Ransomware attacks are well documented from the point of execution of the payload onward, including details of how organizations are damaged by the hit and the various options for recovery.
We know much less about what happens in the days before an organization is alerted by the appearance of ransom notes.
Contemporary ransomware attacks are not simple hit-and-run campaigns triggered by phishing emails. The attackers gain a foothold within the organization, then spend days, if not weeks, disabling protection software, gathering information and performing lateral movement in order to establish access to as many systems as possible. By the time they deploy the ransomware with a quick and devastating blow, the preparations have already been made to disable large parts of the organization, making a stronger case for the organization to pay the ransom.
Our research is based on information collected from actual attacks. We have uncovered the toolset and techniques prolific ransomware groups use in the preparation phase of their attacks. This presentation will provide very detailed coverage of the toolsets used by different ransomware groups, and the typical infection procedures we have observed in the field. We hope this knowledge helps organizations recognize and stop the attacks before the damage is done.
Key points:
Case study 1: Netwalker
- Initial access to the organization (Tomcat, Weblogic exploitation)
- Privilege escalation
- Disabling security software (legacy tools)
- Tools and methods of information gathering (Mimikatz, NLBrute, WinPwn)
- Mapping the network (Network Scanner)
- Lateral movement
- Ransomware deployment
Case study 2: Dharma (Threat actors A and B)
- Initial access to the organization (RDP)
- Privilege escalation
- Disabling security software (Gmer, Process Hacker)
- Tools and methods of information gathering (Mimikatz, NLBrute)
- Mapping the network (Advanced IP Scanner)
- Lateral movement
- Ransomware deployment
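The preparation phase described above is what a defender has days, not seconds, to catch. The following script is an added illustration written for this page, not code from the presentation or the researchers: it maps the tool names listed in the two case studies (Mimikatz, NLBrute, WinPwn, Gmer, Process Hacker, Advanced IP Scanner, Network Scanner) to the stages they serve, then flags any host on which more than one stage appears inside a dwell-time window. The process-creation events are constructed samples in a simplified `timestamp|host|user|image` format, and the executable names matched by the regular expressions are assumptions about how those tools typically appear on disk, not values taken from the attacks.

```python
"""Correlate preparation-phase tooling per host over constructed process-creation events.

Added example, not part of the original abstract. Tool names come from the
case study outlines; the image-name patterns are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> regex patterns matched against the lower-cased image file name.
# Stages follow the case study outlines; file-name patterns are assumed.
STAGE_PATTERNS = {
    "credential_gathering": [r"mimikatz", r"nlbrute", r"winpwn"],
    "disable_security":     [r"gmer", r"process_?hacker"],
    "network_mapping":      [r"advanced_ip_scanner", r"network_?scanner"],
}

# Constructed sample events (not real telemetry): timestamp|host|user|image
SAMPLE_EVENTS = """\
2021-03-01T09:02:11|WS-17|alice|C:\\Windows\\System32\\notepad.exe
2021-03-01T22:14:03|SRV-APP01|svc_tomcat|C:\\Users\\Public\\mimikatz.exe
2021-03-01T22:31:45|SRV-APP01|svc_tomcat|C:\\Users\\Public\\ProcessHacker.exe
2021-03-02T01:05:20|SRV-APP01|svc_tomcat|C:\\Users\\Public\\advanced_ip_scanner.exe
2021-03-03T10:00:00|WS-23|bob|C:\\Tools\\advanced_ip_scanner.exe
2021-03-05T11:11:11|WS-23|bob|C:\\Windows\\explorer.exe
"""


def parse_event(line):
    """Split one pipe-delimited event line into a dict with a parsed timestamp."""
    ts, host, user, image = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "image": image}


def classify(image):
    """Return the preparation stage a process image belongs to, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for stage, patterns in STAGE_PATTERNS.items():
        if any(re.search(p, name) for p in patterns):
            return stage
    return None


def correlate(event_text, window=timedelta(hours=48), min_stages=2):
    """Flag hosts where at least `min_stages` distinct stages occur within `window`.

    A single recon tool on one workstation is noise; several stages on the
    same host within days is the pattern the case studies describe.
    """
    per_host = defaultdict(list)
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stage = classify(ev["image"])
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage, ev["image"]))

    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = sorted({s for _, s, _ in in_window})
            if len(stages) >= min_stages:
                findings[host] = {
                    "first_seen": t0,
                    "stages": stages,
                    "tools": [img for _, _, img in in_window],
                }
                break
    return findings


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(info['stages'])} starting {info['first_seen']}")
        for tool in info["tools"]:
            print(f"    {tool}")
```

With the sample data only SRV-APP01 is flagged: credential gathering, security-tool tampering and network mapping all appear within three hours, while the lone scanner on WS-23 stays below the threshold. In practice the image names would come from Sysmon or EDR process-creation telemetry, and the window and threshold would be tuned to the organization's own baseline.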