Blog | May 21, 2020

How Current Ransomware Tactics Look
a Lot Like Smoking a Brisket

You can’t rush the process of smoking a brisket, what I consider the peak of BBQ process.

For a 15-pound brisket, it generally takes over 14 hours of smoking at 225 degrees F to push through the “stall” … after which it requires another couple of hours to “rest.” This process is referred to as “low-and-slow” because it takes time and patience to proceed through each of the smoke phases.

Cyberattackers are just as patient when it comes to following their plan and achieving their goals.

In information security, we often describe attackers in terms of their tools, tactics, and process (TTP). One that we don’t often discuss is TIMING. One recent development in the use of ransomware involves choosing the most appropriate time to initiate the actual encryption. By appropriate, I mean the most inopportune time to strike a target in an effort to hamper recovery.

Let’s first take a step back though. When ransomware first burst broadly into the public view a few years ago, it was very simple: someone opens malicious content which downloads an encryption key and immediately begins to encrypt that single computer’s files (and all others to which they have access, including network shares). The next generation of ransomware started attacking databases directly, encrypting their contents.

A further evolution of a separate ransomware family focused on exploiting the software that manages workstation images (e.g. Kaseya), thereby unwittingly enlisting it to spread unwanted code. This tactic is not necessarily specific to ransomware but also was used for undesired rogue cryptocurrency mining.

The current, most popular methodology within ransomware deployment couples the popular “low-and-slow” tactics of yesteryear (very much like smoking a delicious brisket). Also known as advanced persistent threat (APT) methodology, the attacker initially gains a toehold into an environment, then quietly spreads laterally from this “beachhead” to establish multiple points of presence within the organization. Once many systems are infected, the attacker is free to take their time to embed themselves and begin a more rigorous campaign to examine all accessible files (including email), gather information, pivot to other connected systems, gain administrator access (if possible) and exfiltrate interesting or sensitive data to resell or hold hostage.

The newest ransomware tactic couples the low-and-slow APT method, but once the interesting data is taken, the attacker at the right time initiates the encryption on all infected systems. The extra spin? Timing. This type of attack offers the attacker the best chance for payoff when initiated at a particularly inopportune time, when the victim isn’t expecting it and is less likely to be able to respond quickly. As such, the first night of a weekend (especially a long weekend!) provides an ideal point for a devastating malicious campaign to be launched.

It is critical to continue to watch for the early indicators. It takes time for the attacker to distribute the malicious code throughout the environment and wait for the most inopportune time to start the encryption phase. This permits the defender a wider window of opportunity to prematurely short-circuit and evict the attacker.

No doubt tactics will continue to evolve. Attackers will continue to hone and improve their methods; likely by better automating the “spread malware internally phase” and with better obfuscation to reduce the chances of detection. Given the significant recent changes due to COVID-19 with more people working from home, it is possible that depending on remote access implementation, it may be more difficult for attackers to move laterally, from endpoint to endpoint. However, this possible mitigation aspect is likely overridden by more atomic endpoints running outside the safety of a corporate firewall and other corporate security infrastructure.

With this in mind, we highly recommend that you continue to watch for unusual indicators of inappropriate access, especially when they make themselves manifest early on a weekend. Ensure that your incident response playbooks are updated, with contacts updated. Perform tabletop exercises with this updated scenario to prepare for this.

While you might be looking at the start of a long weekend as a welcome break from work (or a chance to demonstrate your BBQ skills), attackers might just be thinking about getting started.

Eldon Sprickerhoff

Eldon Sprickerhoff

Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.