The landscape of ransomware has undergone rapid evolution, shifting from a relatively straightforward form of malicious software primarily affecting individual computer users, to a menacing enterprise-level threat that has inflicted substantial harm on various industries and government institutions.
Ransomware attacks are strategically designed to either encrypt or delete critical data and system files, compelling organisations to meet the attackers’ financial demands. These assaults specifically focus on compromising data repositories, backup systems, and vital records that are essential for recovery without capitulating to the attackers’ demands, thus increasing the likelihood of organisations acquiescing.
Perpetrators utilise ransomware as a means to extort funds from their targets, typically requesting payment in cryptocurrencies, in exchange for a decryption key or as a condition to prevent the exposure of sensitive information on the dark web or public internet.
Human-operated ransomware has emerged as a distinct variant, where organised groups of human attackers, under the guidance of skilled operators, systematically target an organisation’s entire IT infrastructure. This contrasts with earlier iterations of ransomware, which predominantly relied on software-driven propagation, through phishing attacks across multiple computing systems.
A ransomware attack can:
- Encrypt data and systems, causing downtime and recovery costs
- Steal confidential data, exfiltrate it outside the organisation, and threaten to release it
- Steal organisation, employee and customer login credentials
- Use compromised victims’ systems and earned trust to compromise customers and business partners
- Publicly shame victim, causing reputational damage
Today, over 80% of all ransomware attacks involve “double extortion,” data and credential exfiltration
Ransomware leverages the attackers’ knowledge of common system and security weaknesses and vulnerabilities to infiltrate an organisation. It then traverses through the corporate network, adapting to its environment and exploiting any weaknesses it encounters.
Before executing the ransomware on a predetermined date, there may be a preparatory stage where the malware exfiltrates data over the course of several weeks or months.
By keeping the encryption key on the infected device, ransomware may gradually encrypt files. During this time, files can still be accessed since the encryption key remains in place, rendering the malware less detectable. However, it’s important to note that the data that gets encrypted is what you typically back up.
Once all data is encrypted, including recent backups that now contain encrypted data, the key is withdrawn. This renders the data inaccessible, making it impossible for you to view or recover your files.
How are victims of Ransomware exploited?
Since the beginning of computers, only two root cause methods have accounted for the vast majority of malicious breaches to most devices and most organisations:
- Social Engineering
- Unpatched Software
There are various other malware and hacking methods that became very popular for a few years (such as boot viruses, USB key infections, etc.), but social engineering and unpatched software have been either the number one or number two most popular exploit methods for most years over three decades.
Although numerous attack vectors are categorized differently by the various vendors, it is clear that a third additional common attack vector is commonly used by ransomware groups: password attacks. Either the ransomware group logs into the victim’s devices using a previously stolen valid login name and password or they successfully guess at a login credential.
This initial login access is then leveraged into additional exploitations, which eventually allow more of the network to be compromised.
With that said…Password Attacks are honestly in the past.
Attempting password attacks is often futile due to increasingly sophisticated security measures, including strong password policies, multi-factor authentication, and automated intrusion detection systems, making it extremely challenging for attackers to compromise user accounts.
With ransomware attacks, in particular, it is clear that three attack vectors allow the vast majority of ransomware attacks:
- Social engineering
- Unpatched software
- Password attacks (last resort, lazy, too challenging, 0.001% chance of success)
Detecting Signs of ransomware activity
Microsoft security researchers have observed various common yet subtle artefacts in many ransomware campaigns launched by sophisticated intruders.
These signs mostly involve use of system tools to prepare for encryption, prevent detection, and clear forensic evidence.
The below table represents activity, tools & possible intent.
|Ransomware activity||Common tools||Intent|
|Stop processes||taskkill.exe, net stop||Ensure files targeted for encryption are not locked by various applications.|
|Turn off services||sc.exe||– Ensure files targeted for encryption are not locked by various applications.|
|Turn off services||sc.exe||– Prevent security software from disrupting encryption and other ransomware activity.|
|Turn off services||sc.exe||– Stop backup software from creating recoverable copies.|
|Delete logs and files||cipher.exe, wevtutil, fsutil.exe||Remove forensic evidence.|
|Delete shadow copies||vsadmin.exe, wmic.exe||Remove drive shadow copies that can be used to recover encrypted files.|
|Delete and stop backups||wbadmin.exe||Delete existing backups and stop scheduled backup tasks, preventing recovery after encryption.|
|Modify boot settings||bcdedit.exe||Turn off warnings and automatic repairs after boot failures that can be caused by the encryption process.|
|Turn off recovery tools||schtasks.exe, regedit.exe,||Turn off System Restore and other system recovery options.|
Detecting for individual signs of ransomware activity
Many activities that constitute ransomware behaviour, including the activities described in the above table, can be benign.
When using the following queries to locate ransomware, run more than one query to check whether the same devices are exhibiting various signs of possible ransomware activity.
Stopping multiple processes using taskkill.exe
This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility.
// Find attempts to stop processes using taskkill.exe DeviceProcessEvents | where Timestamp > ago(1d) | where FileName =~ “taskkill.exe” |summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) | where taskKillCount > 10
From this simple KQL detection query you can see that it’s looking for any taskkill commands, which as the above table suggest, an adversary might utilise this for ensuring files targeted for encryption are not locked by various applications.
But this also can mean an Administrator could be using this to kill a common program which maybe stuck or frozen, which is why would should attempt to filter these types of specific queries into maybe a watchlist with known administrators, either way, this should definitely be investigated.
Thanks to Microsoft and their incredible security experts, they have provided a hugely detailed KQL detection query to Check for multiple signs of ransomware activity.
The code and more explanation is below 🙂
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware?view=o365-worldwide#check-for-multiple-signs-of-ransomware-activityIn case you haven’t seen my video on “Detecting Ransomware with Sentinel”. In that, I run a piece of malware which encrypts a bunch of files, which relies on a private key to “un-encrypt” them without the private key that data is gone forever, but with the private key you can easily decrypt the files.
As an extra step of incident response, you want to ensure any of your files were not officially compromised you might want to considering doing a file signature analysis.
File Signature Analysis:
Carrying out a file signature analysis to ensure the file extension matches the file type. Many file types you will find in the filesystem have been standardised and possess unique file signatures to identify themselves to the filesystem. This is not the file extension, such as a Microsoft Word document with a file extension of .doc or .docx.
A user or programme can change the file extension to hide incriminating evidence. The intention behind carrying out a file signature analysis is to determine whether the file signature and file extension match.
To do this, you need to reference the signature header for the the file in question.
For example, a GIF file should have a hexadecimal 47 49 46 38 file signature, not hexadecimal FF D8 FF E0.
In some cases, the mismatch is through normal usage of the filesystem and not from user interaction.
You must examine the data to ensure the mismatch can be attributed to a specific user.
Gary Kessler has created a website that allows you to search a database based on the file extension or signature. You can refer to this website at https://filesignatures.net/
Craig is a finalist in the Cyber Writer category in this year’s Security Serious Unsung Heroes Awards.