Is It Wrong to Try to Find APT

Techniques in Ransomware Attack?

Secureworks
Kiyotaka Tamada
Keita Yamazaki
You Nakatsuru

2020/01/17
Japan Security Analyst Conference 2020
0
Classification: //Secureworks/Public Use
 Agenda
• Overview
• Case Study
• Result of Targeted Ransomware Incident Investigations
• Tactics, Techniques, and Procedures
• Initial Access
• Dominance (Privilege Escalation, Discovery,
Lateral Movement)
• Ransom
• Anti-Forensics
• Comparison with Targeted Attack
• Fight Against Targeted Ransomware Incidents
• Summary, and Prediction of Targeted Ransomware

1
Classification: //Secureworks/Public Use
 Overview

2
Classification: //Secureworks/Public Use
 Trend Changes of Ransomware Incidents

Wannacry (May 2017) 2018 ~

More and more

2017 cases of attackers
manually attacking
Large scale incident
corporate networks
- Wannacry
Change decryption
CryptoLocker (Sep 2013) Organization’s
~ 2017 price according to
infected via public-
Infected by mail size of organization
facing servers
attachment or and whether they
vulnerable to MS17-
drive-by download have paid in the
010
past
3
Classification: //Secureworks/Public Use
 Typical Flow of Targeted Ransomware Incident

Initial Access
• Mass-scan or mass-phish to find easily infected organization

Dominance
• Dominate organization's network through privilege escalation, discovery and
lateral movement

Ransom
• Encrypt large number of systems (and backups) using ransomware

Anti-Forensics
• Remove evidence using ransomware function and command/tools

4
Classification: //Secureworks/Public Use
 Case Study

5
Classification: //Secureworks/Public Use
 Conference
Presentation Only

6
Classification: //Secureworks/Public Use
 Results of Targeted Ransomware Incident
Investigations

7
Classification: //Secureworks/Public Use
 Tactics, Techniques, and Procedures
Results of Targeted Ransomware Incident Investigations

8
Classification: //Secureworks/Public Use
 Initial Access Techniques
• Domestic and overseas cases
Initial Access • Via public RDP or VPN
• Use brute-force tools like NLBrute to identify weak
passwords
Dominance
• Through malware attached to e-mail
• Privilege Escalation, • Via Emotet (then download TrickBot)
Discovery, Lateral Movement
• Only in domestic cases
• Via portable connection devices assigned global IP address
+ hosts vulnerable to MS17-010
Ransom • Only in overseas cases
• Via Dridex (Bugat v5)
• Via CobaltStrike
• Via Empire
Anti-Forensics • Via Meterpreter

9
Classification: //Secureworks/Public Use
 NLBrute
Tools for brute force using IP list, username list and password list

10
Classification: //Secureworks/Public Use
 Privilege Escalation Techniques
• Domestic and overseas cases
Initial Access • Password dump using Mimikatz
• Executed via tools such as TrickBot and Empire
• The account used for the intrusion is often
Dominance already an administrator
• Privilege Escalation,
Discovery, Lateral Movement
• Only in domestic cases
• Use PoC tools for specific vulnerabilities on Github

Ransom

Anti-Forensics

11
Classification: //Secureworks/Public Use
 MS16-032
[Link]

12
Classification: //Secureworks/Public Use
 Discovery Techniques
• Domestic and overseas cases
Initial Access • Scan and gather information using malware
functionality
• Only in domestic cases
Dominance • Use Advanced IP Scanner, Advanced Port Scanner,
• Privilege Escalation, SoftPerfect Network Scanner, ProcessHacker,
Discovery, Lateral Movement
KPortScan3, PowerTools, etc.
• Only in overseas cases
• Use Hyena
Ransom
• Search AD using BloodHound and SharpHound

Anti-Forensics

13
Classification: //Secureworks/Public Use
 Advanced IP Scanner
[Link]

14
Classification: //Secureworks/Public Use
 PCHunter
[Link]

15
Classification: //Secureworks/Public Use
 BloodHound/SharpHound
[Link]
• Uncover hidden relationships and attack paths in
an active directory environment
• Aggregate various information such as
usernames, computer names, groups,
domains, and OUs about PCs/servers on the
network and visualize their relationships
• Identify possible attack routes to the AD
server
• SharpHound is C# version of BloodHound
Ingestor
• Operate at high speed and stability

Source: [Link]

16
Classification: //Secureworks/Public Use
 [Link] (NetworkShare)
Explore network shared folders

17
Classification: //Secureworks/Public Use
 Lateral Movement Techniques
• Domestic and overseas cases
Initial Access • Use RDP, PsExec and WMI
• Only in domestic cases
• Use MRemoteNG, MRemoteNC, Putty, Ammyy
Dominance Admin, etc.
• Privilege Escalation,
Discovery, Lateral Movement
• Brute-force password breach using bruttoline
• Only in overseas cases
• Use Empire, CobaltStrike and ReGeorg
Ransom

Anti-Forensics

18
Classification: //Secureworks/Public Use
 mRemoteNG
[Link] [Link]

19
Classification: //Secureworks/Public Use
 Ammyy Admin
[Link]

Source: [Link]

20
Classification: //Secureworks/Public Use
 Ransom Techniques
• Domestic and overseas cases
Initial Access • Run ransomware using PsExec, RDP and WMI
• Deploy and execute ransomware using RAT and
post-exploitation framework function
Dominance • Use batch files or powershell scripts
• Privilege Escalation, • Distribute ransomware using group policy function
Discovery, Lateral Movement
(software installation and logon scripts) via AD
server
• Use various families of ransomware
Ransom

Anti-Forensics

21
Classification: //Secureworks/Public Use
 Ransomware Distribution from AD Server
Use “Software installation” to broadcast ransomware

22
Classification: //Secureworks/Public Use
 Ransomware Distribution from AD Server
Use “Logon Script” to broadcast ransomware

23
Classification: //Secureworks/Public Use
 Types of Ransomware

Matrix Phobos GandCrab GlobeImposter

Cropp Dharma Ryuk MedusaLocker

Frendi CrySiS Scarab Samsam

BitPaymer Defray 777 REvil/Sodinokibi [Link]/[Link]

24
Classification: //Secureworks/Public Use
 Typical Features of Ransomware
File encryption

• Use in combination with RSA-2048/RSA-4096 and AES-256

• Encrypt file data with AES, which allows high-speed encryption. Then, the used AES secret key is encrypted with
the RSA public key

Scan the network and add more PCs/servers to encrypt

• Explore A-Z drives
• Explore network shared folders, administrative shares, etc.
• Disable firewall

Anti-forensics
• Erase VSS
• Disable startup repair

Display ransom note

25
Classification: //Secureworks/Public Use
 Command Line Tools “[Link]”
Ransomware but closer to an encryption tool

26
Classification: //Secureworks/Public Use
 Command Line Tools “[Link]”
Confirm multiple versions
No usage version
(Encrypt file if there is no arguments)

Usage version

27
Classification: //Secureworks/Public Use
 Command Examples
• Spread of infection
• "netsh advfirewall set currentprofile state off"
• "netsh firewall set opmode mode=disable”
• Anti-forensics
• "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
• "vssadmin delete shadows /all /quiet"
• "wmic shadowcopy delete /nointeractive"
• "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
• "bcdedit /set {default} recoveryenabled no”
• "C:¥Windows¥system32¥[Link]“ /c del <malware execution path>
¥<malware name> > nul

28
Classification: //Secureworks/Public Use
 Commands Hard-Coded into the Ransomware
MedusaLocker

29
Classification: //Secureworks/Public Use
 Ransom Note Trends
Instead of Bitcoin transfers, attacker requires direct email contact

There is case that attacker

manually creates a ransom note
instead of ransomware creates
automatically

30
Classification: //Secureworks/Public Use
 Anti-Forensics Techniques
• Domestic and overseas cases
Initial Access • Erase VSS, disable FW using ransomware
• Delete file using “[Link] –p 5 <FileName>”
• Delete eventlog using “[Link] -c security”, etc.
Dominance • There are many cases in which evidence deletion
• Privilege Escalation, has not been carried out both domestic and
Discovery, Lateral Movement
overseas
• Some evidence is erased because ransomware
encrypts registry, eventlog and other files
Ransom • Only in domestic cases
• Use xDedicLogCleaner

Anti-Forensics

31
Classification: //Secureworks/Public Use
 Uninstalling Security Products Using
PowerShell
• Execution history
• C:¥Users¥<UserName>¥AppData¥Roaming¥Microsoft¥Windows¥PowerShell
¥PSReadline¥ConsoleHost_history.txt
• Commands
• (Get-WmiObject -Class Win 32_Product -Filter "Name = 'Symantec Endpoint
Protection'" - ComputerName. ).Uninstall()
• (Get-WmiObject -Class Win 32_Product -Filter "Name = 'Endpoint Protection'" -
ComputerName. ).Uninstall()

32
Classification: //Secureworks/Public Use
 xDedicLogCleaner
One click to clear various PC history

33
Classification: //Secureworks/Public Use
 Comparison with Targeted Attacks
Results of Targeted Ransomware Incident Investigations

34
Classification: //Secureworks/Public Use
 TTPs in Each Case
TTPs differs depending on the case
Initial Access Dominance Ransom Evidence Deletion
Domestic and
Mail (Emotet) TrickBot Ryuk N/A
Overseas 1
MS16 -032, NLBrute, Advanced IP Scanner, AmmyAdmin,
Domestic 2 RDP Matrix N/A
[Link]

Advanced Port Scanner, ProcessHacker

Domestic 3 RDP Phobos N/A
[Link]

Domestic 4 RDP PCHunter, ProcessHacker, Mimikatz Phobos N/A

KPortScan3, SoftPerfectNetworkScanner, Powertools,

Domestic 5 RDP GandCrab xDedicLogCleaner
mRemoteNG, Bruttoline, Putty, ProcessHacker, Mimikatz

PsExec [Link]
Domestic 6 VPN [Link]
Batch file about DomainUser listing [Link]

Domestic 7 RDP PsExec GlobeImposter 2.0 N/A

Overseas 2 RDP Hyena, Mimikatz, WMIexec, reGeorg Samsam N/A
Overseas 3 Mail (Dridex) Empire, PsExec BitPaymer N/A

Overseas 4 Mail CobaltStrike, Meterpreter, SharpHound Defray 777 N/A

35
Classification: //Secureworks/Public Use
 Characteristics Unique to Targeted
Ransomware Attacks
• Attempt to break into various organizations and attack targets with weak security
measures and easy ransomware deployment
• Heavily use brute force when attacker cracks password
• Heavily use free tools when attacker dominates systems
• Use AD server’s group policies function (software installation and logon scripts)
• Ransomware type/version used by the attacker changes quickly
• Many overseas cases are similar to TTPs for targeted attacks (penetration test)

36
Classification: //Secureworks/Public Use
 Fight Against Targeted Ransomware Incidents

37
Classification: //Secureworks/Public Use
 Preparation
Prepare countermeasures and response plans from the following perspectives

1. Prevention

2. Detection and Initial containment

3. Response and Damage control

38
Classification: //Secureworks/Public Use
 1. Prevention
• Implement countermeasures to prevent “Initial Access” “Dominance" and “Ransom" to increase
the cost of successful attacks
• Unlike targeted attacks, attacker aims organization with poor security.

Prevent “Initial Access" Prevent “Dominance" Prevent “Ransom"

• FW (Network, Personal, • Network Segmentation and • Appropriate data access

Security Group for Cloud, Access Control restrictions(Least privilege
etc.) • Application whitelists, etc. principle)
• Vulnerability Management • Appropriate management of • Acquire backup and store
for VPNs and Other Network Local and Domain Ransomware-safely
Devices administrative accounts • Implement advanced
• E-Mail Security • Domain Controller endpoint security which can
• Anti-virus Protection detect and protect against
file encryption

39
Classification: //Secureworks/Public Use
 2. Detection and Initial containment
• In most incidents, existing security products can detect something signs of attacks.
• Unlike targeted attacks, attacks are less stealthy
• However, requires quick initial containment to minimize damage.
• Initial containment planning is essential for quick response.

Monitoring security alerts Identify threat type and severity Initial containment planning

• Anti-virus • Identify type of malware and • Isolation of affected computers

• EDR attack tools. • Cut off corporate networks as a
• Mail • Malicious Usage of high- precaution
• Malicious usage of privilege accounts • Cut off all Internet access as a
administrative accounts • Any activities related to precaution
• VPN “Dominance" • Resetting passwords for all
administrative account as a
precaution

40
Classification: //Secureworks/Public Use
 3. Response and Damage control
• Recovery plan is required to quickly recover encrypted data and minimize business impact.
• Just acquire backup is not enough for practical recovery
• Investigation, containment, and eradication processes must be planned in advance like targeted
attacks.

Recovery plan after encryption “investigation" “containment" and "eradication"

plans
• System Recovery Priority • Manpower, Operation, and Costs
• Recovery time objectives • Target response time
• Prepare a cold standby system for most critical • Targets to be achieved at each stage of incident
systems response process
• Manpower and procedures for carrying out • Preparation of specific tasks and procedures of
restoration each stage of incident response process

41
Classification: //Secureworks/Public Use
 Incident Response Process and Points
① Identification ② Initial containment ③ Create specific ④ Investigation and
•Accurately recognize the response plan threat hunting
•Control and contain damage
current situation from that can be done in a short •Prepare a specific response •Identifying the root cause of
security alerts and interviews time plan from investigation to initial intrusion.
recovery, based on the • Identifying TTPs of the
status of the incident. attack.
•Identification of hidden
affected computers.

⑦ Recovery ⑥ Eradication ⑤ Containment

•Recovering encrypted data. •Eradicate all attacker •Contains attacker activities
•Recovering a Stopped activities. based on investigation
System Network •Malware infected computers, results.
• Monitoring new attacks and settings, etc.
remaining threats.

42
Classification: //Secureworks/Public Use
 Balance between Business and Safety
• System recovery is often a priority because data encryption means business disruption
• In some cases, the previous incident response process cannot be performed step by step.
• A response plan that balances business continuity and safety needs to be developed within a
limited time frame
• What should be kept to a minimum to prevent the recurrence of attacks and the spread of
damage?

Examples of incidents and responses in Japan and overseas should be

widely shared with incident handlers, in order to create
best practices is especially important for quick, safe incident response and
minimize business Impact

43
Classification: //Secureworks/Public Use
 Important points for preventing damage
expansion and recurrence
Identify and block the Mitigation of Company-wide
way attackers continue
“Dominance” activity monitoring and research
to access
• Identifying and blocking • Password reset of all • Utilize EDR, Event logs,
remote access methods stolen accounts Client management
• Patch vulnerabilities • Limiting accessible software logs, anti-
• Identification and ports of servers and virus, etc.
Blocking of RAT- computers • Utilize IOC findings
Infected computers • Network Segmentation from Investigation,
and access control create custom
signatures for above
• Application white-list,
security products.
etc

44
Classification: //Secureworks/Public Use
 Examples in a domestic incident

① • Interview
• Two ransomware encryptions were discovered at different times
Identification •
• Logon scripts ware abused to distribute ransomware
Investigation of AV detection log
• SMB/RDP brute-force tools were detected by AV

② Initial
• Blocking all Internet connections
• Reset password for domain administrator account
• Fixed logon scripts
containment

45
Classification: //Secureworks/Public Use
 Examples in a domestic incident
③ Create specific response plan

Phase 1 - Implement countermeasures to ensure a certain level of safety and recover network
and system within 48 hours

• Identification and countermeasures for initial intrusion routes (root cause)

• Identification of Lateral Movement techniques attacker used and implementation of mitigation
measures
• Domain Controllers Safety Check
• Implement EDR and establish company-wide threat monitoring operation.

Phase 2 – Further investigation and implement additional countermeasures

• Forensics for compromised server/terminal and clarify attack details

• Update IOCs based on forensic result and continuous monitoring with EDR
• Implementation of additional countermeasures

46
Classification: //Secureworks/Public Use
 Examples in a domestic incident
④ Investigation and Threat Hunting

•Identifying domain Administrator Accounts were abused.

Event logs •Identify the login source private IP address which attacker used
to access internal computers, and identified attacker abuse VPN.

•Identification of activities by the attacker (malicious file name, execution history,

etc).
Client management software logs
•Extracting IOC Information
•Found mstsc and PsExec are used for Lateral Movement

•Quick Triage (Persistence, Memory, FileSystem, Program Execution)

Domain Controller Safety Check •Confirmation of RAT and other malware infection in order to prevent continuous
access of attacker

Establishment of a company-wide •Urgent deployment required for devices reconnecting to the network
hunting system using EDR •Use IOCs as signatures

47
Classification: //Secureworks/Public Use
 Examples in a domestic incident

⑤ Containment
• Restricting Source IP Address that can access VPN, and Implement Certificate
Authentication
• Resolving vulnerabilities in VPN devices
• Limitations of RDP/SMB access to servers and computers.
• Password reset for compromised domain administrator account
• Countermeasures for Golden Tickets attack
• Implement Detecting and preventing the execution of existing attack tools

⑥ Eradication
• Restoring a compromised terminal/server from a safe backup
• *As there was no use of RAT, the risk of continuous access is low.

48
Classification: //Secureworks/Public Use
 Summary and Predictions for Targeted
Ransomware

49
Classification: //Secureworks/Public Use
 Domestic Ransom(ware) in 2020
Initial access – following international cases
• Vulnerable devices (On-Premise/Cloud) will continue to be compromised directly from Internet
• Ransomware downloaded by other Malware which is spreading via e-mail (Emotet, etc.) is (will
be) increasing in Japan, same as overseas.
• Increasing ransomware incidents even in organizations which properly implement “Perimeter
Defense”

Dominance – close to targeted attack methods

• Use of RAT and penetration testing tools such as BloodHound and other APT like tools are
expected to increase in Japan.
• Use of RAT makes containment and eradication more difficult
• Attacker may repeatedly or continuously distribute ransomware using RAT in same
organization, even after security team recovers their encrypted data.

50
Classification: //Secureworks/Public Use
 Domestic Ransom(ware) in 2020
Ransom – methods other than file encryption
• Attack on availability
• Attacker may find other ways to attack on availability other than encryption.
• Changing passwords for all domain accounts
• Interference with system operation by deleting files or changing settings on various servers
• Attack on confidentiality
• Attacker may threaten organization using confidential information they steal.
• Cases of obtaining confidential information, such as intellectual property, R & D
information, and personal information, and threatening in exchange for disclosure will
occur also in Japan
• Attack on integrity
• Secondary damage may occur about data integrity
• Obstruction of business by partial file wiping or encryption

51
Classification: //Secureworks/Public Use
 Is It Wrong to Try to Find APT Techniques in
Ransomware Attack?
"Targeted"?

• Attackers aren't targeting specific organizations to encrypt or steal money.

• After widespread attacks, attacker target organizations with weak security
organizations that are likely to pay ransoms or have valuable information
• Although there are the same/similar methods as targeted attacks in terms of
each method, the overall attack flow is unique.

Ransom "ware"?

• Ransomware is just one way to make threats for money.

• Attacker don't have to use "Ransomware“ if there are another ways of
obtaining money.
• Don’t pay too much attention to ransom”ware”. It is important in incident
response to understand and prepare overall attack process.

52
Classification: //Secureworks/Public Use
 IoC
Malware/Tool name SHA-256 Hash
NLBrute1.2 E21569CDFAFBBDD98234EF8AFCC4A8486D2C6BA77A87A57B4730EB4A8BD63BC2
[Link] F47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446
KPortScan3 080C6108C3BD0F8A43D5647DB36DC434032842339F0BA38AD1FF62F72999C4E5
SoftPerfect Network Scanner 66C488C1C9916603FC6D7EC00470D30E6F5E3597AD9F8E5CE96A8AF7566F6D89
MS16-032 9F023D74CF5E16A231660805ADFC829C1BE24A6B1FA6CB3ED41F0E37FE95062B
9AFAE820C8F7ED5616A4523A45968CFDABF646C5151A9C1DB1A6E36D7A9D1E11
[Link] 48303E1B50B5D2A0CC817F1EC7FA10C891F368897B0AEA2D02F22701D169CE54
E6CCB71FD62783DE625CBFCDAE1836B9FFB33B0E2344D709F5B6C5B2E6EAC8D8
mRemoteNC 3BC3038749427E1D6DA05FD3972A86F3403B40102974BD241A233EBD2C3B8C5C
mRemoteNG 9476FE1896669163248747785FA053ACA7284949945ABD37C59DAE4184760D58
Ammyy Admin 5FC600351BADE74C2791FC526BCA6BB606355CC65E5253F7F791254DB58EE7FA
A0C996178FAA8320948D886F47EF394C712F1E5DC0F7C8867CD4BB1DB5F2A266
xDedicLogCleaner 878706CD11B5223C89AAEF08887B92A655A25B7C630950AFFA553574A60B922E
Advanced IP Scanner 02EC949206023F22FE1A5B67B3864D6A653CC4C5BFCB32241ECF802F213805E8
PCHunter D1AA0CEB01CCA76A88F9EE0C5817D24E7A15AD40768430373AE3009A619E2691

53
Classification: //Secureworks/Public Use
 54
Classification: //Secureworks/Public Use