How malicious Office files and abused Windows privileges enable ransomware

Ransomware groups most often gain entry to Windows networks through malicious Office documents and then move laterally by abusing Windows privileges. Here's how to defend against both.


McAfee recently released research on the Cuba ransomware. These attackers have pivoted to leaking data to extort funds from the firms they attack. As is typical these days, the attackers had access to the network before they activated the ransomware. This allowed them to examine the network and work out how best to attack it.

The attackers used PowerShell commands to move laterally in the network. PowerShell was called from the SysWOW64 folder using the command Powershell -windowstyle hidden to hide its window from the user. The ransomware checked for specific languages, for example Russian, to give the attacker flexibility. The attackers then reviewed what each workstation had access to, and the last connection made to each workstation, to find more targets. The attackers also used the SeDebugPrivilege token privilege to elevate privileges. The attack sequence disabled certain services, including those related to SQL, email and other communication processes.
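As a defender's illustration of the behaviour described above, here is an added example (not code from the article or from McAfee's research) that runs simple detection rules over constructed process-creation records: it flags PowerShell launched from the SysWOW64 path with a hidden window style, flags net/sc "stop" commands against SQL and mail services, and reports hosts that show both. The record field names, hostnames, user names, paths and service names are assumptions made up for the example.

```python
"""Detection rules for the PowerShell lateral-movement and service-stop pattern
described in the article, run over constructed process-creation records.
Added example; not the article's or McAfee's code."""
import re
from dataclasses import dataclass

# Constructed sample records. Field names loosely follow the Windows security
# "process creation" event; every value here is invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "WS07", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Powershell -windowstyle hidden -File C:\Users\Public\stage.ps1"},
    {"host": "WS07", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "SRV02", "user": "CORP\\dba",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop MSExchangeIS"},
]

# Database and mail services hold files open, so ransomware stops them before
# encrypting. The service-name patterns below are an assumed starter list.
SENSITIVE_SERVICE = re.compile(r"(MSSQL|SQLSERVERAGENT|MSExchange|IMAP|SMTP|POP3)", re.I)
# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.I)
STOP_SERVICE = re.compile(r"\bstop\s+(\S+)", re.I)
SERVICE_TOOLS = {"net.exe", "net1.exe", "sc.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply the per-event rules to one record and return its findings."""
    out = []
    image, cmd = ev["image"], ev["cmdline"]
    base = _basename(image)
    if base == "powershell.exe":
        hidden = bool(HIDDEN_WINDOW.search(cmd))
        wow64 = "\\syswow64\\" in image.lower()
        if hidden and wow64:
            out.append(Finding(ev["host"], "hidden_powershell_wow64",
                               "32-bit PowerShell with hidden window: " + cmd))
        elif hidden:
            out.append(Finding(ev["host"], "hidden_powershell", cmd))
    if base in SERVICE_TOOLS:
        m = STOP_SERVICE.search(cmd)
        if m and SENSITIVE_SERVICE.search(m.group(1)):
            out.append(Finding(ev["host"], "sensitive_service_stop",
                               f"{base} stopping {m.group(1)}"))
    return out


def analyze(events) -> dict:
    """Group findings by host so the chain rule can look at a host as a whole."""
    findings = {}
    for ev in events:
        for f in check_event(ev):
            findings.setdefault(f.host, []).append(f)
    return findings


def precursor_hosts(events) -> list:
    """Hosts showing both hidden PowerShell and a sensitive service stop."""
    hosts = []
    for host, fs in analyze(events).items():
        rules = {f.rule for f in fs}
        if rules & {"hidden_powershell_wow64", "hidden_powershell"} \
                and "sensitive_service_stop" in rules:
            hosts.append(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host, fs in analyze(SAMPLE_EVENTS).items():
        for f in fs:
            print(f"{host}: [{f.rule}] {f.detail}")
    print("hosts with precursor chain:", precursor_hosts(SAMPLE_EVENTS))
```

In the sample data only WS07 triggers both rules; SRV02 stops an Exchange service but shows no hidden PowerShell, which is the kind of single-signal hit that needs a human to rule out routine maintenance. In a real deployment the records would come from a SIEM or EDR process-creation feed, and the service list would be tuned to the services the environment actually runs.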

Attackers’ favorite Windows privileges

Windows privileges are often used and abused in other attacks:
