Destroy the Ransomware Threat: Part 1.1 — Detection and Prevention

Alican Kiraz
9 min readApr 24, 2023
Source : John Wick 4 Movie

Hi everyone, in this series of articles we’ll discuss a more exciting topic: ransomware. First, we will learn how to detect ransomware before it takes over the entire system. Then we will consider how we can protect our systems.

A ransomware attack is not a threat that we can prevent with a single defense structure or product solution. Just like L.M’s Cyber Kill Chain model, it has many stages. And a different methodology is followed at each step. The Ransomware Kill Chain model below in the article by GroupSense Intelligence analyst Nicole Hoffman explains the situation very well. Against Ransomware we should consider a Kill Chain in the following style. We need to evaluate this pipeline step by step and build our detection mechanism with protection at each stage.

https://www.groupsense.io/

In the detection step, we will have some tools to enhance our defense. These:

  • NDR — NIDS
  • EDR/EPP/AV
  • Sandbox
  • Workflow Management
  • SIEM — SOAR — SOC
  • Honeypot
  • DNS Visibility
  • Mail Gateway
  • AD and DC Ransomware specific monitoring

Now let’s examine what we can do with these tools one by one.

NDR — NIDS

https://www.microsoft.com/en-us/security/blog/2022/11/03/stopping-c2-communications-in-human-operated-ransomware-through-network-protection/

During the ransomware attack, the malicious file continues its C2 (C&C) communication. Sometimes attackers take advantage of the remote access they have obtained and continue their activities on the network for months. In this way, it detects token acquisition, lateral movement areas and pivot points in the system they access without permission. It then takes advantage of these points and gains access that will allow the malicious file to spread. It should not be forgotten that the more inventory they encrypt, the more money they will demand and the more helpless the victim will be.

Mirror traffic from the VLANs in the corporate network is sent to the Network — IDS (NIDS) product. NIDS examines this traffic with rules and finds possible threats.

https://www.geeksforgeeks.org/

In this way, we can capture the communication of a malware or attacker on the network with the external network with NIDS. You can review the Suricata IDS rules written for some ransomware (Wannacry and WannaLocker) from the examples below.

alert dns $HOME_NET any -> any 53 (msg:”MOBILE_MALWARE Android WannaLocker-A DNS Lookup”; dns_query; content:”biaozhunshijian.51240.com”; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,88136a40b295fe41c4c21e1a086cdad4; classtype:trojan-activity; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_24, malware_family Android_WannaLocker;)

alert dns $HOME_NET any -> any 53 (msg:” MOBILE_MALWARE Android WannaLocker-A DNS Lookup”; dns_query; content:”biaozhunshijian.51240.com”; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,88136a40b295fe41c4c21e1a086cdad4; classtype:trojan-activity; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_24, malware_family Android_WannaLocker;)

alert dns $HOME_NET any -> any any (msg:”Possible WannaCry DNS Lookup 1"; dns_query; content:”iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea”; depth:41; nocase; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_12, malware_family wannacry;)

alert dns $HOME_NET any -> any any (msg:”Possible WannaCry DNS Lookup 2"; dns_query; content:”ifferfsodp9ifjaposdfjhgosurijfaewrwergwea”; nocase; fast_pattern; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_14, malware_family wannacry, performance_impact Moderate;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:” W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; content:”iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea”; http_header; fast_pattern; content:”Host|3a 20|”; http_header; pcre:”/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi”; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:” W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:”iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea”; http_header; fast_pattern:only; content:”Host|3a 20|”; http_header; pcre:”/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi”; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:” W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; content:”ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf”; http_header; fast_pattern; content:”Host|3a 20|”; http_header; pcre:”/^[^\s]*ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf\.[a-z]{2,5}\x0d\x0a/HRi”; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:” W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:”iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea”; http_header; fast_pattern:only; content:”Host|3a 20|”; http_header; pcre:”/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi”; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:” W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:”iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea”; http_header; fast_pattern:only; content:”Host|3a 20|”; http_header; pcre:”/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi”; metadata: former_category TROJAN; reference:cve,2017–0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

NDR, on the other hand, does the work of NIDS faster and with less FP rate with Artificial intelligence. It is also a more useful product technology as there are ready-made rule sets. It also becomes very powerful with its integration with NDR and SIEM.

For Suricata setup and rule structure;

  1. https://suricata.io/download/ Download the installation file for Kali.
  2. Then execute the following commands

tar xzvf suricata-

cd suricata-*

./configure

apt-get install build-essential libpcap-dev libnet1-dev libyaml-0–2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python-yaml rustc cargo libpcre2-dev

make

make install

https://giphy.com/

Rule Structure

Our goal should be to design two sets of rule categories that provide Analysis and Detection by examining the rules. Basic diagram of the rules while creating the rules;

action protocol from_ip port -> to_ip port (msg:”defend us”; content:”something”; content:”something else”; sid:10000000; rev:1;)

  • Header (action — port part): This section specifies which port and which action should be performed. Also, the direction of IPs includes an arrow indicating the direction of the ports.

action part;

  • Alert <- Create alarm
  • Log <- To log traffic
  • Pass <- To Exclude
  • Drop <- To drop the package if in IPS mode
  • Reject <- TCP RST to send packet

protocol can be: tcp, udp, icmp, ip, http, tls, smb, dns

-> (Rule direction) : To determine the rule direction

  • Outbound traffic HOMENET any−>EXTERNAL_NET any
  • Inbound traffic EXTENRALNET any−>HOME_NET any
  • Bidirectional traffic EXTENRALNET any<>HOME_NET any

Rule Message: Name or description that will appear when the rule is triggered

Dsize: Allows matching using the size of the packet payload

Rule Content: The value that identifies particular network traffic or activity.

sid : This is the signature identification number.

revision : This field is the version of the rule.

For example rule sets: https://rules.emergingthreats.net/open/

EDR/EPP/AV Combination

https://media.giphy.com

One of the tools that will strengthen our corporate defense against malicious software will be EDR and combinations with EPP or AV. Here are the points we should pay attention to:

  • Define application whitelists on servers in EDR/EPP/AV
  • After the signature control of the applications to be installed on the client, the EDR Sandbox or the external sandbox should check the relevant software
  • Policy hardening in EDR
  • Blocking USB access and integrating this structure into the Ticket & Workflow structure
  • Analysis of application process tree from EDR of suspicious applications. If necessary, file inspection is provided by the in-house Malware Analyst.
  • It will be very useful to have the containment feature in EDR.

You can also find the wonderful Ransomware IOC kit prepared by Sophos below;

For example, Lockbit’s IOCs

## LockBit ransomware IoCs

Ransom gates
- lockbitkodidilol.onion
- lockbitks2tvnmwk.onion

Ransom note
- Restore-My-Files.txt

Ransom extension
- .lockbit

E-mail
- ondrugs@firemail.cc

Persistence
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01

Mutex
- Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}
Executed commands
- bcdedit /set {default} recoveryenabled No
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- vssadmin delete shadows /all /quiet
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin delete catalog -quiet
- wevtutil cl system
- wevtutil cl security
- wevtutil cl application
- wmic SHADOWCOPY /nointeractive
- wmic shadowcopy delete
- ping 1.1.1.1 -n 22 > Nul & \"%s\"
- ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"

Registry keys
- SOFTWARE\LockBit
- SOFTWARE\LockBit\full
- SOFTWARE\LockBit\Public

Source : https://github.com/sophoslabs/IoCs/blob/master/Ransomware-LockBit

Sandbox

https://media.giphy.com

Sandbox environments are very useful in malware detection. The important points here are;

  • What operating systems does Sandbox support in the file
  • Does Sandbox support x86-x64 in file
  • ARM support is also important, as many institutions use Macs.
  • Sandbox compliance with EDR will be an important factor. Integrations such as launching Containment in EDR according to the sandbox output are important. Otherwise, we can strengthen our defense by preparing Playbooks in SOAR.

Workflow Management

We must follow the application installation and USB usage permission configurations that will be created by the end-user or service accounts. Ensuring coordination with systems such as Ticket&Workflow Management will provide protection against malicious software.

https://media.giphy.com/media/gJpw5LQo81ipOO21WD/giphy.gif

SIEM — SOAR — SOC

We can detect vertical and lateral movements with the correlations to be written in SIEM. We can take precautions against the spread of the infection at the enumeration stage. We can increase our monitoring power considerably with WinEvent, Linux Auditd and Sysmon logs in SIEM.

For example, you can write rules like the following great work;

https://www.researchgate.net/figure/Event-ID-1-Sysmon-Log-Related-to-WannaCry-Ransomware_fig4_354836748

Source : https://www.researchgate.net/figure/Event-ID-1-Sysmon-Log-Related-to-WannaCry-Ransomware_fig4_354836748

In Splunk you can list the ParentCommandLine with Sysmon and use the following query to get a timestamp for this activity. For detailed work on this topic, check out Splunk’s great article below.

sourcetype=”xmlwineventlog:microsoft-windows-sysmon/operational” [ search sourcetype=”xmlwineventlog:microsoft-windows-sysmon/operational” EventDescription=”File Create Time”
| streamstats time_window=1m count(EventDescription) AS “new_files”
| search new_files>10 | fields + Image ]
| stats last(Image) as File by sha1, _time, ParentCommandLine

Source : https://www.splunk.com/en_us/blog/industries/detecting-ransomware-attacks-with-splunk.html

We can turn the outputs of these tools, which we have examined separately on the SOAR side, into playbooks.

For example;

  1. If a file was sent via mail, put it in the malicious_inspection playbook pipeline.
  2. First, see if this file is triggered in Mail Gateway. If triggered, send file to sandbox as attachment. If malicious, notify Threat Hunting team and have Malware Analyst review it.
  3. If it didn’t trigger the Mail Gateway, inspect it in the sandbox. If there is no warning in the sandbox, forward the file to the client. Check the Client’s External DNS and FW accesses from SIEM.
  4. Check the EDR outputs when the file is run on the client. Match it with External DNS and FW outputs and evaluate it in Virus Total. If the score is high, take the client to containment.

With scenarios like the above, we can establish a strengthened defense network by ensuring the integration and interaction of tools.

For example, a playbook designed by Rapid7 for Malware Containment;

https://www.rapid7.com/info/security-orchestration-and-automation-playbook/

You can also find a few more examples below;

Thank you for reading. See you soon :)

https://media.giphy.com/media/zoq5U0I5YLHGrWZeY2/giphy.gif

--

--

Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...