Illusive Blog March 19, 2021

Ransomware Incognito: 5 Tools Targeted Ransomware Groups Use to Disguise Themselves

By Claire Trimble
Attacker Tools, Lateral Movement, Ransomware, Targeted Ransomware

This is part 2 of a 3-part series looking at the evolving nature and sophistication of ransomware attacks. This series is a snapshot from the comprehensive eBook on the topic, Ransomware, Inc: The Rise of Targeted Ransomware Crime Syndicates, published by Alissa Valentina Knight and Knight Ink, and commissioned by Illusive. Read part 1, The Major Ransomware Threat Groups and What Makes Them Effective.

In this article, we look at how targeted ransomware attackers utilize certain tools to move laterally inside networks. 

Seeking Credentials and Pathways – How Attackers Use Tools for Lateral Movement 

Targeted ransomware attackers have moved well beyond the old “spray and pray” approach. They study the IT environment of the organizations they are targeting, research (to the extent possible) the tools those IT teams use, move deliberately to avoid suspicion, and tailor their ransomware code to the specific targets.

Yet how do they pivot laterally while avoiding security team detection? Well, first they need credentials.

Once an attacker has access to one host, they can leverage the credential and connection data stored on it to move to neighboring hosts. Attackers look for these rogue credentials and connections that lead them to an organization’s critical assets. Using BloodHound, Mimikatz and other pre-built attack tools, this discovery process is more automated—and faster—than ever before.

I’ll explain a few of these tools below:

  • Mimikatz – Used to extract plaintext passwords from memory. Mimikatz demonstrates weaknesses in Microsoft’s authentication protocols by letting whoever runs it dump credentials, including Kerberos tickets, from the system in order to steal authentication material and escalate privileges.
  • Metasploit – Helps attackers and penetration testers automatically generate malicious code to exploit vulnerable websites and applications. It also includes reconnaissance capabilities such as scanning for open ports, matching discovered software bugs to available exploits, and running vulnerability scans.
  • BloodHound – Provides a graphical representation of all available paths an attacker might take towards critical Active Directory assets, such as control over Domain Admins. As a free tool that quickly graphs the major relationships within Active Directory, BloodHound does provide some value in attack simulations for red teams and attackers alike. (Read a blog post on BloodHound here)
  • NLBrute (AKA nl.exe or nlbrute.exe) – Created by a Russian developer for brute-forcing Windows credentials over Remote Desktop Protocol (RDP). NLBrute can be fed a dictionary/word list for its brute-force attempts, or a list of passwords from previous credential dumps, a technique also referred to as “credential stuffing.”
  • Cobalt Strike – Provides penetration testers with a Swiss Army knife of functionality for adversary simulation and red teaming. Cobalt Strike is threat emulation software meant to execute targeted attacks against modern enterprises with one of the most powerful network attack kits available, but it is also used by real attackers. With built-in capabilities for spreading, Kerberoasting, credential theft and many other features, Cobalt Strike is a formidable weapon for any attacker.
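The NLBrute entry above describes two distinct shapes of RDP credential abuse: a wordlist hammered against one account, and a leaked credential list replayed across many accounts. Both leave the same footprint on the target, a burst of Windows Security event 4625 (failed logon) records with Logon Type 10 (RemoteInteractive, i.e. RDP), and differ only in how many accounts the failures spread across. The following is an added detection example, not code from the original post or from any of the tools it names. The log records are constructed, and their key=value layout is a simplification of event 4625 made for this example rather than Windows' own export format; the thresholds (10 failures in 60 seconds, 5 or more distinct accounts to call it stuffing) are starting points a defender would tune to their environment.

```python
"""Detect RDP brute-force and credential-stuffing from Windows logon-failure events.

Added example. A source that accumulates many failed RemoteInteractive logons
(Security event 4625, Logon Type 10 = RDP) inside a short window is flagged and the
shape of the failures classified: "brute-force" (few accounts, many tries) versus
"credential-stuffing" (many distinct accounts, about one try each). Sample records
are constructed; their key=value layout is this example's own, not Windows' format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"Account=(?P<account>\S+) SrcIP=(?P<src_ip>\S+) Status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    src_ip: str
    status: str  # NTSTATUS: 0xC000006A = bad password, 0xC0000064 = no such account


@dataclass
class Finding:
    src_ip: str
    pattern: str           # "brute-force" or "credential-stuffing"
    failures: int          # failures in the window at the moment the threshold was crossed
    distinct_accounts: int
    window_start: datetime
    window_end: datetime


def parse_line(line: str) -> Optional[LogonEvent]:
    """Parse one record; lines that do not fit the layout yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogonEvent(datetime.fromisoformat(m["ts"]), int(m["event_id"]),
                      int(m["logon_type"]), m["account"].lower(), m["src_ip"], m["status"])


def detect_rdp_abuse(lines, threshold=10, window=timedelta(seconds=60),
                     spray_accounts=5) -> List[Finding]:
    """One finding per source IP that reaches `threshold` failed RDP logons within `window`.

    Only event 4625 with Logon Type 10 counts. Events are grouped by source and scanned
    with a sliding window; the finding is emitted when the threshold is first crossed.
    """
    by_src: Dict[str, List[LogonEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.event_id == 4625 and ev.logon_type == 10:
            by_src[ev.src_ip].append(ev)

    findings: List[Finding] = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:  # drop events older than the window
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) >= threshold:
                accounts = {e.account for e in in_window}
                pattern = "credential-stuffing" if len(accounts) >= spray_accounts else "brute-force"
                findings.append(Finding(src, pattern, len(in_window), len(accounts),
                                        in_window[0].ts, ev.ts))
                break
    return findings


# --- constructed sample data (not real Windows output) -------------------------
def _record(ts, account, src, status="0xC000006A", logon_type=10, event_id=4625):
    return (f"{ts.isoformat(timespec='seconds')} EventID={event_id} LogonType={logon_type} "
            f"Account={account} SrcIP={src} Status={status}")

T0 = datetime(2021, 3, 19, 10, 0, 0)
SAMPLE_LINES = (
    # 12 failures against one service account in 44 s: a wordlist run against RDP.
    [_record(T0 + timedelta(seconds=4 * i), "svc_backup", "203.0.113.7") for i in range(12)]
    # 10 accounts, one try each, in 27 s: replay of a leaked list; a third of the
    # names do not even exist here (0xC0000064), typical of credential stuffing.
    + [_record(T0 + timedelta(seconds=3 * i), f"user{i:02d}", "198.51.100.23",
               status="0xC0000064" if i % 3 == 0 else "0xC000006A") for i in range(10)]
    # Two mistyped passwords from a workstation: below threshold, must not alert.
    + [_record(T0 + timedelta(seconds=30 * i), "jdoe", "192.0.2.5") for i in range(2)]
    # Network logons (type 3) are outside this RDP rule, however many fail.
    + [_record(T0 + timedelta(seconds=i), "svc_sql", "192.0.2.9", logon_type=3) for i in range(15)]
    # A successful RDP logon (event 4624) is not a failure and is ignored.
    + [_record(T0, "admin", "203.0.113.7", status="0x0", event_id=4624)]
)

if __name__ == "__main__":
    for f in detect_rdp_abuse(SAMPLE_LINES):
        print(f"{f.src_ip}: {f.pattern} ({f.failures} failures, {f.distinct_accounts} accounts, "
              f"{f.window_start:%H:%M:%S}-{f.window_end:%H:%M:%S})")
```

Run stand-alone, the script reports the wordlist source as brute-force against a single account and the second source as credential-stuffing across ten accounts, while the workstation typos, the network-logon failures and the successful logon produce nothing. Keying the rule on Logon Type 10 is what separates RDP abuse from other failure noise; the proportion of 0xC0000064 (unknown account) sub-statuses in a window is a further signal that the names come from an external dump rather than from knowledge of the environment.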

How Attackers Live Off the Land, Getting Higher ROI

The Living-off-the-Land (LotL) technique requires no external software: the attacker relies solely on pre-installed Windows tools and processes to move inside a network. This makes it easier to remain undetected and adds another layer to the challenge of detecting hidden malicious lateral movement. It is also a much more cost-effective attack method than leveraging exploits and paid-for tools or access. Attackers use these tools and processes in support of their Tactics, Techniques, and Procedures (TTPs).

As Knight writes:

“Living off the land is the concept of a syndicate using already-available tools built into the operating systems in order to achieve their goals rather than downloading and using malicious tools that might otherwise be blacklisted. The increased exodus from tools like Mimikatz has a lot to do with the syndicates wanting to go undetected for a longer period of time. Whereas tools like Mimikatz might be blacklisted from use in a network and potentially trigger alarms, built-in tools that when combined together can achieve pretty much the same goal are used instead.”

And, as Knight notes, not all of these tools are malicious, and “many of the tools…were created and even acquired by Microsoft as system administration tools for server admins. They simply provide a utility needed by the syndicates to more quickly and easily achieve their actions on objectives.”

Some of these tools include “using file-less malware so as not to disturb disks and file system tables to avoid detection by more sophisticated endpoint detection and response (EDR) and network detection and response (NDR) solutions. They’ll also use command line tools built into the operating system itself, using these built-in tools against the systems, such as PowerShell and WMI to better understand where they’ve landed in the network and what level of privilege they have using these tools for reconnaissance.”
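Knight's point is that blacklisting a binary such as Mimikatz stops working once the attacker switches to PowerShell and WMI, which every administrator also uses. The practical answer is to judge how the built-in tool was invoked rather than whether it ran: which process launched it, which switches hide or obfuscate the session, and what an encoded command decodes to. The following is an added example of that approach, not code from the original post or from Knight's eBook. The process records are constructed and mimic only the parent/image/command-line triple of a Sysmon process-creation event (Event ID 1); the indicator weights and the alert threshold of 5 are this example's own choices.

```python
"""Score process-creation records for Living-off-the-Land reconnaissance patterns.

Added example. Instead of blacklisting a binary, this inspects how PowerShell and
WMIC are invoked (launching parent, hiding/obfuscation switches, decoded content of
-EncodedCommand) and sums weighted indicators. Sample events are constructed and
imitate a Sysmon Event ID 1 parent/image/command line; they are not real Sysmon output.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

ALERT_THRESHOLD = 5  # example's own cut-off; tune against your own baseline
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Built-in commands typically run right after landing to learn "where am I, who am I".
RECON_TOKENS = ("whoami", "net user", "net group", "nltest", "systeminfo", "get-ad", "quser", "qfe list")
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the launching process, e.g. explorer.exe
    image: str    # image name of the created process
    cmdline: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return that text, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent) -> Finding:
    """Sum weighted indicators; a high total means the invocation looks like LotL tradecraft."""
    image, parent, low = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    f = Finding(ev)

    def add(points: int, reason: str) -> None:
        f.score += points
        f.reasons.append(reason)

    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-nop(?:rofile)?\b", low):
            add(1, "profile disabled")
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            add(2, "hidden window")
        f.decoded = decode_encoded_command(ev.cmdline)
        if f.decoded is not None:
            add(2, "encoded command")
    if image == "wmic.exe" and "/node:" in low:
        add(3, "WMI against a remote host")
    if parent in OFFICE_PARENTS and image in LOLBINS:
        add(3, f"spawned by {parent}")
    # Keywords count whether they appear in clear text or only after decoding.
    visible = low + " " + (f.decoded or "").lower()
    if re.search(r"downloadstring|invoke-expression|\biex\b", visible):
        add(3, "download-and-execute")
    hits = [t for t in RECON_TOKENS if t in visible]
    if hits:
        add(2, "recon: " + ", ".join(hits))
    return f


def triage(events) -> List[Finding]:
    """Score every event; callers compare Finding.score against ALERT_THRESHOLD."""
    return [score_event(e) for e in events]


# --- constructed sample events (not real Sysmon output) ------------------------
_ENC = base64.b64encode("whoami /all".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe", r"powershell.exe Get-ChildItem C:\Reports"),
    ProcessEvent("svchost.exe", "powershell.exe",   # scheduled admin script
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1"),
    ProcessEvent("cmd.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcessEvent("winword.exe", "wmic.exe", "wmic /node:FILESRV01 os get caption"),
    ProcessEvent("cmd.exe", "wmic.exe", "wmic qfe list brief"),  # admin checking patch level
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "ALERT" if f.score >= ALERT_THRESHOLD else "ok   "
        print(f"{flag} score={f.score} {f.event.parent} -> {f.event.image}: {'; '.join(f.reasons) or '-'}")
```

Two of the five records cross the threshold: the hidden, encoded PowerShell session, because decoding reveals a privilege check, and the WMI query against a remote host launched from a Word document. The scheduled backup script and the administrator's patch enumeration score low and stay quiet, which is the point of weighting invocation context instead of matching on the binary name: the same powershell.exe and wmic.exe appear in all five lines.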

Keep an eye out for future posts in this series on ransomware. In the next post, we’ll talk more about attacker lateral movement and how Active Defense techniques can be used to stop ransomware attackers early in the attack lifecycle.  
