The forensic analysis of a ransomware attack [Q&A]
A ransomware attack can be devastating for businesses. But while in the aftermath of an attack the focus will be on recovery, it's also important to look at how the attack happened and what information can be gleaned to help prevent future incidents.
We spoke to Joseph Carson, chief security scientist at privileged access management specialist Delinea, to talk through the analysis of a typical attack and what lessons can be learned.
BN: Let's start by looking at how attackers gain access to a system?
JC: While ransomware attacks can be crafted through a wide array of methods, credential compromise is often the most popular one. In a recent ransomware case I analyzed, the attackers gained access to the organizational system through a compromised credential. As we see in most ransomware attacks, the threat actors had access to the system for a substantial period of time without security teams picking up their trail. In this incident, attackers gained access to the credential’s months prior to the ransomware attack.
Once the initial breach occurred, they had more than 15 days of hands-on keyboard access before encrypting the files and data. Ransomware attackers can go undetected within a network for weeks, or even months, before encrypting files. They spend this time exploiting vulnerabilities across the network and creating backdoors to the system.
After the ransomware was delivered and files were encrypted, the attackers notified the IT team about the breach via email. This is the most common approach for criminals looking to make a good profit, although in many cases the attacker will notify an employee or member of the public before the security team becomes aware of the issue. Some threat groups might also pile on the pressure by publicly announcing the attack.
How the breach is disclosed or notified has a critical impact on the organization's ransomware response. This is why it's always important to consider different scenarios when organizations create their incident response strategy.
BN: What tools do you use for analyzing the ransomware?
JC: In this particular case, we were dealing with the ransomware variant -- CryLock. This is an upgrade from its previous version 'Cryakl'. One of the most concerning features of this malware is its efficiency. It took the malicious program a mere couple of minutes, after execution, to encrypt the files. Also, CryLock only encrypts the header of the files meaning that even the bigger files are encrypted in minutes.
The first step when a breach has been detected is for the security teams to uncover the attacker's digital footprint. Security teams must identify all the malicious files living in the system along with possible backdoors and remove them before thinking about the encrypted files.
In this case, I started by trying to find a sample of the cryptor from the infected system. My personal preference is to use 'Joe Sandbox', a web-based automated and deep malware analysis engine. The platform executes files and URLs, in a fully automated and controlled environment, to detect suspicious activities. It's a great tool to identify which files in your system might be corrupted. Once the cryptor has been identified, the tool can produce a detailed analysis report of its features. This allows you to understand the cryptor's capabilities and ways to contain it.
I also uploaded the hash of the malicious files to 'VIRUSTOTAL', a platform that analyses the malicious files to identify whether security tools or anti-virus software can detect them. In this case, the CryLock ransomware variant was so new that only a few out of the 71 available AV software solutions could detect them. The victim had several versions of an AV installed in its system, but it couldn't detect the ransomware.
In addition, I used FLARE VM from FireEye to analyse the cryptor sample. It’s a digital forensic tool that helps to analyse and identify any weaknesses in the ransomware payload. Sometimes, the encryptions are weak, and the encryption key can often be obtained using a debugger. These aspects can be identified through FLARE VM. Unfortunately, in this case, the CryLock ransomware was so efficient that even the VM couldn’t detect any weakness.
Tools such as Immunity Debugger and CAPA are also useful in further analyzing the malware. These tools help to understand the malware more comprehensively in terms of whether it’s a new variant, or if there’s any scope for reverse engineering.
BN: What commands does the ransomware execute?
JC: In most ransomware attacks, the malicious program tries to override the system by replacing its parent processes with temporary processes and attaining admin privileges. In this particular case, when CryLock was executed, it replicated itself as a temporary user folder and deleted the Windows parent processes. Then the ransomware communicated with Windows Command Line (CMD) to execute several administrative commands such as using PING and connect to a Command and control system.
Primarily, when attackers gain access through credential compromise, they tend to check the access privileges of the account through remote access and execute commands using the command line interface. In this case, the attacker executed the 'Net Local Group' command to find the machines within the network that are used by the local admin. Once those machines were accessed, the attacker was able to make the necessary configuration changes such as adding new users, searching for passwords, making registry changes and modifying reg keys for persistence. These tactics are used to create backdoors to the system so that attackers can move in and out without being detected.
In some cases, the attackers would execute the PsExec command to remotely make changes to other systems within the network.
BN: How do attackers achieve Active Directory elevation?
JC: In this case the attackers used Mimikatz to achieve AD elevation -- a powerful post-exploitation tool that dumps passwords and hashes from system memory. Mimikatz makes it easy for attackers to laterally move within the network once an initial access point has been breached. The attackers used this tool along with the DCSync tactic to simulate the behavior of a Windows Domain Controller, and remotely obtain passwords from the Active Directory account.
BN: What would be your advice to organizations for creating an effective ransomware response?
JC: Once a ransomware attack happens, there are basically three decisions an organization can make -- restore the backup, pay the ransom, or do nothing and hope to rebuild. That's why it’s critical to be incident-response ready. You don't want to make these decisions after an attack takes place, rather you should be preparing for such incidents on a continual basis.
In addition to having an effective incident response strategy, it’s important to conduct regular incident response drills, so that your workforce can anticipate the different scenarios of a ransomware attack. Clearly define your in-house technical capabilities, third-party responsibilities, user access privileges, security policies, and regularly assess your security infrastructure. These actions can go a long way in mitigating the risks of ransomware or containing the damage.
Moreover, re-think your data backup strategy as attackers will also try to encrypt the backup system if it is an online backup. So, consider your options -- think about both online and on-site backup servers, or even hybrid options to minimize the potential damage.