Ransomware continues to be a significant threat to organizations of all sizes. Every day in our SOC monitoring activities, we observe different indicators of compromise (IOCs) that point to impending ransomware attacks.
In a recent case, we observed Trojan.Ransom.WannaCryptor.H present in several networks. This trojan was introduced by a malicious program, mssecsvc.exe, often seen in the well-known WannaCry ransomware attacks. The file, running from the path c:\windows\mssecsv, kept attempting to execute with system privileges. Execution of this program initiates a process that encrypts all endpoints in the network. Luckily, endpoint security in these networks had been adequately configured and the file was being quarantined, thanks to the ransomware vaccine module in the EDR.
One of the other common ways ransomware infects a system is through an ill-advised click. An employee receives a legitimate-looking email and is instructed to click on a link in it to receive some additional information, or other benefit.
However, the most common vector that attackers take advantage of is known vulnerabilities that exist in certain platforms.
Ransomware continues to evolve, and more sophisticated variants are being introduced all the time, offering better encryption and new features. Detecting a ransomware attack before encryption begins is difficult. However, if you know what to look for, it is possible to identify an infection before encryption even starts.
Stages of a Ransomware Attack
- Stage 1: Campaign
There are a variety of delivery channels for ransomware, but we have observed that exploitation of known vulnerabilities, mostly those left open by missing patches, is the most common. For example, the well-known MS17-010 patch is still not applied in many networks with Windows-based endpoints and servers, even after making such headlines in 2017.
- Stage 2: Infection
In this stage the malicious code is downloaded and code execution begins. At this point your system has been infected with ransomware, but none of your files are encrypted yet. Encryption is a reversible mathematical operation, and it is CPU intensive. In a typical ransomware attack it doesn't occur immediately, because it takes time for the malware to determine the scope of data to encrypt. It's important to note that at this point all your automated detection controls have failed: your firewall, proxy, antivirus solution, and intrusion detection system have all allowed the traffic.
- Stage 3: Staging
At this stage the malicious code establishes connectivity with its command and control (C2) server. A C2 server is controlled by the attacker and is typically used to send commands to the compromised system; with ransomware, however, the primary purpose of C2 communication is to obtain the encryption key. At this point various system changes are made and persistence is established. The attacker now "owns" the system.
- Stage 4: Scanning
Here is when things start to slow down a little. First the malware scans your local computer to find files to encrypt. This can take seconds to minutes. It also scans for data stored in the cloud, which is synced via folders and appears as local data. Then it looks for file shares. This can take hours, depending on how many shares you have on your network. The goal is to inventory what data is available and determine which permissions the compromised user has on it (e.g., list, write, delete).
- Stage 5: Encryption
Once all data is inventoried, encryption begins. Local file encryption can occur in minutes; however, network file encryption can take many hours. This is because in most ransomware attacks, data on network file shares is copied down and encrypted locally. Then the encrypted files must be uploaded and the original files deleted. This process gives you some time. Say you've got a 25 GB file share. It's going to take the local computer a while to encrypt that data and then push it back up.
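The encryption stage has two observable properties a defender can use: the victim account suddenly performs many writes in a short window, and the bytes it writes are ciphertext, which has near-maximal Shannon entropy. The script below is an added example written for this post, not code from the original article or from any product it mentions. It scores a constructed feed of file-write events (the user names, share paths and content are all made up) by entropy and flags any user whose count of high-entropy writes crosses a threshold inside a sliding window. A user who slowly writes compressed archives (also high entropy) is deliberately included to show why the rate component matters.

```python
import hashlib
import math
from collections import deque


def shannon_entropy(data: bytes) -> float:
    """Plug-in entropy estimate in bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window_s=10.0, min_writes=20, min_entropy=7.0):
    """Flag users who perform min_writes or more high-entropy writes within
    window_s seconds.  Each event is (timestamp_s, user, path, op, content).
    Returns [(user, window_start_ts, write_count)], one entry per user,
    emitted the first time that user crosses the threshold."""
    recent = {}   # user -> deque of timestamps of recent high-entropy writes
    alerts = []
    for ts, user, path, op, content in sorted(events, key=lambda e: e[0]):
        if op not in ("write", "rename"):
            continue
        if shannon_entropy(content) < min_entropy:
            continue                      # plaintext-looking write, ignore
        window = recent.setdefault(user, deque())
        window.append(ts)
        while ts - window[0] > window_s:  # drop writes older than the window
            window.popleft()
        if len(window) >= min_writes and not any(a[0] == user for a in alerts):
            alerts.append((user, window[0], len(window)))
    return alerts


def _pseudo_random(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext
    (constructed test data, not output of any real ransomware)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


# Constructed sample feed: alice edits a few documents, bob's account writes
# 30 ciphertext files in six seconds, carol writes compressed backups slowly.
PLAINTEXT = b"Quarterly revenue figures for the northern region, draft 3.\n" * 20
SAMPLE_EVENTS = (
    [(10.0 + 10 * i, "alice", f"\\\\fs01\\finance\\q{i}.docx", "write", PLAINTEXT)
     for i in range(5)]
    + [(100.0 + 0.2 * i, "bob", f"\\\\fs01\\finance\\file{i}.docx.locked", "write",
        _pseudo_random(f"bob{i}")) for i in range(30)]
    + [(1000.0 + 30 * i, "carol", f"\\\\fs01\\backups\\set{i}.zip", "write",
        _pseudo_random(f"carol{i}")) for i in range(25)]
)

if __name__ == "__main__":
    for user, start, count in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {user} wrote {count} high-entropy files starting at t={start}")
```

Only bob is reported. The thresholds (20 writes in 10 seconds, entropy above 7 bits per byte) are starting points; tune them against a baseline of your own file-share telemetry, and remember that ransomware copying a share down and encrypting it locally, as the text describes, shows up on the client endpoint first.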
- Stage 6: Pay Day
Once you’ve reached this stage, your data is gone, and the attacker is demanding payment. And you are now in recovery mode.
If you are hit, the best-case scenario is that you have clean backups to restore your systems and can avoid paying the ransom. However, downtime is often more detrimental than the ransom itself. Recovery is expensive, and there is a significant cost in system downtime, emergency response, and reputation damage.
Detecting a ransomware attack
The key learning from this is that you can’t sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network.
Threat hunting is a proven methodology for identifying ransomware, so the threat can be contained before encryption begins. A threat hunter analyzes network traffic and endpoint activity looking for indicators of compromise. In the case of most malware, including ransomware, a persistence mechanism is the best clue.
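To make the "persistence mechanism is the best clue" point concrete, here is an added example, written for this post rather than taken from it or from any EDR product, of a small hunt over endpoint events. The log lines are constructed in a simple key=value layout (not real Windows event formatting); the only page-derived indicator is the mssecsvc.exe file name, and the service names, hosts and paths are made up. The hunt flags the persistence patterns the text describes: a service installed from a user-writable directory, an autorun registry entry pointing at one, a SYSTEM-level process launched from one, and any execution of a known-bad image name.

```python
import re

# The one indicator taken from the post above; everything else is constructed.
IOC_IMAGE_NAMES = {"mssecsvc.exe"}

# Directories where a legitimately installed service or autostart entry would
# rarely live.  Matching is substring-based on the lower-cased path.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed sample log: two benign lines followed by four persistence clues.
SAMPLE_LOG = r'''
ts=2024-05-01T08:00:01Z host=ws01 event=process_create user=CORP\alice image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" parent=C:\Windows\explorer.exe
ts=2024-05-01T08:01:10Z host=ws01 event=service_install user="NT AUTHORITY\SYSTEM" service=BackupAgent image=C:\Windows\System32\svchost.exe
ts=2024-05-01T08:05:42Z host=ws02 event=process_create user=CORP\bob image=C:\Users\bob\AppData\Local\Temp\mssecsvc.exe parent=C:\Windows\explorer.exe
ts=2024-05-01T08:05:44Z host=ws02 event=service_install user="NT AUTHORITY\SYSTEM" service=UpdateHelper image=C:\ProgramData\UpdateHelper\upd.exe
ts=2024-05-01T08:05:45Z host=ws02 event=registry_set user=CORP\bob key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run name=Helper value=C:\Users\bob\AppData\Roaming\helper.exe
ts=2024-05-01T08:05:50Z host=ws02 event=process_create user="NT AUTHORITY\SYSTEM" image=C:\Windows\Temp\stage.exe parent=C:\Windows\System32\services.exe
'''

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def hunt(log_text: str):
    """Return findings as (ts, host, rule_name, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind, image = ev.get("event"), ev.get("image", "")
        ts, host = ev.get("ts"), ev.get("host")
        if basename(image) in IOC_IMAGE_NAMES:
            findings.append((ts, host, "known_ioc_image", image))
        if kind == "service_install" and in_suspicious_dir(image):
            findings.append((ts, host, "service_from_user_writable_dir",
                             f"{ev.get('service')} -> {image}"))
        if (kind == "registry_set"
                and any(k in ev.get("key", "").lower() for k in AUTORUN_KEYS)
                and in_suspicious_dir(ev.get("value", ""))):
            findings.append((ts, host, "autorun_to_user_writable_dir", ev.get("value")))
        if (kind == "process_create"
                and ev.get("user", "").upper().endswith("SYSTEM")
                and in_suspicious_dir(image)):
            findings.append((ts, host, "system_process_from_user_writable_dir", image))
    return findings


if __name__ == "__main__":
    for ts, host, rule, detail in hunt(SAMPLE_LOG):
        print(f"{ts} {host} {rule}: {detail}")
```

Running it against the sample yields four findings, all on ws02, and nothing for the benign lines. In a real hunt the same rules are queries against Sysmon, EDR or Windows System-log data (process creation, service installation and registry events), and hits from a single host clustered within seconds, as here, are exactly the staging-stage activity worth containing before encryption starts.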
Apart from that, preventive measures such as regular training of employees on common attacks, timely patching of software, and an adequately configured endpoint antivirus solution are paramount in warding off ransomware attacks.