Ransomware Operations: The Modern Threat
Ransomware has evolved from simple encryption malware to sophisticated criminal enterprises. Modern ransomware operations combine technical exploitation with business extortion tactics. Understanding this ecosystem is essential for both red teams and defenders.
This chapter documents ransomware operations for defensive understanding and authorized red team simulation. Actually deploying ransomware is a serious federal crime carrying prison terms that can exceed 20 years. See Attribution & Consequences.
The Ransomware Ecosystem
RANSOMWARE-AS-A-SERVICE ECOSYSTEM:
Developers (create the RaaS)
├── Build and run the ransomware platform and affiliate panel
├── Provide tools and support to affiliates
└── Revenue share: 20-30%
Affiliates (deploy attacks)
├── Buy or rent access to the RaaS panel
├── Compromise targets and deploy the payload
└── Revenue share: 70-80%
Victims (pay ransom)
├── Company encrypted
└── Pay ransom (Bitcoin)
Supporting services
├── Initial access brokers (sell compromised networks)
├── Bulletproof hosting
├── Cryptocurrency laundering
├── Negotiation services
└── Data leak sites (for double extortion)
Major RaaS Groups (Historical)
| Group | Active Period | Notable Attacks | Status |
|---|---|---|---|
| LockBit | 2019-2024 | Royal Mail, Boeing, thousands more | Disrupted by law enforcement |
| BlackCat/ALPHV | 2021-2024 | MGM Resorts, Reddit | Disrupted/Exit scam |
| Conti | 2020-2022 | Costa Rica government | Disbanded after leaks |
| REvil/Sodinokibi | 2019-2022 | Kaseya, JBS Foods | Arrested/Disrupted |
| DarkSide | 2020-2021 | Colonial Pipeline | Shut down after attention |
Ransomware Attack Flow
RANSOMWARE ATTACK TIMELINE (day ranges are illustrative; dwell time varies from hours to months):
Day 0-7: Initial Access
├── Phishing
├── RDP brute force
├── VPN exploit
└── Buy access from an initial access broker
Day 7-14: Recon & Lateral Movement
├── AD enumeration
├── Credential dumping
├── Privilege escalation
├── Map shares
├── Find backups
└── Disable AV
Day 14-21: Exfiltrate Data
├── Leverage for double extortion
├── Proof of access
└── Fallback leverage if the victim restores from backup and never needs a decryptor
Day 21+: Deploy & Encrypt
├── Ransom note dropped on every encrypted host
└── Negotiation & payment
Initial Access Methods
COMMON RANSOMWARE ENTRY VECTORS:
1. PHISHING (Most common)
├── Malicious attachments (macro-enabled docs)
├── Links to credential harvesting
├── QR code phishing (QRishing)
└── Callback phishing (BazarCall style)
2. EXPOSED SERVICES
├── RDP brute force (port 3389)
├── VPN vulnerabilities (Fortinet, Pulse Secure)
├── Citrix vulnerabilities
└── Exchange vulnerabilities (ProxyShell, ProxyLogon)
3. INITIAL ACCESS BROKERS
├── Buy pre-compromised access on forums
├── Typical price: $500-$5000 per organization
├── Access sold includes: VPN creds, webshells, RDP
└── Affiliates skip initial compromise entirely
4. SOFTWARE VULNERABILITIES
├── Unpatched systems
├── Zero-days (rare but devastating)
└── Supply chain (see Supply Chain chapter)
Technical Techniques
Pre-Encryption Actions
Modern ransomware doesn't just encrypt immediately. Operators spend days or weeks preparing the environment for maximum impact.
# Typical pre-encryption reconnaissance (techniques observed in real intrusions).
# Get-AD* cmdlets need the RSAT ActiveDirectory module; Invoke-ShareFinder is PowerView.
# Enumerate the domain and its most privileged group
Get-ADDomain
Get-ADForest
Get-ADGroupMember "Domain Admins" -Recursive
# Find backup servers by hostname; backup infrastructure is hit first so recovery fails
Get-ADComputer -Filter * | Where-Object { $_.Name -match "backup|veeam|acronis" }
# Enumerate reachable shares and whether the current user can read them (PowerView)
Invoke-ShareFinder -CheckShareAccess
# Find valuable data below the current directory (database files and dumps)
Get-ChildItem -Recurse -Include *.sql,*.bak,*.mdf -ErrorAction SilentlyContinue | Select-Object FullName
# Identify running security tools by executable name, not vendor name:
# Defender = MsMpEng, Symantec = ccSvcHst, CrowdStrike = CSFalconService, SentinelOne = SentinelAgent
Get-Process | Where-Object { $_.Name -match "MsMpEng|ccSvcHst|CSFalcon|SentinelAgent" }
Disabling Defenses
# Observed defense evasion techniques. All require local admin, and on a current
# Windows build most of them fail or are reverted when Defender tamper protection
# is on; the attempt itself is a high-fidelity detection.
# Turn off Defender protections (blocked by tamper protection)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
# Stop security services. WinDefend and the Defender for Endpoint sensor (Sense)
# are protected and normally return "access denied" even to admins; operators more
# often succeed against third-party AV and backup agent services.
Stop-Service -Name "WinDefend" -Force
Stop-Service -Name "Sense" -Force   # Microsoft Defender for Endpoint sensor
# Delete Volume Shadow Copies (removes the easiest local recovery path)
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
# Disable Windows recovery so the machine cannot self-repair at boot
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
# Clear event logs. The clear itself still writes Security 1102 / System 104,
# so log clearing is loud when logs are forwarded off-host.
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
Encryption Patterns
RANSOMWARE ENCRYPTION METHODS:
File Encryption:
├── Symmetric key (AES-256) encrypts files
├── Asymmetric key (RSA-2048/4096) encrypts symmetric key
├── Encrypted key stored in file or separate location
└── Only attacker has RSA private key to decrypt
Encryption Scope:
├── Local drives (C:, D:, etc.)
├── Mapped network drives
├── Unmapped but accessible shares
├── Cloud sync folders (OneDrive, Dropbox)
└── Sometimes connected backup drives
File Targeting:
├── Documents: .doc, .docx, .pdf, .xls, .xlsx
├── Databases: .sql, .mdf, .bak, .sqlite
├── Images: .jpg, .png, .psd, .ai
├── Development: .cs, .py, .java, .cpp
├── VMs: .vmdk, .vhd, .vhdx
└── Backups: .bak, .vbk, .vib
Excluded (to keep system bootable):
├── Windows system files
├── Boot files
├── The ransomware itself
└── Ransom note files
Double & Triple Extortion
EXTORTION LAYERS:
Single extortion (traditional)
├── Pay ransom → get decryption key
└── Don't pay → files stay encrypted
Double extortion (current standard)
├── 1. Pay ransom → get decryption key
├── 2. Pay again → data not leaked publicly
└── Data leak sites publish sample files as proof, a countdown timer, and the full dump if unpaid
Triple extortion (double extortion plus further pressure)
├── 1. Encryption
├── 2. Data leak threat
├── 3. DDoS attacks on the victim
├── 4. Direct contact with the victim's customers and partners
└── 5. Reporting the breach to regulators
Ransom Negotiation
TYPICAL NEGOTIATION PROCESS:
1. INITIAL CONTACT
├── Victim visits .onion site from ransom note
├── Unique victim ID authenticates
├── Chat interface with "support"
└── Initial demand presented (often $100K-$50M)
2. PROOF OF DECRYPTION
├── Victim can decrypt 1-3 files free
├── Proves attacker has working decryptor
└── Builds "trust" in process
3. NEGOTIATION TACTICS (Victim)
├── Claim financial hardship
├── Request deadline extension
├── Ask for partial payment plan
├── Negotiate scope (decrypt vs no-leak)
└── Typical reduction: 20-50% off initial demand
4. NEGOTIATION TACTICS (Attacker)
├── Deadline pressure (price increases)
├── Leak sample data as pressure
├── Claim to have specific sensitive files
└── Professional tone to encourage payment
5. PAYMENT
├── Bitcoin or Monero
├── Payment instructions provided
├── Decryptor delivered after confirmation
└── Average time: hours to days
The FBI recommends against paying ransoms. Many organizations pay anyway because business-continuity losses exceed the demand, a data leak would cause more damage, or cyber insurance covers the payment. Payment guarantees neither a working decryptor nor deletion of the stolen data, and in the US a payment to a sanctioned group can itself create legal exposure for the victim.
Defensive Measures
Prevention
| Control | What It Prevents | Priority |
|---|---|---|
| Offline, immutable backups (3-2-1 rule, restores tested) | Removes the encryption leverage (not the leak leverage) | Critical |
| Patch management, internet-facing systems first | Blocks exploitation of known VPN, Citrix and Exchange bugs | Critical |
| MFA on every remote entry point | Stops reuse of stolen or brute-forced passwords | Critical |
| Network segmentation | Limits lateral movement and the blast radius of encryption | High |
| EDR with tamper protection enabled | Detects and blocks pre-encryption activity | High |
| Email filtering | Blocks phishing delivery | High |
| No internet-exposed RDP; VPN patched and behind MFA | Removes the most common entry points | High |
Detection Opportunities
RANSOMWARE DETECTION POINTS:
Initial Access:
├── Failed RDP logins from unusual locations
├── VPN connections from new geolocations
├── Phishing email indicators
└── New user accounts created
Reconnaissance:
├── BloodHound/SharpHound execution
├── Mass LDAP queries
├── Network scanning activity
└── Enumeration tool artifacts
Pre-Encryption:
├── vssadmin delete shadows
├── bcdedit modifications
├── Security service stopped
├── Mass file access patterns
├── Backup system access/deletion
└── Defender exclusions added
Encryption:
├── High CPU usage
├── Mass file modifications
├── New file extensions appearing
├── Ransom note file creation
└── Encryption key generation events
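The pre-encryption indicators are the highest-value detection point, because every command in the Disabling Defenses section leaves a process-creation record before a single file is touched. The following is an added example for this chapter, not code from any tool or group it names: it runs a small rule set over constructed Sysmon-style process events, maps each hit to its ATT&CK technique, and raises a host-level alert only when several distinct techniques appear on one host. Host names, the event field layout and the rule set are assumptions for the demo.

```python
"""Detect the pre-encryption commands listed above in process-creation
events and map each hit to its ATT&CK technique.

Added example for this chapter, not code from any tool or group it names.
Events are constructed here as (host, parent image, command line) tuples,
a simplified stand-in for Sysmon Event ID 1 / Security 4688 records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


# Match on the destructive verb plus its object, not on the tool name alone,
# so routine admin queries (vssadmin list shadows, Get-MpPreference) stay silent.
RULES = [
    Rule("Shadow copies deleted (vssadmin)", "T1490",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("Shadow copies deleted (wmic)", "T1490",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("Shadow copies deleted (WMI class)", "T1490",
         re.compile(r"Win32_ShadowCopy\b.*\b(?:Remove|Delete)\b", re.I)),
    Rule("Recovery environment disabled", "T1490",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("Boot failure handling disabled", "T1490",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    Rule("Defender protection switched off", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|BehaviorMonitoring|"
                    r"IOAVProtection)\b.*\$?true\b", re.I)),
    Rule("Defender exclusion added", "T1562.001",
         re.compile(r"\b(?:Add|Set)-MpPreference\b.*-ExclusionPath\b", re.I)),
    Rule("Security or backup service stopped", "T1489",
         re.compile(r"\b(?:Stop-Service|sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop)\b.*"
                    r"\b(?:WinDefend|Sense|MsMpSvc|CSFalconService|SentinelAgent|Veeam\w*)\b", re.I)),
    Rule("Event log cleared", "T1070.001",
         re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.I)),
]

# Constructed sample events. WS-042 reproduces the Disabling Defenses sequence;
# the remaining rows are benign noise a detector must not fire on.
SAMPLE_EVENTS = [
    ("WS-042", "explorer.exe", r"C:\Windows\System32\cmd.exe /c dir \\fileserver\finance"),
    ("WS-042", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("WS-042", "cmd.exe", "wmic shadowcopy delete"),
    ("WS-042", "cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("WS-042", "cmd.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-042", "powershell.exe", "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-042", "powershell.exe", 'powershell -c Stop-Service -Name "WinDefend" -Force'),
    ("WS-042", "cmd.exe", "wevtutil cl Security"),
    ("SRV-BKP01", "services.exe", r"C:\Program Files\Veeam\Backup\VeeamDeploymentSvc.exe"),
    ("WS-007", "cmd.exe", "vssadmin list shadows"),
    ("WS-007", "powershell.exe", "powershell -c Get-MpPreference"),
]


def scan(events):
    """Return one (host, rule name, technique, command line) tuple per matching rule."""
    hits = []
    for host, _parent, cmdline in events:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                hits.append((host, rule.name, rule.technique, cmdline))
    return hits


def triage(events, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques in the event set.

    Each command alone has rare legitimate admin uses; several distinct
    recovery- and defence-tampering techniques on one host in a short window
    do not, so alerting on the combination cuts false positives. The window is
    whatever slice of events the caller passes in (a SIEM would bucket by time).
    """
    techniques = {}
    for host, _name, technique, _cmd in scan(events):
        techniques.setdefault(host, set()).add(technique)
    return {h: sorted(t) for h, t in techniques.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for host, name, technique, cmd in scan(SAMPLE_EVENTS):
        print("%-10s %-10s %-38s %s" % (host, technique, name, cmd))
    print("staging hosts:", triage(SAMPLE_EVENTS))
```

Run directly, it prints the seven hits from the WS-042 sequence and flags that host as a staging host; the `vssadmin list shadows` and `Get-MpPreference` rows stay silent because the rules key on the destructive verb rather than the tool name. In production the same rules belong in the SIEM against Sysmon Event ID 1 or Security 4688; 4688 only carries the command line if command-line auditing is enabled, so check that before relying on it.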
Red Team Simulation
These tools exercise the detection points above without performing real encryption, so defences can be tested on live endpoints. Review what each test actually does before running it outside a lab.
| Tool | Purpose | Safe for Production |
|---|---|---|
| Vendor ransomware simulators | Test endpoint detection | Yes (no real encryption) |
| Atomic Red Team | Test specific techniques | Mostly (review each test) |
| Chain Reactor | Simulate attack chains | Lab only |
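The encryption-stage indicators in the detection list (mass modifications, new extensions, a ransom note) and the safe simulation described in the table are two sides of one exercise, so one added example covers both. It is not code from this chapter or from any of the tools listed above. It seeds throwaway text files in a temporary directory, writes a random-byte `.locked` sibling for each without touching the originals (no key, no cipher, nothing to recover), drops a note, and then runs a Shannon-entropy and extension-churn check that should flip from clean to ransomware-like. The extension, note name, keyword list and thresholds are assumptions chosen for the demo.

```python
"""Safe ransomware-impact simulation and the encryption-stage detector that
should catch it.

Added example for this chapter; not one of the simulators named in the table
and not code from any group the chapter describes. Everything happens inside a
throwaway temporary directory: the "encryption" writes a random-byte sibling of
each seeded file with an appended extension and never touches the original,
so there is no key, no cipher and nothing to recover. The extension, note name,
keywords and thresholds are assumptions for the demo.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SIM_EXT = ".locked"                 # assumed marker extension
NOTE_NAME = "README_RESTORE.txt"    # assumed ransom-note file name
# Formats that are legitimately high-entropy (compressed or already encrypted).
# Entropy alone would flag them, so they are excluded from the extension check.
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".docx", ".xlsx", ".pptx"}
NOTE_KEYWORDS = ("readme", "restore", "recover", "decrypt", "how_to")   # assumed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or random data, well below 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def seed_victim_files(root: Path, count: int = 20) -> list:
    """Constructed sample data: plain-text reports with very low entropy."""
    paths = []
    for i in range(count):
        p = root / f"report_{i:02d}.txt"
        p.write_text(f"Quarterly figures, line {i}\n" * 200)
        paths.append(p)
    return paths


def simulate_encryption(root: Path) -> int:
    """Reproduce the observable impact pattern without harm: one high-entropy
    sibling per document carrying SIM_EXT, then a ransom note. Originals are
    left in place, which is what makes this safe to run."""
    done = 0
    for p in sorted(root.glob("*.txt")):
        if p.name == NOTE_NAME:
            continue
        (root / (p.name + SIM_EXT)).write_bytes(os.urandom(p.stat().st_size))
        done += 1
    (root / NOTE_NAME).write_text("Your files have been encrypted. (SIMULATION)\n")
    return done


def assess_directory(root: Path, entropy_threshold: float = 7.5, min_files: int = 10) -> dict:
    """Apply the chapter's encryption-stage indicators to one directory:
    a burst of high-entropy files sharing a new, unfamiliar extension, plus
    a ransom-note-like file. Returns the evidence and a boolean verdict."""
    files = [p for p in root.iterdir() if p.is_file()]
    high = [p for p in files if shannon_entropy(p.read_bytes()) >= entropy_threshold]
    ext_counts = Counter(p.suffix.lower() for p in high
                         if p.suffix.lower() not in COMPRESSED_EXTS)
    dominant_ext, dominant_count = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    notes = sorted(p.name for p in files
                   if any(k in p.name.lower() for k in NOTE_KEYWORDS))
    # Cluster of high-entropy files under one unknown extension, corroborated by
    # a note or by that cluster being most of the directory.
    verdict = dominant_count >= min_files and (
        bool(notes) or dominant_count / max(len(files), 1) >= 0.5)
    return {
        "files": len(files),
        "high_entropy": len(high),
        "dominant_ext": dominant_ext,
        "dominant_ext_count": dominant_count,
        "notes": notes,
        "ransomware_like": bool(verdict),
    }


def run_demo() -> tuple:
    """Seed, assess, simulate, assess again; returns (before, after) verdict dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        seed_victim_files(root)
        before = assess_directory(root)
        simulate_encryption(root)
        after = assess_directory(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Entropy on its own is a weak signal: Office documents, archives and images are compressed and sit near 8 bits per byte too, which is why the check excludes those extensions and requires a cluster of high-entropy files under a single unfamiliar extension corroborated by a note. A detector built from this should also cap how much of each file it reads (the first few KB is enough) and watch rename and write rates rather than rescanning whole directories.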
MITRE ATT&CK Mapping
Ransomware operations use techniques across the ATT&CK framework. The ones exercised by the commands in this chapter:
| Technique | ID | Ransomware Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Core ransomware function |
| Inhibit System Recovery | T1490 | Delete shadow copies, disable Windows recovery |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Turn off Defender, add exclusions |
| Service Stop | T1489 | Disable security/backup services |
| Data Staged | T1074 | Prep for exfiltration |
| Exfiltration Over C2 Channel | T1041 | Steal data for double extortion |
| Indicator Removal: Clear Windows Event Logs | T1070.001 | wevtutil cl after tampering |