner, SoftPerfect Network Scanner and Advanced Port Scanner - because they help quickly gather information about a scanned environment and identify the assets that could be valuable for lateral movement, data exfiltration or ransomware deployment," Group-IB says in its report.

Frequently Used: Cobalt Strike

Another commonly used tool seen in 57% of all attacks, Group-IB says, was legitimate software called Cobalt Strike. Such software can be used to install implants - aka beacons - to remotely control endpoints, and ransomware groups frequently wield cracked copies of the software.

Group-IB says attackers often use Cobalt Strike beacons to facilitate port scanning, "mainly in order to identify opened RDP, SMB, WinRm and SSH services across the attacked network" (see: Block This Now: Cobalt Strike and Other Red-Team Tools).

Attackers often use Cobalt Strike to move laterally across a network, as detailed by threat intelligence firm Advanced Intelligence, aka AdvIntel, in a recent report analyzing a December 2021 ransomware attack against the IT systems of the U.S. National Football League's San Francisco 49ers.

Victim notice posted to BlackByte's Tor-based data leak site

"With the use of Cobalt Strike, the Conti team who began the operation against the 49ers on Dec. 14, 2021, were able to compromise the victim's primary domain and get access to the local shares and core network segments for several departments, including the team's finance and accounting sectors," AdvIntel researchers Vitali Kremez and Yelisey Boguslavskiy write in the report.

"Conti's presence in the network shares enabled them to map internal folders and identify critical information which could be then handled by other groups for exfiltration and data encryption," they write. "In this case, Conti used a Cobalt Strike beacon to move laterally through a network silently in order to investigate it and map it to full capacity, rather than hit it directly."

AdvIntel attributed the attack to Conti, saying it passed stolen data to its BlackByte subdivision (see: BlackByte Ransomware Hits San Francisco 49ers' IT Systems).

Leak Sites: Who Gets Listed?

Based on ransomware groups' data leak sites in 2021, Group-IB reports that organizations in the United States, Canada and the U.K. were most frequently listed, and listed victims most often hailed from the manufacturing, real estate and professional services sectors.

This analysis is based on victims posted to data leak sites by ransomware groups. Note: Not all ransomware groups run such sites, and not all victims get listed. (Source: Group-IB)

One challenge with tracking ransomware remains the fact that not all attacks come to light. Many but not all ransomware groups run data leak sites. Even for groups that do run such sites, attackers' preference is for a victim to pay quickly and quietly - oftentimes to avoid getting listed in the first place - because that makes criminals' activities tougher for law enforcement agencies to track. When a victim doesn't pay, in some cases - but not all - a group that runs its own data leak site will list the victim and subsequently begin leaking data, to pressure them into paying the ransom.

For example, the leaks of Conti's communications revealed the identity of numerous organizations that had not previously disclosed or otherwise been outed as being ransomware victims. Some also paid a ransom, again with the public being none the wiser.

"Victims that have paid the ransom but didn't report the breach have now been exposed via the chat leaks," John Fokker, head of cyber investigations and principal engineer at cybersecurity firm Trellix, has told Information Security Media Group. "I guess even your ransomware skeletons come out of the closet sooner or later."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.