Ransomware is here to stay. Recent alerts from the Cybersecurity and Infrastructure Security Agency (CISA) report that there is no end in sight. There are many versions of ransomware in use and group and nations behind the extortion attempts. These cyber actors are motivated by money. Ransomware can be described simply as a type of malware from crypto virology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
In a properly implemented crypto viral extortion attack, recovering the files without the decryption key is an intractable problem and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Will my organization become another ransomware victim? Security experts say the warning signs were there and security teams missed some of the clues. I want to thank Steve Zurier for compiling this list.
This is every CEO and CISO’s nightmare: Your organization has been hit with ransomware, and every machine and server has been encrypted. You are worried that confidential and private data will begin to be posted on the Internet. Security experts say the warning signs were there all along: misdirected DNS requests, bad VPN reboots, and Active Directory login failures should have been setting off alarms that a ransomware attack was in progress
Once the attackers are in your network, you have anywhere from 48 hours to 12 days before they pull the trigger, says Mike Hamilton, CISO of CI Security. What signs have your security team missed?
Active Directory Will Show Multiple Login Failures
CI Security's Hamilton advises security teams to monitor Active Directory for login failures. For example, if you see three login failures in a row on RDP servers, that is a surefire sign the network has been attacked. The same holds for administrative login failures. Because companies did not have time to prepare for COVID-19, and it looks like working from home will go on for the foreseeable future, it is time to develop a safe list of good IP addresses, Hamilton adds.
Brute-Force Attacks Will Hit the Network
According to Awake Labs vice president Jason Bevis, who recently published a blog about ransomware warning signs, you should also look for brute-force attacks on RDP systems. Once in the network, attackers typically look for additional passwords. You also need to watch for unusual file-copying activity, especially of .bat, .zip, .txt, and other common files. It is not common for one account to copy files to and from multiple user accounts or devices. There are also situations where the attackers could have compromised administrative accounts and start copying files. The attackers also use these accounts to persist and quickly encrypt the file systems.
All WinSysLog files should be sent to a security information and event management (SIEM) system for analysis because it can detect whether files are being encrypted, Domain Tools' Saleh adds. And in a blog posted earlier this week, Red Canary says to watch for the use of the Windows Backup Administration Tool wbadmin.exe to delete system backups. Other signs of ransomware include manipulation of vssadmin.exe to hinder recovery from backups and processes making hundreds of file modification operations on files with the string readme in them.
Phishing Emails Land with Strange Domains
Watch for emails that come in with strange domain names that have never been in the company's environment, Awake's Bevis advises. Analysis tools let you look for every new domain that has come through the network in the past seven days. It's possible to filter out known good and bad domains, such as those with a good reputation. These tools can also look at what was downloaded and determine what might seem unusual.
The Network Starts Making a String of Questions about a Single Machine
Peter Mackenzie, an incident response manager at Sophos, says attackers typically start by gaining access to one machine, where they search for information and ask questions that everyday users wouldn't normally pose -- for example, "Is this a Mac or Windows machine?" "What is the domain and company name?" "What kind of admin rights does the computer have?"
Next, attackers will want to try to find out what else is on the network and what they can access. In most circumstances, they will try to use a network scanner, such as Angry IP or Advanced Port Scanner. If you detect unusual activity and no one on the admin staff was using the scanner for normal corporate use, Mackenzie says it's time to investigate.
Security Tools Are Being Used in Environments They Were not Assigned To
Once attackers have admin rights, they will try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IObit Uninstaller, GMER, and PC Hunter. These types of tools are legitimate, but if a specific tool is showing up on a system for which it's not assigned, then something is wrong.
Any detection of Mimikatz (used in NotPetya) should get investigated, Sophos' Mackenzie adds. If no one on your security team confirms using it, that is a red flag because Mimikatz has become one of the most commonly used hacking tools for credential theft.
Unusual Time Stamps Appear on VPN Connections
Be on the lookout for anomalous time stamps on VPN connections, says Saleh of DomainTools. If the organization has normal levels of traffic between 9 a.m. and 5 p.m. PT, and then suddenly there's traffic with IP addresses from Russia or Mozambique at 2 a.m. should set off warning signs. You also need to figure out what attackers are trying to access. In addition, watch out for bad reboots on VPN concentrators, CI Security's Hamilton says.
Traffic Is Suddenly Redirected to Questionable Places on the Dark Web
Normal network traffic should never get redirected to a TOR site, DomainTools' Saleh says. The average user probably doesn't know what that is in the first place, he says, let alone would have any business on a TOR network. Also, watch out for unusual DNS requests. If the requests are heading back to known malware sites, that's potentially a problem and the network could get infected.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating, and monitoring of firewalls, cybersecurity and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company-wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cybersecurity software, services, and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.
Red Sky Alliance can help protect with attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941