Threat Thursday

SCYTHE Library: #ThreatThursday - Ransomware

Written by Jorge Orchilles | Jul 2, 2020 4:00:00 AM

A day hardly goes by without hearing about another ransomware attack. Just this week I read, on SANS NewsBites, that University of California San Francisco (UCSF) paid $1.1 million to regain access to their data. This week’s #ThreatThursday we take a look at a ransomware example, learn how criminals are evolving to get paid, create an adversary emulation plan that is safe but valuable for enterprises, and speak to industry thought leader, Olaf Hartong, about defending against ransomware attacks using Sysmon. Hope you enjoy this week’s post!

Cyber Threat Intelligence

Ransomware is a type of malicious software designed to block access to systems and/or data until a sum of money is paid. It is one of the dominant methods that criminals are getting return of investment (ROI) from their malicious activities. There are lots of examples of ransomware in the past few years, from WannaCry to NotPetya to almost a daily news feed of new attacks. 

The latest one in the news is from the University of California San Francisco (UCSF) that paid $1.1 million to the criminals in order to get their data back. The attack was first detected in early June, as reported by Bloomberg. The criminal gang, known as Netwalker, used a strain of ransomware by the same name. BBC documented the negotiations that occurred to arrive at the $1.1 million figure.

So who is this Netwalker gang and how do they operate? Our friends at Sophos provided excellent Cyber Threat Intelligence related to the Netwalker gang and their modus operandi. They have even mapped it to MITRE ATT&CK as you can see in Figure 1.


Figure 1 - Source: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/

Adversary Emulation Plan

Is emulating ransomware even possible? Of course it is! SCYTHE users can emulate ransomware without introducing risk to the target organization by following our Ransomware Example campaign. The secret is to not encrypt or destroy production data. SCYTHE will instead create new files to then execute the typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note. This method ensures no data is ever at risk of being encrypted, destroyed, or leaked.

As usual, we have provided this Ransomware Example in our Community Threats Github. Let’s take a look at the steps for this campaign:

  • Establish Command and Control via HTTPS
  • Load run, file, crypt, and downloader modules
  • Creates a new directory in %USERPROFILE%\Desktop\ called x_all_the_stolen_files
  • Creates 5 new files of 10MB each
  • Encrypts the newly created files with a password
  • Download and saves a ransom note from PasteBin to the newly created folder
  • Shutdown the agent

Defend against Ransomware

This week, we had the pleasure of sitting down with industry thought leader, and recently awarded Microsoft MVP, Olaf Hartong, to discuss how to defend against ransomware attacks. Given there are many strains of ransomware in the wild, it is important to focus on the behaviors that ransomware has shown in the past and continue to monitor as these criminal gangs evolve. 

Olaf gives us an introduction to Sysmon, a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Olaf is an industry contributor and has an excellent Sysmon configuration that he demos in this video after executing the SCYTHE Ransomware Example.

Conclusion

In this week’s #ThreatThursday we looked at ransomware and how it has evolved from smash-and-grab to more sophisticated modus operandi to achieve the objective of getting paid. We heard about UCSF paying $1.1 million ransom to the Netwalker gang. We consumed Cyber Threat Intelligence mapped to MITRE ATT&CK thanks to the excellent write up from Sophos. We emulated how ransomware functions in a SCYTHE campaign without introducing risk to the target organization. Lastly, we spoke with our friend Olaf Hartong about defending against Ransomware attacks using Sysmon. Look out for next’s #ThreatThursday write up!

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.