October 28, 2019

Incident Response Ransomware Series: Part 1

Written by TrustedSec

Incident Response Incident Response & Forensics

In this three-part blog post series, we will provide an introduction into what ransomware is, how it works, and how it spreads to systems within an organization. We will also provide examples of different types of ransomware and variation of ransomware tactics.

In part two, we will go in-depth to understand the various attack vectors ransomware uses, as well as ways to detect, protect, and prevent ransomware. In part three, we will identify ransomware variants and sites used for identification. We will also touch on the various recovery options and answer the big question—should you pay the ransom?

What is Ransomware?

Ransomware is a class of malicious software designed to extort money from users by disabling the functionality of important computer systems or by encrypting files on the infected device as well as shared or networked drives.

Infection Kill Chain

Typically, most ransomware exhibit similar behaviors during infection. While part two of this blog series will cover ransomware attack vectors and the attack kill chain, in this section, we will X-ray the chain of events that occurs during infection.

Once the victim downloads a dropper (a program designed to install malware to a target system), the infection begins. We will examine the various infection stages and collectively identify its infection kill chain.

Malware Download: When the system is infected with a dropper, there is a command and control (C2) communication to download a malicious executable. The dropper then copies the malicious executable to a local directory, or in some cases, it injects the malicious code into a running process.

Persistence Method: The ransomware attempts to create persistence mechanisms using various methods, the most common of which are described below:
- Creates Run and RunOnce registry keys
- Copies itself into %UserProfile%/Start Menu\Programs\Startup or %USER%\appdata\roaming
- Uses Scheduled tasks

Enumeration: Once the ransomware has established a persistence mechanism, it would enumerate the local system, network system, and even cloud systems, searching for files of interest.

Encryption: At this stage, the ransomware begins to encrypt the enumerated files. It encrypts the file, copies the encrypted version to the original location, and then deletes the original file. After encryption, the attacker leaves a ransom note demanding payment.

How it Spreads

While the most common method for spreading ransomware is through phishing emails, some variants have been seen spreading through other means. Various spreading mechanisms of ransomware include:

Spam emails
Exploit kits
Removable media
Drive-by downloads
Malware campaigns
Lateral movement using SMB
Web-based messaging applications
Deployed by another malware, such as TrickBot

Variations of Ransomware

Gone are the days when important computer system functionality is disabled or files are encrypted only on the infected device. With recent variations of ransomware, a lot could be done using various modules. These ransomware variants can:

Encrypt Master Boot Record (MBR)
Delete files if the victim takes too long to make the ransom payment
Restrict access to files and data but will not encrypt them (known as non-encrypting ransomware)
Exfiltrate data to a threat actor (known as extortionware), which is normally accompanied by a threat to leak or publish the data/files if the ransom is not paid
Rename file extensions

Ransomware Samples

With over 30 active malware families, ransomware has been on the rise since the last decade. From the AIDS malware in 1989, Winlock in 2010, Locky in 2016, and even the recent Ryuk, we have seen a great increase in the number of impacted systems by various variants of ransomware. A few of these ransomware samples are:

WannaCry: First seen in 2017, this malware infected over 100,000 organizations in 150 countries. Using an EternalBlue exploit, WannaCry ransomware exploits a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol—a protocol that helps various nodes on a network communicate.
Sample: 043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2

Teslacrypt: When Teslacrypt emerged in 2015, it began infection using exploit kits. Victims were redirected to a compromised site where the Nuclear exploit kit was installed. Its infection chain looks identical to another ransomware called CryptoLocker.
Sample: 83e62221df7ba94f18fc9b63fec82285d8694c0c0a2542c0196752dc81524a10

Ryuk: Similar to Hermes ransomware, Ryuk was first spotted in 2018 and was used to target enterprise environments. Dubbed as one of the most sophisticated types of ransomware, Ryuk can shut down over 40 processes and around 180 services, including anti-virus, backup, and other programs. It is also capable of deleting all the shadow copies of the various backup files on a targeted machine.
Sample: 11f70be9ad30802f7a8d48197e5e4353fc537f6b13ae7c5164fff60a4a51b2ed

Cerber: In 2016, the name Cerber ransomware began making waves. This ransomware variant targets cloud-based Office 365 users and has infected millions.
Sample: 6c9f7b72c39ae7d11f12dd5dc3fb70eb6c2263eaefea1ff06aa88945875daf27

Locky: First seen in 2016, this ransomware locks the victim’s computer with a .locky extension and prevents usage until a ransom is paid. An invoice-themed phishing email with a macro-enabled document usually kicks off the infection chain once the victim opens the attachment.
Sample: ff3e29a31f05016dedcd61a7aac588757c8364f04fa85b7a86196c9805cd811c

SamSam: One ransomware that operates in a targeted fashion is the SamSam ransomware. This ransomware has been known to target healthcare organizations. Its method of operation is to gain access to an organization’s network, spend time performing reconnaissance, then attempt to encrypt as many files as possible.
Sample: 2f294d301d8bb9b947f41faf20df104710d5c4b2f469145d4e469ca7d1998b2f

Jigsaw: This ransomware was known for its ability to start deleting files if the ransom was not paid within 72 hours.
Sample: 07955541315b1c376269b5081a25f277ae162c0a8612511c9aa65504df722d76

Sodinokibi: This ransomware exploited vulnerabilities in servers and other critical assets of SMBs. In some instances, the ransomware searches for an AV called Ahnlab in the infected machine to inject its malicious payload. Similarities in the code suggest that this ransomware was created by the same group as the GandCrab ransomware.
Sample: 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Sorebrect: This fileless ransomware variant targets the Windows Operating System and is distributed through open remote desktop protocol (RDP) ports by brute-forcing administrator credentials. Once access to the targeted server is obtained, the malicious actor installs Sorebrect using PsExec. Once installed, it injects malicious code into the Windows svchost.exe process while its primary binary self-terminates.
Sample: 4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76

Triple Threat

Is ransomware always the beginning of the attack? Absolutely not. As ransomware continues to evolve and get sophisticated, attackers are now utilizing these ransomware samples for even more sophisticated malware campaigns. A great example is the combination of Emotet, TrickBot, and Ryuk ransomware, as demonstrated in many of the recent government ransomware attacks, including one that hit 22 cities and towns in Texas (https://www.cpomagazine.com/cyber-security/massive-ransomware-attack-in-texas-hits-22-cities-and-towns-hackers-demand-millions-in-payment/) and another that affected Georgia’s court system (https://www.cbsnews.com/news/georgia-court-system-attacked-by-hackers-using-ransomware-malware-software/).

In this three-phased malware campaign, the first phase begins with the Emotet trojan. Emotet is a banking trojan that can steal financial information and credentials, and is often used as a downloader or dropper for other malware. It starts off with a Microsoft Office document containing malicious macro-based code delivered through a phishing email. Once the victim opens the document, the malicious document runs and executes a PowerShell command. The PowerShell command then attempts to download and execute the Emotet payload from different malicious domains.

The second phase begins with Emotet using its delivery mechanism to drop and execute TrickBot, another banking trojan that uses code injection and redirects to steal financial information. It can spread laterally and deploy other tools and ransomware. When TrickBot infects the user’s system, it uses various modules and attempts to do the following:

Acquire credentials from the user’s machine
Disable AV services (this terminates the service if it finds specific DLs in memory)
Inject into online banking activities to obtain credentials
Steal Bitcoin wallets
Search disk for specific files
Harvest user credentials from multiple saved locations (Outlook, browsers, RDP, VNC, etc.)
Launch additional malware. In most cases, this becomes the ransomware.

The third and final phase begins when TrickBot is used to download the Ryuk ransomware payload. Using the stolen credentials, it moves laterally to a desired target, injects the malicious payload, and encrypts the files. In our investigations, we have also seen threat actors manually deploy Ryuk onto critical systems within a victim’s environment using RDP or remote execution tools such as PsExec.

Conclusion

As we have seen thus far, knowledge of ransomware capabilities is essential to any organization. Its infection kill chain, the way it spreads, and the numerous samples and variants are a great way to stay ahead of the game.

In the next part of this blog series, we will go in-depth into understanding the various attack vectors, ransomware detection, protection, and prevention.