Anatomy of a Targeted Ransomware Attack

Anatomy of a Targeted Ransomware Attack

Anatomy of a Targeted Ransomware Attack

Imagine your most critical systems suddenly stop operating, bringing your entire business to a screeching halt. And then someone demands a ransom to get your systems working again. Or someone launches a DDoS against you and demands ransom to make it stop.  That’s the world of ransomware and ransom DDoS.

So what exactly is ransomware? It is malicious software that encrypts files on computers making them useless until they are decrypted. In some cases, ransomware could even corrupt and destroy data. A ransom note is then placed on compromised systems with instructions to pay a ransom in exchange for a decryption utility that can be used to restore encrypted files. Payment is often in the form of Bitcoin or other cryptocurrency.

Recently, Cloudflare onboarded and protected a Fortune 500 customer from a targeted Ransom DDoS (RDDoS) attack — a different type of extortion attack.

Prior to joining Cloudflare, I responded to and investigated a large number of data breaches and ransomware attacks for clients across various industries, including healthcare, financial, and education, to name a few. I’ve been in the trenches analyzing these types of attacks and working closely with clients to help them recover from the aftermath.

In this blog post, I want to share what I learned from those network intrusions and how Cloudflare can help prevent a similar attack in your environment.

Attack Evolution

Before peeling back the layers of targeted ransomware attacks, I want to briefly describe the differences between opportunistic vs. targeted types of attacks.

An opportunistic attack is one where a crime group casts a wide net with the end goal of infecting whoever and whatever they can. This is often accomplished by mass distribution of spam email that contains malicious URLs or file attachments that execute malicious code on user endpoints, ultimately infecting them with ransomware.

Other methods of distribution include drive-by downloads and malvertising campaigns where unsuspected users visit compromised websites that lead to a series of redirection chains that ultimately serve the user with malicious content. This is where Cloudflare’s Remote Browser Isolation (RBI) solution really shines!

Over the past few years, threat actors have shifted to much more targeted attacks that net higher Bitcoin payment returns for their efforts. These attacks generally focus on compromising critical systems, exfiltrating data, and installing backdoors in target environments. Now let’s walk through what I’ve seen from the trenches.

Initial Compromise

From my experience, the majority of the targeted investigations I conducted all started from one of three common initial attack vectors:

  • An attacker compromised Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) servers
  • An attacker exploited an unpatched vulnerability in a web application or server
  • An attacker spear-phished key individuals to gain a foothold in the target environment

Not surprisingly, the most common method I came across were attacks against RDP and VPN servers. Most of which were accessed from traditional brute force login attempts where two-factor authentication was not enabled. In other cases, attackers leveraged compromised credentials to access the environment over VPN.

In reality, the initial compromise stage was not very complex at all. In most cases, attackers simply scanned the Internet for low hanging fruit and looked for any exposed RDP servers that listened on the standard 3389 RDP port. Thankfully, Cloudflare Access makes it very easy to protect your RDP servers from these types of attacks. Last year, with the pandemic shifting the majority of the workforce to a remote-first environment, Cloudflare announced the ability to protect your RDP servers at scale. Taking security a step further, Cloudflare announced Magic WAN & Firewall to allow users to have further control over other internal resources by segmenting what they can interact with and from where.

In cases where direct exploitation of unpatched vulnerabilities was used as the attack vector to spread ransomware and a patch is not immediately available, using a web application firewall such as Cloudflare’s WAF, is a great way to apply short-term mitigation strategies to block exploitation attempts until a patch becomes available.

Lateral Movement, Data Exfiltration, and Extortion

One particular compromise was particularly scary. After the attacker gained access to the client’s environment by compromising an RDP server, they began to perform internal reconnaissance to identify critical systems in their environment.

After the attacker mapped out the network, they leveraged compromised credentials to remotely install backdoors on two critical systems in order to maintain persistence. This was one of the first times I saw an attacker do this in a ransomware compromise, but it speaks to the level of effort threat actors are willing to go. Unfortunately, this wasn’t all they did.

After installing the backdoors, the threat actor then moved laterally to the company’s internal backup servers to permanently delete all data backups to prevent the client from restoring from them. Unfortunately, they did not maintain offsite copies of this data. And  the threat actor also exfiltrated sensitive customer data from the environment before deploying the ransomware.

The final blow was when the threat actor deployed ransomware across the environment, crippling their entire operations and literally bringing everything to a halt. Following the ransomware deployment, the threat actor emailed key decision makers of the organization, including the board, and demanded a very high sum of Bitcoin in exchange for the keys to decrypt their systems. They also threatened to release customer data if they did not pay the amount and provided proof as evidence.

I remember this investigation vividly because it was quite devastating for the founder. This attack literally took everything he had built away over the span of a day or two.

Using Cloudflare

While threat actors may only need one way to get in, defenders have more than one opportunity to detect them. One exciting announcement this week that helps with just that is Gateway with AV! By adding malware scanning to Gateway, defenders can now detect malicious files that unsuspecting users download or a threat actor places. Oftentimes, these are early signs of compromise that should be investigated.

From a response and investigation standpoint, Gateway can be used to block malicious domains to prevent other users from reaching them. As a bonus, Gateway logs are especially useful for scoping other potentially compromised devices that also communicate with malicious domains. In fact, the Security team at Cloudflare uses Gateway to keep our own users secure and to help us conduct investigations.

Combined with Gateway, Cloudflare Access and WAF can be used to add an extra layer of security and visibility into your users and applications, both of which also provide valuable insight to security teams. Threat actors look for different ways to compromise your environment at the user, application, and network level. With Access, you can protect and control what users have access to, monitor authentication activity, and revoke access easily if a compromise is suspected. Critical web applications, especially those that are Internet-facing, should be protected by a WAF to block malicious attacks from legitimate web traffic. All it takes is one vulnerability to be exploited for an attacker to potentially gain access to your data, or worse, embed malicious content that can be used to infect users that visit your web application.

Lastly, while I only focused on ransomware on the endpoint, I should point out that threat actors can also leverage botnets to conduct attacks over the network. Imagine being surrounded by a small army of bulldozers threatening to destroy your home unless you pay them a large sum of money. That’s as Ransom DDoS and it’s why DDoS mitigation is so important.


Ransomware attacks continue to be on the rise and there’s no sign of them slowing down in the near future. With ransomware as a service (RaaS) models, it’s even easier for inexperienced threat actors to get their hands on them today. RaaS is essentially a franchise that allows criminals to rent ransomware from malware authors. It takes away the need to build their own and creates a win-win opportunity for both parties.

Here are some general recommendations to help you and your organization stay secure:

  • Use 2FA everywhere, especially on your remote access entry points. This is where Cloudflare Access really helps.
  • Maintain multiple redundant backups of critical systems and data, both onsite and offsite
  • Monitor and block malicious domains using Cloudflare Gateway + AV
  • Sandbox web browsing activity using Cloudflare RBI to isolate threats at the browser

Source:: CloudFlare