TL;DR
Ransomware *can* succeed without root (administrator) privileges, but attacks are far more damaging and widespread with them. Without root access, ransomware is limited to what the current user can modify. With privileged access, it can encrypt critical system files, disable backups, and spread across the network.
Understanding the Difference
Ransomware needs to encrypt your data to hold it hostage. The permissions needed to do this depend on where the data lives:
- Non-Privileged Access: Limited to user files, documents in ‘My Documents’, and potentially network shares accessible with the current user’s credentials.
- Privileged Access: Can encrypt system drives (C:), program files, databases, and anything else the administrator account can touch.
Ransomware Attacks Without Root Privileges
These attacks usually happen through phishing emails or malicious downloads that trick a user into running ransomware.
- Initial Infection: A user clicks a bad link or opens a malicious attachment, launching the ransomware.
- User-Level Encryption: The ransomware encrypts files in the user’s profile and any network shares they have access to.
- Limited Damage: Recovery is often possible by restoring from backups (if available) or cleaning the infected machine.
Ransomware Attacks *With* Root Privileges
This is much more serious and usually happens when an attacker compromises an administrator account.
- Privilege Escalation: Attackers find ways to gain administrator access (e.g., exploiting vulnerabilities, stealing credentials).
- System-Wide Encryption: The ransomware encrypts the entire system drive and critical files.
- Backup Disablement: Attackers often try to delete or encrypt backups to make recovery harder.
- Network Spread: Ransomware spreads laterally across the network, using the compromised administrator access to infect other machines.
- Data Exfiltration (Often): Before encryption, attackers may steal sensitive data for double extortion.
Steps to Protect Against Non-Privileged Attacks
- User Education: Train users to identify phishing emails and suspicious links.
- Antivirus Software: Keep antivirus software up to date on all machines.
- Regular Backups: Regularly back up important data, storing backups offline or in a separate location.
- Principle of Least Privilege: Users should only have the permissions they need to do their job. Avoid giving everyone administrator access.
Steps to Protect Against Privileged Attacks
- Strong Passwords & MFA: Enforce strong, unique passwords and multi-factor authentication (MFA) for all accounts, especially administrator accounts.
- Account Monitoring: Monitor administrator account activity for suspicious behaviour.
- Patch Management: Keep systems patched with the latest security updates to close vulnerabilities.
- Network Segmentation: Divide your network into segments to limit the spread of ransomware if one machine is compromised.
- Cyber security Incident Response Plan: Have a plan in place for how to respond to a ransomware attack, including steps for isolation, containment, and recovery.
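The "Account Monitoring" step above is easiest to understand as a concrete check. The script below is an added example, not code from the original page: it reads sudo entries in the format Debian/Ubuntu syslog writes to /var/log/auth.log and flags privileged commands run by an account outside an admin allow list, outside business hours, or against a backup location (the kind of backup tampering described under "Backup Disablement"). The allow list, business hours, backup paths and the sample log lines are all constructed for the demonstration.

```python
"""Flag suspicious use of administrator privilege in sudo log lines.

Added example (not from the original page): a minimal version of the
"account monitoring" control, run over constructed auth.log-style lines.
The allow list, business hours and backup locations are assumptions for
the demonstration; in practice they come from your own environment.
"""
import re

# Fields of a sudo entry as syslog writes it to /var/log/auth.log (Debian/Ubuntu).
SUDO_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2} (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

ADMIN_ALLOWLIST = {"alice"}                  # accounts expected to use sudo (assumed)
BUSINESS_HOURS = range(8, 18)                # 08:00-17:59 local time (assumed)
BACKUP_PATHS = ("/mnt/backups", "/backup")   # where backups live (assumed)

REASON_UNEXPECTED_ACCOUNT = "privileged command from account not on the admin allow list"
REASON_OFF_HOURS = "privileged command outside business hours"
REASON_BACKUP_PATH = "privileged command touching a backup location"

# Constructed sample log; not real data.
SAMPLE_LOG = """\
Mar 12 09:15:02 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 12 14:03:44 fileserver sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 12 14:05:10 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 13 02:41:17 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /mnt/backups/daily
"""


def parse_sudo_line(line: str):
    """Return the fields of a sudo entry, or None for any other log line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    return rec


def check_record(rec: dict) -> list:
    """Apply the three detection rules to one parsed sudo entry."""
    reasons = []
    if rec["user"] not in ADMIN_ALLOWLIST:
        reasons.append(REASON_UNEXPECTED_ACCOUNT)
    if rec["hour"] not in BUSINESS_HOURS:
        reasons.append(REASON_OFF_HOURS)
    if any(p in rec["cmd"] for p in BACKUP_PATHS):
        reasons.append(REASON_BACKUP_PATH)
    return reasons


def analyze(log_text: str) -> list:
    """Run the rules over a whole log and return one finding per rule hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        for reason in check_record(rec):
            findings.append({"user": rec["user"], "host": rec["host"],
                             "cmd": rec["cmd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['user']}@{f['host']}: {f['cmd']}")
```

On the sample log only the 02:41 entry by `bob` is reported, once for each rule it trips; the two entries by `alice` and the sshd line produce nothing. Real monitoring would feed the same rules from a log shipper rather than a string and would extend them to Windows administrator logons, but the structure (parse, apply per-account and per-time expectations, surface anything touching backups) is the same.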
Checking User Permissions (Windows)
You can check the permissions of a file or folder:
icacls "C:\Path\To\FileOrFolder"
This command will show you which users and groups have access to the specified resource.
Checking User Permissions (Linux)
You can check the permissions of a file or folder:
ls -l "/path/to/fileOrFolder"
This command will show you the owner, group, and permissions for the specified resource.
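The `ls -l` output above lets you judge one file at a time. To see the point made under "Understanding the Difference" across a whole tree, the script below (an added example, not code from the original page) reproduces the POSIX owner/group/other write check that `ls -l` shows, then applies it to every regular file under a directory to count what a process running as the current user could overwrite. It is POSIX-only (it relies on `os.getuid` and `os.getgroups`); the `parse_ls_mode` helper and the report layout are this example's own.

```python
"""Inventory what a process running as the current user could modify.

Added example (not from the original page): ransomware running without root
is bounded by the filesystem permissions of the account it runs as, so the
set of files that account can write to is its maximum blast radius. The
functions below reproduce the POSIX permission check that `ls -l` lets you
do by eye, then apply it across a directory tree.
"""
import os
import stat


def parse_ls_mode(symbolic: str) -> int:
    """Convert the 10-character mode column of `ls -l` (e.g. '-rw-r--r--')
    into numeric permission bits (0o644). 's' and 't' count as the x bit;
    'S' and 'T' mean the x bit is absent."""
    if len(symbolic) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    bits = 0
    for i, ch in enumerate(symbolic[1:]):      # skip the file-type character
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def can_write(mode: int, file_uid: int, file_gid: int, uid: int, gids) -> bool:
    """POSIX write check for account (uid, gids) on a file with the given
    permission bits and ownership. Only one class applies: owner if you own
    the file, else group if you are in its group, else other. Root (uid 0)
    bypasses the bits entirely, which is why root-level ransomware can reach
    everything."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def exposure_report(root: str) -> dict:
    """Walk `root` and split regular files into those the current user could
    overwrite and those it could not (POSIX only)."""
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    writable, protected = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                     # unreadable entry: skip it
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, sockets, etc.
            reachable = can_write(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)
            (writable if reachable else protected).append(path)
    return {"writable": writable, "protected": protected}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    report = exposure_report(target)
    print(f"files a process running as uid {os.getuid()} could overwrite: {len(report['writable'])}")
    print(f"files outside its reach: {len(report['protected'])}")
```

Run it as an ordinary user against your home directory and then against `/` to see the difference the two sections above describe: the first run reports nearly everything writable, the second reports system files as protected. Two caveats: this checks only each file's own permission bits, whereas deleting or renaming a file (what most ransomware does after writing the encrypted copy) needs write and execute permission on the parent directory; and POSIX ACLs, SELinux or AppArmor can deny access the mode bits would allow, so the count is an upper bound on exposure, not an exact one.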