Targeted ransomware, also known as human-operated ransomware, poses a significant threat to enterprises. In targeted ransomware attacks, adversaries use MITRE ATT&CK techniques such as T1069 (Permission Group Discovery) and T1087 (Account Discovery) to learn which permissions are associated with accounts, identify misconfigurations, steal credentials, and so on, before deploying ransomware across the network.
Targeted ransomware differs from auto-propagating ransomware in the following ways:
1. Auto-propagating Ransomware:
- Steal credentials, keys and other authentication tokens from memory, disk, etc., and deploy ransomware on the infected systems
- Spread across network-mapped drives to drop and execute ransomware using tools such as WMI, PsExec, PowerShell, net tools and others
- Propagate by exploiting vulnerabilities (for example EternalBlue, MS17-010) and deploying ransomware on the target systems
2. Targeted Ransomware:
- Adversaries discover information about the network and domain and identify weaknesses in the environment
- Use tools like PowerShell, BloodHound, etc., to perform domain reconnaissance and identify paths to high-privilege targets
- Compromise software deployment systems or CI/CD systems and deploy ransomware across the organization
- Deploy ransomware across exposed C$ admin shares using tools like PsExec, WMI, PowerShell scripts, etc.
- Deploy ransomware using Microsoft Group Policy Objects (GPOs) from a compromised domain controller
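The discovery and deployment steps above leave traces in process-creation telemetry. The following is an added example, not code from the original article: a small rule-based detector that tags constructed Sysmon-style events with the account and group discovery techniques named above (T1087, T1069), BloodHound collection, and staging over the C$ share or PsExec/WMI execution, then flags hosts that show both recon and deployment tooling. Field names, sample lines and the per-host verdict logic are assumptions.

```python
# Added example (not from the original article): rule-based tagging of the
# targeted-ransomware precursors the article lists, over constructed
# process-creation events (Sysmon Event ID 1 style fields, assumed).
import re
from collections import defaultdict

# (ATT&CK technique id, label, regex matched against the lower-cased command
# line). T1087 and T1069 are from the article; T1021.002 (SMB/Admin Shares)
# and T1047 (WMI) are the ATT&CK ids for the deployment tooling it names.
RULES = [
    ("T1087", "account discovery", re.compile(r"\bnet1?\s+user\b.*/domain")),
    ("T1069", "permission group discovery",
     re.compile(r"\bnet1?\s+(group|localgroup)\b|\bwhoami\s+/groups")),
    ("T1069", "bloodhound collection",  # BloodHound spans several discovery ids
     re.compile(r"sharphound|invoke-bloodhound|collectionmethod")),
    ("T1021.002", "admin share staging", re.compile(r"\\\\[\w.-]+\\(c|admin)\$")),
    ("T1021.002", "psexec execution", re.compile(r"\bpsexe(c|svc)(64)?\.exe")),
    ("T1047", "wmi remote execution",
     re.compile(r"\bwmic\b.*\bprocess\s+call\s+create|invoke-wmimethod")),
]

def classify(event):
    """Return [(technique id, label)] for every rule matching one event."""
    cmd = event.get("CommandLine", "").lower()
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmd)]

def score_hosts(events):
    """Per source host: discovery plus admin-share/PsExec/WMI activity is the
    recon-then-deploy pattern; discovery alone is only queued for review."""
    hits = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            hits[ev["Computer"]].add(hit)
    verdicts = {}
    for host, found in hits.items():
        discovery = any(t in ("T1087", "T1069") for t, _ in found)
        lateral = any(t in ("T1021.002", "T1047") for t, _ in found)
        verdicts[host] = "recon+deploy: escalate" if discovery and lateral else "review"
    return verdicts

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine": 'net group "Domain Admins" /domain'},
    {"Computer": "WS01", "CommandLine": "net user /domain"},
    {"Computer": "WS01", "CommandLine": r"cmd /c copy update.exe \\FS01\C$\Windows\Temp\update.exe"},
    {"Computer": "WS01", "CommandLine": r"psexec.exe \\FS01 -s cmd.exe"},
    {"Computer": "WS02", "CommandLine": "whoami /groups"},
    {"Computer": "WS03", "CommandLine": "notepad.exe report.txt"},
]
```

Running `score_hosts(SAMPLE_EVENTS)` escalates WS01 (discovery plus C$ staging and PsExec), queues WS02 for review (group discovery only) and ignores WS03.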
Ransomware is evolving from encryption-only attacks to data-exfiltration and data-leakage attacks. Organizations have typically deployed backup and self-service restore features to recover from encryption-only ransomware.