Modus Operandi of a ransomware group that compromised organizations in 70+ countries in the last 4 years:
Every Ransomware gang has 2 simple goals:
1) To run commands on a victim's machine
2) To run those commands stealthily
Here's how the Ghost ransomware gang, which compromised companies in 70+ countries, meets these goals (based on a recent report by FBI/CISA).
Attack Flow:
Attacker targets a company > Scans its public-facing assets for unpatched CVEs > Exploits them > Gains initial access.
Attacker uses PowerShell on the compromised asset to install a 'Cobalt Strike' beacon > Once the beacon is installed, the machine contacts the attacker's server (landing successful!)
Attacker now leverages Cobalt Strike's built-in feature to list the running processes > Identifies anti-virus software > Turns it off.
Attacker now runs Cobalt Strike's 'hashdump' to collect passwords from memory > Uses those passwords to move to new systems.
Attacker also scans for open network shares and remote systems and moves to those as well > On every newly compromised system, the attacker installs a Cobalt Strike beacon so further commands can be run easily and the above cycle repeated.
Once the attacker has spread across several hundred systems, they finally pull the trigger > Deploy ransomware > Encrypt systems > Clear Windows event logs and delete shadow copies to prevent recovery.
Key Insights:
Cobalt Strike is a good example of the 'right tool in the wrong hands': a powerful tool intended for pen testers but leveraged by attackers.
Cobalt Strike has various capabilities but the most striking feature is this: planting a 'beacon' that establishes persistent communication between the attacker and the target. Once a beacon is implanted, attackers can run commands, move laterally, and spread rapidly. All without needing fresh exploits.
Organizations with basic hygiene (timely patching, running devices without local admin privileges, monitoring for AV disablement, etc.) should be able to repel the majority of these attacks. Others may not.
How do we detect it? Cobalt Strike servers ship with a default certificate displaying specific values for the serial number, the issuer, etc. Look for these values. If the attackers have not modified them, it's a definite sign.
Attackers often use Cobalt Strike's DNS-based communication, which is much harder to detect than classic HTTP traffic. Look for irregular DNS request patterns (e.g. unusually long domain names, an excessive number of subdomains).
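As an added illustration of that DNS detection idea (this is example code written for this post, not from the FBI/CISA report or from any Cobalt Strike tooling), the script below scores resolver log lines per registrable domain: overly long names, too many labels, and high-entropy (encoded-looking) prefixes repeated across several distinct queries get flagged. The log format and thresholds are assumptions; the sample lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client> <queried name>" (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 www.example.com
2024-03-01T10:00:02 10.0.0.5 mail.example.com
2024-03-01T10:00:03 10.0.0.7 a3f9c1e2b7d4.0a1b2c3d4e5f.6071829a3b4c.cdn-updates.test
2024-03-01T10:00:04 10.0.0.7 b8e2d4f1a6c3.1f2e3d4c5b6a.7a8b9c0d1e2f.cdn-updates.test
2024-03-01T10:00:05 10.0.0.7 c1d7e9f3a2b5.2e3f4a5b6c7d.8b9c0d1e2f3a.cdn-updates.test
2024-03-01T10:00:06 10.0.0.7 d4a8b2c6e1f7.3d4e5f6a7b8c.9c0d1e2f3a4b.cdn-updates.test
2024-03-01T10:00:07 10.0.0.9 updates.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed log layout

def shannon_entropy(s):
    """Bits per character; hex/base32-encoded beacon data scores high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_domain(name):
    # Assumption: the zone is the last two labels. Production code should use the public suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyze_dns_log(text, max_len=50, max_labels=4, min_entropy=3.5, min_unique=3):
    """Return {zone: [reasons]} for zones whose queries look like DNS-tunnelled beacon traffic."""
    per_zone = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _timestamp, _client, qname = m.groups()
        per_zone[registrable_domain(qname)].append(qname)
    flagged = {}
    for zone, names in per_zone.items():
        reasons = set()
        for q in names:
            prefix = q[: -len(zone) - 1] if q.endswith(zone) else q
            if len(q) > max_len:
                reasons.add("long_name")
            if q.count(".") + 1 > max_labels:
                reasons.add("many_labels")
            if prefix and shannon_entropy(prefix.replace(".", "")) > min_entropy:
                reasons.add("high_entropy")
        # Require several distinct names so a single odd lookup does not page anyone.
        if len(set(names)) >= min_unique and reasons:
            flagged[zone] = sorted(reasons)
    return flagged
```

Running analyze_dns_log(SAMPLE_LOG) flags only cdn-updates.test; the ordinary example.com lookups pass every check.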
Google has open-sourced YARA rules and a collection of IOCs to detect Cobalt Strike. You can access them here.