Ransomware’s Uneven Playing Field: Re-Thinking Protection and Detection from Small and Medium Enterprises
Recently, Dark Lab attended a conference to present the lessons learnt from ransomware incidents impacting small and medium enterprises (“SMEs”), and how these lessons learnt can help us find effective measures against ransomware threats.
Apart from our experience dealing with ransomware, it has been reported by the industry, that 85% of ransomware attack victims are small businesses.[1] These businesses present as lucrative targets for opportunistic ransomware actors, given their limited access to resources to implement robust security solutions.
In the past year, we have responded to numerous ransomware incidents involving small to medium enterprises (“SMEs”) that lack of the resources to invest in advanced security tools such as Endpoint Detection and Response (“EDR”) or Security Information and Event Management (“SIEM”) systems. Despite the absence of these tools, our incident response efforts have revealed simple controls that can effectively serve as containment, preventive, or damage-control measures.
Our presentation covered several ransomware incidents involving both well-known operators and newcomers to the field. We provided our insights into the threat intelligence associated with these actors, analyse the Tactics, Techniques, and Procedures (“TTPs”) used compared to large-scale ransomware, and share lessons learned from handling these incidents, including mistakes made by the threat actors. We further note the potential applications of these strategies in larger enterprises as a means to strengthen their own posture.
This blog will deep dive into the threat intelligence associated with the current ransomware landscape, the Tactics, Techniques and Procedures (“TTPs”) behind ransomware attacks, and our lessons learnt along with the insights from previous incident experience.
The Current Ransomware Landscape
In 2024, we observe an increasingly unpredictable and diverse ransomware landscape following multiple disruptive events that have reshaped how the ransomware ecosystem operates today.
Significant catalysts for these shifts include the persistence of law enforcement disruptions against larger Ransomware-as-a-Service (RaaS) operators, as exemplified in the ongoing #OpCronos against LockBit. Not to mention BlackCat’s alleged exit scam following allegations of failure to payout their affiliate for their attack on UnitedHealth.
These two instances alone incited heightened scepticism and distrust within the cybercriminal community, leading to a shift away from these “market leaders”. Quickly, we observed smaller and new players seize this opportunity to establish their presence within the ransomware ecosystem. Not only applying the lessons learnt from the downfalls of bigger players, and factoring in the changes to the ways in which victims respond to ransomware attacks, we observe these new joiners seeking to distinguish themselves and increase their chances of success through alternative means of approaching ransomware attacks. For example;
A Focus on SMEs
Contrary to the misconception that SMEs are not a priority for ransomware groups due to the lower payout opportunity, we observe the majority of ransomware attacks are targeted against SMEs. This is as larger enterprises are now well-equipped with security solutions designed to prevent and detect against impending threats, thus posing SMEs as enticing targets for a higher likelihood of success.
We attribute this to a number of factors; limited funds to invest in cybersecurity professionals and technologies, lack of preparedness to respond to an attack, and the impact that operational disruptions may have on the viability of the business. Statistically, 75% of SMEs could not continue operating beyond seven (7) days if hit by ransomware [2], whilst 20% of SMEs that fell victim to a ransomware attack paid the ransom.[3] Furthermore, learning from the cases of LockBit and BlackCats’ notoriety, newer players seek to evade attention from media and law enforcement; conducting lower-profile attacks to maintain their presence and longevity.
Who’s targeting SMEs?
As seen in the image above, we observe both established RaaS operators who we track and know well, and newer players, experimental in the approaches to ransomware attacks, targeting SMEs. We note that this list is not exhaustive given the opportunistic nature of ransomware actors, and is further applicable in the context of larger enterprises.
With newer groups diversifying their attack methods and creating an increasingly ‘unpredictable’ ransomware threat, how can we stay focused?
Focusing on the “critical path”
Despite the abundance of new players on the market – bringing new approaches and techniques used to facilitate their attacks – we still observe overarching commonalities in their Tactics, Techniques, and Procedures (“TTPs”).
The above MITRE ATT&CK heatmap compiles the TTPs used by various aforementioned threat actors. By focusing on the most frequently used TTPs (highlighted in red and orange), we can prioritise our efforts to strengthen defences against these techniques, creating a ‘critical path’ for us to focus our efforts in devising protection and detection.
This critical path provides a holistic view of RaaS operators, not just applicable to SMEs but all types of victims. In the case of SMEs, given the limited access to resources, this critical path provides a realistic baseline to focus resources on preventing and detecting against ransomware threats.
Our experience responding to ransomware attacks against SMEs
To consider how this “critical path” translates into real life, we referenced some historic cases we have battled, and the lessons learnt. Specifically, we deep dived into three (3) case studies, attributed to RansomHouse, SEXi (a.k.a. APT Inc.), and LockBit, respectively.
Each case study shared commonality in that initial access was obtained via breaching perimeter devices e.g., SSLVPN. However, the case studies provided a useful comparison on the degree of impact incurred within an SME environment depending on the presence (or lack thereof) sufficient security controls.
Case Study 1: RansomHouse affiliate (an “Old Guard”)
In the first case study, the RansomHouse affiliate achieved initial access via a known vulnerability. The affiliate proceeded to perform account brute forcing and network scanning using the commonly leveraged, SoftPerfect Scanner. Obtaining a service account granted with administrative privileges, the affiliate proceeded to perform Remote Desktop Protocol (RDP) for lateral movement. Notably, the service account was secured with a weak password and the last date of password reset was the same as its creation date – a common issue we have observed across SMEs, whereby they use a weak password for account creation, and subsequently neglect to change the password later.
The affiliate further enumerated the victim’s environment, obtaining additional credentials to access their ESXi, Network Attached Storage (NAS), various databases and Software-as-a-Service (SaaS) platforms. With their better understanding of the victim’s environment and the “crown jewels” to target for sensitive data, the affiliate proceeded to deploy the AnyDesk remote access software and a PowerShell script. This resulted in large outbound data exfiltration over 700 gigabytes (GB) of data before removing backups and deploying ransomware across their Network Attached Storage (NAS), backup servers, and virtual infrastructure (VMware ESXi) servers.
This case study highlights the sheer impact of a ransomware attack in environments lacking network segmentation, password policy enforcement, and sufficient access controls.
Case Study 2: SEXi affiliate (“New Blood”)
In our incident attributed to an affiliate of SEXi (now rebranded as APT Inc.) ransomware, the affiliate infiltrated via a SSLVPN entry, landing on a demilitarised zone (DMZ) server subnet. The affiliate was also observed to deploy the SoftPerfect Scanner for network discovery, resulting in the identification of a vulnerable Veeam Backup & Replication server. Exploiting the vulnerability to create a new local admin account, the threat actor proceeded to perform credential dumping on the Veeam server, obtaining valid ESXi and NAS credentials.
Pivoting to the ESXi and NAS servers, the SEXi affiliate proceeded to deploy their ransomware and delete all backup data on the NAS. Due to network segmentation in place, ransomware deployment was contained within the DMZ, and no data exfiltration was observed.
Case Study 3: LockBit affiliate (another “Old Guard”)
In our latest battle with LockBit, the affiliate infiltrated via a SSLVPN server using a valid SSLVPN account. In this case, the SSLVPN account belonged to a third-party vendor and had a weak password which had not been changed for over three (3) years. The affiliate landed on a DMZ zone, though due to poor network segmentation in place, the SSLVPN account was capable of accessing a management subnet with /16 IP addresses – a significantly large IP address range for the threat actor to access, not to mention a vendor.
Due to password reuse, the LockBit affiliate proceeded to takeover an administrator account, leveraged to laterally move to additional environments via RDP protocol. Notably, the admin account was utilised to perform a DCSync attack on the Domain Controller (DC). The affiliate then proceeded to perform data staging, focused on discovering Excel, PDF, and Word documents contained within shared folders. At this point, the affiliate installed MegaSync, a legitimate tool for data transfers, and created a folder for file staging. The affiliate then deployed ransomware. However, due to outbound network restrictions in place – no data exfiltration was involved.
Notably, the victim was not observed to be listed on LockBit’s dedicated leak site, which we hypothesised was due to their inability to exfiltrate data from the victim’s environment. This highlights the effectiveness in file transfer restrictions in not only mitigating against the compromise of data, but the ability to avoid reputational damage from public awareness of the ransomware incident.
Case Study Comparison; Same Same (TTPs), But Different (Impact)
Comparison of these similar attacks highlight how enforcing simple controls to restrict malicious activity can significantly minimise the impact of ransomware attacks.
Through our incident experience, we highlight the following common issues in SMEs:
- Initial access is achieved through preventable “low hanging fruit”, such as;
- Commodity VPNs (e.g., Fortinet SSLVPN, SonicWall SSLVPN, etc.)
- Infostealer data and credentials leaked on dark web
- Lack of awareness and/or implementation of:
- Strong password policies – guidelines that enforce the creation and use of complex, hard-to-crack passwords
- Patch management – regular updating of software to remediate susceptibility to vulnerabilities that otherwise may be exploited by malicious actors
- Perimeter services – security measures that protect the outer boundaries of a network, such as firewalls and intrusion detection systems (IDS)
- Network segmentation – practice of dividing a network into smaller, isolated segments to limit access and lateral movement opportunities
What can SMEs do to minimise the risk and impact of ransomware threats?
From basic hardening configurations within Active Directory to enabling detection with honeytokens and strategically planning network restrictions, we share practical tips and strategies that we have implemented in our clients’ environments. This demonstrates how small businesses can reduce their risk from a full-scale ransomware attack or minimize the impact of such events. Additionally, we note that these strategies can be further leveraged by larger entities to strengthen their own environments.
Initial Access
Threat actors often seek “low hanging fruit” to gain initial access. For example, exposed SSLVPN gateways are frequently brute forced by malicious actors using leaked credentials.
The following tips can aid SMEs in minimising their attack surface exposure to reduce the risk of unauthorised access.
On the perimeter-level, SMEs can consider the follow tips to minimise their attack surface exposure;
- Stock take exposed services, patch or restrict administrative portals
- Trim down access from SSL VPN to internal network
- Isolate the systems with legacy operating systems
Access controls can further limit the opportunity for threat actors to infiltrate and/or persist in their post-compromise stages;
- Housekeep accounts, and strengthen existing multi-factor authentication
- Trim down access from SSL VPN to internal network
- Use a separate set of credentials for SSL VPN access
Discovery
Threat actors typically use tools like Network Scanners (e.g., SoftPerfect) that rely on file shares to enumerate files for targeting.
A file share is a network resource that allows multiple users or devices to access and share the files and folders over a network. Threat actors frequently leverage these file shares to identify files of interest (e.g., containing ‘password’, ‘confidential’, ‘finance’, ‘secret’, ‘backup’, ‘admin’, etc.).
To restrict the opportunity for threat actors to perform discovery via file shares, we recommend:
- Perform a stock-take on file servers to identify critical files housing sensitive and/or confidential data
- Review what users are allowed to access critical files, and restrict access based on the principle of least privilege
Canary tokens[4], otherwise known as a honey tokens, provide another avenue for proactive threat detection. Canary tokens are a digital identifier embedded within files, URLs, or systems to detect unauthorised access or activity. When an attacker interacts with a canary token, it triggers an alert to notify administrators of a potential breach.
Lateral Movement
Threat actors target privileged accounts as part of their intrusion, in particular Domain Admins, leveraging their heightened privileges to perform various activities, spanning from data collection and exfiltration to ransomware deployment.
This begs the question; Do we really need to use “Domain Admins” for day-to-day operations?
Tips to secure domain admin accounts and reduce opportunities for lateral movement:
- Account tiering is an effective means to reduce the risk of credential theft for administrative accounts. In short, it is the process of categorizing accounts and systems into tiers based on criticality. According to Microsoft, the “tier model creates divisions between administrators based on what resources they manage….[so that] admins with control over user workstations are separated from those that control applications”.[7]
- Enforce logon restrictions to ensure highly privileged accounts do not possess access to less secure resources. For example, domain admins (tier 0) should not possess permissions to access user workstations (tier 2).[8]
- Restrict login attempts from Remote Desktop Services[9]
- Ensure critical systems are kept up-to-date with regular patching. This involves referencing the systems categorized as critical (or “tier 0), and prioritizing these systems in your patch management process. As an example, Veeam Backup & Replication[10] and ESXi instances [11] are regularly targeted by multiple groups for ransomware deployment.
Exfiltration (and Remote Access)
Threat actors frequently abuse legitimate solutions to facilitate their remote access (e.g., AnyDesk, TeamViewer, etc.) and data exfiltration (e.g., MegaSync, Rclone, etc.). Furthermore, in some cases we observed that host-based firewall may have been controlled by a compromised administrative account.
To detect for the malicious misuse of these legitimate tooling and/or accounts, we advise the use of an Active Directory-Integrated DNS (ADIDNS) sinkhole – ensuring proper Access Control Lists (ACLs) are configured.
A DNS sinkhole, otherwise known as a sinkhole server, is a DNS server that provides false information to prevent the use of domain names. It is a strategy used to block malicious traffic. When a device attempts to access a known malicious domain, the DNS sinkhole redirects the request to a non-routable address, effectively “sinking” the traffic and preventing the device from connecting to a harmful site.[12]
Conclusion
As the ransomware landscape continues to evolve and diversify in the threats faced, focusing on identification of predictable TTPs, or even a ‘critical path’, helps us prioritize efforts to defend against the most pertinent threats.
Whilst SMEs may struggle due to their technical limitations and resources, we hope this blog helps provide insight in the simple, yet effective means in which SMEs can uplift their security posture. As a reminder, implementation of these strategies requires carefully designed architecture and process planning (e.g., appropriate access controls, standard operating processes) to maintain effectiveness. Furthermore, we note that these approaches are universal and applicable in larger enterprises, providing proactive opportunities to harden your security posture.
What lies ahead for the future of ransomware?
As organisations increasingly shift to cloud and integration of Software-as-a-Solution (SaaS), we expect to see increased targeting against these environments. Whilst we already observe ransomware actors selling compromised databases, we project an uptick in the reselling of access for re-intrusion into victim environments by other threat actors. The application of artificial intelligence (AI) and automation intelligence within the cybercriminal is a continued discussion, as we anticipate threat actors expanding beyond the use of AI for content generation (in the context of social engineering) to other applications. There’s no telling for certain what else the future holds, but for now, let’s concentrate on safeguarding ourselves against the most crucial threats.
MITRE ATT&CK TTPs for the “Critical Path”
We include the observed MITRE ATT&CK tactics and techniques highlighted in the “critical path”:
| MITRE ID | MITRE ATT&CK Tactic | MITRE ATT&CK Technique |
| T1583 | Resource Development | Acquire Infrastructure |
| T1587 | Resource Development | Develop Capabilities |
| T1588 | Resource Development | Obtain Capabilities |
| T1566 | Initial Access | Phishing |
| T1190 | Initial Access | Exploit Public-Facing Application |
| T1078 | Initial Access | Valid Accounts |
| T1133 | Initial Access | External Remote Services |
| T1059 | Execution | Command and Scripting Interpreter |
| T1053 | Execution | Scheduled Task/Job |
| T1047 | Execution | Windows Management Instrumentation |
| T1106 | Execution | Native API |
| T1204 | Execution | User Execution |
| T1569 | Execution | System Services |
| T1136 | Persistence | Create Account |
| T1543 | Persistence | Create or Modify System Process |
| T1098 | Persistence | Account Manipulation |
| T1505 | Persistence | Server Software Component |
| T1547 | Persistence | Boot or Logon Autostart Execution |
| T1055 | Privilege Escalation | Process Injection |
| T1134 | Privilege Escalation | Access Token Manipulation |
| T1027 | Defense Evasion | Obfuscated Files or Information |
| T1562 | Defense Evasion | Impair Defenses |
| T1112 | Defense Evasion | Modify Registry |
| T1140 | Defense Evasion | Deobfuscate/Decode Files or Information |
| T1036 | Defense Evasion | Masquerading |
| T1218 | Defense Evasion | System Binary Proxy Execution |
| T1497 | Defense Evasion | Virtualization/Sandbox Evasion |
| T1070 | Defense Evasion | Indicator Removal on Host |
| T1222 | Defense Evasion | File and Directory Permissions Modification |
| T1564 | Defense Evasion | Hide Artifacts |
| T1003 | Credential Access | OS Credential Dumping |
| T1083 | Discovery | File and Directory Discovery |
| T1082 | Discovery | System Information Discovery |
| T1018 | Discovery | Remote System Discovery |
| T1057 | Discovery | Process Discovery |
| T1135 | Discovery | Network Share Discovery |
| T1016 | Discovery | System Network Configuration Discovery |
| T1046 | Discovery | Network Service Discovery |
| T1069 | Discovery | Permission Groups Discovery |
| T1087 | Discovery | Account Discovery |
| T1482 | Discovery | Domain Trust Discovery |
| T1518 | Discovery | Software Discovery |
| T1021 | Lateral Movement | Remote Services |
| T1210 | Lateral Movement | Exploitation of Remote Services |
| T1570 | Lateral Movement | Lateral Tool Transfer |
| T1005 | Collection | Data from Local System |
| T1560 | Collection | Archive Collected Data |
| T1039 | Collection | Data from Network Shared Drive |
| T1105 | Command and Control | Ingress Tool Transfer |
| T1219 | Command and Control | Remote Access Software |
| T1071 | Command and Control | Application Layer Protocol |
| T1041 | Exfiltration | Exfiltration Over C2 Channel |
| T1048 | Exfiltration | Exfiltration Over Alternative Protocol |
| T1567 | Exfiltration | Exfiltration Over Web Service |
| T1486 | Impact | Data Encrypted for Impact |
| T1490 | Impact | Inhibit System Recovery |
| T1485 | Impact | Data Destruction |
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
