Skip to Main Content
October 30, 2019

Incident Response Ransomware Series - Part 2

Written by Justin Vaicaro
Incident Response Incident Response & Forensics

Opening

In part one of this blog post series, we provided an introduction into what ransomware is and how it works. We also provided examples of different types of ransomware, variation of ransomware tactics, and identified that ransomware delivery is traditionally accompanied by other malware to assist in lateral movement and deployment. If you haven't had a chance to read the first part of this series, take a few minutes to get caught up and then jump back into part two where I will cover ransomware attack vectors, ransomware threat reduction, and ransomware detection and protection.

Ransomware Attack Vectors, Don't Click!

This year, we have seen an increase in ransomware attack activity, including new strains and evolving tactics. Some of the noteworthy ransomware tactic changes we have investigated are: the utilization of remotely exposed vulnerabilities as the initial attack vector, the dwell time (can be days, months, or even years) before detonating its destructive payload, an increase in the use of exploit kits for first-stage infection of compromised hosts, and the proliferation of supply chain-based attacks.

https://www.slideshare.net/OpenDNS/wb-cryptolockerprinthttps://www.slideshare.net/OpenDNS/wb-cryptolockerprint

Ransomware Evolving Tactics Examples

  • Exploiting publicly exposed remote desktop protocol (RDP) services to use as a beach head for further ransomware infection
  • RIG exploit kit (EK) being used to deploy ransomware such as: Sodinokibi, ERIS, Burna, etc.
  • Managed security service providers (MSSPs) targeted to spread ransomware to their clients

Outside of these evolving tactics, ransomware still relies on two (2) signature attack vectors to reach victim systems: web and email channels. Attackers target the web channel due to the complexities of protecting the user's browser and the stealth deployment capabilities of the ransomware through the compromised user's browser. Attackers target the email channel due to the predominant lack of perimeter mail filtering and inspection as well as the presence of the weakest link in the defensive chain: humans.

Web Channel Ransomware Tactic Examples

Drive-by download and malvertising scenarios

  • Hosting ransomware on download repositories to look like legitimate software
  • Legitimate website containing malicious advertisement in which clicking the link exploits the web browser and then installs EK that would then install ransomware

Email Channel Ransomware Tactic Examples

Phishing attack scenarios

  • Attached double file extension file in which default Windows settings would make this file look like a non-executable file
  • Attached Microsoft Word file with weaponized macro

Email Combined with Web Channel Ransomware Tactic Example

Phishing attack scenario

  • Embedded download link that, when browsed to, contains a self-extracting installer

Additional ransomware attack vectors to be aware of are:

  • SMSishing - Malicious text message used to bait a user to a malicious site
  • Vishing - Malicious voicemail message used to bait a user to a malicious site
  • Online shared services - Online file-sharing or syncing services used to host ransomware

By understanding the threat vectors used by ransomware, security operations analysts and threat hunters can work to build robust threat detection layers and proactive threat hunting tactics in attempts to get ahead of the evolving ransomware threat posed to modern-day organizations.

Ransomware Threat Reduction - A Layered Approach

Not something easily achieved, but attack surface reduction is the common denominator when attempting to limit ransomware attack vectors. Organizations must adequately prepare for ransomware threats in order to catch up to external threat actors’ evolving techniques, tactics, and procedures (TTPs). This preparation promotes a proactive capability in avoiding future ransomware-based attacks. The attack surface is not solely contained to all things technical but spans across many lines of critical business processes.

The single most targeted threat vector is the human. Therefore, the following will provide a solid protective foundation in reducing the ransomware threat landscape:

  • A combined series of technical defensive layers
  • Integration of ongoing, meaningful, and relevant user security training
  • Robust backup and disaster recovery plan (DRP)

User Layer

Understanding the enemy's intent and the threat posed by ransomware should extend well beyond the technical teams of an organization. Users at all levels need to be informed and trained on how to recognize and know what to do when they encounter a ransomware threat.

User training for ransomware awareness content should include topics such as:

  • Learning what malware and ransomware are and how threat actors use them
  • Why you should be cautious when opening any email attachment or clicking a link, even if the sender is recognized
  • Becoming familiar with how threat actors use email as a threat vector to infect a user’s computer through phishing techniques

Business Layer

Ransomware scenarios should be integrated into the business continuity plan (BCP) and DRP of any organization in order to reduce downtime for business operations.

Some critical areas to cover within the BCP and DRP are:

  • Restore and recovery - options tailored to the particular organization
  • Asset management -  identifying critical systems and data and how to protect them
  • Data backups - where to store and how to protect them

Technical Layer

Haphazardly throwing technology at the ransomware threat is not a winning solution or a mindful methodology. Defensive layers must be properly thought out and designed accordingly. Most importantly, an organization should exhaust the full capabilities of already deployed security solutions and identify any existing technology overlap. This process will allow an organization to properly uncover and identify security gaps within their data infrastructure.

Some examples of the technical layers that can be used to slow down the ransomware threat:

  • Operating system, browser, and application security patching
  • Network segmentation isolating critical assets and data
  • Network defense-in-depth layered protection
    • Incorporate threat intelligence to identify existing and evolving ransomware and its communication vectors
    • Network threat protection using firewall, IDS\IPS, email, DNS, web security gateways, and honeypot and canary token deployment
    • Endpoint and server threat protection using anti-virus, endpoint detection and response (EDR), account least privilege, resource access control, and Group Policy Object (GPO) restrictions

The identified defensive layers above are by no means an exhaustive list of protective measures. The intent is to depict the level of comprehensive effort the entire organization must perform in order to be properly prepared for a ransomware threat.

Proactive Detection for Rapid Protection

Proactive detection capabilities are necessary in order to be adequately prepared for a ransomware attack. By taking a reactive approach, an organization has already lost the battle and is now sinking in the damage control black hole with little to no recovery options.

Detection capabilities will be limited to the invested effort given within the implementation process of the recommended defensive layers (user, business, and technical). If sufficient design consideration and training was adhered to, effective detection and containment capabilities will be the outcome shortening the meantime to detect (MTTD) and mean time to respond (MTTR) to a ransomware incident.

These detection capabilities will incorporate two of the discussed layers: user and technical. By understanding the ransomware attack chain, an organization can quickly identify how crucial early detection is within phases 1 and 2. This early detection could potentially save an organization tens, hundreds, or even millions of dollars based on the required ransomware recovery requirements or expected ransom payout.

Ransomware Attack Chain

  • Phase 1 - Identify and Reconnaissance (Technical Detection)
  • Phase 2 - Initial Attack (Technical and User Detection)
  • Phase 3 - Command and Control (Technical Detection)
  • Phase 4 - Discover and Spread (Technical Detection)
  • Phase 5 - Ransom Retrieval (Too Late!!)

Ransomware Attack Chain - Detection and Protection in Layers

Proactive threat intelligence monitoring and properly placed perimeter network defensive layers would be the first lines of defense in the detection chain. Threat intelligence would allude to a possible targeted phish campaign ramping up. If a well-crafted phishing email or a properly classified malicious website circumvents reputation-based content filtering, the user would be the next critical line of defense in the detection chain. If the ransomware bypasses the user detection layer, the organization is looking at a scenario where sound internal detection layers come into play. Ransomware is inherently accompanied by another piece of malware that will accomplish internal reconnaissance and lateral movement stages. Once key systems and users are targeted, the ransomware is deployed and staged for detonation. Limiting the scope of impact is crucial across the organization.

Ransomware Attack Chain - Detection Coverage

Phase 1

Scenario

Particular ransomware targeting a specific business sector or geographic region of interest.

  • Threat intelligence ransomware threat monitoring

Detection and Protection

Proactive monitoring could potentially detect this evolving threat and allow for immediate defensive layer tuning to mitigate the threat.

Phase 2

Scenario

Phish email with embedded malicious link or attached weaponized Microsoft Word document.

  • Email security gateway
  • SPAM filter
  • Web security gateway
  • Anti-Virus (AV)
  • Microsoft Window AppLocker
  • Endpoint Detection and Response (EDR)
  • Microsoft Attack Surface Reduction

Detection and Protection

Proactively scanning all email attachments and embedded links using a SPAM filter or email security gateway. If a malicious embedded macro is detected, immediately block offending email from ever reaching the end user's mailbox.

Phase 3 & Phase 4

Scenario

Affiliated first-stage exploit kit or malware downloader has started laterally moving, dropped and installed ransomware, began its command and control (C2) communication, and has started beginning stages of encryption activity.

  • Firewall
  • Intrusion Detection/Prevention System (IDS/IPS)
  • File Integrity Monitoring (FIM)
  • Honeypot/Canary Tokens
  • Centralized logging and alerting

Detection and Protection

Proactive file activity monitoring using FIM for known ransomware file extensions or using honeypot network share or strategically placed canary token-based files. If activity is detected, immediate auto-action to block offending user or endpoint network activity. IDS/IPS properly implemented to view horizontal propagation and updated rules to block exploit kit and ransomware C2 communication.

The identified detection layers above lay the beginning foundation in forming a holistic detection strategy that is necessary to adequately monitor all critical points within the ransomware attack-chain. Certain detection technologies will span multiple attack phases. As the detection layers are implemented, overall centralizing detection alerting, monitoring, and visibility becomes a crucial operational component that should not be overlooked. Organizations must identify how to move past a reactive security mindset and set forth the path toward proactive detection capabilities.

Closing

As we have seen, understanding the general ransomware threat vectors is crucial for building and enhancing an organization’s defensive layers. One must also take note that these ransomware threat vectors are not static and are constantly evolving in order to stay ahead of the vigilant defender’s. Through these defensive layers comes robust detection capabilities that lead to rapid protection capabilities moving an organization into a proactive security state of mind.

In the third part of this blog post series, we will look at ransomware response strategies, how to identify the ransomware once infection occurs, and digging into the particular data recovery options available.

Resources

https://www.proofpoint.com/us/threat-reference/ransomware

https://www.ncxgroup.com/2017/05/business-continuity-plans-key-ransomware-attacks-wannacry/#.XTE8wHtlDx4

https://www.alertlogic.com/resources/security-checklists/dissecting-ransomware-through-the-cyber-kill-chain/

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-now-pushed-by-exploit-kits-and-malvertising/

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

https://www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/

https://www.spamtitan. com /web-filtering/buran-ransomware-distributed-via-rig-exploit-kit/


Missed Part One? Go back and read it now! "Incident Response Ransomware Series: Part 1"