Sponsored Post: By CrowdStrike - Ryan Hunt, CrowdStrike OverWatch Senior Intrusion Researcher
Ransomware is a term that evokes fear in many—and with good reason. CrowdStrike’s Falcon OverWatch™ threat hunters continue to see increasing numbers of hands-on-keyboard intrusions, with eCrime adversaries representing the most prominent threat type. Opportunistic cybercriminals await any opportunity to leverage your data against you for large payouts.
This risk is heightened when you consider the speed of eCrime adversaries’ “breakout time,” or the time it takes for them to move laterally from an initially compromised device to another asset within the victim's environment. A closer look at eCrime activity in 2021 revealed an average breakout time of only 1 hour and 38 minutes.
Even with the ubiquity of ransomware activity, there are still many myths surrounding these attacks—and, more importantly, how businesses can proactively defend against them. Armed with insights from the front lines, this blog aims to dispel these myths and highlight how you can harden and prepare your organization to defend against a potential ransomware attack.
Phishing, spearphishing, vishing, and other user-enabled initial entry points represent only a fraction of ways in which sophisticated adversaries can breach your organization’s environment.
For example, in a recent intrusion by an unknown eCrime adversary, CrowdStrike’s OverWatch team observed the threat actor use password spraying against a Remote Desktop Protocol (RDP) connection to gain initial access. This was followed by a wide range of activity indicative of the preliminary stages of a Dharma ransomware attack. Password spraying is a technique commonly used to acquire valid user credentials to operate within a victim environment as it circumvents the need to deceive a user into providing access.
With so many potential access vectors at an adversary’s disposal, defenders should focus their efforts on identifying the signs of hands-on-keyboard activity that follows initial access. Further, it is important to closely monitor existing tooling within your environment that could potentially be used by an adversary to access the network remotely or perform lateral movement once they are inside. Any out-of-hours use of such tooling could highlight malicious activity.
Ransomware attacks are not one-step events. Once an adversary gains access to one device, they still must go through several steps to understand the enterprise environment, gain access across multiple devices, and—finally—execute ransomware. Defenders can look for the tell-tale signs of this type of pre-ransomware behavior to disrupt an adversary before they can do any damage.
Adversaries also don’t just strike once. In many cases, disrupting an initial attack won’t stop an adversary from trying again. Remember that eCrime intrusion we just highlighted? Well, the adversary returned to the network because the exposed and compromised RDP service was not fully remediated. In this instance, the adversary continued their second attempt at ransomware deployment by using native tooling to tamper with the device’s security configurations.
Detecting the early stages of a ransomware intrusion is all about knowing your environment to effectively separate malicious from benign. Defenders should review existing remote access points and ensure logging is enabled and actively monitored to identify unusual access. Further, it’s important to understand the applications you have installed and maintain an up-to-date network diagram, as these provide a baseline of normal operations. OverWatch also recommends using frequency analysis to elevate the least common activities and artifacts within an environment—these can be an indication of adversaries looking to blend into the noise.
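The two checks recommended above, knowing which remote-access tooling is legitimately present and watching for its out-of-hours use, and ranking activity by frequency so the rarest combinations surface, can be written as a small baselining script. The following is an added example, not CrowdStrike or OverWatch code; the telemetry records, the tool inventory in `REMOTE_TOOLS` and the `BUSINESS_HOURS` window are constructed assumptions for a hypothetical environment.

```python
"""Added example (not CrowdStrike or OverWatch code): two baselining checks over
constructed process telemetry.

1. Frequency analysis: rank (host, parent, process) combinations from least to
   most common so the rarest ones surface for review.
2. Out-of-hours use of remote-access and lateral-movement tooling that is
   legitimately installed in the environment.

Every record in EVENTS is constructed sample data; REMOTE_TOOLS and
BUSINESS_HOURS are assumptions about a hypothetical environment.
"""
from collections import Counter
from datetime import datetime, time

# Constructed telemetry: (timestamp, host, user, parent process, process).
EVENTS = [
    ("2021-06-14T09:02:11", "WS-014", "alice", "explorer.exe", "outlook.exe"),
    ("2021-06-14T09:05:40", "WS-014", "alice", "explorer.exe", "excel.exe"),
    ("2021-06-14T09:30:02", "WS-014", "alice", "explorer.exe", "outlook.exe"),
    ("2021-06-14T10:15:19", "WS-014", "alice", "explorer.exe", "excel.exe"),
    ("2021-06-14T11:20:45", "WS-014", "alice", "explorer.exe", "mstsc.exe"),
    ("2021-06-14T08:50:07", "WS-022", "bob", "explorer.exe", "outlook.exe"),
    ("2021-06-14T13:10:33", "WS-022", "bob", "explorer.exe", "outlook.exe"),
    ("2021-06-14T08:00:00", "SRV-DB01", "svc_sql", "services.exe", "sqlservr.exe"),
    ("2021-06-14T12:00:00", "SRV-DB01", "svc_sql", "services.exe", "sqlservr.exe"),
    ("2021-06-14T23:41:05", "SRV-DB01", "svc_backup", "cmd.exe", "psexec.exe"),
    ("2021-06-15T02:13:22", "WS-022", "bob", "explorer.exe", "anydesk.exe"),
]

# Assumed inventory of remote-access / lateral-movement tools present in the
# environment (the advice is to know which such tools you already run).
REMOTE_TOOLS = {"psexec.exe", "anydesk.exe", "mstsc.exe", "teamviewer.exe"}

# Assumed local business hours; anything outside this window is "out of hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def rarest_combinations(events, limit=3):
    """Return the `limit` least frequent (host, parent, process) tuples with counts.

    Ties are broken alphabetically so the output is deterministic.
    """
    counts = Counter((host, parent, proc) for _, host, _, parent, proc in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def out_of_hours_tool_use(events, tools=REMOTE_TOOLS, hours=BUSINESS_HOURS):
    """Return (timestamp, host, user, process) for remote tools run outside business hours."""
    start, end = hours
    hits = []
    for ts, host, user, _parent, proc in events:
        when = datetime.fromisoformat(ts).time()
        if proc.lower() in tools and not (start <= when < end):
            hits.append((ts, host, user, proc))
    return hits


if __name__ == "__main__":
    print("Least common (host, parent, process) combinations:")
    for combo, n in rarest_combinations(EVENTS):
        print(f"  {n:>3}  {combo}")
    print("Remote tooling used outside business hours:")
    for hit in out_of_hours_tool_use(EVENTS):
        print("  ", hit)
```

On the constructed data the rarest combinations are the `psexec.exe`, `mstsc.exe` and `anydesk.exe` launches, and two of those also fall outside business hours. In a real environment the baseline would be built from weeks of telemetry rather than a dozen records, and the rarity ranking should be computed per host class (workstations versus servers) so that routine server activity does not drown out a single odd launch on a workstation.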
Once an eCrime adversary gains access, they often attempt to compromise additional valid accounts to extend their reach onto more devices or elevate their access to the level needed to execute ransomware. By increasing the number of infected devices, adversaries improve their chances of the victim paying the ransom demand.
During deployment into new customer environments, it is not uncommon for OverWatch to find signs of well-entrenched adversaries, with malicious activity uncovered under multiple valid accounts. In one such case, threat hunters uncovered the eCrime group PINCHY SPIDER operating over RDP and under the context of multiple user accounts. PINCHY SPIDER had successfully brought REvil ransomware into the environment and was actively extending their foothold in the victim organization’s network through the use of valid domain accounts, the creation of new accounts, and credential harvesting in preparation for the ransom operation.
Defenders should audit creation events related to new user and administrator accounts as well as permission changes to user accounts. Maintaining proper visibility of administrative changes is required to track and trace malicious activity wherever it appears.
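The audit recommended above, tracking account creation alongside group-membership changes, is most useful when the two are correlated: a brand-new account landing in a privileged group minutes after it was created is the foothold-extension pattern described in the PINCHY SPIDER case. The following is an added example, not CrowdStrike or OverWatch code. Its records are constructed, modelled on the Windows Security log event IDs 4720 (user account created), 4728 (member added to a security-enabled global group) and 4732 (member added to a security-enabled local group); the group list and correlation window are assumptions.

```python
"""Added example (not CrowdStrike or OverWatch code): auditing Windows account
creation and group-membership changes for signs of an adversary extending
their foothold.

The records in EVENTS are constructed, modelled on Windows Security log
events 4720 (user account created), 4728 (member added to a security-enabled
global group) and 4732 (member added to a security-enabled local group).
PRIVILEGED_GROUPS and CORRELATION_WINDOW are assumptions for this example.
"""
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Remote Desktop Users"}

# A brand-new account placed in a privileged group this quickly after creation
# is the pattern worth escalating (assumed window).
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed audit records: who did it (subject), to whom (target), which group.
EVENTS = [
    {"time": "2021-06-14T10:12:00", "id": 4720, "subject": "helpdesk01", "target": "jsmith", "group": None},
    {"time": "2021-06-14T10:13:30", "id": 4732, "subject": "helpdesk01", "target": "jsmith", "group": "Users"},
    {"time": "2021-06-14T23:05:10", "id": 4720, "subject": "svc_backup", "target": "support", "group": None},
    {"time": "2021-06-14T23:07:10", "id": 4728, "subject": "svc_backup", "target": "support", "group": "Domain Admins"},
    {"time": "2021-06-14T23:09:10", "id": 4732, "subject": "svc_backup", "target": "support", "group": "Remote Desktop Users"},
    {"time": "2021-06-15T09:00:00", "id": 4728, "subject": "adm_jdoe", "target": "bob", "group": "Domain Admins"},
]

GROUP_ADD_IDS = {4728, 4732}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def new_accounts(events):
    """Map each newly created account name to its creation time (event 4720)."""
    return {e["target"]: _ts(e) for e in events if e["id"] == 4720}


def privileged_additions(events, groups=PRIVILEGED_GROUPS):
    """Every addition of any account to a watched group: (time, subject, target, group)."""
    return [
        (e["time"], e["subject"], e["target"], e["group"])
        for e in events
        if e["id"] in GROUP_ADD_IDS and e["group"] in groups
    ]


def rapid_elevations(events, window=CORRELATION_WINDOW, groups=PRIVILEGED_GROUPS):
    """Correlate 4720 with a later privileged-group addition for the same account.

    Returns (target, group, subject, minutes_after_creation) for each addition
    that lands within `window` of the account's creation.
    """
    created = new_accounts(events)
    findings = []
    for e in events:
        if e["id"] not in GROUP_ADD_IDS or e["group"] not in groups:
            continue
        born = created.get(e["target"])
        if born is None:
            continue
        delta = _ts(e) - born
        if timedelta(0) <= delta <= window:
            findings.append((e["target"], e["group"], e["subject"], delta.total_seconds() / 60))
    return findings


if __name__ == "__main__":
    for finding in rapid_elevations(EVENTS):
        print("ESCALATE: new account elevated", finding)
    for addition in privileged_additions(EVENTS):
        print("REVIEW: privileged group change", addition)
```

On the constructed data the helpdesk-created `jsmith` account never touches a watched group and produces nothing, the `bob` addition to Domain Admins is listed for routine review, and the `support` account created and elevated by a service account late at night is escalated twice. Note that the subject is a service account acting outside its expected role, which is the kind of context a reviewer would add on top of the raw correlation.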
As part of pre-ransomware tradecraft, eCrime adversaries will frequently employ techniques that frustrate the victims’ ability to successfully recover from a ransomware infection. The last thing you want as a criminal enterprise seeking financial gain is for your victim to use backups to negate the effects of data encryption. Some techniques adversaries use to do this include deleting the Windows backup catalog or disabling the Windows automatic recovery features. Another technique, which was also observed in the same intrusion we touched on in myths 1 and 2, included the adversary attempting to remove volume shadow copies.
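The three recovery-inhibition techniques named above (deleting the backup catalog, disabling automatic recovery, removing volume shadow copies) all leave process command lines that endpoint telemetry records, and MITRE ATT&CK catalogues them under T1490, Inhibit System Recovery. The following is an added detection example, not CrowdStrike or OverWatch code; the process events are constructed, and the rule labels and the "two or more techniques on one host" escalation threshold are this example's own assumptions.

```python
"""Added example (not CrowdStrike or OverWatch code): flagging process command
lines that match the recovery-inhibition techniques the post describes
(deleting the backup catalog, disabling automatic recovery, removing volume
shadow copies), catalogued by MITRE ATT&CK as T1490, Inhibit System Recovery.

EVENTS is constructed telemetry; the rule labels are this example's own.
"""
import re
from collections import defaultdict

# (label, pattern) pairs; patterns are case-insensitive and tolerate the
# optional ".exe" suffix and variable whitespace between arguments.
RULES = [
    ("backup catalog deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("automatic recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot failures ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("shadow copies removed",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow copies removed",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Constructed process events: (host, user, parent process, command line).
EVENTS = [
    ("WS-014", "alice", "explorer.exe", r'"C:\Program Files\Microsoft Office\OUTLOOK.EXE"'),
    ("SRV-BK01", "svc_backup", "services.exe", "vssadmin list shadows"),
    ("SRV-FS01", "svc_backup", "cmd.exe", "vssadmin.exe  Delete Shadows /All /Quiet"),
    ("SRV-FS01", "svc_backup", "cmd.exe", "wbadmin delete catalog -quiet"),
    ("SRV-FS01", "svc_backup", "cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("SRV-FS01", "svc_backup", "cmd.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("SRV-FS01", "svc_backup", "cmd.exe", "wmic shadowcopy delete"),
]


def detect_recovery_tampering(events, rules=RULES):
    """Return (host, user, label, command_line) for each command line matching a rule."""
    hits = []
    for host, user, _parent, cmdline in events:
        for label, pattern in rules:
            if pattern.search(cmdline):
                hits.append((host, user, label, cmdline))
                break  # one label per command line is enough
    return hits


def hosts_with_sequence(hits, min_techniques=2):
    """Hosts where several distinct recovery-inhibition techniques were seen.

    More than one of these on a single host is the pre-ransomware pattern the
    post describes, so it is escalated above a single stray command (which a
    backup administrator might legitimately run).
    """
    seen = defaultdict(set)
    for host, _user, label, _cmd in hits:
        seen[host].add(label)
    return {host: sorted(labels) for host, labels in seen.items() if len(labels) >= min_techniques}


if __name__ == "__main__":
    hits = detect_recovery_tampering(EVENTS)
    for hit in hits:
        print("MATCH:", hit)
    for host, labels in hosts_with_sequence(hits).items():
        print(f"ESCALATE {host}: {', '.join(labels)}")
```

The read-only `vssadmin list shadows` on the backup server is deliberately left unmatched, since listing shadow copies is normal administration; only the deletion and recovery-disabling forms are flagged. Four distinct techniques on `SRV-FS01` within the same batch of events is what pushes that host from "review" to "escalate".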
Organizations hoping a quick payout will lead to a quick return to normal business operations may also find themselves wanting. There is no guarantee if victims pay the ransom that the decryption key will be provided to them. Furthermore, there has been a surge in popularity of using data extortion techniques to extract payment from victims when data encryption falls short. Threats to leak or sell stolen data provide adversaries an additional ransom lever even if organizations are able to successfully recover from a backup or acquire a decryption key.
It is important for backups to be stored in a secure location, inaccessible from the internet, to prevent adversaries from causing significant damage and inhibiting recovery efforts in the event of a successful ransomware deployment. Organizations, and defenders specifically, must also understand where critical assets reside and ensure an emergency set of contacts and procedures is in place. This is especially true for out-of-hours operations such as device containment, firewall changes, or account changes in the event of a compromise.
Ransomware infections are highly damaging events for organizations. As we touched on, adversaries purposely aim to expand their foothold in an environment to infect as many devices as possible. Even if a ransom demand is paid, the attack itself will have significant impacts in terms of time needed to recover, both physically and in the eyes of the public. Reputational damage and supply chain disruptions originating from a ransomware attack can be detrimental to an organization long after the ransomware tools have been removed from the environment.
To ensure your organization is free of blind spots where adversaries can effectively launch ransomware attacks, OverWatch recommends investigating your environment for systems that may be running outdated software and could be low-hanging fruit for an adversary to exploit. This is especially important if your organization has recently been through a merger. Timely patching and good IT hygiene remain a perennial challenge in cybersecurity.
Year on year, OverWatch threat hunters are finding increasing numbers of hands-on-keyboard intrusions. According to OverWatch data, criminally motivated intrusions remain the most prominent threat to organizations globally. Adversaries continue to evolve their techniques to bypass existing controls, exploit infrastructure, and ultimately profit from a compromise.
Preparing for a ransomware attack is possible. Mature threat hunting operations, such as OverWatch, prioritize pursuing the post-exploitation behaviors adversaries employ, which remain constant regardless of the initial attack vector. OverWatch conducts proactive 24/7 hunting operations to unearth a variety of ransomware operators before they can achieve their mission objectives. You, too, can help harden and prepare your organization against these threats by implementing the recommendations above.