Ransomware Detection and Prevention in the Late Phase of the Lifecycle

Keep up to date with latest blog posts

Ransomware has become a prominent threat to organizations in all sectors as a high-profit, low-risk business for threat actors. However, security professionals have also become more proactive and set better defenses and recovery systems against ransomware attacks. As a result, the ransomware threat actors had to step up their game and improve the impact of their attacks. For example, adversaries silently infect more systems and harm the recovery infrastructure of the victim in the Late Phase of the ransomware attack lifecycle. However, no matter how stealthy they perform their attacks, there are some indicators we can use to detect and prevent ransomware attacks. This blog explains how we can detect and prevent ransomware attacks in the late phase of the attack lifecycle.

Test your security controls against ransomware

Background

How can we detect and prevent ransomware attacks? In order to answer this question, we built a four-phase approach from the defender's point of view. Ransomware threat actors' tactics and techniques evolve. However, from the defender's perspective, the overall ransomware attack lifecycle remains basically unchanged.

The ransomware attack lifecycle consists of four phases:

     Phase 1 - Initial Phase

In this phase, ransomware groups gather information on their target and obtain access to the target network. The Initial Phase includes Reconnaissance, Resource Development, and Initial Access tactics of the MITRE ATT&CK framework. In our previous blog post, we explained how to detect and prevent ransomware attacks in the Initial Phase.

     Phase 2 - Early Warning Phase

Ransomware threat actors  establish persistence, discover the system, gather sensitive data, and improve their capabilities in the target's network in this phase, which covers Persistence, Privilege Escalation, Command and Control, Discovery, and Collection tactics. In our previous blog post, we explained how to detect and prevent the adversary techniques used in the Early Warning phase.

     Phase 3 - Late Phase

Ransomware operators disable the defense and recovery capabilities  of the victim In the Late Phase, which covers Credential Access, Impact, and Lateral Movement tactics. In this blog post, we will explain ransomware prevention and detection in the Late Phase.

     Phase 4 - Final Phase

In the Final Phase, ransomware performs its primary objectives: encrypting files in the target system and exfiltrating data. So, Impact and Exfiltration are frequently used tactics in the Final Phase.

See our blog for further details of the ransomware attack lifecycle.

The Late Phase of Ransomware Attack Lifecycle

The Late Phase is the third phase of the ransomware attack lifecycle. In this phase, ransomware threat actors prepare the victim's system for the final phase of the attack by infecting other systems in the network and disabling the defense and recovery capabilities. Attackers use techniques categorized under Credential Access, Impact, and Lateral Movement tactics of the MITRE ATT&CK framework. In addition, Defense Evasion and Execution tactics are commonly utilized similar to other phases.

Let's look at prevalent Late Phase techniques and see how we can detect and prevent them.

Technique 1: Credential Access - T1003 OS Credential Dumping

T1003 OS Credential Dumping is a common Credential Access technique used by adversaries to steal credentials such as account names and passwords. Then, they use these credentials to access applications and sensitive information and move to other systems in the victim's network.

In Windows, Security Account Manager (SAM) stores information on local accounts, including the usernames and password hashes. The SAM file is located in "\system32\config\SAM" and mounted on the HKLM/SAM registry hive. Attackers acquire the SAM file to crack password hashes and reveal cleartext credentials. However, the SAM file cannot be moved or copied while Windows is running due to the Windows kernel's exclusive file system lock. Attackers circumvent this protection by dumping the SAM file from the registry, memory, or volume shadow copy.

The DarkSide ransomware group dumps the SAM file from the registry using the command given below.

reg.exe save HKLM\SAM sam.save

The detection rule for this malicious activity should look for "save" and "HKLM SAM" strings in the command line field and "reg.exe" in the image field of "Process Creation" log data. This detection rule is less likely to generate false-positive alerts because this technique is rarely used legitimately. However, a detection rule should be comprehensive and cover other uses of the TTP. For example, an attacker can also use the "export" parameter to dump the SAM file. The SIGMA rule given below includes other methods to dump the SAM file.

logsource:
  category: process_creation
  product: windows

detection:

  selection_1:

    Image|endswith: '\reg.exe'

    CommandLine|contains:

      - "save"

      - "export"

  selection_2:

    CommandLine|contains:

      - "hklm"

      - "hkey_local_machine"

  selection_3:

    CommandLine|endswith:

      - '\system'

      - '\sam'

      - '\security'

  condition: selection_1 and selection_2 and selection_3

Example 1: Example SIGMA rule for detecting the SAM file dumping

Technique 2: Impact - T1490 Inhibit System Recovery

T1490 Inhibit System Recovery is the second most popular ransomware technique, and it is used by adversaries to disrupt recovery systems. Even though it is not the ultimate goal of ransomware attacks, this technique dramatically improves the impact of the attack. T1490 Inhibit System Recovery technique  includes deleting or damaging data required for system recovery and turning off recovery features. Let's list these various methods.

1. Deleting Volume Shadow Copies


Deleting volume shadow copies to prevent the recovery of the encrypted files is a typical ransomware behavior. There are several methods to delete shadow copies.

a. Volume Shadow Copy Service Admin (VSSAdmin)
Volume Shadow Copy Service Admin (VSSAdmin) is a built-in Windows tool that can display and delete volume shadow copy backups. The command given below can be used to delete all shadow copies quietly.

vssadmin.exe delete shadows /all /quiet

b. DiskShadow
DiskShadow is a utility that exposes the volume shadow copy service's functionality. Diskshadow comes with an interactive command interpreter by default, as well as a scriptable mode. The command given below can be used to delete all shadow copies.

diskshadow.exe delete shadows /all

c. Windows Management Instrumentation Command-Line (WMIC)
Windows Management Instrumentation (WMI) is the infrastructure to manage data and operations on Windows-based operating systems. WMI scripts or applications can be used to automate administrative tasks on remote computers. Nefilim ransomware group uses the command below to delete volume shadow copies using WMIC.

wmic shadowcopy delete /nointeractive

Since PowerShell can also access WMI, it is also capable of deleting volume shadow copies. NetWalker ransomware uses the PowerShell command given below to inhibit system recovery. 

Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

Note that PowerShell commands can also be in encoded or obfuscated format. In addition to Process Creation, we can use Windows Security Event ID 4104 as a log source. The Event ID 4104 is the Powershell Script Block Logging, which records accurate code blocks as the PowerShell engine executes them.

powershell -w hidden -en "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwBEAGUAbABlAHQAZQAoACkAOwAgAH0A"

2. Resizing Volume Shadow Copy Storage

An interesting method attackers use to delete volume shadow copies is resizing the maximum amount of storage space that can be used for shadow copy storage. Adversaries decrease the allocated storage for snapshots of volume shadow copies. Then, if the existing snapshots exceed the size of the newly resized diff area, they are deleted by the system to free up space.

Hakbit ransomware uses the command below to set the volume shadow copy storage to 401 MB. Since a regular volume shadow copy exceeds 401 MB, the operating system deletes existing snapshots of volume shadow copies.

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

3. Disabling Windows Recovery

Windows Backup Admin or WBAdmin is a built-in Windows tool that allows you to backup and restore your operating system, volumes, files, folders, and programs. Adversaries use the WBAdmin to remove backup catalog and backup data. The RanzyLocker uses the command below to delete system state backups.

wbadmin DELETE SYSTEMSTATEBACKUP

Nefilim ransomware also uses WBAdmin to delete the backup catalog.

wbadmin delete catalog -quiet

4. Deleting System State Backups

BCDEdit is a command-line tool for managing Boot Configuration Datastores that are used to describe boot applications and boot application settings. It can be used for various purposes, including creating new stores, modifying existing stores, adding boot menu parameters, and so on. Ransomware, such as Ranzy Locker, REvil, and Nefilim uses bcdedit twice to disable automatic Windows recovery features by modifying boot configuration data with the commands given below.

bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

We can write a comprehensive SIGMA rule to detect all of these Inhibit System Recovery techniques.

logsource:
  category: process_creation
  product: windows
detection:
  selection1:
      Image|endswith:
          - '\vssadmin.exe'
          - '\diskshadow.exe'
          - '\wmic.exe'
          - '\powershell.exe'
      CommandLine|contains|all:
          - delete
          - shadow
  selection2:
      Image|endswith:
          - '\vssadmin.exe'
      CommandLine|contains|all:
          - resize
          - shadowstorage
  selection3:
      Image|endswith:
          - '\wbadmin.exe'
      CommandLine|contains|all:
          - delete
  selection4:
      Image|endswith: 

           - '\bcdedit.exe'
      CommandLine|contains: 

           - set
      CommandLine|contains|all:
          - bootstatuspolicy
          - ignoreallfailures
      CommandLine|contains|all:
          - recoveryenabled
          - no
condition: 1 of selection*

Example 2: Example SIGMA rule for detecting T1490 Inhibit System Recovery

Technique 3: Lateral Movement - T1570 Lateral Tool Transfer

Ransomware threat actors use the T1570 Lateral Tool Transfer technique to pivot through multiple systems and infect other hosts in the victim's network. Many ransomware attacks have been recorded in recent months in which malware infects a host and then laterally moves to other hosts and internal servers, compromising the entire organization. Adversaries may choose to utilize their own remote access tools for Lateral Movement or use valid credentials with native network and operating system tools, which may be more stealthy.

Ryuk ransomware operators copy ransomware encryptors to other hosts or servers using PsExec, a legitimate Microsoft utility and a part of Windows Sysinternals. PsExec can execute commands and binaries on remote systems and download or upload files over a network share. Besides Ryuk, ransomware gangs like DarkSide, Nefilim, and LockerGoga, and more than 20 threat groups such as HAFNIUM, OilRig, and Turla utilize PsExec for lateral movement.

Ryuk ransomware group uses the command given below to deploy ransomware payloads. The malicious command accepts the EULA automatically in the command line to avoid being detected by the users.

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [username] -p [password] cmd /c COPY "\\[IP]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

The SIGMA rule for the malicious command is given below. This rule detects installation or execution of psexec using Windows Security Event ID 7036 "A new service was installed in the system" and Windows Security Event ID 7045 "The service state has changed" log sources.

logsource:
    product: windows
    service: system
detection:
    service_installation:
        EventID: 7045
        ServiceName: 'PSEXESVC'
        ServiceFileName|endswith: '\PSEXESVC.exe'
    service_execution:
        EventID: 7036
        ServiceName: 'PSEXESVC'
    condition: service_installation or service_execution

Example 3: Example SIGMA rule for detecting use of PsExec

Technique 4: Defense Evasion - T1562 Impair Defenses

Adversaries utilize Defense Evasion techniques in most cyber attacks. According to The Red Report 2021, Defense Evasion is the most common MITRE ATT&CK tactic covering five of the top ten most prevalent ATT&CK techniques. Ransomware threat actors also use the Defense Evasion techniques to stay hidden in the victim's network in every phase of their attacks.

One of the common Defense Evasion techniques used in the Late Phase is T1562 Impair Defenses. Adversaries use this technique to impair the following defensive measures:

  • preventative defenses
    • Firewalls
    • Antivirus
    • Anti-malware
  • built-in defensive mechanisms
    • Windows Security Center
    • Windows Defender
    • Antimalware Scan Interface
    • Microsoft Office Security features
  • logging and monitoring mechanisms
    • Windows event logging
    • Command history logging
    • Cloud logging
    • Security monitoring tools

The WastedLocker ransomware uses taskkill and mpcmdrun commands to disable security software processes.

taskkill.exe /F /IM sfc.exe
MpCmdRun.exe -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true

Instead of disabling the security tools, KryptoCibule malware creates exclusions for malware artifacts and excludes them from Windows Defender's automatic scanner.

powershell -c "Add-MpPreference -ExclusionPath '<install path>'"

XingLocker ransomware disables the Windows Defender's real-time protection by modifying the registry.

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f 

Using the log data from the "Registry Event" log source, we can detect the malicious activity of the XingLocker ransomware. If any of the registry keys that can disable the Windows Defender is set to 1, the SIGMA rule below creates a detection alert. Windows Security Log Event ID 4657 "a registry value was modified" or Sysmon Event ID 13 "RegistryEvent (Value Set)" can be used to detect these attacks.

logsource:
  product: windows
  category: registry_event
detection:
  selection:
      EventType: SetValue
      TargetObject:
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring'
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection'
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection'
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring'
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable'
        - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
      Details: 'DWORD (0x00000001)'
  condition: selection

Example 4: Example SIGMA rule for detecting registry change for disabling Windows Defender

Free Course: Ransomware Detection in Late Phases of the Attack Lifecycle

Subscribe

Keep up to date with latest blog posts