Ransomware still ranks first among cyber threats in 2022 for every kind of organisation, from SMEs to large groups and even the public sector. Yet this threat, however real and dangerous, is no longer inevitable thanks to open XDR.
Source : Sekoia.io DarkWeb Monitoring
Use Case: Beating ransomware with Sekoia.io XDR
Ransomware groups deploy a diverse arsenal of tools, techniques and malware to carry out their attacks. Their level of sophistication is also quite heterogeneous, depending on the attackers and on the maturity of their targets.
Even if the advantage seems to lie with the attackers, defenders can still rely on several opportunities to detect and block the attack before any data is exfiltrated or the ransomware spreads to the entire information system.
Dynamics of ransomware activity in Q1 2022
The Kill Chain describes the successive stages of a computer intrusion. It lists the numerous tactics, techniques and procedures (TTPs) that attackers use, and it offers defenders as many opportunities to block the intrusion before the impact becomes too large.
MITRE ATT&CK Kill Chain
At Sekoia.io we adapted this kill chain to counter-ransomware operations:
Ransomware operators can rely on several means to breach their victims’ information systems:
- Exploiting a vulnerability on an internet-exposed piece of equipment (VPN, Microsoft Exchange and SharePoint, Citrix, etc.)
The Sekoia.io XDR rules catalogue is regularly updated with new rules that detect the actual exploitation of the most commonly exploited vulnerabilities.
Example of rules detecting the exploit of CVEs, available from the Sekoia.io XDR rules catalogue
Detecting the exploitation of such vulnerabilities as early as possible makes it possible to stop or slow down the attackers, who then have to find another point of entry into the information system.
- Brute-force attacks against exposed RDP services
Sekoia.io XDR can also rely on an anomaly detection engine [FR] that allows the creation of statistical rules based on the “normal” behaviour of the information system. These rules provide a baseline against which abnormal behaviour is detected. For instance, a higher-than-usual count of failed authentication attempts on an internet-facing service (such as RDP) will trigger an alert.
- Sending a phishing e-mail with a booby-trapped attachment carrying malware such as Emotet, QBot or BazarLoader
When a user opens a malicious attachment carrying malware such as Emotet, its execution leaves numerous traces, each of which offers a detection opportunity. This is where Cyber Threat Intelligence (CTI) enters the stage.
Tracking threats such as Emotet and QBot on a daily basis gives access to the freshest Indicators of Compromise (IOCs), which make it possible to detect, for instance, communications between the Emotet instance and the attackers’ Command & Control (C2) servers.
A contextualised alert based on a malicious Emotet communication
To obtain higher permissions throughout their victims’ information systems, ransomware operators use various techniques and tools, such as Mimikatz, to harvest the credentials of accounts with elevated privileges.
With Sekoia.io XDR, these techniques and tools are swiftly detected thanks to rules and IOCs dedicated to such TTPs. A remediation playbook, combined with an EDR such as HarfangLab, offers an easy way to stop the threat.
Attackers generally reuse the same techniques across their intrusions. One of their favourite actions consists in disabling the antivirus (notably Microsoft Defender) or log generation on compromised machines.
The Sekoia.io XDR catalogue contains around 50 rules that detect the deactivation of security tools.
After compromising at least one machine, the attackers pursue lateral movement: they move through the victim’s information system to reach other workstations or servers, extend their privileges or find confidential data.
To that end, they generally use turnkey tools such as Cobalt Strike, or native Microsoft tools such as PsExec that legitimate system administrators use routinely. This is why contextualisation is paramount: without it, activity that is legitimate when performed by an administrator is indistinguishable from malicious activity. IOCs alone cannot make that distinction.
When attackers look for confidential information, they pursue a single objective: exfiltrating this data. This is the gist of what is called double extortion. First, the victim is asked to pay to recover their systems; second, the exfiltrated data are held hostage under the threat of public disclosure. This is why ransomware groups exfiltrate as much sensitive data as possible before encrypting data in place: it is their insurance policy.
An anomaly detection rule will identify an unusual peak in outbound traffic from the information system, notably during weekends or holidays, which are favoured periods for ransomware groups to carry out their attacks.
More classical rules will detect the use of tools such as Rclone, which are widely used by certain ransomware groups.
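The two statistical detections described on this page, failed RDP authentications and an outbound traffic peak, rest on the same mechanism: learn a baseline from a sliding window of history and score the current hour against it. The script below is an added example, not Sekoia.io's anomaly engine; it assumes the raw logs have already been aggregated into hourly counters (failed logons from Windows event 4625, outbound volume from firewall or proxy logs), and both series are constructed to show a normal rhythm followed by a spike.

```python
"""Baseline-driven anomaly detection over hourly counters.

Added example, not Sekoia.io code. It assumes the counters have already been
aggregated per hour from the raw logs (failed RDP logons from Windows event
4625, outbound volume from firewall or proxy logs); both series below are
constructed to show a normal rhythm followed by an attack-like spike.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Anomaly:
    metric: str
    index: int            # hour offset from the start of the series
    value: float
    baseline_mean: float
    z_score: float


def baseline(history):
    """Mean and population standard deviation of the learning window."""
    return mean(history), pstdev(history)


def detect(metric, series, window=24 * 7, z_threshold=4.0, min_ratio=3.0):
    """Score each point against the `window` points preceding it.

    A point is flagged only when it is both z_threshold standard deviations
    above the window mean and at least min_ratio times that mean. The ratio
    guard prevents alerts on a nearly flat baseline, where a tiny sigma would
    turn a harmless +3 into a huge z-score; sigma is floored at 1.0 unit for
    the same reason.
    """
    anomalies = []
    for i in range(window, len(series)):
        mu, sigma = baseline(series[i - window:i])
        value = series[i]
        z = (value - mu) / max(sigma, 1.0)
        if z >= z_threshold and value >= min_ratio * max(mu, 1.0):
            anomalies.append(Anomaly(metric, i, value, mu, z))
    return anomalies


# Constructed data. Hourly failed RDP logons: a daily-shaped baseline repeated
# for two weeks, one benign bump (a user mistyping a password), then a spray.
DAILY_FAILED_RDP = [2, 1, 1, 1, 1, 2, 4, 6, 8, 8, 7, 7, 6, 8, 8, 7, 6, 5, 3, 2, 2, 2, 2, 2]
failed_rdp = DAILY_FAILED_RDP * 14
failed_rdp[10 * 24 + 9] = 12          # benign noise: stays below the threshold
failed_rdp.append(900)                # hour 336: password spraying on the RDP gateway

# Hourly outbound volume in GB: business-hours peaks on weekdays, quiet
# weekends (weeks start on Monday), then a large transfer at 03:00 on a Saturday.
WEEKDAY_GB = [1, 1, 1, 1, 1, 1, 2, 5, 8, 9, 9, 8, 6, 9, 9, 9, 8, 6, 3, 2, 1, 1, 1, 1]
WEEKEND_GB = [1] * 24
outbound_gb = (WEEKDAY_GB * 5 + WEEKEND_GB * 2) * 2 + WEEKDAY_GB * 5
outbound_gb += [1, 1, 1, 180]         # hour 459: Saturday 03:00, staged data leaving


if __name__ == "__main__":
    for metric, series in (("failed_rdp_logons", failed_rdp), ("outbound_gb", outbound_gb)):
        for a in detect(metric, series):
            print(f"{a.metric}: hour {a.index} value={a.value} "
                  f"baseline={a.baseline_mean:.1f} z={a.z_score:.1f}")
```

The weekday peaks of 9 GB score under two standard deviations against a one-week window and are never flagged, while the 12 failed logons of a careless user stay below the threshold; only the spray and the weekend transfer come out. A production rule would use a window aligned on the weekly cycle (same hour, same weekday) rather than a flat week, which tightens the baseline further.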
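The "classical" rules mentioned here for Rclone, the rules against security-tool deactivation, and the need to contextualise PsExec usage all operate on the same telemetry: process creation events with their command line. The following script is an added example, not rules from the Sekoia.io catalogue; the events are constructed in the shape of a Sysmon Event ID 1 / Windows 4688 record, and the admin-account and jump-host allowlists that supply the context are assumptions standing in for a real asset inventory.

```python
"""Command-line detection rules with contextualisation.

Added example, not rules from the Sekoia.io catalogue. The events are
constructed in the shape of a Sysmon Event ID 1 / Windows 4688 record (host,
user, command line). The admin-account and jump-host allowlists that provide
the context are assumptions standing in for a real asset inventory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str
    severity: str
    pattern: re.Pattern


RULES = [
    Rule("Defender real-time protection disabled", "defense-evasion", "high",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    Rule("Windows event log cleared", "defense-evasion", "high",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("Rclone transfer to a remote", "exfiltration", "high",
         re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    Rule("PsExec remote execution", "lateral-movement", "medium",
         re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I)),
]


@dataclass
class Alert:
    rule: str
    tactic: str
    severity: str
    host: str
    user: str
    command_line: str
    context: str


def contextualise(rule, event, admin_accounts, jump_hosts):
    """Return (severity, explanation) for a match, using who ran it and from where.

    PsExec is the ambiguous case: the same command is routine for an admin on
    a jump host and a lateral-movement signal anywhere else. Defence-evasion
    and exfiltration rules keep their severity regardless of the account.
    """
    if rule.tactic != "lateral-movement":
        return rule.severity, "no legitimate use expected"
    if event["user"] in admin_accounts and event["host"] in jump_hosts:
        return "info", "admin account from an approved jump host"
    if event["user"] in admin_accounts:
        return "medium", "admin account but not from a jump host"
    return "high", "non-admin account running PsExec"


def evaluate(events, admin_accounts, jump_hosts):
    """Run every rule over every event and attach context to each match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["command_line"]):
                severity, why = contextualise(rule, ev, admin_accounts, jump_hosts)
                alerts.append(Alert(rule.name, rule.tactic, severity, ev["host"],
                                    ev["user"], ev["command_line"], why))
    return alerts


# Constructed events; hosts, users and paths are fictitious.
ADMIN_ACCOUNTS = {r"CORP\svc-deploy"}
JUMP_HOSTS = {"JUMP01"}
EVENTS = [
    {"host": "WS042", "user": r"CORP\jdoe",
     "command_line": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS042", "user": r"CORP\jdoe", "command_line": "wevtutil.exe cl Security"},
    {"host": "JUMP01", "user": r"CORP\svc-deploy",
     "command_line": r"psexec.exe \\SRV-FILE01 -s cmd /c gpupdate /force"},
    {"host": "WS042", "user": r"CORP\jdoe",
     "command_line": r"PsExec64.exe \\DC01 -accepteula -s cmd.exe"},
    {"host": "SRV-FILE01", "user": r"CORP\jdoe",
     "command_line": r"rclone.exe copy D:\Finance mega:backup --transfers 32"},
    {"host": "WS077", "user": r"CORP\asmith", "command_line": "cmd.exe /c dir D:\\"},
]


if __name__ == "__main__":
    for a in evaluate(EVENTS, ADMIN_ACCOUNTS, JUMP_HOSTS):
        print(f"[{a.severity}] {a.rule} on {a.host} by {a.user} ({a.context})")
```

The PsExec match from the deployment account on the jump host is kept as an informational event rather than dropped, so the activity remains auditable; the same command from a regular user on a workstation is raised to high. The Defender and Rclone rules deliberately ignore the account: there is no routine reason for either on a compromised file server.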
Command & Control
Throughout the intrusion, the tools that attackers use, such as Cobalt Strike, communicate from inside the victim’s network with malicious servers.
Thanks to Sekoia.io’s CTI, which tracks the C2 servers of hundreds of malware families such as Cobalt Strike, these communications can be quickly detected and blocked. Bespoke rules designed from careful lab analysis of malware samples complement or confirm the initial detection.
Sekoia.io XDR leverages a balanced catalogue of interfaces and rules that can catch attacks at any point along the kill chain, thus limiting further impact on the target’s information system. This is made possible by the cross-domain observability and actionability that only open XDR provides, and by the accuracy and relevance that only highly contextualised Threat Intelligence can offer.
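Both the Emotet C2 detection described under initial access and the Cobalt Strike C2 detection described here come down to matching network telemetry against a feed of tracked C2 indicators, while keeping the CTI context (attributed family, validity window) on the resulting alert. The script below is an added example, not Sekoia.io code; the indicators are constructed in a STIX-like shape, the DNS/proxy events are constructed too, the domains use the reserved .invalid TLD and the addresses come from the RFC 5737 documentation ranges.

```python
"""Matching network telemetry against a CTI indicator feed.

Added example, not Sekoia.io code. The indicators are constructed in a
STIX-like shape (value, type, attributed malware family, validity window) and
the DNS/proxy events are constructed as well. Domains use the reserved
.invalid TLD and addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                        # "domain" or "ipv4"
    malware: str                     # family the C2 server is attributed to
    valid_from: datetime
    valid_until: Optional[datetime]  # None: still active as far as the feed knows


@dataclass
class Match:
    host: str
    observed_at: datetime
    indicator: Indicator
    fresh: bool                      # observed inside the indicator's validity window


def normalise(kind, value):
    """Canonical form so that 'C2.Example.' and 'c2.example' hit the same key."""
    if kind == "domain":
        return value.strip().lower().rstrip(".")
    if kind == "ipv4":
        return str(ip_address(value.strip()))
    raise ValueError(f"unsupported indicator type: {kind}")


def build_index(indicators):
    index = defaultdict(list)
    for ioc in indicators:
        index[(ioc.kind, normalise(ioc.kind, ioc.value))].append(ioc)
    return index


def match_events(events, index):
    """Each event carries the observables it offers: a queried domain, a
    destination IP, or both. Matches outside the validity window are kept but
    flagged stale, so an analyst can still see a revived or reused server."""
    matches = []
    for ev in events:
        observables = []
        if ev.get("domain"):
            observables.append(("domain", ev["domain"]))
        if ev.get("dst_ip"):
            observables.append(("ipv4", ev["dst_ip"]))
        for kind, raw in observables:
            for ioc in index.get((kind, normalise(kind, raw)), []):
                fresh = ioc.valid_from <= ev["ts"] and (
                    ioc.valid_until is None or ev["ts"] <= ioc.valid_until)
                matches.append(Match(ev["host"], ev["ts"], ioc, fresh))
    return matches


def families_per_host(matches, fresh_only=True):
    """Contextualised view: which malware families each host talked to."""
    out = defaultdict(set)
    for m in matches:
        if m.fresh or not fresh_only:
            out[m.host].add(m.indicator.malware)
    return {host: sorted(fams) for host, fams in out.items()}


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed feed and telemetry.
INDICATORS = [
    Indicator("update-node-17.invalid", "domain", "Emotet", _utc(2022, 1, 10), None),
    Indicator("203.0.113.57", "ipv4", "Cobalt Strike", _utc(2022, 3, 1), _utc(2022, 3, 20)),
    Indicator("198.51.100.23", "ipv4", "QBot", _utc(2022, 2, 1), None),
]
EVENTS = [
    {"host": "WS042", "ts": _utc(2022, 3, 14, 10, 2), "domain": "UPDATE-NODE-17.invalid."},
    {"host": "WS042", "ts": _utc(2022, 3, 14, 10, 5), "dst_ip": "203.0.113.57"},
    {"host": "SRV-FILE01", "ts": _utc(2022, 4, 2, 3, 11), "dst_ip": "203.0.113.57"},
    {"host": "WS077", "ts": _utc(2022, 3, 14, 11, 0), "domain": "www.example.com"},
]


if __name__ == "__main__":
    found = match_events(EVENTS, build_index(INDICATORS))
    for m in found:
        state = "active" if m.fresh else "stale"
        print(f"{m.host} -> {m.indicator.value} ({m.indicator.malware}, {state} indicator)")
    print(families_per_host(found))
```

The validity window is what makes IOC freshness actionable: WS042 resolving an Emotet domain and then connecting to a tracked Cobalt Strike server within minutes is exactly the loader-then-beacon sequence the page describes, whereas the later contact from the file server hits an indicator past its validity date and is surfaced as stale rather than as a confirmed C2 channel.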