Destroy the Ransomware Threat: Part 1.1 — Detection and Prevention
Hi everyone, in this series of articles we'll discuss an exciting topic: ransomware. First we will look at how to detect ransomware before it takes over the entire system, then at how we can protect our systems.
A ransomware attack is not a threat we can prevent with a single defensive structure or product. Like Lockheed Martin's Cyber Kill Chain model, it has many stages, and a different methodology is followed at each step. The Ransomware Kill Chain model described by GroupSense intelligence analyst Nicole Hoffman explains the situation very well. Against ransomware we should think in terms of a kill chain of this kind: evaluate the pipeline step by step and build a detection mechanism, with protection, at each stage.
In the detection stage, several tools strengthen our defense:
- NDR — NIDS
- EDR/EPP/AV
- Sandbox
- Workflow Management
- SIEM — SOAR — SOC
- Honeypot
- DNS Visibility
- Mail Gateway
- AD and DC Ransomware specific monitoring
Now let’s examine what we can do with these tools one by one.
NDR — NIDS
During a ransomware attack the malicious file keeps up its C2 (C&C) communication. Attackers sometimes use the remote access they have obtained to operate inside the network for months. In that time they identify token-acquisition opportunities, lateral-movement paths and pivot points on the systems they reach without authorization, then use those footholds to gain the access that lets the payload spread. Remember that the more of the inventory they encrypt, the more money they demand and the more helpless the victim is.
Mirrored traffic from the VLANs in the corporate network is fed to the Network IDS (NIDS). The NIDS examines this traffic against rules and flags possible threats.
In this way we can capture the communication of a malware sample or an attacker between the internal network and the outside with NIDS. You can review the Suricata IDS rules written for some ransomware families (WannaCry and the Android WannaLocker), taken from the Emerging Threats open ruleset, in the examples below. Bear in mind that these are indicator rules: they fire on a known domain lookup or kill-switch HTTP request, so they catch known families and need behavioural rules alongside them for anything new.
alert dns $HOME_NET any -> any 53 (msg:"MOBILE_MALWARE Android WannaLocker-A DNS Lookup"; dns_query; content:"biaozhunshijian.51240.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,88136a40b295fe41c4c21e1a086cdad4; classtype:trojan-activity; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_24, malware_family Android_WannaLocker;)
alert dns $HOME_NET any -> any any (msg:"Possible WannaCry DNS Lookup 1"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; depth:41; nocase; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_12, malware_family wannacry;)
alert dns $HOME_NET any -> any any (msg:"Possible WannaCry DNS Lookup 2"; dns_query; content:"ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_14, malware_family wannacry, performance_impact Moderate;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)
NDR, on the other hand, does the work of a NIDS with behavioural analytics and machine-learning models, faster and typically with a lower false-positive rate, and it ships with ready-made rule sets, which makes it a more convenient product. It becomes very powerful when integrated with EDR and the SIEM.
For Suricata setup and rule structure:
- Download the source tarball from https://suricata.io/download/ (the steps below are for Kali/Debian).
- Install the build dependencies first, since ./configure fails without them, then unpack, configure, build and install (run the apt-get and make install steps as root or with sudo; python3-yaml replaces the older python-yaml package on current releases):
apt-get install build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python3-yaml rustc cargo libpcre2-dev
tar xzvf suricata-*.tar.gz
cd suricata-*
./configure
make
make install
Rule Structure
Our goal should be to build two categories of rules, one for analysis and one for detection, by studying existing rules. The basic anatomy of a rule:
action protocol from_ip port -> to_ip port (msg:"defend us"; content:"something"; content:"something else"; sid:10000000; rev:1;)
- Header (everything before the parentheses): the action to take, the protocol, the source and destination addresses and ports, and an arrow giving the direction of the traffic.
Action:
- alert <- generate an alert
- log <- log the traffic without alerting
- pass <- stop inspecting the packet (exclusion)
- drop <- drop the packet (IPS mode only)
- reject <- drop the packet and send a TCP RST (ICMP unreachable for non-TCP) to the sender
Protocol can be tcp, udp, icmp, ip, http, tls, smb, dns, among others.
-> (rule direction): which way the traffic flows between the two address/port pairs
- Outbound traffic: $HOME_NET any -> $EXTERNAL_NET any
- Inbound traffic: $EXTERNAL_NET any -> $HOME_NET any
- Bidirectional traffic: $EXTERNAL_NET any <> $HOME_NET any
msg: the name or description shown when the rule fires
dsize: match on the size of the packet payload
content: the value that identifies the particular traffic or activity
sid: the signature ID, unique per rule (local rules conventionally start at 1000000)
rev: the revision of the rule, incremented on every change
For example rule sets: https://rules.emergingthreats.net/open/
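As an added example (not code from the original article, the Emerging Threats project or Suricata itself), here is a small Python parser for the rule anatomy described above, run over constructed rules modelled on the WannaCry DNS and kill-switch rules quoted earlier. It separates the header from the options, honours quoting so a ';' inside a content: or pcre: string does not cut the rule in the wrong place, labels direction using the $HOME_NET convention, and lints for the keywords every rule needs. The sample sids, the SMB probe rule and the ACTIONS/PROTOCOLS sets are assumptions for illustration and deliberately cover only the keywords this section lists.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules for this example, modelled on the WannaCry DNS and
# kill-switch rules quoted above but with local sids (1000000+) so they do not
# collide with Emerging Threats signatures.
SAMPLE_RULES = r'''
# comment lines and disabled (#-prefixed) rules are skipped by the parser
alert dns $HOME_NET any -> any any (msg:"Possible WannaCry DNS Lookup"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; depth:41; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"WannaCry Killswitch Domain HTTP Request"; flow:established,to_server; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; classtype:trojan-activity; sid:1000002; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled rule"; content:"x"; sid:1000003; rev:1;)
alert smb $EXTERNAL_NET any <> $HOME_NET 445 (msg:"Inbound SMB probe"; flow:established; content:"|ff|SMB"; sid:1000004; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"missing sid and rev"; content:"evil";)
'''

ACTIONS = {"alert", "log", "pass", "drop", "reject"}                    # the actions listed above
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "smb", "dns"}  # subset, for the lint only

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # [(keyword, value or None)] in rule order

    def get(self, keyword):
        """Value of the first option with this keyword; None if absent (bare
        keywords such as nocase or http_header also carry None)."""
        return next((v for k, v in self.options if k == keyword), None)


def split_options(text):
    """Split the option body on ';' outside double quotes, so a ';' inside a
    content: or pcre: string does not cut the rule in the wrong place."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    parsed = []
    for item in items:
        key, sep, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                      # strip the quotes Suricata requires
        parsed.append((key.strip(), value if sep else None))
    return parsed


def parse_rule(line):
    """Parse one rule line; None for blank, comment and disabled (#) lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Suricata rule: " + line[:60])
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                m["dst"], m["dport"], split_options(m["options"]))


def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def direction_label(rule):
    """outbound / inbound / bidirectional under the $HOME_NET convention above."""
    if rule.direction == "<>":
        return "bidirectional"
    return "outbound" if rule.src == "$HOME_NET" else "inbound"


def lint(rule):
    """Problems that stop a rule loading or make the ruleset hard to manage."""
    problems = []
    if rule.action not in ACTIONS:
        problems.append("unknown action " + rule.action)
    if rule.proto not in PROTOCOLS:
        problems.append("unknown protocol " + rule.proto)
    problems += ["missing " + k for k in ("msg", "sid", "rev") if rule.get(k) is None]
    sid = rule.get("sid")
    if sid is not None and sid.isdigit() and int(sid) < 1000000:
        problems.append("sid below the local range (1000000+)")
    return problems


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(r.get("sid"), direction_label(r), r.get("msg"), lint(r) or "ok")
```

Run it over your own local.rules before loading them: the last sample rule is caught as missing sid and rev, which Suricata would reject at startup, and the direction label is a quick way to check that an intended outbound C2 rule really has $HOME_NET on the left.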
EDR/EPP/AV Combination
One of the tools that will strengthen corporate defense against malicious software is EDR, combined with EPP or AV. Points to pay attention to:
- Define application allow-lists on servers in EDR/EPP/AV
- Before an application is installed on a client, verify its signature, then have the EDR sandbox or an external sandbox analyze it
- Harden the EDR policy
- Block USB access and tie exceptions into the Ticket & Workflow structure
- Analyze the process tree of suspicious applications in EDR; where necessary the in-house malware analyst inspects the file
- A containment (host isolation) feature in EDR is very useful.
You can also use the Ransomware IOC kit published by SophosLabs; for example, the LockBit IOCs:
## LockBit ransomware IoCs
Ransom gates
- lockbitkodidilol.onion
- lockbitks2tvnmwk.onion
Ransom note
- Restore-My-Files.txt
Ransom extension
- .lockbit
E-mail
- ondrugs@firemail.cc
Persistence
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01
Mutex
- Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}
Executed commands
- bcdedit /set {default} recoveryenabled No
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- vssadmin delete shadows /all /quiet
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin delete catalog -quiet
- wevtutil cl system
- wevtutil cl security
- wevtutil cl application
- wmic SHADOWCOPY /nointeractive
- wmic shadowcopy delete
- ping 1.1.1.1 -n 22 > Nul & \"%s\"
- ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"
Registry keys
- SOFTWARE\LockBit
- SOFTWARE\LockBit\full
- SOFTWARE\LockBit\Public
Source : https://github.com/sophoslabs/IoCs/blob/master/Ransomware-LockBit
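Turning that IOC list into detection logic, as an added example that is neither Sophos's code nor from the original article: a Python script that runs the LockBit command-line and file-name indicators over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) events. It matches the behaviour (shadow-copy deletion, recovery disabled, backup and log destruction, the ransom note) rather than the exact string, so a path-prefixed, quoted or differently-cased variant still fires while an administrator's `vssadmin list shadows` does not, and it only promotes a host to a candidate when two or more distinct categories appear there. Hostnames, paths and the event layout are constructed; the field names follow Sysmon but are an assumption about how your SIEM normalizes them.

```python
import re
from collections import defaultdict

# Command-line patterns derived from the LockBit "Executed commands" list above.
# Each category matches a behaviour, not one exact string, so path-prefixed,
# quoted or oddly-spaced variants of the same command still match.
COMMAND_IOCS = {
    "shadow_copy_deletion": [
        r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b',
        r'\bwmic(?:\.exe)?"?\s+shadowcopy\s+delete\b',
    ],
    "recovery_disabled": [
        r'\bbcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b',
        r'\bbcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b',
    ],
    "backup_deletion": [
        r'\bwbadmin(?:\.exe)?"?\s+delete\s+(?:systemstatebackup|catalog)\b',
    ],
    "log_clearing": [
        r'\bwevtutil(?:\.exe)?"?\s+cl\s+(?:system|security|application)\b',
    ],
    "self_deletion": [
        r'\bfsutil(?:\.exe)?"?\s+file\s+setzerodata\b',
    ],
}
# File-name indicators from the same list (ransom note, encrypted-file extension).
FILE_IOCS = {
    "ransom_note": re.compile(r"\\restore-my-files\.txt$"),
    "ransom_extension": re.compile(r"\.lockbit$"),
}

# Constructed Sysmon-style events (not real telemetry): event_id 1 = process
# creation, 11 = file creation. Field names are an assumption about the SIEM schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "parent": "cmd.exe",
     "command_line": "vssadmin list shadows"},                       # admin, benign
    {"host": "ws02", "event_id": 1, "parent": "unknown.exe",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "ws02", "event_id": 1, "parent": "unknown.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws02", "event_id": 1, "parent": "unknown.exe",
     "command_line": "WEVTUTIL.EXE  cl Security"},                   # case/spacing variant
    {"host": "ws02", "event_id": 11, "parent": None,
     "target_filename": r"C:\Users\bob\Documents\Restore-My-Files.txt"},
    {"host": "ws03", "event_id": 1, "parent": "cmd.exe",
     "command_line": "wevtutil cl Application"},                     # single hit: lead only
]


def normalise(cmd):
    """Lower-case and collapse whitespace so pattern matching is case/spacing-insensitive."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def match_event(ev):
    """Return the IOC categories one event hits (empty list for benign events)."""
    hits = []
    if ev["event_id"] == 1:
        cmd = normalise(ev["command_line"])
        for category, patterns in COMMAND_IOCS.items():
            if any(re.search(p, cmd) for p in patterns):
                hits.append(category)
    elif ev["event_id"] == 11:
        name = ev["target_filename"].lower()
        for category, pattern in FILE_IOCS.items():
            if pattern.search(name):
                hits.append(category)
    return hits


def hunt(events, min_categories=2):
    """Collect IOC hits per host. A host with >= min_categories distinct categories
    is a ransomware candidate; a single hit is only a lead to triage."""
    per_host = defaultdict(set)
    leads = []
    for ev in events:
        for category in match_event(ev):
            per_host[ev["host"]].add(category)
            leads.append((ev["host"], category, ev.get("command_line") or ev.get("target_filename")))
    candidates = {h: sorted(c) for h, c in per_host.items() if len(c) >= min_categories}
    return leads, candidates


if __name__ == "__main__":
    leads, candidates = hunt(SAMPLE_EVENTS)
    for host, category, evidence in leads:
        print(f"{host}: {category}: {evidence}")
    print("candidates:", candidates)
```

The two-category threshold is the practical point: `wevtutil cl Application` on its own is noisy in many environments, but shadow-copy deletion followed by disabling recovery and clearing logs on the same host is the pre-encryption sequence in the IOC list and is worth an automatic containment action.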
Sandbox
Sandbox environments are very useful in malware detection. The important points are:
- Which operating systems the sandbox supports for detonating the file
- Whether it supports both x86 and x64 samples
- ARM support also matters, as many institutions use Apple-silicon Macs
- Integration between the sandbox and EDR is an important factor, for example triggering containment in EDR from the sandbox verdict. Failing that, we can strengthen our defense with Playbooks in SOAR.
Workflow Management
We must track the application-installation and USB-usage permissions granted to end users and service accounts. Coordinating these with Ticket & Workflow Management systems provides protection against malicious software.
SIEM — SOAR — SOC
We can detect vertical (privilege escalation) and lateral movement with correlation rules written in the SIEM, and act against the spread of the infection at the enumeration stage. Windows Event, Linux auditd and Sysmon logs in the SIEM increase our monitoring power considerably.
For example, you can write rules like the following, taken from Splunk's article on detecting ransomware (linked below). In Splunk you can list the ParentCommandLine from Sysmon and use the following query to get a timestamp for this activity:
sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" [ search sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventDescription="File Create Time"
| streamstats time_window=1m count(EventDescription) AS "new_files"
| search new_files>10 | fields + Image ]
| stats last(Image) as File by sha1, _time, ParentCommandLine
Source : https://www.splunk.com/en_us/blog/industries/detecting-ransomware-attacks-with-splunk.html
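The same burst logic as the Splunk query, as an added example in Python (not Splunk's code and not from the original article) run over constructed "File Create Time" events: a sliding one-minute window per process image, flagging any image that exceeds 10 file events, followed by a summary keyed by sha1 and ParentCommandLine like the stats line. It counts per image rather than across all events, a tighter version of the query's streamstats; the paths, hash placeholders and timestamps are invented for the test, and the backup agent is kept just below the threshold to show where the margin sits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # streamstats time_window=1m
THRESHOLD = 10                  # search new_files>10


def make_events():
    """Constructed 'File Create Time' events (not real Sysmon data): a backup agent
    writing 8 files in 49 s, below the threshold, and an unknown binary spawned
    from a downloaded 'invoice' writing 12 files in 22 s."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    for i in range(8):
        events.append({
            "_time": base + timedelta(seconds=7 * i),
            "Image": r"C:\Program Files\Backup\agent.exe",
            "sha1": "aaaa...constructed",
            "ParentCommandLine": "services.exe",
            "TargetFilename": rf"D:\bak\f{i}.bak",
        })
    for i in range(12):
        events.append({
            "_time": base + timedelta(seconds=20 + 2 * i),
            "Image": r"C:\Users\bob\AppData\Local\Temp\unknown.exe",
            "sha1": "bbbb...constructed",
            "ParentCommandLine": r'"C:\Users\bob\Downloads\invoice.exe"',
            "TargetFilename": rf"C:\Users\bob\Documents\doc{i}.docx",
        })
    return events


def burst_images(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count per Image: for each event, count events by the same
    image in the trailing window. Returns {image: peak count} for images whose
    peak exceeds the threshold."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["_time"]):
        q = recent[ev["Image"]]
        q.append(ev["_time"])
        while ev["_time"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        peak[ev["Image"]] = max(peak[ev["Image"]], len(q))
    return {img: n for img, n in peak.items() if n > threshold}


def summarise(events, flagged):
    """Equivalent of 'stats last(Image) as File by sha1, _time, ParentCommandLine',
    collapsed to one row per (sha1, ParentCommandLine) with first/last time and count."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["Image"] not in flagged:
            continue
        key = (ev["sha1"], ev["ParentCommandLine"])
        row = rows.setdefault(key, {"File": ev["Image"], "first": ev["_time"],
                                    "last": ev["_time"], "count": 0})
        row["last"] = ev["_time"]
        row["count"] += 1
    return rows


if __name__ == "__main__":
    evs = make_events()
    hits = burst_images(evs)
    for (sha1, parent), row in summarise(evs, hits).items():
        print(f"{row['first']:%H:%M:%S}-{row['last']:%H:%M:%S} {row['count']:>3} files "
              f"{row['File']} sha1={sha1} parent={parent}")
```

Tune the threshold against a baseline of your own telemetry: backup agents, compilers, indexers and installers legitimately write many files per minute, so either raise the threshold, allow-list those images by hash, or require the burst to coincide with one of the command-line IOCs above before it pages anyone.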
On the SOAR side, we can turn the outputs of the tools examined above into playbooks.
For example;
- If a file arrived by mail, put it into the malicious_inspection playbook pipeline.
- First check whether the Mail Gateway flagged the file. If it did, send the attachment to the sandbox; if the sandbox verdict is malicious, notify the Threat Hunting team and have the malware analyst review it.
- If the Mail Gateway did not flag it, still inspect it in the sandbox. If the sandbox raises no warning, deliver the file to the client and watch the client's external DNS and firewall activity from the SIEM.
- When the file runs on the client, check the EDR output, correlate it with the external DNS and firewall logs, and look the hash up on VirusTotal. If the score is high, place the client in containment.
With scenarios like the above, we can establish a strengthened defense network by ensuring the integration and interaction of tools.
Rapid7, for example, has designed a playbook for malware containment along these lines.
Thank you for reading. See you soon :)