While ransomware attacks continue to be primarily opportunistic rather than targeted, there has been an upward trend in threat groups targeting high-revenue organizations to maximize the ransom payout. Ransom demands have reportedly reached $50 million USD. Threat actors have also innovated, threatening to leak stolen data in ‘name-and-shame’ attacks as additional leverage. In some cases, the threat actors contacted customers and partners of breached organizations to inform them that their data had been stolen in an effort to further induce victims to pay through external pressure.
Based on data from hundreds of incident response (IR) engagements and analysis of the threat groups responsible for perpetrating these attacks, Secureworks® Counter Threat Unit™ (CTU) researchers have developed a comprehensive understanding of the anatomy of post-intrusion ransomware attacks.
Figure 1 diagrams the phases of a post-intrusion ransomware attack.
Figure 1. Phases of a post-intrusion ransomware attack. (Source: Secureworks)
Post-intrusion ransomware incidents feature three primary initial access vectors (IAVs) that give threat actors a foothold in victims’ environments:
- Scan-and-exploit attacks against a vulnerable internet-facing system
- An existing malware infection initially delivered via phishing or other means
- Stolen or guessed credentials to log in via a remote access solution
Figure 2 shows the proportion of these IAVs observed in IR engagements during the first quarter of 2021. Exploitation of internet-facing devices (e.g., virtual private network (VPN) appliances, web-based management platforms, Microsoft Exchange servers) was the most commonly observed IAV. The second most common IAV was credential abuse using brute-force attacks, stolen credentials, and password spraying. Malware infection via weaponized email attachments and malicious links was not as prevalent as in prior quarters.
Figure 2. IAVs observed in Q1 2021 Secureworks IR engagements. (Source: Secureworks)
CTU™ researchers have observed the financially motivated GOLD TAHOE threat group using malicious emails as an IAV to deliver the Clop ransomware. The infection chain starts with an embedded link in an email spoofing a file-sharing service, which subsequently delivers the Get2 loader. Many loader families are used in post-intrusion ransomware incidents. These loaders can download additional offensive security tools as well as the final ransomware payload. Some of the more frequently observed loaders are Bazar, Buer, Dridex, Get2, IcedID, and Qakbot. These loaders are typically delivered via phishing campaigns. Some loaders, such as Buer, are operated as malware as a service (MaaS).
The TrickBot malware, which is operated by the GOLD BLACKBURN threat group, has been observed in many ransomware incidents. It was the exclusive IAV in Ryuk attacks until at least February 2020. TrickBot has evolved beyond a simple loader to become multi-featured, modular malware. It can also be used to exfiltrate data, enumerate hosts and networks, and facilitate lateral movement.
Threat actors can use native operating system tools (a technique known as “living off the land”) to perform many tasks, including downloading additional malware. CTU researchers commonly observe threat actors leveraging PowerShell scripts. Key differentiators between legitimate and malicious PowerShell use are obfuscation and encoding. For example, SunCrypt ransomware infections have reportedly featured PowerShell scripts containing junk if-else statements, likely in an attempt to evade analysis. GOLD TAHOE has used the BITSAdmin tool to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents (see Figure 3).
Figure 3. BITSAdmin used to download TinyMet. (Source: Secureworks)
CTU researchers have also observed threat actors using Windows Management Instrumentation Command (WMIC) and WScript to retrieve payloads (see Figure 4).
Figure 4. WScript used to download malware. (Source: Secureworks)
An uncommon technique CTU researchers observed in Hades ransomware engagements was the use of MSBuild to execute Metasploit, which was disguised as a “.proj” file (see Figure 5).
Figure 5. MSBuild used to execute Metasploit. (Source: Secureworks)
Table 1 maps these IAVs and delivery techniques to the MITRE ATT&CK® framework.
Table 1. MITRE ATT&CK IAV and delivery techniques observed during IR engagements.
After establishing a foothold in a victim’s environment, threat actors attempt to discover additional information by harvesting credentials, escalating privileges, scanning and enumerating the network, and gathering data.
Credential harvesting and privilege escalation
To expand access in an environment, threat actors typically attempt to obtain credentials of privileged accounts (e.g., service or domain administrator accounts) or local administrator credentials that are the same across multiple hosts. Organizations that allow users to have administrative privileges make this task far easier for threat actors. Threat actors can use the credentials to escalate privileges and move throughout the network.
In numerous IR engagements, CTU researchers observed use of the open-source Mimikatz tool to harvest user credentials. The lsadump module used in the command in Figure 6 dumps the contents of the Security Account Manager (SAM) registry hive, which contains NTLM hashes of user passwords. Fortunately, Mimikatz activity is highly detectible using endpoint detection and response solutions.
Figure 6. PsExec used to run the Mimikatz lsadump module. (Source: Secureworks)
CTU researchers observed the Privilege Escalation Awesome Scripts Suite (PEASS) used in both Pysa and REvil ransomware incidents. This multi-platform tool performs privilege escalation on Windows, Linux, and MacOS systems. PEASS can also be used to extract data (see Figure 7).
Figure 7. PEASS using the ‘forfiles’ executable to send a victim’s data to a batch script. (Source: Secureworks)
Threat actors can use Group Policy Objects (GPOs) to perform many tasks, including credential harvesting. CTU researchers observed the Dridex malware using GPOs to distribute a script that collected credentials from several different password managers.
After establishing a presence in the compromised network, a threat actor can begin collecting host and network data. Particularly with name-and-shame operations, threat actors seek sensitive and confidential files that can be leveraged during ransom negotiations. Threat actors use many tools to collect and exfiltrate data. Commonly observed offensive security tools and commodity malware include Cobalt Strike, PowerShell Empire, and SystemBC. Custom malware includes GOLD TAHOE’s SDBbot and GOLD BURLAP‘s Golang-based DNSGo RAT. DNSGo has used a Base64-encoded PowerShell script downloaded from Pastebin to extract host information (see Figure 8).
Figure 8. PowerShell script used by DNSGo to extract host information (truncated). (Source: Secureworks)
Threat actors also use native operating system tools to gather data. For example, the “net” command can collect information about users, groups, hosts, and files. In the command shown in Figure 9, the net command gathers information about accounts within the domain.
Figure 9. Net command used to extract domain account details. (Source: Secureworks)
Querying Active Directory (AD) is another common information gathering tactic. Threat actors can leverage extracted AD data to escalate privileges and obtain network information (e.g., domains, users, groups, devices) from AD environments via tools such as ADFind, ADRecon, and Bloodhound. These tools can be used for legitimate purposes, but they are frequently used by threat actors.
Sharphound, which is part of the Bloodhound repository, is also used to query AD but can perform other enumeration. Threat actors used the command listed in Figure 10 to collect AD data, including groups, hostnames, sessions, and domain trust information.
Figure 10. Sharphound being used to enumerate users and groups within a domain. (Source: Secureworks)
Internal network scanning and enumeration give threat actors visibility into the compromised environment in preparation for lateral movement. CTU researchers have observed Advanced Port Scanner used in Snatch, Pysa, and Hades ransomware incidents. Other port scanner tools observed in ransomware incidents include Advanced IP Scanner, Angry IP Scanner, and PingCastle (see Figure 11). These network mapping tools are free, which likely increases their attractiveness to threat actors. Organizations that use an enterprise-level network mapper instead of a free tool may better distinguish legitimate network activity.
Figure 11. PingCastle performing a ‘healthcheck’ to capture AD information. (Source: Secureworks)
Table 2 maps these discovery techniques to the MITRE ATT&CK framework.
Table 2. MITRE ATT&CK discovery techniques observed during IR engagements.
Threat actors can use native operating system tools to perform lateral movement. They may launch files over shares and access systems via Remote Desktop Protocol (RDP) using stolen credentials. WMIC can be used to run the “rdtoggle” alias to permit RDP activity (see Figure 12).
Figure 12. WMIC using rdtoggle to permit RDP activity. (Source: Secureworks)
CTU researchers have observed many ransomware groups using RDP for lateral movement. For example, GOLD ULRICK has used it in Ryuk ransomware infections, and GOLD VILLAGE has used it in Maze ransomware incidents.
The popular Cobalt Strike offensive security tool is regularly used by threat actors for lateral movement. In one incident, CTU researchers observed GOLD TAHOE using the Eternal Blue SMBv1 exploit to move laterally within an environment, likely leveraging a Cobalt Strike module designed for that purpose. In a separate incident, GOLD WATERFALL used Cobalt Strike for lateral movement within the compromised environment prior to deploying the Darkside ransomware.
Like Cobalt Strike, PowerShell Empire includes several methods for lateral movement. Figure 13 shows PowerShell Empire being used to conduct WMIC lateral movement.
Figure 13. PowerShell Empire lateral movement via WMIC. (Source: powershellempire . com)
Table 3 maps these lateral movement techniques to the MITRE ATT&CK framework.
Table 3. MITRE ATT&CK lateral movement techniques observed during IR engagements.
Threat actors use various tools and techniques to establish persistence in compromised environments. For example, GOLD BLACKBURN uses scheduled tasks (see Figure 14).
Figure 14. GOLD BLACKBURN establishing persistence through scheduled tasks. (Source: Secureworks)
Another technique to establish persistence involves modifying the registry key values located at HKLMSoftwareMicrosoftWindowsCurrentVersionRun (see Figure 15).
Figure 15. Persistence established via registry Run keys. (Source: Secureworks)
A simple but effective way to establish persistence is by creating a new user in a compromised environment using the net command (see Figure 16). However, the easiest technique to maintain access in an environment is to abuse compromised accounts.
Figure 16. Net command creating a new user. (Source: Secureworks)
A novel persistence technique observed by CTU researchers uses Tor communications. In multiple incidents, including Darkside and Snatch ransomware operations, threat actors leveraged Tor and Onion Services to create backdoors for ongoing access to compromised networks. To maintain the Tor client’s persistence, GOLD WATERFALL used the Non-Sucking Service Manager (nssm.exe) to install Tor as a service (see Figure 17).
Figure 17. Tor configuration used to establish persistence. (Source: Secureworks)
A subset of persistence is defense evasion. Threat actors hide their activity to prevent detection and to sustain their foothold in the environment. GOLD DUPONT, for example, has consistently employed anti-analysis and defensive evasion techniques, including deleting potential evidence.
One method of defense evasion is the use of WMIC to modify Windows Defender, allowing malicious files to escape detection (see Figure 18).
Figure 18. WMIC modifying Windows Defender. (Source: Secureworks)
Another method threat actors use is stopping the Windows Security Health host process to avoid detection (see Figure 19).
Figure 19. Taskkill used to stop Security Health process. (Source: Secureworks)
Table 4 maps these persistence and defense evasion techniques to the MITRE ATT&CK framework.
Table 4. MITRE ATT&CK persistence and defense evasion techniques observed during IR engagements.
Command and control
Many threat actors use the built-in command and control (C2) functionality available in offensive security tools such as Cobalt Strike, PowerShell Empire, and Metasploit. Some ransomware families rely on unique C2 techniques. Snatch ransomware, for example, uses a proprietary tool that collects and sends data to the C2 server over TCP port 80 (see Figure 20).
Figure 20. HTTP POST request sending data to C2 server. (Source: Secureworks)
When investigating Pysa ransomware incidents, CTU researchers observed the DNSGo RAT leverage DNS TXT messages for C2 communications (see Figure 21). RATs typically have some form of C2 communication capability.
Figure 21. DNS TXT messages used to exfiltrate encrypted host data. (Source: Secureworks)
Additionally, Qakbot, TrickBot, and Phorpiex can be used for ransomware C2 communications. These malware families often send C2 communications as encrypted TCP port 443 traffic.
One of the most frequently used Cobalt Strike features is Malleable C2, which creates and uses profiles that specify how data is transformed and stored. CTU researchers have encountered Malleable C2 in Darkside, Defray, and Hades ransomware incidents. One profile identified during a Darkside engagement makes C2 traffic appear to originate from a Google “web bug”.
Table 5 maps these C2 techniques to the MITRE ATT&CK framework.
Table 5. MITRE ATT&CK C2 techniques observed during IR engagements.
Data exfiltration plays a big role in name-and-shame ransomware operations. Threatening to leak the stolen data gives threat actors additional leverage to extort victims beyond just encrypting the compromised systems. The same C2 channels used for communications can be used to exfiltrate data from compromised organizations. However, the amount of exfiltrated data is often in the magnitude of gigabytes. This volume is more appropriate for cloud storage options such as MegaSync (available as a desktop application or command-line interface) or Rclone (a command-line interface). CTU researchers have observed threat actors using MegaSync in Nefilim, Pysa, and Hades ransomware operations, and Rclone in REvil and Egregor incidents.
Table 6 maps these data exfiltration techniques to the MITRE ATT&CK framework.
Table 6. MITRE ATT&CK data exfiltration techniques observed during IR engagements.
After collecting and exfiltrating data, the next step is to deploy the ransomware. Deployment can be performed using offensive security tools, malware, scripted deployment via domain controllers, AD scheduled tasks, and GPO policy implementation.
GOLD DUPONT uses Cobalt Strike extensively during its intrusions. The threat actors use Cobalt Strike stagers to deploy the 777 ransomware, to conduct C2 communications, and to move laterally movement via named pipes. Figure 22 shows the creation of a named pipe.
Figure 22. Creation of named pipe. (Source: Secureworks)
GOLD ULRICK has used shares on domain controllers and distributed Ryuk to compromised environments via batch files and PowerShell scripts (see Figure 23).
Figure 23. PsExec used to distribute Ryuk (xxx1.exe) from domain controllers. (Source: Secureworks)
GPOs can set the stage for and deploy ransomware. GOLD ULRICK leverages this technique via a PowerShell script that uses the Import-GPO cmdlet to create a new GPO to prepare the environment for deployment of Ryuk ransomware (see Figure 24).
Figure 24. PowerShell script used to create a GPO. (Source: Secureworks)
Table 7 maps these deployment techniques (and the resultant impact) to the MITRE ATT&CK framework.
Table 7. MITRE ATT&CK deployment techniques observed during IR engagements.
The many techniques used by ransomware operators can be overwhelming. However, organizations can detect and mitigate post-intrusion ransomware attacks with the correct security controls. Secureworks incident responders’ top recommendation during IR engagements in the first quarter of 2021 was to implement an endpoint detection and response solution to monitor host activity for techniques used by post-intrusion ransomware groups. Other recommendations include minimizing or eliminating exposure by addressing identified IAVs, implementing multi-factor authentication, and improving patch management. Identifying C2 communications gives network defenders the opportunity to block unwanted traffic and investigate the associated activity. By implementing these recommendations, organizations may be able to disrupt threat actor operations before ransomware is deployed. Overall, a robust security policy combined with host and network-based detection mechanisms can help organizations minimize the scourge of ransomware.
Acronis Security Team. “SunCrypt adopts attacking techniques from NetWalker and Maze ransomware.” Acronis. September 16, 2020. https://www.acronis.com/en-us/blog/posts/SunCrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware
Kirtley, Tony. “Prevent the 3 Most Common Ransomware Attack Vectors.” Secureworks. June 1, 2021. https://www.secureworks.com/blog/prevent-the-3-most-common-ransomware-attack-vectors
Lyons, Kim. “Acer reportedly hit with $50 million ransomware demand.” The Verge. March 20, 2021. https://www.theverge.com/2021/3/20/22341642/acer-ransomware-microsoft-exchange-revil-security
Secureworks. “Hades Ransomware Operators Use Distinctive Tactics and Infrastructure.” June 15, 2021. https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
Secureworks. “Ransomware Groups Use Tor-Based Backdoor for Persistent Access.” May 13, 2021. https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access