Advanced Hunting to Find the Ransomware


OVERVIEW

Ransomware is a constant threat, and it is becoming more common. Recent attacks such as the Colonial Pipeline incident show that this is only the beginning of an era of ransomware, as attackers take advantage of cloud delivery models such as Software as a Service (SaaS) and Platform as a Service (PaaS) to run ransomware as a service and target organizations.

Ransomware attacks around the globe have gone up by 102 percent in 2021 compared to 2020. Further, the statistics reveal that India is the most impacted country, with 213 weekly ransomware attacks per organization, which is 17 percent up from the beginning of the year.

Ransomware Hunting

Hunting ransomware needs both a proactive and a reactive approach to detect and defend against it. Many researchers keep analyzing the root cause of ransomware, but attackers easily disable the antivirus without attracting the attention of incident responders or security operations centers (SOCs).

Ransomware attacks often involve activities such as

  • EDR and AV evasion
  • Encrypting the entire disk
  • Deleting backups
  • Clearing forensic evidence
  • Demanding a huge ransom

Indication of Ransomware Activity

Listed below are the common artifacts that have been observed in many ransomware attacks.

STOP PROCESS

Tool: taskkill.exe, net stop

Taskkill.exe: Built-in Windows utility used to end one or more tasks or processes.

Net stop: A command-line utility used to stop a network service.

Attackers stop processes to ensure that files targeted for encryption are not locked or detected by various applications.

Stopping multiple processes using taskkill.exe

// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe"
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10

Stopping multiple processes using net stop

// Find attempts to stop processes using net stop
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10


Turn OFF Service

Tool: sc.exe

SC.exe: A command-line utility used to create, start, stop, query, or delete any Windows service.

Attackers turn off services to evade locks held by various applications and to prevent security software from disrupting encryption and other ransomware activity.

Turning service on/off using sc.exe

// Look for sc.exe disabling services
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10

Delete Logs and Files

Tools: cipher.exe, wevtutil, fsutil.exe

Cipher.exe: A command-line utility used to wipe data permanently.

wevtutil: A command-line utility used to retrieve information about event logs, to clear them, and to install and uninstall event manifests.

Fsutil.exe: A command-line utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems, such as managing sparse files or dismounting a volume.

Attackers delete logs and files to evade forensic analysis and remove forensic evidence.

Deletion of data on multiple drives using Cipher.exe

// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe"
// the cipher.exe /w flag overwrites deallocated data on a drive
| where ProcessCommandLine has "/w"
| summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// cipher.exe accessing multiple drives in a short timeframe
| where CipherCount > 1

Clearing forensics traces from event logs using Wevtutil

// Look for use of wevtutil to clear multiple logs
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10

Delete Shadow Copy

Shadow copy is a technology used to create backup copies or snapshots of computer files or volumes.

Tools: vssadmin.exe, wmic.exe

Vssadmin.exe: A command-line utility used to manage Volume Shadow Copies.

Wmic.exe: A command-line utility used to perform Windows Management Instrumentation (WMI) operations.

Attackers destroy drive shadow copies so that they cannot be used to recover encrypted files.


Delete & Stop Backup

Tool: wbadmin.exe

Wbadmin.exe: A command-line utility used to create or delete operating system backups.

Attackers delete existing backups to prevent recovery after encryption.

Removing/deleting backups (shadow copies) using wmic.exe

// Look for wmic.exe deleting shadow copies
DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName

Modify Boot settings

Tool: bcdedit.exe

Bcdedit.exe: The primary tool for modifying or configuring boot settings.

Attackers modify boot settings to turn off warnings and automatic repairs after boot failures.

Turn off recovery tools

Tools: schtasks.exe, regedit.exe

Schtasks.exe: A command-line utility used to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.

Regedit.exe: A Windows utility used to view and edit keys and entries in the Windows registry database.

Attackers turn off System Restore and other system recovery options.

Turning off system restore

// Look for schtasks.exe launched by rundll32.exe with an empty command line to disable System Restore
DeviceProcessEvents
// Pivoting on rundll32.exe as the initiating process
| where InitiatingProcessFileName =~ 'rundll32.exe'
// Looking for an empty command line
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
// Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
// Disabling System Restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' and ProcessCommandLine has 'disable'


Conclusion

The artifacts listed above are commonly used by attackers to encrypt data, prevent detection, and clear forensic evidence. Preventing ransomware attacks therefore needs both a proactive and a reactive approach; the indications above help you create queries that locate individual artifacts associated with ransomware activity.
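To tie the sections together, here is an added example that is not from the original post or from the Microsoft documentation it draws on. It covers the tools above that have no query of their own (vssadmin.exe, wbadmin.exe and bcdedit.exe) and then counts how many distinct artifact categories appear on one device within a short window, as the conclusion suggests. The 10-minute window, the threshold of three categories and the command-line tokens are my assumptions.

```kql
// Added example: classify ransomware-related process launches into artifact
// categories and flag devices that show several categories in a short window.
// Assumes the DeviceProcessEvents schema used above; the 10m window, the
// threshold of 3 categories and the command-line tokens are illustrative choices.
DeviceProcessEvents
| where Timestamp > ago(1d)
| extend Category = case(
    // Categories already queried individually above
    FileName =~ "taskkill.exe", "StopProcess",
    FileName =~ "net.exe" and ProcessCommandLine has "stop", "StopProcess",
    FileName =~ "sc.exe" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled", "DisableService",
    FileName =~ "wevtutil.exe" and ProcessCommandLine has "cl", "ClearEventLog",
    FileName =~ "cipher.exe" and ProcessCommandLine has "/w", "WipeData",
    // Shadow copy removal (vssadmin.exe / wmic.exe)
    FileName =~ "vssadmin.exe" and ProcessCommandLine has "delete" and ProcessCommandLine has "shadows", "DeleteShadowCopy",
    FileName =~ "vssadmin.exe" and ProcessCommandLine has "resize" and ProcessCommandLine has "shadowstorage", "DeleteShadowCopy",
    FileName =~ "wmic.exe" and ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete", "DeleteShadowCopy",
    // Backup catalog removal (wbadmin.exe)
    FileName =~ "wbadmin.exe" and ProcessCommandLine has "delete", "DeleteBackup",
    // Boot settings: recovery disabled or boot failures ignored (bcdedit.exe)
    FileName =~ "bcdedit.exe" and ProcessCommandLine has "recoveryenabled" and ProcessCommandLine has "no", "ModifyBoot",
    FileName =~ "bcdedit.exe" and ProcessCommandLine has "bootstatuspolicy" and ProcessCommandLine has "ignoreallfailures", "ModifyBoot",
    "")
| where isnotempty(Category)
| summarize
    ArtifactCategories = dcount(Category),
    Categories = make_set(Category),
    SampleCommands = make_set(ProcessCommandLine, 10)
    by DeviceId, DeviceName, bin(Timestamp, 10m)
// One artifact alone is common in routine administration; several distinct
// ones on the same device within minutes are much stronger evidence.
| where ArtifactCategories >= 3
| order by ArtifactCategories desc, Timestamp desc
```

Lower the threshold to 2 when hunting in a small environment, and review the SampleCommands column to rule out legitimate maintenance scripts before raising an incident.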

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
