A continually evolving threat, ransomware has forever changed how organizations approach incident response, particularly now that adversaries incorporate data theft and extortion into the scheme. Red Canary has conducted hundreds of short-term incident response engagements where a ransomware infection has already taken hold, and we’ve detected thousands of threats that possibly precluded a ransomware infection down the line. Here are two of the many things we’ve learned from these experiences:
- Most of the ransomware campaigns we’ve observed exhibit a predictable pattern of behaviors during the cycle of their operation.
- A combination of detective and mitigatory controls can offer organizations defense-in-depth against different strains of ransomware.
Frequently, detection focuses on a specific artifact or behavior of the malware itself. In the case of ransomware, this often means looking for behaviors such as rapid-fire “access-create-delete” sequences or running
vssdmin.exe to delete volume shadow snapshots. These actions are clear indicators of a ransomware infection. However, when detection operations observe these actions, it’s often too late—the encryption is already underway and you may as well start up your recovery operations.
In this post, we’ll look at a more holistic approach to detecting ransomware, with a specific goal of narrowing the gap between the initial compromise and detection, minimizing or eliminating the ransomware’s chances of succeeding.
Ransomware doesn’t walk alone. It is often the payload delivered by another malware component, such as a trojan. Two prominent examples are the Ryuk ransomware and, of late, WastedLocker. While there are many other combinations of deployment and action-on-objective tools, our experience with this particular pair provides deep insight to ransomware’s methodology as a whole.
In our experience, as well as in documented public research, infections from the WastedLocker ransomware variant have occurred in environments that were initially infected by another strain of malware, called “SocGholish.” Based on incidents we’ve observed, SocGholish is initially introduced into an environment by way of a malicious web browser update script. The adversary then uses Cobalt Strike for execution and lateral movement, gathering certain information before ultimately delivering the WastedLocker payload using PsExec and other native Windows administration tools. If victims detect the intrusion during the initial phase, while adversaries are using SocGholish or Cobalt Strike, they may be able to successfully remediate the incident before the WastedLocker ransomware is ever deployed.
In recent years, we have observed a similar pattern of ransomware being delivered as a follow-on payload with numerous other malware families. The most notable example may be the trio of Emotet, TrickBot, and Ryuk. In this common sequence, adversaries use Emotet to gain initial access to an environment and then drop TrickBot. TrickBot, in turn, gathers information and moves laterally, compromising as many machines as possible before finally deploying the Ryuk ransomware.
Detecting trojans that deliver ransomware
Given these common sequences, we can consider ways to detect early, during the first phase of the incident. We’ve had a great deal of success detecting SocGholish by looking for a particular combination of processes, network connections, and command-line parameters. Specifically, SocGholish often uses
wscript.exe to make an external network connection and download a malicious payload masquerading as a browser update. As such, a useful behavioral analytic for detecting SocGholish might look like the following:
process == 'wscript.exe' &&
command line includes 'firefox.update' or 'chrome.update'
While our detection engineers custom built the above analytic to detect SocGholish, other activity that might indicate the presence of a SocGholish infection (and a number of other threats for that matter) includes:
wscript.exe establishing network connections to external hosts
- Scripts executing from ZIP files
- PowerShell commands leveraging the
DownloadString function to download remote files
- PowerShell commands that contain encoded command switches, obfuscation characters, or Base64 strings
- Office products spawning PowerShell or Regsvr32 (to execute DLLs)
We’ve published a lot of research around how security teams can detect TrickBot. If you want to dive deep on that, then we’d suggest reading through the Threat Detection Report, and specifically reading the detection strategies sections compiled for:
Detecting ransomware itself
Of course, not all ransomware is delivered by a first-stage trojan. As such, it’s probably useful to look out for the following, ransomware-related activity, especially in conjunction with traditional, indicator-based detection:
- Manipulation of
vssadmin.exe to hinder recovery from backups
- Processes making hundreds of file modification operations on files with the string
readme in them
- Use of the Windows Backup Administration Tool
wbadmin.exe to delete system backups
- PowerShell using the
Get-WMIObject cmdlet to enumerate the
- Instances of the Windows binary
cipher.exe executing and clearing data from unused disk space
- Execution of
rundll32.exe loading a DLL with the command line including
Another beneficial byproduct of looking for trojan behaviors is that ransomware is not the only payload they can deliver. There is no benign use of these trojans or other similar payloads, so when you observe behaviors associated with them, you’ve probably identified a problem worth remediating. In other words, behavioral analytics designed to catch threats like Emotet, SocGholish, and TrickBot will also help you detect a wide variety of other threats—making the search for these behaviors a very worthwhile investment.
Prevention and mitigation
Of course, detecting a ransomware incident as it’s underway—even in the precursor phase—is less ideal than instituting some form of preventive controls to mitigate or eliminate the possibility of it occurring in the first place. While security practitioners have always taken the approach that “eventually, prevention fails,” that should never be taken to mean we don’t try to prevent malicious activity where feasible.
Perhaps the most effective means of preventing ransomware outbreaks is to implement application controls, which ensure only approved binaries are allowed to execute in the environment. Since ransomware requires some form of custom executable to function, this all but guarantees that unapproved binaries will be blocked from execution. On the other hand, implementing, tuning, and maintaining an adequate application control program is a significant amount of both initial and ongoing work, leading many organizations to shy away from implementing one.
Perhaps the most advisable means of preparing for a potential ransomware incident is to ensure the organization has proper backups. Even more importantly, ensure that the organization tests and validates their ability to restore from backup on a periodic basis. Being able to revert to a known-good state is the most comprehensive and reliable way to prevent having to make a difficult decision regarding payment of a ransom. While the recent trend toward extortion-based ransoms (e.g., “we’ll release your data if you don’t pay”) would not be thwarted by restoring from a backup, the ability to return to normal operations quickly is a significant advantage against most current ransomware schemes.
Lastly, common environmental hygiene is among the most effective means of preventing the initial implantation of ransomware, as well as numerous other malware types. The age-old recommendation of granular network segmentation will minimize the chances that laterally-spreading malware can propagate. Using strong and unique passwords on user and service/system accounts will both slash the chances of a successful brute-force attack as well as minimize the chances for a credential stuffing attack that reuses known passwords to expand the attacker’s footprint across the victim’s environment.
Overall, the ransomware trend is not likely to abate any time soon. Its frequent success, as well as the evolving tactics used to extort victims, leads to a regrettably profitable business model. However, by focusing on detectable behaviors that ransomware often exhibits in the earliest phases of its overall execution, defenders have an opportunity to prevent the later, far more damaging phases of these attacks. While no prevention methodology is failsafe, a robust detection and response strategy can help swing the balance back away from the attackers.