Windows ransomware attackers have upped their game in recent months: Sophos

Monday, 10 August 2020 10:20

By Sam Varghese

The tactics employed by cyber criminals who deploy Windows ransomware on systems for monetary gain have changed over the last 10 months in order to evade detection by endpoint security that has improved markedly, a researcher from the global security firm Sophos claims.

Principal researcher Andrew Brandt said, in a detailed study titled Ransomware's evasion-centric arms race, that nearly every ransomware attack involved live engagement by the attackers, who first surveilled and took inventory of the intended victim's network before focusing their attention on shutting down or disabling the existing layers of protection.

This is the second in a series of five studies on ransomware published by Sophos; iTWire reported on the first, a detailed study of WastedLocker, last week.

Brandt said that, at the same time as these evasive tactics had grown, the average ransom demanded had also increased, and the gangs had widened their attacks to include data exfiltrated from a target's network at an early stage of the attack.

Gangs that stage ransomware attacks on companies exfiltrate data from the victims' website using scripts written in PowerShell, a scripting language created by Microsoft.


They then use this data to put pressure on the victim, as it gives them a double-edged sword: the victim's data is encrypted and inaccessible, and the threat of that data being leaked to world+dog also exists.

After the process of encrypting the victim's files on-site is completed, the ransomware generates a ransom note which shows up on the victim's system, stating the amount of ransom demanded, the deadline for payment and the method of payment, usually through cryptocurrency to a designated wallet.

The gangs release the data in dribs and drabs and, if the victim resists, the entire data dump is leaked on dark Web forums frequented by people who use data from these sites to stage phishing attacks or steal people's identities. Data that can embarrass people is used in extortion attempts.

Brandt said the theft of data increased the chances that a victim would pay a ransom, even if they had back-ups and could restore their data from those back-ups right away.

"These two factors — the need to evade detection and the need to strengthen the criminal’s hand in ransom negotiations — have been the dominant factors driving the most dramatic behaviour changes, some of which we’ll discuss," he said.

"They also indicate the increasingly strenuous degree of effort it now requires to pull off a successful attack, a positive sign that the work defenders do has measurable effect on the attackers’ workloads."

He said the study had concentrated on some escalations by attackers that had been found to be interesting. "We think these indicate a level of frustration on the part of the ransomware criminals at their inability to terminate or disable these security controls," he said.

Brandt cited the case of the ransomware named Snatch, which in the Western autumn of 2019 had begun rebooting infected computers into Windows Safe Mode and then beginning the process of encrypting hard drives.

He pointed out that rebooting into Safe Mode - which is used for troubleshooting as it brings up a Windows system with a minimal set of drivers and programs - could inhibit the operation of endpoint protection, as that form of protection does not normally operate in Safe Mode.

"There are certain situations where a PC needs a specific driver or file to run, even during Safe Mode, in order to do something critical (for example, have a working display)," the Sophos researcher said.

"Snatch unexpectedly took advantage of this intentional feature of Safe Mode. During its infection process, the malware sets the registry keys that need to be there in order to run a particular file in Safe Mode. It plants its payload (the encrypting component), points the registry keys at it, and reboots the machine."
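As a defender-side check related to the Safe Mode technique described above, the following PowerShell audit is an added example, not code from Sophos or from the article. It lists the service entries registered to start under Safe Mode (the standard SafeBoot\Minimal and SafeBoot\Network keys), resolves each one's binary, and flags entries whose binary lives outside the Windows directory; that "outside the Windows directory" rule is a heuristic chosen for this example, not a Sophos detection rule.

```powershell
# Added example, not from the Sophos report: audit the Safe Mode autostart lists.
# Windows starts only the services and drivers listed under these keys in Safe Mode,
# so a service-based payload that wants to run there must add itself here.
# Run in an elevated PowerShell session on the host being examined.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windowsDir   = $env:SystemRoot          # usually C:\Windows

function Resolve-ImagePath {
    # Normalise the ImagePath forms found in the Services hive to a plain file path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    # Keep only the executable itself, dropping any service arguments that follow it.
    if ($p -match '^(.*?\.(exe|sys|dll))') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''                  # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot', $windowsDir     # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $windowsDir $p }  # system32\drivers\x.sys
    return $p
}

$findings = foreach ($bootProfile in 'Minimal', 'Network') {
    $entries = Get-ChildItem -Path (Join-Path $safeBootRoot $bootProfile) -ErrorAction SilentlyContinue
    foreach ($entry in $entries) {
        $name = $entry.PSChildName
        # Device-class GUIDs and bare driver file names have no Services key; this audit
        # covers the entries that map to a registered service.
        $svc = Get-ItemProperty -Path (Join-Path $servicesRoot $name) -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        $path = Resolve-ImagePath $svc.ImagePath
        [pscustomobject]@{
            Profile    = $bootProfile
            Name       = $name
            ImagePath  = $path
            # Heuristic used by this example: a Safe Mode entry whose binary is not
            # under the Windows directory deserves a second look.
            Suspicious = [bool]($path -and -not $path.StartsWith($windowsDir, 'OrdinalIgnoreCase'))
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate third-party security products also register themselves in these keys so that they run in Safe Mode, so a flagged entry is a lead to verify against the vendor and the file's signature, not a verdict.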

In another case, that of ransomware known as Robbinhood, attackers were found to have installed an otherwise harmless third-party driver to leverage a flaw in that driver. This driver then provided an entry point for the remainder of the attack.

"The attackers behind Robbinhood loaded a long-disused motherboard driver digitally signed by Gigabyte, the hardware manufacturer. Recent updates to Windows 10 mean that only these kinds of digitally signed drivers can run under normal circumstances," Brandt explained.


"The attackers use the Gigabyte driver, ironically, to turn off this feature in Windows that prevents the installation of hardware drivers that haven’t been cryptographically signed. Gigabyte withdrew the driver several years ago and replaced it with newer software that isn’t vulnerable to the same types of abuse. But the Robbinhood operators found a copy and used it anyway."

Once the Driver Signature Enforcement feature had been disabled, the attackers then uploaded another driver, this time an unsigned component, to the victim's PC.

"The ransomware then used this second driver to load itself at an operational level low enough that, the attackers believed, they were able to make an end-run around endpoint protection tools. Using the cover of this driver, the Robbinhood attackers attempted to either terminate or hobble a large number of files and processes associated with a wide variety of security software."

Brandt said extortion had become a secondary way for ransomware attackers to make money, with the exfiltration of data taking place at early stages of an attack as detailed earlier.

"As novel ransomware tends to appear at a regular pace, we’ve observed that most ransomware creators who launch a new ransomware family go through a similar set of growth stages over the first six to nine months of operation, slowly escalating the feature set to incorporate a variety of techniques the attackers use to establish their persistence and move undetected within the network. Extortion is just the latest additional behaviour we see from the more mature ransomware families," he noted.

He said an additional feature employed by ransomware known as Lockbit was to not only delete its own executable binaries, but also overwrite the space occupied by those binaries so that they were not recoverable by using data recovery software.

An outstanding evasion technique was found in the case of ransomware known as Ragnar Locker.

Said Brandt: "The malware could not perform its encryption while Intercept X was loaded, so the attackers built a headless Windows image for a VirtualBox hypervisor, and put the VM on every box they wanted to attack.

"It was a devious ploy, since it appeared that any actions taken by the ransomware running inside the guest operating system had been taken by the process running the hypervisor. Since this is a trusted application, endpoint protection didn’t immediately kick in when the attackers executed all their commands from inside the VM guest."

He said the VM in this case was relatively huge, with an installer that was bigger than 122MB; ransomware binaries are usually less than a few MB in size.

"This was a real chunk. The attackers bundled an installer for an old copy of VirtualBox and the guest operating system disk image into an MSI file then tried to download a copy and launch it on every infected endpoint.

"Only when the virtual environment was set up, did the malware begin attempting to prepare its environment and then begin encrypting the hard drive. Initially, it appeared that the trusted VirtualBox process was the origin of the ransomware’s file encrypting behaviour on the host computer, which was confusing for a number of reasons."

Brandt said the discovery of the malware repository used by attackers who deployed the Netwalker ransomware gave Sophos insight into the planning and techniques these gangs used to carry out an attack.

He said these attackers had in their possession an exhaustive set of tools used to spy, escalate privileges, steal, sniff, or stage brute-force attacks on Windows systems.

"We [research team] also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and anti-virus tools from a computer.

"Once inside the network of their target, the attackers apparently use the SoftPerfect Network Scanner to identify and create target lists of computers with open SMB ports, and subsequently may have used Mimikatz, Mimidogz, or Mimikittenz to obtain credentials.

"The files we recovered also revealed their preferred collection of exploits. Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796), a CVE-2019-1458 local privilege exploit against Windows, the CVE-2017-0213 Windows COM privilege escalation exploit published on the Google Security Github account, and the CVE-2015-1701 'RussianDoll' privilege escalation exploit," Brandt said.

Attacks using the WastedLocker ransomware this year had focused attention on the newcomer, Brandt said.

"The malware has already been implicated in some serious attacks, including against GPS device manufacturer Garmin, who reportedly paid a hefty ransom in order to re-enable business operations. WastedLocker has taken a different approach to the ransomware detection-evasion playbook by performing most of its malicious operations within volatile system memory. The technique is called memory mapped I/O," he said.

"This behaviour has some benefits. With 'traditional' ransomware, the behaviour is observable because a binary executable makes a large number of file reads and writes as it encrypts the victim’s important data. Behavioural detection engines that look for this type of unusual activity would otherwise alert the user and/or halt the operation, limiting the damage. Because WastedLocker reduces the number of detectable reads and writes by a significant percentage, it may fall below the threshold that governs suspicious activity in some behavioural detection rules.

"In addition, WastedLocker takes advantage of an unintended consequence of how Windows manages memory, using a component called the Cache Manager. The Cache Manager is a kernel component that sits between the file system and the Memory Manager. The Memory Manager keeps an eye on memory that has been modified (known as 'dirty pages').

"If a process encrypts the mapped memory, the Memory Manager knows which pages need to be written back to disk. This writing is done by the Cache Manager’s 'Lazy Writer' component; dirty pages are allowed to accumulate for a short time, and are then flushed to disk all at once, reducing the overall number of disk I/O operations."

Brandt said as a secondary unintended consequence of this, the writing of the modified files from their 'dirty pages' back to the filesystem was done in the context of the system (PID 4), rather than the ransomware process, which then further complicated behavioural detection.

"After all, nobody wants to cause a victim’s computer to crash because an anti-malware utility decided that the operating system itself was harming the computer," he said. "This technique also can hamstring less well-qualified behavioural detection."

Brandt had the following advice for security professionals. "If you work in IT security, your organisation is relying on you to close the most obvious loopholes and backdoors into the network," he said. "Basic PC hygiene, including installing all the latest patches, shutting down Remote Desktop entirely (or putting it behind a VPN), and applying multi-factor authentication to services hosting the most sensitive data in the organisation are just some of these fundamental steps you can take to protect yourself and your network today.

"If endpoint protection tools are the metaphorical net below the high wire act, applying patches and shutting down unnecessary holes in the firewall are the daily practice routines that will keep you out of the net when it matters most."

Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.