From phishing to ransomware: the whole lifecycle of an attack

Phishing is the entry point for about 80% of cyberattacks. But it is fair to ask why phishing or spear-phishing represents such a threat to a company. How does compromising the credentials of someone on the marketing or sales team pose a real threat?

Of course, if the compromised account is that of the system administrator, the hackers' job is much easier.

But in most cases, this isn’t what happens. So what occurs between initial infiltration and impact? 

This article presents a relatively standard lifecycle for a cyberattack and some of the tactics and techniques used by hackers, from a phishing email to ransomware, in 4 steps:

  1. Reconnaissance
  2. Initial access
  3. Exploitation
  4. Impact

The goal is not to describe the techniques and tactics comprehensively, but rather to propose a simple, understandable overview from beginning to end that can be shared with teams in order to highlight the importance of the initial phases of an attack.

1. Reconnaissance

From phishing to ransomware: Reconnaissance

The goal of the hackers is to reconnoitre their target in order to prepare their attack.

The idea is to gain an understanding of a target's ecosystem (clients, software, suppliers, teams…) in order to increase the odds of successfully compromising an account. To do this, hackers rely on several techniques, such as:

OSINT (Open Source Intelligence): most people underestimate the amount of information available online once you spend some time looking. For example:

  • Company employees: LinkedIn, company website
  • Software used: various search engines, details in LinkedIn job offers or LinkedIn team descriptions
  • Clients & suppliers: Company websites
  • Habits of targets: Social media (Facebook, Instagram, Twitter, TikTok…)
  • Corporate email signatures: contact someone under a harmless pretext and get an answer

Data leaks: these occur regularly. The leaked information can be found online afterwards, and compromised passwords that are reused or haven't been changed can be exploited.

2. Initial access

From phishing to ransomware: Initial Access

Phishing

Hackers now have a reasonable overview of who works in the target company, which software they use, who their customers and suppliers are, and who the C-level executives are. It's time for them to set up a first beachhead.

They will either seek to obtain credentials to compromise a user's account, or to lead the user directly to download malware.

To do this, phishing (or rather spear-phishing, since it is refined with all the information gathered during the reconnaissance phase) and social engineering techniques are the easiest, cheapest and simplest weapons to deploy.

Hackers can replicate authentication pages to harvest credentials by using tools such as Evilginx, which even enables them to bypass multi-factor authentication protections with relative ease.

And if they want to deploy malware, the sequence can be as follows, for example:

  • Send a convincing spear-phishing email with precise details and an attachment
  • The user opens the attachment
  • A message relying on social engineering techniques (a sophisticated name for saying that the message is persuasive enough to convince the user) asks the user to enable macros, as in the image below

Once the macro is activated, it automatically launches the download of a loader: the beachhead is established.
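The macro-to-loader step above leaves a characteristic trace on the endpoint: an Office application spawning a command interpreter, script host or download utility, often with a hidden or encoded command line. The detection logic below is an added example written for this article, not code from the original page or from any product; the process-creation records are constructed samples in a simplified, pipe-separated format of my own (host, user, parent image, child image, command line), loosely modelled on what an EDR or Sysmon-style sensor provides. The field layout, the set of "suspicious children" and the command-line patterns are assumptions for the example and should be tuned to the environment.

```python
"""Flag Office applications spawning script interpreters or download utilities.

Added example (not from the original article). Input lines are constructed
process-creation records: host|user|parent_image|child_image|command_line.
"""
import re
from dataclasses import dataclass

# Constructed sample records (assumed format). The encoded-command argument is a
# placeholder, not a real payload.
SAMPLE_LOG = """\
WS-0123|jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c powershell -w hidden -enc <base64-placeholder>
WS-0123|jdoe|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE invoice.docm
WS-0456|asmith|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|C:\\Windows\\System32\\rundll32.exe|rundll32 C:\\Users\\asmith\\AppData\\Local\\Temp\\x.dll,DllRegisterServer
WS-0789|bchan|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad notes.txt
WS-0123|jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288
"""

# Parents that should rarely, if ever, launch the children below (assumption: tune per estate).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}

# Secondary command-line signals that raise confidence in an alert.
CMDLINE_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)\b", re.I),
    "remote URL": re.compile(r"https?://", re.I),
    "executes from Temp": re.compile(r"\\AppData\\Local\\Temp\\", re.I),
}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    parent: str
    child: str
    reasons: tuple


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_records(text: str):
    """Yield one dict per non-empty log line (constructed format, see module docstring)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, child, cmdline = line.split("|", 4)
        yield {"host": host, "user": user, "parent": parent, "child": child, "cmdline": cmdline}


def detect_office_spawns(text: str) -> list:
    """Return an Alert for every Office-parented process that is suspicious by child name or command line."""
    alerts = []
    for rec in parse_records(text):
        parent, child = basename(rec["parent"]), basename(rec["child"])
        if parent not in OFFICE_APPS:
            continue
        reasons = []
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        for name, pattern in CMDLINE_PATTERNS.items():
            if pattern.search(rec["cmdline"]):
                reasons.append(name)
        if reasons:
            alerts.append(Alert(rec["host"], rec["user"], parent, child, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawns(SAMPLE_LOG):
        print(alert)
```

Note the fifth record: Word launching splwow64.exe (the print spooler helper) is normal and produces no alert, which is why the rule keys on a short list of interpreters and downloaders rather than on "any child of Office".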

And if the hackers really don't want to go to the trouble of doing all this, they can simply pay an Initial Access Broker (IAB). This is literally a third-party hacking group that sells initial-access credentials. The more privileged the account, the more expensive it is (the price can vary between $500 and $10,000 depending on the company and the privilege level of the account).

Loader

A loader is a type of malware whose goal is to collect initial information on the target network and, first and foremost, to create a link between the compromised endpoint and the hackers' command & control infrastructure, in order to share information with the hackers, download additional malware, etc.

Among the loaders that have seen active use recently are Qakbot and Hancitor. This malware installs code libraries and tries to execute them, conducts a preliminary mapping of the target network, and seeks to establish a connection with the hackers' command & control.

If all these steps go according to plan, it can download additional malware (like Cobalt Strike) in order to move on to the next phase.

At this stage in the attack, hackers have a beachhead but not necessarily access to an account with sufficient privileges to actually do damage. 

3. Exploitation

From phishing to ransomware: Exploitation

Goal: escalate privileges and move laterally. In other words, obtain more power to act and deploy throughout the entire IT network.

Privilege escalation will enable hackers to take control of strategic servers. It can be done via a multitude of techniques, amongst which we can name the following:

  • DLL hijacking: some routines and processes run automatically with privileges higher than those of the user, for example when a computer is powering up. Malware will seek to inject its own malicious code into these routines so that it is executed with admin privileges, which brings the hackers closer to acquiring those rights
  • Recovery of admin hashes or tokens: the hashes or credentials of administrators, or their session tokens, may be saved on an endpoint (for example, if an admin logged in during the endpoint set-up phase, before it was handed to the user). The hackers' software will look for these elements and seek to reuse them
  • Brute force: a tactic that finds passwords by trying as many as necessary, or simply by guessing them (in the SolarWinds attack, the password of a crucial update server could be guessed, letting the hackers in)
  • Exploiting a known vulnerability (to name just one among many, Zerologon) in order to attack domain controllers. In particular, hackers can take advantage of the fact that not all copies of the Active Directory on a network may be up to date

Lateral movement is the hackers seeking to deploy across the entire network (or at least to be in a position to take control of its crucial servers): virtual machines, accounts and credentials, operating systems, servers…

Once they have mapped the network, hackers will seek to deploy throughout it in order to prepare the impact phase and to increase their chances of surviving if they are discovered on an endpoint. They can harvest credentials (with tools like Mimikatz, or keyloggers), use compromised accounts to send further credible phishing emails, or exploit the privileges acquired to deploy on the network.
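Two of the behaviours described in this section, password guessing (the brute-force bullet above) and lateral movement with harvested credentials, both show up in authentication logs, so one example serves both. The code below is an added example written for this article, not code from the original page; the logon events are constructed samples in a simplified CSV layout I chose (timestamp, outcome, account, source address, destination host), and the thresholds and time window are assumptions to be tuned against a real baseline. It flags (a) a success that follows a burst of failures for the same account from the same source, and (b) one account successfully logging on to many distinct hosts within a short window.

```python
"""Detect password guessing and lateral movement in constructed logon events.

Added example (not from the original article). Record format (assumed):
timestamp,outcome,account,source,destination with outcome in {FAIL, SUCCESS}.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class LogonEvent(NamedTuple):
    ts: datetime
    outcome: str
    account: str
    src: str
    dst: str


# Constructed sample: a service account guessed from 10.0.5.20, then the
# compromised "jdoe" account fanning out to five hosts in a few minutes.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:02,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:03,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:04,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:05,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:06,FAIL,svc_backup,10.0.5.20,DC01
2024-05-01T08:00:10,SUCCESS,svc_backup,10.0.5.20,DC01
2024-05-01T08:05:00,SUCCESS,jdoe,10.0.5.20,FS01
2024-05-01T08:06:00,SUCCESS,jdoe,10.0.5.20,WS-0456
2024-05-01T08:07:00,SUCCESS,jdoe,10.0.5.20,SQL01
2024-05-01T08:08:00,SUCCESS,jdoe,10.0.5.20,DC01
2024-05-01T08:09:00,SUCCESS,jdoe,10.0.5.20,APP02
2024-05-01T09:00:00,SUCCESS,bchan,10.0.7.31,WS-0789
2024-05-01T09:01:00,FAIL,bchan,10.0.7.31,FS01
2024-05-01T09:02:00,SUCCESS,bchan,10.0.7.31,FS01
"""


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the constructed CSV layout into time-ordered LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, account, src, dst = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), outcome, account, src, dst))
    return sorted(events, key=lambda e: e.ts)


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a SUCCESS follows >= threshold FAILs for the same (account, source) within the window."""
    recent_failures = defaultdict(list)  # (account, src) -> failure timestamps still inside the window
    alerts = []
    for ev in events:
        key = (ev.account, ev.src)
        fails = [t for t in recent_failures[key] if ev.ts - t <= window]
        if ev.outcome == "FAIL":
            fails.append(ev.ts)
        elif ev.outcome == "SUCCESS" and len(fails) >= threshold:
            alerts.append(("guessing", ev.account, ev.src, ev.dst, len(fails)))
            fails = []  # reset so the same burst is not reported twice
        recent_failures[key] = fails
    return alerts


def detect_lateral_movement(events, min_hosts=4, window=timedelta(minutes=10)):
    """Alert once per account that reaches >= min_hosts distinct destinations within the window."""
    successes = defaultdict(list)
    for ev in events:
        if ev.outcome == "SUCCESS":
            successes[ev.account].append(ev)
    alerts = []
    for account, evs in successes.items():
        for i, start in enumerate(evs):  # small inputs: a simple O(n^2) sliding window is fine
            hosts = {e.dst for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("lateral", account, start.ts, tuple(sorted(hosts))))
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_password_guessing(evs) + detect_lateral_movement(evs):
        print(alert)
```

The third account, bchan, shows why the failure threshold matters: a single mistyped password followed by a success is everyday noise, not guessing. In a real deployment the same logic would run over domain controller logon events rather than a constructed string, and the host threshold would be set from how many machines a typical user actually touches.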

If the hackers manage to complete these steps undetected, they are deployed throughout the network (or, at the very least, at its strategic points), with the privileges required to execute the next steps. They are in a position to strike. 

4. Impact

From phishing to ransomware: Impact

With the privileges they have obtained, and having successfully spread throughout the network, deploying ransomware can be done relatively easily via the malware already in place (like Cobalt Strike), on a command from the hackers' command & control.

Before acting, hackers will of course seek to compromise any backups they have gained access to. 

In most cases, gangs have specialized: initial access, exploitation, ransomware as a service (RaaS); the value chain is well split out. By relying on the latter, all one needs is an entry point (and payment), and the RaaS teams will provide a detailed guide on how to deploy the ransomware, and even customer support for those executing the attack.

As a side note, relying on a RaaS is not without risk: these hackers have been known to copy the data themselves and beat their customers to the punch in asking for a ransom (who said there was honor among thieves?).

Hackers deploy the ransomware, and the attack follows a relatively classic path:

  • Data exfiltration: if the hackers want to get a copy of the data
  • Privilege change: removing the legitimate users' privileges
  • Encryption of data: the data is either destroyed (when the hackers have secured a copy) or encrypted. Different ransomware families use different techniques, encrypting either the entire disk or individual files. Any backups are destroyed or encrypted as well
  • Ransom: the hackers ask for a ransom to unlock and return the data, and can threaten to leak it in order to damage the target's reputation (double or triple extortion)
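File-level encryption, described in the "Encryption of data" step above, changes what gets written to disk in a measurable way: ciphertext has near-maximal byte entropy, and many families also rename files with an extra extension. The code below is an added example written for this article, not the page's own or any vendor's code. It scores file writes by Shannon entropy and extension shape and raises an alert when a single process produces several suspicious writes; the write records, the sample contents and the ".aaa" extension are constructed, and the thresholds are assumptions. It also handles the classic false positive: compressed archives and images are high-entropy too, so known container headers are excluded before the entropy check counts.

```python
"""Spot mass high-entropy file writes that look like file-level encryption.

Added example (not from the original article). Write records are constructed
tuples (process, path, bytes written); the pseudo-random sample stands in for
ciphertext and is generated deterministically from SHA-256 so the run is offline.
"""
import hashlib
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5  # bits per byte; assumption, ciphertext/random data sits near 8.0
DOCUMENT_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv"}
# Magic bytes of legitimate high-entropy formats that must not be mistaken for ciphertext.
KNOWN_CONTAINERS = [b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF"]

# Constructed sample contents.
PSEUDO_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))  # 4096 bytes
PLAINTEXT = b"Quarterly report: revenue up 4%, headcount stable, renewals on track.\n" * 50
GZIP_SAMPLE = b"\x1f\x8b\x08" + PSEUDO_RANDOM[:2048]  # gzip header followed by compressed-looking bytes

# Constructed write records: (process, path, data). "unknown.exe" and ".aaa" are placeholders.
WRITES = [
    ("notepad.exe", r"C:\Users\jdoe\notes.txt", PLAINTEXT),
    ("backup.exe", r"E:\backups\daily.tar.gz", GZIP_SAMPLE),
    ("unknown.exe", r"D:\share\finance\q1.xlsx.aaa", PSEUDO_RANDOM),
    ("unknown.exe", r"D:\share\finance\q2.xlsx.aaa", PSEUDO_RANDOM[::-1]),
    ("unknown.exe", r"D:\share\hr\contracts.docx.aaa", PSEUDO_RANDOM[512:] + PSEUDO_RANDOM[:512]),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_known_container(data: bytes) -> bool:
    """True when the write starts with a recognised archive/image/PDF signature."""
    return any(data.startswith(magic) for magic in KNOWN_CONTAINERS)


def has_extra_extension(path: str) -> bool:
    """True for names like report.docx.aaa: a document extension buried under a new final extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and any(p in DOCUMENT_EXTS for p in parts[1:-1]) and parts[-1] not in DOCUMENT_EXTS


def assess_write(process: str, path: str, data: bytes) -> dict:
    """Score one write; 'reasons' is empty when nothing about it looks like encryption."""
    reasons = []
    entropy = shannon_entropy(data)
    if entropy >= HIGH_ENTROPY and not looks_like_known_container(data):
        reasons.append(f"high entropy ({entropy:.2f} bits/byte) without a known container header")
    if has_extra_extension(path):
        reasons.append("document extension followed by an extra extension")
    return {"process": process, "path": path, "entropy": entropy, "reasons": reasons}


def find_mass_encryption(writes, min_files: int = 3) -> dict:
    """Map process -> suspicious writes, keeping only processes at or above min_files hits."""
    per_process = defaultdict(list)
    for process, path, data in writes:
        assessment = assess_write(process, path, data)
        if assessment["reasons"]:
            per_process[process].append(assessment)
    return {proc: hits for proc, hits in per_process.items() if len(hits) >= min_files}


if __name__ == "__main__":
    for proc, hits in find_mass_encryption(WRITES).items():
        print(proc, [(h["path"], round(h["entropy"], 2)) for h in hits])
```

Entropy alone is a weak signal (the backup job's gzip output scores just as high as ciphertext); it becomes useful when combined with the per-process count and the rename pattern, and when container formats are excluded up front, which is what keeps backup.exe out of the result here.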

CONCLUSION

From afar, phishing can seem relatively harmless ("at worst, a sales rep loses his or her credentials"). The problem is that any user can constitute an entry point into a network ahead of an in-depth attack. Of course, having a tiered network can limit certain risks and make lateral movement harder. But that doesn't change the fact that any account, even a low-level one, contains substantial information exploitable by hackers, enabling them to conduct sophisticated attacks later on.