Sophos principal researcher Andrew Brandt said, in a detailed study titled Ransomware's evasion-centric arms race, that nearly every ransomware attack involved live engagement by the attackers, who first surveilled and took inventory of the intended victim's network before turning their attention to shutting down or disabling the existing layers of protection.
This is the second in a series of five studies on ransomware published by Sophos; iTWire reported on the first, a detailed study of WastedLocker, last week.
Brandt said that as these evasive tactics had grown, the average ransom demanded had also increased, and the gangs had widened their attacks to include the exfiltration of data from a target's network at an early stage of the attack.
They then use this data to put pressure on the victim, giving them a two-pronged threat: the victim's data is encrypted and inaccessible, and the threat of that data being leaked to world+dog hangs over the negotiation.
After the process of encrypting the victim's files on-site is completed, the ransomware generates a ransom note which shows up on the victim's system, stating the amount of ransom demanded, the deadline for payment and the method of payment, usually through cryptocurrency to a designated wallet.
The gangs release the data in dribs and drabs and, if the victim resists, the entire data dump is leaked on dark Web forums frequented by people who use data from these sites to stage phishing attacks or steal people's identities. Data that can embarrass people is used in extortion attempts.
Brandt said the theft of data increased the chances that a victim would pay a ransom, even if they had back-ups and could restore their data from those back-ups right away.
"These two factors — the need to evade detection and the need to strengthen the criminal’s hand in ransom negotiations — have been the dominant factors driving the most dramatic behaviour changes, some of which we’ll discuss," he said.
"They also indicate the increasingly strenuous degree of effort it now requires to pull off a successful attack, a positive sign that the work defenders do has measurable effect on the attackers’ workloads."
He said the study had concentrated on a few attacker escalations aimed at security controls that the researchers had found interesting. "We think these indicate a level of frustration on the part of the ransomware criminals at their inability to terminate or disable these security controls," he said.
Brandt cited the case of the ransomware named Snatch which, in the Western autumn of 2019, had begun rebooting infected computers into Windows Safe Mode and then beginning the process of encrypting hard drives.
He pointed out that rebooting into Safe Mode - which is used for troubleshooting as it brings up a Windows system with a minimal set of drivers and programs - could inhibit the operation of endpoint protection, as that form of protection does not normally operate in Safe Mode.
"There are certain situations where a PC needs a specific driver or file to run, even during Safe Mode, in order to do something critical (for example, have a working display)," the Sophos researcher said.
"Snatch unexpectedly took advantage of this intentional feature of Safe Mode. During its infection process, the malware sets the registry keys that need to be there in order to run a particular file in Safe Mode. It plants its payload (the encrypting component), points the registry keys at it, and reboots the machine."
In another case, that of ransomware known as Robbinhood, attackers were found to have installed a legitimately signed third-party driver in order to exploit a flaw in that driver. This driver then provided an entry point for the remainder of the attack.
"The attackers behind Robbinhood loaded a long-disused motherboard driver digitally signed by Gigabyte, the hardware manufacturer. Recent updates to Windows 10 mean that only these kinds of digitally signed drivers can run under normal circumstances," Brandt explained.
"The attackers use the Gigabyte driver, ironically, to turn off this feature in Windows that prevents the installation of hardware drivers that haven’t been cryptographically signed. Gigabyte withdrew the driver several years ago and replaced it with newer software that isn’t vulnerable to the same types of abuse. But the Robbinhood operators found a copy and used it anyway."
Once the Driver Signature Enforcement feature had been disabled, the attackers then loaded another driver, this time an unsigned component, onto the victim's PC.
"The ransomware then used this second driver to load itself at an operational level low enough that, the attackers believed, they were able to make an end-run around endpoint protection tools. Using the cover of this driver, the Robbinhood attackers attempted to either terminate or hobble a large number of files and processes associated with a wide variety of security software."
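Both of these tricks leave traces in boot configuration that a responder can check from a triage collection. The following is an added illustration, not code from Sophos or from the report: it audits a `reg export` of the SafeBoot\Minimal key (the list of services and driver groups Windows will start in Safe Mode, which is where a Snatch-style payload has to register itself) and the output of `bcdedit /enum {current}`. Two assumptions are made here that the report does not state: that the forced Safe Mode reboot is staged with the `safeboot` boot element, which is the standard way a Windows machine is told to boot into Safe Mode, and that a driver-signing bypass may show up as the `testsigning` or `nointegritychecks` elements. The quoted Robbinhood chain turns enforcement off at runtime through the driver, which these boot elements would not reveal; that case needs a signature inventory of the loaded drivers instead. The sample inputs, the baseline list and the service name BkpHelperSvc are constructed for the example.

```python
"""Offline triage of two boot artefacts: a Safe Mode boot staged for a
payload (Snatch-style) and a weakened driver-signing policy.  Inputs are
text captured from the host with `reg export` and `bcdedit /enum {current}`;
the samples here are constructed for this example, not real evidence."""
import re

# Constructed `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal`.
# Windows starts only the services and driver groups listed under this key
# in Safe Mode, so a planted "Service" entry is the hook that lets a payload
# run there.  BkpHelperSvc is a made-up name standing in for such a hook.
SAMPLE_SAFEBOOT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BkpHelperSvc]
@="Service"
"""

# Constructed `bcdedit /enum {current}` output.  `safeboot` is absent on a
# normally configured machine; `testsigning`/`nointegritychecks` default to No.
SAMPLE_BCDEDIT = r"""Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
osdevice                partition=C:
systemroot              \WINDOWS
nx                      OptIn
safeboot                Minimal
testsigning             Yes
"""

# Assumed baseline: the SafeBoot entries of a known-good host of the same
# Windows build.  Build it from a reference machine, not from this list.
BASELINE = {
    "Minimal": {"AppInfo", "{36FC9E60-C465-11CF-8056-444553540000}"},
    "Network": set(),
}

SAFEBOOT_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_safeboot_export(text):
    """Return {(mode, entry): default value} for every SafeBoot sub-key."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = SAFEBOOT_KEY_RE.match(line)
        if key:
            current = (key.group(1), key.group(2))
            entries[current] = ""
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current:
            entries[current] = value.group(1)
    return entries


def parse_bcdedit(text):
    """Return {element: value} from `bcdedit /enum` output.  Element names
    are lowercase words, which also skips the 'Windows Boot Loader' header."""
    elements = {}
    for raw in text.splitlines():
        name, _, value = raw.strip().partition(" ")
        if re.fullmatch(r"[a-z]+", name) and value.strip():
            elements[name] = value.strip()
    return elements


def audit_boot_artifacts(safeboot_text, bcdedit_text, baseline=BASELINE):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    for (mode, entry), kind in parse_safeboot_export(safeboot_text).items():
        if entry not in baseline.get(mode, set()):
            findings.append(f"SafeBoot\\{mode}\\{entry} (@={kind!r}) not in baseline")
    bcd = parse_bcdedit(bcdedit_text)
    if "safeboot" in bcd:
        findings.append(f"bcdedit safeboot={bcd['safeboot']}: next boot forced into Safe Mode")
    for flag in ("testsigning", "nointegritychecks"):
        if bcd.get(flag, "No").lower() == "yes":
            findings.append(f"bcdedit {flag}=Yes: driver signature enforcement weakened")
    return findings


if __name__ == "__main__":
    for finding in audit_boot_artifacts(SAMPLE_SAFEBOOT_EXPORT, SAMPLE_BCDEDIT):
        print(finding)
```

On a live host the `safeboot` element only exists in the short window between the attacker setting it and the reboot, so the useful version of this check is a scheduled one, or one run against a post-incident capture where the attacker did not clean up. Both SafeBoot\Minimal and SafeBoot\Network should be exported, since a payload can register under either.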
Brandt said extortion had become a secondary way for ransomware attackers to make money, with the exfiltration of data taking place at early stages of an attack as detailed earlier.
"As novel ransomware tends to appear at a regular pace, we’ve observed that most ransomware creators who launch a new ransomware family go through a similar set of growth stages over the first six to nine months of operation, slowly escalating the feature set to incorporate a variety of techniques the attackers use to establish their persistence and move undetected within the network. Extortion is just the latest additional behaviour we see from the more mature ransomware families," he noted.
He said an additional feature employed by ransomware known as Lockbit was to not only delete its own executable binaries, but also overwrite the space occupied by those binaries so that they were not recoverable by using data recovery software.
A particularly striking evasion technique was found in the case of ransomware known as Ragnar Locker.
Said Brandt: "The malware could not perform its encryption while Intercept X was loaded, so the attackers built a headless Windows image for a VirtualBox hypervisor, and put the VM on every box they wanted to attack.
"It was a devious ploy, since it appeared that any actions taken by the ransomware running inside the guest operating system had been taken by the process running the hypervisor. Since this is a trusted application, endpoint protection didn’t immediately kick in when the attackers executed all their commands from inside the VM guest."
He said the VM in this case was relatively huge, with an installer bigger than 122MB; ransomware binaries are usually no more than a few MB in size.
"This was a real chunk. The attackers bundled an installer for an old copy of VirtualBox and the guest operating system disk image into an MSI file then tried to download a copy and launch it on every infected endpoint.
"Only when the virtual environment was set up, did the malware begin attempting to prepare its environment and then begin encrypting the hard drive. Initially, it appeared that the trusted VirtualBox process was the origin of the ransomware’s file encrypting behaviour on the host computer, which was confusing for a number of reasons."
Brandt said the discovery of a malware repository used by attackers deploying the Netwalker ransomware gave the researchers insight into the planning and techniques these gangs used to carry out an attack.
He said these attackers had in their possession an exhaustive set of tools used to spy, escalate privileges, steal, sniff, or stage brute-force attacks on Windows systems.
"We [research team] also found a nearly complete set of the Microsoft Sysinternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and anti-virus tools from a computer.
"Once inside the network of their target, the attackers apparently use the SoftPerfect Network Scanner to identify and create target lists of computers with open SMB ports, and subsequently may have used Mimikatz, Mimidogz, or Mimikittenz to obtain credentials.
"The files we recovered also revealed their preferred collection of exploits. Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796), a CVE-2019-1458 local privilege exploit against Windows, the CVE-2017-0213 Windows COM privilege escalation exploit published on the Google Security Github account, and the CVE-2015-1701 'RussianDoll' privilege escalation exploit," Brandt said.
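The scanning step Brandt describes, one host looking for open SMB ports across the network, is visible from the network side regardless of which scanner is used. As an added illustration (not Sophos's code, and not tied to any of the tools named above), the following runs a simple sweep rule over connection records in the shape of a Sysmon Event ID 3 or firewall export: a source that reaches many distinct peers on TCP 445 within a short window is flagged. The log lines, the host names and addresses, and the threshold and window values are constructed for the example and should be tuned to the environment.

```python
"""Sweep detector for SMB reconnaissance: one host contacting many distinct
peers on TCP 445 in a short window.  Records are constructed connection logs
in the shape timestamp,host,src_ip,dst_ip,dst_port."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: FILE-01 talks to two peers over ten minutes (normal);
# WS-042 touches twelve distinct hosts on 445 in just over half a minute.
SAMPLE_LOG = [
    "# ts,host,src_ip,dst_ip,dst_port  (constructed for this example)",
    "2020-07-21T02:10:00Z,FILE-01,10.1.4.5,10.1.4.9,445",
    "2020-07-21T02:13:00Z,FILE-01,10.1.4.5,10.1.4.12,445",
    "2020-07-21T02:19:00Z,FILE-01,10.1.4.5,10.1.4.9,445",
    "2020-07-21T02:14:10Z,WS-042,10.1.4.22,10.1.4.200,443",
] + [
    f"2020-07-21T02:14:{sec:02d}Z,WS-042,10.1.4.22,10.1.4.{50 + sec},445"
    for sec in range(0, 36, 3)
]


def parse_events(lines):
    """Yield (time, host, src, dst, port) tuples, skipping comments and blanks."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, src, dst, port = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, src, dst, int(port)


def detect_smb_sweeps(lines, port=445, window=timedelta(seconds=60), min_targets=10):
    """Return {(host, src_ip): (distinct_targets, window_start)} for every
    source that reached at least min_targets distinct peers on `port` within
    `window`.  Threshold and window are assumptions: a backup or management
    server legitimately touches many hosts and belongs on an allow-list."""
    by_source = defaultdict(list)
    for when, host, src, dst, dport in parse_events(lines):
        if dport == port:
            by_source[(host, src)].append((when, dst))

    alerts = {}
    for source, conns in by_source.items():
        conns.sort()                       # sliding window needs time order
        for i, (start, _) in enumerate(conns):
            targets = set()
            for when, dst in conns[i:]:
                if when - start > window:
                    break
                targets.add(dst)
            if len(targets) >= min_targets:
                alerts[source] = (len(targets), start)
                break                      # first qualifying window is enough
    return alerts


if __name__ == "__main__":
    for (host, src), (n, start) in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"{host} ({src}) reached {n} hosts on 445 starting {start:%H:%M:%S}Z")
```

The rule keys on distinct destinations rather than connection count, so a file server re-contacting the same few peers does not trip it; the same loop run with `port=3389` catches the RDP hunting that usually follows.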
Attacks using the WastedLocker ransomware this year had focused attention on the newcomer, Brandt said.
"The malware has already been implicated in some serious attacks, including against GPS device manufacturer Garmin, who reportedly paid a hefty ransom in order to re-enable business operations. WastedLocker has taken a different approach to the ransomware detection-evasion playbook by performing most of its malicious operations within volatile system memory. The technique is called memory mapped I/O," he said.
"This behaviour has some benefits. With 'traditional' ransomware, the behaviour is observable because a binary executable makes a large number of file reads and writes as it encrypts the victim’s important data. Behavioural detection engines that look for this type of unusual activity would otherwise alert the user and/or halt the operation, limiting the damage. Because WastedLocker reduces the number of detectable reads and writes by a significant percentage, it may fall below the threshold that governs suspicious activity in some behavioural detection rules.
"In addition, WastedLocker takes advantage of an unintended consequence of how Windows manages memory, using a component called the Cache Manager. The Cache Manager is a kernel component that sits between the file system and the Memory Manager. The Memory Manager keeps an eye on memory that has been modified (known as 'dirty pages').
"If a process encrypts the mapped memory, the Memory Manager knows which pages need to be written back to disk. This writing is done by the Cache Manager’s 'Lazy Writer' component; dirty pages are allowed to accumulate for a short time, and are then flushed to disk all at once, reducing the overall number of disk I/O operations."
Brandt said that, as a secondary unintended consequence of this, the writing of the modified files from their 'dirty pages' back to the filesystem was done in the context of the System process (PID 4) rather than the ransomware process, which further complicated behavioural detection.
"After all, nobody wants to cause a victim’s computer to crash because an anti-malware utility decided that the operating system itself was harming the computer," he said. "This technique also can hamstring less well-qualified behavioural detection."
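The detection point here is easy to reproduce on a test box. The following is an added harness, not Sophos's code and not related to WastedLocker itself: it rewrites a file two ways, through an ordinary read/transform/write loop and through a writable memory-mapped view, and reports how many bytes the process itself passed to write() in each case. On Windows the dirty pages from the mapped path are flushed by the Cache Manager's lazy writer in the System process, as quoted above; on Linux the equivalent work is done by the kernel's flusher threads, and the per-process counter used here is the `wchar` field of /proc/self/io, standing in for whatever I/O telemetry an EDR collects. The byte transform is a placeholder, not encryption.

```python
"""Compare what a per-process write-count rule observes for a read/write
rewrite versus an in-place rewrite through a memory-mapped view."""
import mmap
import os
import tempfile


def process_write_bytes():
    """Bytes this process has handed to write(2)-family calls so far, or
    None when /proc/self/io is unavailable (non-Linux or restricted)."""
    try:
        with open("/proc/self/io") as f:
            for line in f:
                if line.startswith("wchar:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def placeholder_transform(buf, key=0x5A):
    """Reversible byte transform standing in for a cipher (XOR, not crypto)."""
    return bytes(b ^ key for b in buf)


def rewrite_via_write(path):
    """'Traditional' path: read the file, transform, write it back.
    Every byte passes through write(2) under this process's PID."""
    with open(path, "r+b") as f:
        data = f.read()
        f.seek(0)
        f.write(placeholder_transform(data))


def rewrite_via_mmap(path):
    """Mapped path: store the transformed bytes into a writable view.
    No write(2) is issued by this process; the kernel writes the dirty
    pages back later (Windows: Cache Manager lazy writer under PID 4)."""
    with open(path, "r+b") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as view:
            view[:] = placeholder_transform(view[:])


def measure(rewriter, size=1 << 20):
    """Run `rewriter` on a fresh temporary file of `size` bytes and return
    how many bytes the process itself wrote through write(2) while doing so
    (None when the counter is unavailable)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"A" * size)      # set-up write happens before the baseline
    os.close(fd)
    try:
        before = process_write_bytes()
        rewriter(path)
        after = process_write_bytes()
        with open(path, "rb") as f:   # confirm the content really changed
            if f.read(4) != placeholder_transform(b"AAAA"):
                raise RuntimeError("file was not rewritten")
        return None if before is None else after - before
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("read/write loop :", measure(rewrite_via_write), "bytes via write()")
    print("mmap rewrite    :", measure(rewrite_via_mmap), "bytes via write()")
```

Run on Linux, the first line reports a full megabyte attributed to the process and the second reports zero, even though both files end up identically rewritten. A rule that counts a process's own write calls therefore needs a companion that watches the files themselves (many user documents changing within a window, whoever flushed them) or the creation of writable file mappings, rather than trusting per-process write volume alone.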
Brandt had the following advice for security professionals. "If you work in IT security, your organisation is relying on you to close the most obvious loopholes and backdoors into the network," he said. "Basic PC hygiene, including installing all the latest patches, shutting down Remote Desktop entirely (or putting it behind a VPN), and applying multi-factor authentication to services hosting the most sensitive data in the organisation are just some of these fundamental steps you can take to protect yourself and your network today.
"If endpoint protection tools are the metaphorical net below the high wire act, applying patches and shutting down unnecessary holes in the firewall are the daily practice routines that will keep you out of the net when it matters most."