{"id":34416,"date":"2020-07-13T02:49:00","date_gmt":"2020-07-13T06:49:00","guid":{"rendered":"http:\/\/blog.cybercon1.com\/?p=34416"},"modified":"2020-07-13T02:49:00","modified_gmt":"2020-07-13T06:49:00","slug":"ransomware-characteristics-and-attack-chains","status":"publish","type":"post","link":"https:\/\/blog.cyberconservices.com\/index.php\/2020\/07\/13\/ransomware-characteristics-and-attack-chains\/","title":{"rendered":"Ransomware Characteristics and Attack Chains"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.tripwire.com\/state-of-security\/contributors\/mjerzewski\/\">MATTHEW JERZEWSKI<\/a> &#8211; <strong>Ransomware<\/strong> has been around for decades, going back all the way to\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.knowbe4.com\/aids-trojan\" target=\"_blank\">1989<\/a>. Since then it has only grown in scope and complexity. Now, at a time when working remotely is becoming more universal and the world is trying to overcome the Covid-19 pandemic, ransomware has never been more prominent.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.cyberconservices.com\/wp-content\/uploads\/2020\/07\/Payload-Diagram.png\" alt=\"\" class=\"wp-image-34417\" width=\"613\" height=\"311\"\/><\/figure>\n\n\n\n<p><strong>Ransomware<\/strong> is a type of malware that prevents users from accessing their system or personal files and demands a \u201cransom payment\u201d in order to regain access. <strong>Ransomware<\/strong> campaigns come in two types, \u201chuman-operated\u201d and \u201cauto-spreading\u201d; this article focuses on the human-operated campaigns.<\/p>\n\n\n\n<p>Human-operated campaigns tend to follow a common attack pattern: gaining initial access, credential theft, lateral movement and persistence. 
For many of the human-operated campaigns, initial access comes from RDP brute force, a vulnerable internet-facing system, or weak application settings. Once attackers have gained access they can deploy a plethora of tools to steal user credentials. With credentials in hand, lateral movement takes place either by deploying a widely known commercial penetration testing suite called\u00a0<em><a rel=\"noreferrer noopener\" href=\"https:\/\/www.cynet.com\/cyber-attacks\/cobalt-strike-white-hat-hacker-powerhouse-in-the-wrong-hands\" target=\"_blank\">Cobalt Strike,<\/a>\u00a0<\/em>by abusing WMI (Windows Management Instrumentation) for remote execution, or by abusing other built-in management tools with the privileges of the stolen accounts. Finally, attackers want to keep their connection and make it persistent; this is done by creating new accounts, making GPO (Group Policy Object) changes, creating scheduled tasks, manipulating service registration, or by deploying shadow tools.  <a href=\"https:\/\/www.google.com\/url?rct=j&amp;sa=t&amp;url=https:\/\/www.tripwire.com\/state-of-security\/featured\/ransomware-characteristics-attack-chains-recent-campaigns\/&amp;ct=ga&amp;cd=CAEYACoUMTI4MDY2MjQ2Nzg3MDk1ODUxNDUyGmY5NWQ3ZDU3NzU5MmRlMjE6Y29tOmVuOlVT&amp;usg=AFQjCNFk9KqgWG8YQ4vNyehyUpxGjgUGVA\">Read On:<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MATTHEW JERZEWSKI &#8211; Ransomware has been around for decades, going back all the way to\u00a01989. Since then it has only grown in scope and complexity. 
Now at a time when working remotely is becoming more universal and the world is <span class=\"excerpt-dots\">&hellip;<\/span> <a class=\"more-link\" href=\"https:\/\/blog.cyberconservices.com\/index.php\/2020\/07\/13\/ransomware-characteristics-and-attack-chains\/\"><span class=\"more-msg\">Continue reading &rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[636],"tags":[637],"class_list":["post-34416","post","type-post","status-publish","format-standard","hentry","category-ransomware","tag-ransomware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/posts\/34416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/comments?post=34416"}],"version-history":[{"count":0,"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/
posts\/34416\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/media?parent=34416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/categories?post=34416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.cyberconservices.com\/index.php\/wp-json\/wp\/v2\/tags?post=34416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
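The attack pattern summarised in the post (RDP brute force for initial access, then new accounts, scheduled tasks and service registration for persistence) maps onto a handful of Windows event IDs that a defender can watch. The Python below is an added example, not code from the article, from Tripwire or from Microsoft: it runs two toy detections over constructed event records. The event IDs (4625, 4624, 4720, 4698, 7045) and logon type 10 are the real Windows values; the record layout, field names, addresses, user names, task and service names are all invented for the sample.

```python
"""Toy detections for the human-operated ransomware chain described in the post.

Events are dicts shaped loosely like Windows Security / System log records
(an EventID plus a few EventData fields). SAMPLE_EVENTS at the bottom is
constructed for this example and is not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Persistence indicators named in the post. 4720 and 4698 are Security log
# events; 7045 is written to the System log by the Service Control Manager.
PERSISTENCE_EVENTS = {
    4720: "user account created",
    4698: "scheduled task created",
    7045: "new service installed",
}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= `threshold` RDP logon failures inside any
    `window`-long span. Also report whether an RDP success from the same IP
    followed the failures, i.e. the brute force actually worked."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        bucket = (fails if ev["EventID"] == FAILED_LOGON else
                  successes if ev["EventID"] == SUCCESS_LOGON else None)
        if bucket is not None:
            bucket[ev["IpAddress"]].append(_ts(ev))

    hits = {}
    for ip, times in fails.items():      # timestamps are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(times),
                    "succeeded_after": any(t > times[0] for t in successes[ip]),
                }
                break
    return hits


def detect_persistence(events):
    """List persistence indicators in time order, keeping the fields an
    analyst pivots on: who did it and what was created."""
    findings = []
    for ev in sorted(events, key=_ts):
        what = PERSISTENCE_EVENTS.get(ev["EventID"])
        if what is None:
            continue
        findings.append({
            "time": ev["time"],
            "EventID": ev["EventID"],
            "what": what,
            "actor": ev.get("SubjectUserName") or ev.get("AccountName"),
            "object": (ev.get("TargetUserName") or ev.get("TaskName")
                       or ev.get("ServiceName")),
        })
    return findings


def _logon(time, event_id, ip, user):
    return {"time": time, "EventID": event_id, "LogonType": RDP_LOGON_TYPE,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample (not real data). 203.0.113.7 and 198.51.100.20 are
# RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    # six RDP failures in 90 seconds from one address, then a success
    *[_logon(f"2020-07-13T02:00:{s:02d}", FAILED_LOGON, "203.0.113.7", "administrator")
      for s in (0, 18, 36, 54)],
    _logon("2020-07-13T02:01:12", FAILED_LOGON, "203.0.113.7", "administrator"),
    _logon("2020-07-13T02:01:30", FAILED_LOGON, "203.0.113.7", "administrator"),
    _logon("2020-07-13T02:02:00", SUCCESS_LOGON, "203.0.113.7", "administrator"),
    # a user mistyping a password twice: below threshold, must not be flagged
    _logon("2020-07-13T02:03:00", FAILED_LOGON, "198.51.100.20", "jsmith"),
    _logon("2020-07-13T02:03:20", FAILED_LOGON, "198.51.100.20", "jsmith"),
    _logon("2020-07-13T02:03:40", SUCCESS_LOGON, "198.51.100.20", "jsmith"),
    # persistence after the foothold: new account, scheduled task, new service
    {"time": "2020-07-13T02:10:00", "EventID": 4720,
     "SubjectUserName": "administrator", "TargetUserName": "helpdesk2"},
    {"time": "2020-07-13T02:11:00", "EventID": 4698,
     "SubjectUserName": "administrator", "TaskName": "\\UpdateCheck"},
    {"time": "2020-07-13T02:12:00", "EventID": 7045,
     "AccountName": "administrator", "ServiceName": "WinMgmtHelper"},
]

if __name__ == "__main__":
    print("RDP brute force:", detect_rdp_brute_force(SAMPLE_EVENTS))
    for f in detect_persistence(SAMPLE_EVENTS):
        print(f"{f['time']} {f['EventID']} {f['what']}: {f['object']} by {f['actor']}")
```

On the sample, the first detector flags 203.0.113.7 (six failures, success afterwards) and ignores 198.51.100.20; the second returns the 4720, 4698 and 7045 records in order. In a real deployment the records would come from Windows Event Forwarding or a SIEM rather than an inline list, 7045 has to be collected from the System log, and the GPO changes the post mentions are not covered here: catching those needs directory service change auditing on the domain controllers, which this example does not model.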