## Is It Wrong to Try to Find APT Techniques in Ransomware Attack?

###### Secureworks
###### Kiyotaka Tamada, Keita Yamazaki, You Nakatsuru
###### 2020/01/17 Japan Security Analyst Conference 2020

-----

##### Agenda

• Overview
• Case Study
• Results of Targeted Ransomware Incident Investigations
  • Tactics, Techniques, and Procedures
    • Initial Access
    • Dominance (Privilege Escalation, Discovery, Lateral Movement)
    • Ransom
    • Anti-Forensics
  • Comparison with Targeted Attacks
• Fight Against Targeted Ransomware Incidents
• Summary and Prediction of Targeted Ransomware

-----

### Overview

-----

##### Trend Changes of Ransomware Incidents

###### (Timeline figure)
• ~2017: CryptoLocker (Sep 2013). Infected by mail attachment or drive-by download.
• 2017: Large-scale incident, WannaCry (May 2017). Organizations infected via public-facing servers vulnerable to MS17-010.
• 2018~: More and more cases of attackers manually attacking corporate networks. The decryption price changes according to the size of the organization and whether it has paid in the past.

-----

### Case Study

-----

### Conference Presentation Only

-----

#### Results of Targeted Ransomware Incident Investigations

-----

##### Tactics, Techniques, and Procedures
###### Results of Targeted Ransomware Incident Investigations

-----

##### Initial Access Techniques

###### (Attack phases: Initial Access → Dominance (Privilege Escalation, Discovery, Lateral Movement) → Ransom → Anti-Forensics)

• Domestic and overseas cases
  • Via public RDP or VPN
    • Use brute-force tools like NLBrute to identify weak passwords
  • Through malware attached to e-mail
    • Via Emotet (which then downloads TrickBot)
• Only in domestic cases
  • Via portable connection devices assigned a global IP address, plus hosts vulnerable to MS17-010
• Only in overseas cases
  • Via Dridex (Bugat v5)
  • Via Cobalt Strike
  • Via Empire
  • Via Meterpreter

-----

#### NLBrute

-----

##### Privilege Escalation Techniques
• Domestic and overseas cases
  • Password dump using Mimikatz
    • Executed via tools such as TrickBot and Empire
  • The account used for the intrusion is often already an administrator
• Only in domestic cases
  • Use PoC tools for specific vulnerabilities from GitHub

-----

##### MS16-032
###### https://github.com/SecWiki/windows-kernel-exploits

-----

##### Discovery Techniques

• Domestic and overseas cases
  • Scan and gather information using malware functionality
• Only in domestic cases
  • Use Advanced IP Scanner, Advanced Port Scanner, SoftPerfect Network Scanner, Process Hacker, KPortScan3, PowerTools, etc.
• Only in overseas cases
  • Use Hyena
  • Search AD using BloodHound and SharpHound

-----

##### Advanced IP Scanner
###### https://www.advanced-ip-scanner.com

-----

##### PCHunter
###### https://www.bleepingcomputer.com/download/pc-hunter/

-----

##### BloodHound/SharpHound
###### https://github.com/BloodHoundAD/BloodHound

• Uncovers hidden relationships and attack paths in an Active Directory environment
• Aggregates information such as usernames, computer names, groups, domains, and OUs about the PCs/servers on the network and visualizes their relationships
• Identifies possible attack routes to the AD server
• SharpHound is the C# version of the BloodHound ingestor
  • Operates at high speed and with stability
Source: https://wald0.com/?p=68

-----

##### NS.exe (NetworkShare)
###### Explores network shared folders

-----

##### Lateral Movement Techniques

• Domestic and overseas cases
  • Use RDP, PsExec and WMI
• Only in domestic cases
  • Use mRemoteNG, mRemoteNC, PuTTY, Ammyy Admin, etc.
  • Brute-force password attacks using Bruttoline
• Only in overseas cases
  • Use Empire, Cobalt Strike and reGeorg

-----

##### mRemoteNG

-----

##### Ammyy Admin
###### http://www.ammyy.com/en/
Source: http://www.ammyy.com/en/admin_screenshots.html

-----

##### Ransom Techniques

• Domestic and overseas cases
  • Run ransomware using PsExec, RDP and WMI
  • Deploy and execute ransomware using RAT and post-exploitation framework functions
  • Use batch files or PowerShell scripts
  • Distribute ransomware using the group policy functions (software installation and logon scripts) of the AD server
  • Use various families of ransomware

-----

##### Ransomware Distribution from AD Server
###### Use "Software installation" to broadcast ransomware

-----

##### Ransomware Distribution from AD Server
###### Use "Logon Script" to broadcast ransomware

-----

##### Types of Ransomware

Matrix, Phobos, GandCrab, GlobeImposter, Cropp, Dharma, Ryuk, MedusaLocker, Frendi, CrySiS, Scarab, Samsam, BitPaymer, Defray 777, REvil/Sodinokibi, rsa.exe/aes.exe

-----

##### Typical Features of Ransomware

###### File encryption
• Uses RSA-2048/RSA-4096 in combination with AES-256
• Encrypts the file data with AES, which allows high-speed encryption; the AES secret key is then encrypted with the RSA public key

###### Scan the network and add more PCs/servers to encrypt
• Explore A–Z drives
• Explore network shared folders, administrative shares, etc.
• Disable the firewall

###### Anti-forensics
• Erase VSS (Volume Shadow Copies)
• Disable startup repair

###### Display ransom note

-----

##### Command Line Tools: rsa.exe
###### Ransomware, but closer to an encryption tool

-----

##### Command Line Tools: rsa.exe

###### Multiple versions confirmed
• No-usage version (encrypts files if there are no arguments)
• Usage version

-----

##### Command Examples

• Spread of infection
  • `netsh advfirewall set currentprofile state off`
  • `netsh firewall set opmode mode=disable`
• Anti-forensics
  • `wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0`
  • `vssadmin delete shadows /all /quiet`
  • `wmic shadowcopy delete /nointeractive`
  • `bcdedit /set {default} bootstatuspolicy ignoreallfailures`
  • `bcdedit /set {default} recoveryenabled no`
  • `"C:\Windows\system32\cmd.exe" /c del \ > nul`

-----

###### MedusaLocker

-----

###### Instead of Bitcoin transfers, the attacker requires direct e-mail contact

-----

##### Anti-Forensics Techniques

• Domestic and overseas cases
  • Erase VSS and disable the firewall using the ransomware itself
  • Delete files using `sdelete.exe -p 5`
  • Delete event logs using `pslog.exe -c security`, etc.
  • In many cases, both domestic and overseas, no evidence deletion was carried out at all
  • Some evidence is erased anyway because the ransomware encrypts the registry, event logs and other files
• Only in domestic cases
  • Use xDedicLogCleaner

-----

##### PowerShell

• Execution history
  • `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
• Commands
  • `(Get-WmiObject -Class Win32_Product -Filter "Name = 'Symantec Endpoint Protection'" -ComputerName <...>).Uninstall()`
  • `(Get-WmiObject -Class Win32_Product -Filter "Name = 'Endpoint Protection'" -ComputerName <...>).Uninstall()`

-----

##### xDedicLogCleaner
###### One click to clear various PC history

-----

### Comparison with Targeted Attacks
###### Results of Targeted Ransomware Incident Investigations

-----

##### TTPs in Each Case
###### TTPs differ depending on the case

|Case|Initial Access|Dominance|Ransom|Evidence Deletion|
|---|---|---|---|---|
|Domestic and Overseas 1|Mail (Emotet)|TrickBot|Ryuk|N/A|
|Domestic 2|RDP|MS16-032, NLBrute, Advanced IP Scanner, Ammyy Admin, NetworkShare.exe|Matrix|N/A|
|Domestic 3|RDP|Advanced Port Scanner, Process Hacker, NetworkShare.exe|Phobos|N/A|
|Domestic 4|RDP|PCHunter, Process Hacker, Mimikatz|Phobos|N/A|
|Domestic 5|RDP|KPortScan3, SoftPerfect Network Scanner, PowerTools, mRemoteNG, Bruttoline, PuTTY, Process Hacker, Mimikatz|GandCrab|xDedicLogCleaner|
|Domestic 6|VPN|PsExec, batch file for domain user listing|rsa.exe|pslog.exe, sdelete.exe|
|Domestic 7|RDP|PsExec|GlobeImposter 2.0|N/A|
|Overseas 2|RDP|Hyena, Mimikatz, WMIexec, reGeorg|Samsam|N/A|
|Overseas 3|Mail (Dridex)|Empire, PsExec|BitPaymer|N/A|
|Overseas 4|Mail|Cobalt Strike, Meterpreter, SharpHound|Defray 777|N/A|

-----

##### Characteristics Unique to Targeted Ransomware Attacks

• Attackers attempt to break into many organizations and pick targets with weak security measures where ransomware is easy to deploy
• Heavy use of brute force when cracking passwords
• Heavy use of free tools when dominating systems
• Use of the AD server's group policy functions (software installation and logon scripts)
• The ransomware type/version used by the attacker changes quickly
• Many overseas cases have TTPs similar to targeted attacks (penetration testing)

-----

##### Fight Against Targeted Ransomware Incidents

-----

###### Prepare countermeasures and response plans from the following perspectives

1. Prevention
2. Detection and Initial Containment

-----

##### 1. Prevention

• Implement countermeasures against "Initial Access", "Dominance" and "Ransom" to increase the cost of a successful attack
• Unlike targeted attacks, the attacker aims at organizations with poor security

-----

##### 2. Detection and Initial Containment

• In most incidents, existing security products detect some signs of the attack
  • Unlike targeted attacks, these attacks are less stealthy
• However, quick initial containment is required to minimize the damage
  • Initial containment planning is essential for a quick response

-----

• A recovery plan is required to quickly recover encrypted data and minimize business impact
  • Just having backups is not enough for practical recovery
• Investigation, containment, and eradication processes must be planned in advance, as for targeted attacks

-----

###### ① Identification
- Accurately recognize the current situation from security alerts and interviews

###### ② Initial containment
- Control and contain the damage that can be done in a short time

###### ③ Create specific response plan
- Prepare a specific response plan from investigation to recovery, based on the status of the incident

###### ④ Investigation and threat hunting
- Identify the root cause of the initial intrusion
- Identify the TTPs of the attack
- Identify hidden affected computers

###### ⑤ Containment
- Contain attacker activities based on the investigation results

###### ⑥ Eradication
- Eradicate all attacker activities
- Malware-infected computers, settings, etc.

###### ⑦ Recovery
- Recover encrypted data
- Recover the stopped systems and network
- Monitor for new attacks and remaining threats

-----

##### Balance between Business and Safety

• System recovery is often the priority, because data encryption means business disruption
• In some cases, the incident response process above cannot be performed step by step
• A response plan that balances business continuity and safety needs to be developed within a limited time frame
  • What is the minimum that must be done to prevent recurrence of the attack and the spread of damage?

###### Examples of incidents and responses in Japan and overseas should be widely shared among incident handlers. Creating best practices is especially important for quick, safe incident response that minimizes business impact.

-----

##### Important Points for Preventing Damage Expansion and Recurrence

-----

##### Examples in a Domestic Incident

###### ① Identification
• Interviews
  • Two ransomware encryptions were discovered at different times
  • Logon scripts were abused to distribute the ransomware
• Investigation of AV detection logs
  • SMB/RDP brute-force tools had been detected by AV

###### ② Initial containment
• Blocking all Internet connections
• Resetting the password of the domain administrator account
• Fixing the logon scripts

-----

##### Examples in a Domestic Incident

###### ③ Create specific response plan

Phase 1 – Implement countermeasures to ensure a certain level of safety and recover the network and systems within 48 hours
• Identify and counter the initial intrusion route (root cause)
• Identify the lateral movement techniques the attacker used and implement mitigations
• Domain controller safety check
• Implement EDR and establish company-wide threat monitoring operations
Phase 2 – Further investigation and implementation of additional countermeasures
• Forensics of the compromised servers/terminals to clarify the attack details
• Update IOCs based on the forensic results and continue monitoring with EDR
• Implement additional countermeasures

-----

##### Examples in a Domestic Incident

###### ④ Investigation and Threat Hunting

-----

##### Examples in a Domestic Incident

###### ⑤ Containment
• Restrict the source IP addresses that can access the VPN, and implement certificate authentication
• Resolve the vulnerabilities in the VPN devices
• Limit RDP/SMB access to servers and computers
• Reset the password of the compromised domain administrator account
• Countermeasures against Golden Ticket attacks
• Implement detection and prevention of execution of the attack tools already observed

###### ⑥ Eradication
• Restore the compromised terminals/servers from a safe backup
• *As no RAT was used, the risk of continued access is low

-----

##### Summary and Predictions for Targeted Ransomware

-----

##### Domestic Ransom(ware) in 2020

###### Initial access – following international cases
• Vulnerable devices (on-premise/cloud) will continue to be compromised directly from the Internet
• Ransomware downloaded by other malware that spreads via e-mail (Emotet, etc.) is increasing, and will keep increasing, in Japan as it has overseas
• Ransomware incidents are increasing even in organizations that properly implement "perimeter defense"

###### Dominance – close to targeted attack methods
• Use of RATs and penetration testing tools such as BloodHound, and other APT-like tools, is expected to increase in Japan
• Use of a RAT makes containment and eradication more difficult
• Attackers may repeatedly or continuously distribute ransomware through the RAT in the same organization, even after the security team has recovered the encrypted data
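
The "Detection and Initial Containment" slides above argue that existing products usually see signs of these attacks, and the Command Examples and PowerShell slides list the exact command lines the attackers ran. The following Python is an added example, not tooling from the original deck, that turns those indicators into detection logic over constructed Windows event records: a burst of failed RDP logons (event 4625, logon type 10) from one source followed by a success (4624), which is the NLBrute-style Initial Access described earlier, and process-creation events (4688 with command-line auditing enabled) matching the VSS/backup deletion, boot-recovery and firewall commands plus the Win32_Product AV uninstall seen in the PowerShell history. The sample events, host name, IP addresses, timestamps and the brute-force threshold are assumptions.

```python
"""Triage of Windows event records for the ransomware TTPs shown in the deck.

Added example with constructed data. Event IDs: 4625 = failed logon and
4624 = successful logon (logon type 10 = RemoteInteractive, i.e. RDP);
4688 = process creation, which only carries the command line when
"Include command line in process creation events" is enabled.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line indicators taken from the "Command Examples" and "PowerShell" slides.
ANTI_FORENSICS_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_backup": re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "firewall_off": re.compile(
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+mode=disable)\b", re.I),
    "av_uninstall_wmi": re.compile(
        r"Win32_Product.*Endpoint Protection.*\.Uninstall\(\)", re.I),
}

RDP_LOGON_TYPE = 10
BRUTE_FORCE_THRESHOLD = 20              # assumed: failures from one source inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)


def detect_anti_forensics(events):
    """One hit per 4688 event whose command line matches an indicator."""
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        for rule, pattern in ANTI_FORENSICS_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                hits.append({"time": ev["time"], "host": ev["host"],
                             "rule": rule, "cmdline": ev["cmdline"]})
                break
    return hits


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD,
                           window=BRUTE_FORCE_WINDOW):
    """Flag source IPs with >= threshold RDP logon failures inside a sliding
    window, and record the first later RDP success from the same source,
    i.e. the account the attacker got in with."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["id"] in (4625, 4624) and ev["logon_type"] == RDP_LOGON_TYPE:
            (failures if ev["id"] == 4625 else successes)[ev["src_ip"]].append(ev)
    alerts = {}
    for src, evs in failures.items():
        times = sorted(e["time"] for e in evs)
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        later = sorted((e for e in successes[src] if e["time"] >= times[0]),
                       key=lambda e: e["time"])
        alerts[src] = {"failures": peak,
                       "accounts_tried": sorted({e["user"] for e in evs}),
                       "succeeded_as": later[0]["user"] if later else None}
    return alerts


_T0 = datetime(2019, 11, 3, 2, 10)      # constructed timestamp base


def _ev(offset_s, **fields):
    return {"time": _T0 + timedelta(seconds=offset_s), "host": "SRV01", **fields}


# Constructed sample: 25 RDP failures in two minutes from one address, a success
# as "administrator" from it, then the attacker's command lines on SRV01.
# A second address with three scattered failures stays below the threshold.
SAMPLE_EVENTS = (
    [_ev(5 * i, id=4625, logon_type=10, src_ip="203.0.113.45",
         user=("administrator", "admin", "backup")[i % 3]) for i in range(25)]
    + [_ev(150, id=4624, logon_type=10, src_ip="203.0.113.45", user="administrator")]
    + [_ev(600 * i, id=4625, logon_type=10, src_ip="198.51.100.7", user="jsmith")
       for i in (1, 2, 3)]
    + [_ev(200, id=4688, cmdline=r"notepad.exe C:\Users\administrator\Desktop\notes.txt"),
       _ev(240, id=4688, cmdline="vssadmin delete shadows /all /quiet"),
       _ev(245, id=4688, cmdline="netsh advfirewall set currentprofile state off"),
       _ev(250, id=4688, cmdline="bcdedit /set {default} recoveryenabled no"),
       _ev(300, id=4688, cmdline='powershell.exe -c "(Get-WmiObject -Class Win32_Product '
                                 "-Filter \"Name = 'Symantec Endpoint Protection'\" "
                                 '-ComputerName SRV01).Uninstall()"')]
)


def triage(events=SAMPLE_EVENTS):
    return {"rdp_brute_force": detect_rdp_brute_force(events),
            "anti_forensics": detect_anti_forensics(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2, default=str))
```

The brute-force rule keys on logon type 10 so that failed SMB or service logons do not inflate the count, and it reports the later successful logon from the same source because that account is the one to reset during initial containment. The command-line rules are deliberately narrow (the exact deletion and disable verbs), so benign administrative use of `vssadmin list` or `netsh` queries does not fire; on hosts without 4688 command-line auditing, the same patterns can be applied to Sysmon process-creation events instead.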
-----

##### Domestic Ransom(ware) in 2020

###### Ransom – methods other than file encryption
• Attack on availability
  • Attackers may find ways other than encryption to attack availability
    • Changing the passwords of all domain accounts
    • Interfering with system operation by deleting files or changing settings on various servers
• Attack on confidentiality
  • Attackers may threaten the organization using confidential information they have stolen
  • Cases of obtaining confidential information, such as intellectual property, R&D information and personal information, and threatening to disclose it will also occur in Japan
• Attack on integrity
  • Secondary damage to data integrity may occur
  • Obstruction of business by partial file wiping or encryption

-----

##### IoC

|Malware/Tool name|SHA-256 Hash|
|---|---|
|NLBrute 1.2|E21569CDFAFBBDD98234EF8AFCC4A8486D2C6BA77A87A57B4730EB4A8BD63BC2|
|NS.exe|F47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446|
|KPortScan3|080C6108C3BD0F8A43D5647DB36DC434032842339F0BA38AD1FF62F72999C4E5|
|SoftPerfect Network Scanner|66C488C1C9916603FC6D7EC00470D30E6F5E3597AD9F8E5CE96A8AF7566F6D89|
|MS16-032|9F023D74CF5E16A231660805ADFC829C1BE24A6B1FA6CB3ED41F0E37FE95062B|
|MS16-032|9AFAE820C8F7ED5616A4523A45968CFDABF646C5151A9C1DB1A6E36D7A9D1E11|
|rsa.exe|48303E1B50B5D2A0CC817F1EC7FA10C891F368897B0AEA2D02F22701D169CE54|
|rsa.exe|E6CCB71FD62783DE625CBFCDAE1836B9FFB33B0E2344D709F5B6C5B2E6EAC8D8|
|mRemoteNC|3BC3038749427E1D6DA05FD3972A86F3403B40102974BD241A233EBD2C3B8C5C|
|mRemoteNG|9476FE1896669163248747785FA053ACA7284949945ABD37C59DAE4184760D58|
|Ammyy Admin|5FC600351BADE74C2791FC526BCA6BB606355CC65E5253F7F791254DB58EE7FA|
|Ammyy Admin|A0C996178FAA8320948D886F47EF394C712F1E5DC0F7C8867CD4BB1DB5F2A266|
|xDedicLogCleaner|878706CD11B5223C89AAEF08887B92A655A25B7C630950AFFA553574A60B922E|
|Advanced IP Scanner|02EC949206023F22FE1A5B67B3864D6A653CC4C5BFCB32241ECF802F213805E8|
|PCHunter|D1AA0CEB01CCA76A88F9EE0C5817D24E7A15AD40768430373AE3009A619E2691|

-----
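
The "Ransomware Distribution from AD Server" slides describe ransomware pushed through group policy logon scripts, and the domestic incident example above found the abused logon scripts through interviews. A repeatable check is to audit the `scripts.ini` files under SYSVOL. The following Python is an added example, not tooling from the original deck: it parses each policy's `Machine\Scripts\scripts.ini` and `User\Scripts\scripts.ini`, resolves the referenced script files, hashes them, and reports entries whose hash matches the IoC table above or whose name is not on a baseline allow-list. The SHA-256 values are copied from the table; the policy GUID, the SYSVOL layout rebuilt in a temporary directory, the script contents and the allow-list are constructed assumptions. Software-installation GPOs are stored as AD objects rather than as SYSVOL script files and are not covered here.

```python
"""Audit GPO logon/startup script definitions in SYSVOL for the "Logon Script"
abuse described in the deck.

Added example with a constructed SYSVOL layout. The IoC hashes are copied from
the IoC table; the policy GUID, file contents and allow-list are assumptions.
"""
import configparser
import hashlib
import tempfile
from pathlib import Path

KNOWN_BAD_SHA256 = {  # from the IoC table above
    "48303E1B50B5D2A0CC817F1EC7FA10C891F368897B0AEA2D02F22701D169CE54": "rsa.exe",
    "E6CCB71FD62783DE625CBFCDAE1836B9FFB33B0E2344D709F5B6C5B2E6EAC8D8": "rsa.exe",
    "F47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446": "NS.exe",
}
APPROVED_SCRIPTS = {"logon.bat", "mapdrives.vbs"}   # hypothetical baseline of expected scripts
SCRIPT_SECTIONS = ("Logon", "Logoff", "Startup", "Shutdown")
SAMPLE_STANDIN_BYTES = b"MZ" + b"\x00" * 62         # stand-in for a dropped binary, not malware


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest().upper()


def read_scripts_ini(path):
    """scripts.ini written by the Group Policy editor is UTF-16 with a BOM;
    fall back to UTF-8 for hand-edited copies. Newlines are normalised."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    return text.replace("\r\n", "\n")


def parse_scripts_ini(text):
    """Return (section, cmdline, parameters) for each NCmdLine/NParameters pair."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                      # keep "0CmdLine" exactly as written
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        if section not in SCRIPT_SECTIONS:
            continue
        n = 0
        while f"{n}CmdLine" in cp[section]:
            entries.append((section, cp[section][f"{n}CmdLine"],
                            cp[section].get(f"{n}Parameters", "")))
            n += 1
    return entries


def audit_policy(policy_dir, known_bad=KNOWN_BAD_SHA256, approved=APPROVED_SCRIPTS):
    """Audit one Policies\\{GUID} folder (Machine\\Scripts and User\\Scripts).
    An entry is reported if its file hash is a known IoC (checked first, so a
    replaced logon.bat is still caught) or its name is not on the allow-list;
    entries pointing outside the GPO (UNC/absolute paths) are reported unhashed."""
    findings = []
    for ini in sorted(Path(policy_dir).glob("*/Scripts/scripts.ini")):
        scope = ini.parent.parent.name                      # "Machine" or "User"
        for section, cmdline, params in parse_scripts_ini(read_scripts_ini(ini)):
            external = "\\" in cmdline or "/" in cmdline
            name = cmdline.replace("\\", "/").rsplit("/", 1)[-1]
            local = ini.parent / section / name
            digest = None
            if not external and local.is_file():
                digest = sha256_bytes(local.read_bytes())
            if digest in known_bad:
                reason = "IoC match: " + known_bad[digest]
            elif name.lower() not in approved:
                reason = "not on allow-list" + (" (external path)" if external else "")
            else:
                continue
            findings.append({"scope": scope, "section": section, "cmdline": cmdline,
                             "parameters": params, "sha256": digest, "reason": reason})
    return findings


def build_sample_policy(root):
    """Constructed policy folder: the expected logon.bat plus an injected
    rsa.exe entry, as on the "Logon Script" distribution slide."""
    scripts = Path(root) / "{8F3A6C2E-1B4D-4E5F-9A0B-7C6D5E4F3A2B}" / "User" / "Scripts"
    (scripts / "Logon").mkdir(parents=True)
    (scripts / "Logon" / "logon.bat").write_bytes(b"net use H: \\\\fs01\\home\r\n")
    (scripts / "Logon" / "rsa.exe").write_bytes(SAMPLE_STANDIN_BYTES)
    body = "[Logon]\r\n0CmdLine=logon.bat\r\n0Parameters=\r\n1CmdLine=rsa.exe\r\n1Parameters=\r\n"
    (scripts / "scripts.ini").write_bytes(b"\xff\xfe" + body.encode("utf-16-le"))
    return scripts.parent.parent


def run_sample(known_bad=KNOWN_BAD_SHA256):
    with tempfile.TemporaryDirectory() as tmp:
        return audit_policy(build_sample_policy(tmp), known_bad=known_bad)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run `audit_policy` against every `{GUID}` folder under `\\<domain>\SYSVOL\<domain>\Policies` from a trusted host; the hash check is ordered before the allow-list check so that a legitimate script name whose file has been swapped for a known binary is still reported, and entries with UNC or absolute paths are surfaced for manual review rather than silently hashed from a location the attacker may control.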