What is ransomware?
Threat actors use a form of malware called ransomware to infect computers and encrypt files until the victim pays a ransom. Ransomware sometimes attempts to spread to other connected systems, including storage drives.
How does ransomware work?
Ransomware encrypts files and generally appends an extension to each one, such as .encrypted, .locky, .crypt or .cryptolocker. Once the files are encrypted, a message is displayed with instructions on how the victim can decrypt them by paying a ransom. An affected organisation would then need to restore the encrypted data from backups. In the unfortunate event of being affected by ransomware, the following process can be used as a general guideline.
The Ransomware Incident Response Process
- Incident Assessment and Specific Response Plan
Firstly, follow your Cyber Incident Response Plan or similar process to analyse your data, the urgency of your response effort, your budget, the ransomware variant and the threat actor (cyber-attacker). Cyber insurance providers may also require this information.
Your response team should be formed, including identifying authorised representatives. If required, external experts can assist you through the process. In the unfortunate event that backups can’t be restored or a decryption tool is not available, payment of the ransom may be required. There are, however, a number of risk mitigation steps that need to be taken first, including informing the authorities and conducting AML/CFT sanction checks.
Your experts will establish the scope of the cyber-attack by collecting all ransomware IDs, ransom notes and samples of encrypted files. Where required, forensic copies of affected computers will be created. Additionally, the state of your backups should be assessed, and mitigations completed to prevent further spread of the malware. If you can successfully restore from backup, you should conduct a post-incident review; stages two, three and four below may not be required.
- Risk Assessment
If you are unable to fully recover from backup, then you may need to pay the ransom. Expert assistance is recommended at this point. There are organisations that specialise solely in handling ransomware payments and will work with you to attempt to achieve the best outcome. Any known information about the threat actor will be reviewed, including whether they have been involved in prior payments and whether any information about them can be obtained from their wallet address or other sources.
A risk assessment would be undertaken based on any insight found (e.g. how likely settlement is to succeed, and whether the technical likelihood of decryption is high or low). You will set a ransom budget. Negotiations may take time but can also lower the ransom demand.
You will then supply a sample of encrypted files to the threat actor, who will then provide proof of decryption. It is preferable not to provide them with confidential information for this process; however, bear in mind that the threat actors may have viewed or copied your data during the cyber-attack.
- Payment of the Ransom
Payment of the ransom to the threat actor may be in cryptocurrency or in several payment forms. This is another reason why using an intermediary specialised in negotiation and ransom payment, and who maintains cryptocurrency accounts, is advisable. If professional negotiators are engaged, an Anti-Money Laundering (AML) check is performed before any money is transferred to ensure that none of the parties involved in the transaction (including the threat actor’s wallet address) are on an OFAC Sanctions list. The negotiating entity then manages the financial exchange.
Once the decryption tool is received and run, troubleshooting of any failed files is undertaken and occasionally further communication with the threat actor is required. Any clean data is moved to clean environments and standard restoration services performed. A post-incident review should always be undertaken, and any lessons learned adopted into your incident response plan.
Recent Government Advisories
Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
On 18 August 2021, CISA released this fact sheet to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom.
How ransomware happens and how to stop it
On 2 June 2021, CERTNZ published this advisory.
Ransomware: What board members should know and what they should be asking their technical experts
On 4 August 2021, the United Kingdom’s National Cyber Security Centre (NCSC) published this advisory.
The impact of a ransomware attack on an organisation can be devastating. So what should board members be doing to ensure that their organisation is prepared for such a ransomware attack, and in the best possible place to respond quickly? This blog, part of the Cyber Security Toolkit for Boards, explains the basics of ransomware, and suggests relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against these types of attack.
Ransomware: Your organisation should be both protected and prepared
On 31 May 2021, the New Zealand National Cyber Security Centre (NCSC) published this advisory.
Recent high-profile ransomware incidents, both in New Zealand and abroad, offer a timely reminder to all New Zealand organisations about the importance of information security and cyber resilience. Preparation is everything. Your organisation needs to practise defence in depth to protect your systems and people against malicious cyber activity, and to be prepared for an incident should one occur.
CISA and MS-ISAC Release Ransomware Guide
On 30 September 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published the CISA and MS-ISAC Release Ransomware Guide.
This joint Ransomware Guide details practices that organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The in-depth guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
Fact Sheet: Rising Ransomware Threat to Operational Technology Assets
On 10 June 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Fact Sheet: Rising Ransomware Threat to Operational Technology Assets.
On June 9, 2021, CISA published Rising Ransomware Threat to Operational Technology Assets, a fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
Recent Major Ransomware Decryption Tools
Emsisoft Decryptor for Avaddon
The Avaddon ransomware encrypts victims’ files using AES-256 and RSA-2048, and appends a random extension. The criminal group behind Avaddon has recently shut down its operation and released decryption keys for past victims. The keys have now been shared with Emsisoft, a security firm that has previously released many free decryption utilities for a wide range of ransomware strains. Obtain the tool here.
Recent Major Ransomware Variants
Ransomware is a type of cyber crime involving a demand for payment. This mainly follows a cyber attack where malicious software is deployed to encrypt and restrict access to data, or confidential data is stolen and threatened to be posted online.
The ‘Conti’ ransomware variant has been observed since 2020. Unlike most ransomware, Conti focusses on network-based targets and uses a large number of threads to perform encryption (up to 32 simultaneous encryption threads), resulting in faster encryption than other variants.
Conti has also been observed by cyber research firms to accept command line options that let the attackers control it directly, for example skipping the encryption of local files and targeting networked Server Message Block (SMB) shares. Conti also uses the Windows Restart Manager to close applications that hold files open, so that all files can be encrypted.
Whilst there are many methods by which cyber attackers can gain access to an organisation’s network, the operators of the Conti ransomware have been observed exploiting vulnerabilities in hardware firewall appliances to obtain domain admin access to an organisation’s internal servers. Once inside the victim’s network, the attackers used a Cobalt Strike beacon to maintain persistence and issue commands to gather a list of domain admin accounts and map the network topology. In addition, the attackers used the compromised domain admin account to deploy Cobalt Strike beacons to other servers via the Windows Management Instrumentation (WMI) functionality.
The operators of Conti ransomware leverage the threat of exposing exfiltrated data to pressure the victim organisation into paying the demanded ransom amount. Unlike some ransomware variants that simply claim to have exfiltrated data, the operators of Conti have been observed scanning the victim’s environment for sensitive information and then uploading what they find to the cloud storage provider Mega. To facilitate the data theft, Conti uses Rclone, a legitimate tool for managing cloud storage that supports several backend providers. An important point to note here is that the copy process performed by Rclone is similar to other cloud storage synchronisation tools in that files are transferred in bulk from source folders on the victim’s devices to destination folders in Mega. As such, the attackers do not first prepare the data for exfiltration using compression software; instead, a multithreaded stream of files is transferred, which is harder to detect during a forensic investigation.
Once the operators of Conti have exfiltrated sensitive data they then move onto the deployment of the ransomware itself. As with the initial attack vector, Cobalt Strike beacons are used to spread and then execute the malicious code throughout the victim’s network. A list of network endpoints that was created in an earlier stage of the attack is used in combination with a batch script to deploy a Cobalt Strike beacon to every identified endpoint and subsequently trigger the ransomware.
Once triggered, the Cobalt Strike beacons deploy the ransomware using a two-stage loading process that uses reflective DLL injection to load the malware directly into memory. The first stage of the process reserves memory space and then decrypts and loads Meterpreter shellcode into system memory. This shellcode then contacts a Command-and-Control (C2) server to retrieve the payload to be used in the next stage of the attack. The ransomware binary is downloaded from the C2 server and again, reflective DLL injection techniques are used to load it directly into memory. At this point, the encryption of local files begins whilst at the same time, the ransomware attempts to connect to other computers on the same subnet via the Server Message Block (SMB) port.
Technical Characteristics of Conti Ransomware
The Conti ransomware variant has features consistent with modern ransomware implementations in that it iterates through files on the local system, as well as those on remote SMB network shares, to decide which files to encrypt. The encryption is then carried out using AES-256 and a variant of ChaCha while using a hard-coded public key. The use of the hard-coded public key is interesting as this allows the encryption to progress even if the ransomware is unable to contact the C2 server.
The unique characteristics of Conti begin to appear once its mechanisms are analysed in depth: this ransomware variant has multiple anti-analysis features intended to hamper detection and reverse engineering. The main one is a unique string encoding routine applied to the majority of the text strings that appear in the malicious code. This encoding technique is implemented in 277 different algorithms, which corresponds to one per string. Approximately 230 of these algorithms are placed in dedicated subroutines, resulting in an overly large volume of code for a relatively simple application. The most notable use of this obfuscation method is to conceal the various Windows API calls made by the malicious code. Whilst it is common for malware to look up these API calls during execution, in Conti these strings are decoded on the fly, resolved to the actual API, and then stored in variables for later use.
DarkSide ransomware operates under the Ransomware-as-a-Service (RaaS) business model. In a RaaS business model there is a ransomware developer and a ransomware affiliate: the developer creates the software and the affiliate uses it against identified targets. The affiliate is responsible for deploying the ransomware on a victim’s computer systems and for negotiating the ransom payment. The RaaS business model provides an opportunity to profit from this type of cybercrime for those without the technical ability to create ransomware. In a RaaS model, any ransom payment made by a victim is then split between the affiliate and the developer. With DarkSide ransomware, the developer reportedly takes 25% for ransoms less than $500,000, but then takes a reduced commission of 10% for ransoms greater than $5 million.
According to Sophos News, DarkSide ransomware gains initial access to a victim’s computer systems by using phished credentials to compromise internet-facing remote access services such as VPNs or RDP. However, other methods may be employed, as it is up to the affiliate to gain entry to the victim’s systems by any means necessary. This can include purchasing the details of previously compromised VPN or RDP services on the Dark Web, brute forcing passwords to internet-facing services, or phishing for credentials.
Like many recent ransomware variants, DarkSide leverages double-extortion similar to ransomware operators such as REvil, Maze, and LockBit. In a double-extortion scenario, data is exfiltrated before the ransomware is deployed and the perpetrator threatens to publicly release the data if the victims don’t pay the ransom. In support of the assertion that DarkSide exfiltrates data, an analysis of a ransomware sample conducted by Fortinet showed the use of the command line tool Rclone to copy data. This is similar to the exfiltration technique used by Conti where Rclone is used to synchronise data between the compromised systems and a cloud storage location. In the DarkSide sample analysed by Fortinet, the attackers attempted to avoid the Rclone binary being detected by renaming it and placing it in the ‘C:\Users\Public\’ directory. In addition, the attackers were looking to exfiltrate very specific data types including files created in the last year which have the file extensions .xls, .xlsx, .doc, .docx, and .pdf. Research suggests that the DarkSide operators uploaded archives of stolen files to the cloud storage providers Mega or pCloud. In addition, the DarkSide operators maintain a Tor site in which they detail the networks their affiliates have compromised as well as threatening to launch DDoS attacks against companies unwilling to pay the ransom.
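The Rclone exfiltration pattern described above for Conti and DarkSide (a renamed rclone binary run from C:\Users\Public, copying office documents to Mega or pCloud) lends itself to a simple triage over process-creation telemetry. The following Python is an added example, not code from the advisory or from any vendor; the Sysmon-style field names, the constructed sample events and the two-indicator threshold are assumptions.

```python
# Added example: triage process-creation events for the renamed-Rclone
# exfiltration pattern. The events are constructed for this example, not
# captured telemetry; field names follow Sysmon's Image, OriginalFileName
# and CommandLine.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str           # full path of the executed binary
    original_name: str   # OriginalFileName from the PE version resource
    command_line: str


CLOUD_REMOTES = ("mega:", "pcloud:")   # rclone remote prefixes for the providers named above
PUBLIC_DIR = "c:\\users\\public\\"
# rclone --include filters for the document types DarkSide was observed targeting
OFFICE_FILTER_RE = re.compile(r"--include\s+\*\.(xls|xlsx|doc|docx|pdf)\b", re.IGNORECASE)

# Constructed samples: legitimate rclone backup, renamed rclone exfiltration,
# unrenamed copy from the Public folder, and an unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\rclone\rclone.exe", "rclone.exe",
                 r"rclone.exe sync D:\Backups s3:corp-backup"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", "rclone.exe",
                 r"svchost.exe copy \\FS01\Finance mega:drop --include *.xlsx --include *.pdf --max-age 1y"),
    ProcessEvent(r"C:\Users\Public\update.exe", "update.exe",
                 r"update.exe copy \\FS01\HR pcloud:drop --include *.docx"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe report.txt"),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of indicators matched by this event (empty list = nothing flagged)."""
    reasons = []
    # A PE whose version resource says rclone.exe but which runs under another name.
    if ev.original_name.lower() == "rclone.exe" and _basename(ev.image) != "rclone.exe":
        reasons.append("rclone binary renamed")
    if ev.image.lower().startswith(PUBLIC_DIR):
        reasons.append("executed from C:\\Users\\Public")
    tokens = ev.command_line.lower().split()
    if any(tok.startswith(CLOUD_REMOTES) for tok in tokens):
        reasons.append("copies to a consumer cloud remote")
    if OFFICE_FILTER_RE.search(ev.command_line):
        reasons.append("filters for office documents")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for events with at least two indicators."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[i].image, "->", "; ".join(reasons))
```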
According to Fortinet research, the remote administration tool PsExec was observed running the primary malware payload (.exe). The ransomware payload (.dll) was located in a shared folder and was then copied to the compromised device’s C:\Users\Public directory using a batch script. DarkSide leverages Living-off-the-Land (LotL) techniques to run the ransomware, and the payload is executed using rundll32. In addition, a service is created to maintain persistence. There were several encryption routines within the worker process, and these routines were called directly to perform encryption and create ransomware artifacts.
Sophos researchers also observed the DarkSide malware terminating services related to enterprise backup software such as Commvault and Veeam, shutting down the mail server software, and killing SQL server database services. It also attempts to uninstall or tamper with antivirus programs present on the machine. Like other ransomware, DarkSide also deletes Volume Shadow Copies, which could help recover some of the encrypted data if left intact. To achieve this, the malware uses an encoded PowerShell command that uses the Windows Management Instrumentation (WMI) service and the PowerShell cmdlet Get-WmiObject to delete all the Volume Shadow Copies.
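Because the shadow-copy deletion above arrives as an encoded PowerShell command, a detection has to decode the -EncodedCommand argument (base64 of UTF-16LE) before matching on Win32_ShadowCopy. The following Python is an added example, not the advisory's or any vendor's code; the sample command lines are constructed, and the verdict labels are this example's own.

```python
# Added example: decode PowerShell -EncodedCommand arguments and flag the
# WMI-based Volume Shadow Copy deletion described above. Sample command
# lines are constructed for illustration, not captured telemetry.
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
SHADOW_CLASS_RE = re.compile(r"win32_shadowcopy", re.IGNORECASE)
# A .Delete() call on the WMI objects, or the equivalent removal cmdlets.
DELETE_RE = re.compile(r"\.delete\s*\(|remove-wmiobject|remove-ciminstance", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or the line itself if there is none."""
    m = ENCODED_FLAG_RE.search(command_line)
    if not m:
        return command_line
    try:
        # PowerShell base64-encodes the script as UTF-16LE, not UTF-8.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Malformed blob: fall back to analysing the visible command line.
        return command_line


def analyse(command_line):
    """Return (decoded_script, verdict); verdict is 'shadow-copy-deletion',
    'shadow-copy-enumeration' or 'benign'."""
    script = decode_encoded_command(command_line)
    if not SHADOW_CLASS_RE.search(script):
        return script, "benign"
    if DELETE_RE.search(script):
        return script, "shadow-copy-deletion"
    return script, "shadow-copy-enumeration"


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: benign use, encoded deletion, plain-text enumeration, malformed blob.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    "powershell.exe -ExecutionPolicy Bypass -enc "
    + encode_for_powershell("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | Select-Object ID"',
    "powershell.exe -enc not-valid-base64",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        script, verdict = analyse(line)
        print(f"{verdict:26} {script[:60]}")
```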
Technical Characteristics of DarkSide Ransomware
According to analysis conducted by IBM X-Force threat intelligence the DarkSide ransomware has some key technical features. After dropping the ransom note and changing the victim’s desktop wallpaper accordingly, DarkSide encrypts all files using Salsa20 and RSA-1024 encryption. It can also encrypt files in connected network shares and other devices accessible via UNC paths or shortcut links. As it encrypts, DarkSide sends incremental progress updates to its command-and-control server.
In the sample analysed by Fortinet, the DarkSide ransomware included an Active Directory attack. In this attack the malware attempts to enumerate any domain controllers in the network and if found, tries to use them to connect to Active Directory. Since permissions are required to connect to Active Directory, the malware attempts to use LDAP to authenticate anonymously. Also noted by Fortinet is that DarkSide avoids encrypting shares named C$ and ADMIN$, and also checks that a share is writable before encrypting the files in it. It is possible that this is to avoid the generation of alerts if the malware is running with administrative privileges.
Zeppelin, also known as Buran or Vegalocker, operates as a ransomware-as-a-service. The developers allow buyers to use it however they see fit and do not maintain ongoing relationships with all their users. It is sold for $2,300. Zeppelin is one of the few ransomware operations on the market that does not adopt the pure RaaS model, and also one of the most popular of the bunch, enjoying recommendations from high-profile members of the cybercrime community.
A variant of the Zeppelin ransomware that was being used in 2020 was analysed by Juniper Threat Labs to determine the attack vector. This version of Zeppelin was using a previously unknown trojan downloader that came in the form of a malicious Word document. The Word document used familiar techniques to lure users into enabling VBA macros so that the malicious document could execute a Visual Basic script hidden within it.
Researchers suggest that the recent campaign of Zeppelin ransomware may differ as the core ransomware binaries are now up for sale to individual buyers. Threat prevention and loss avoidance company Advanced Intel (AdvIntel) suggests that these individual buyers may use other common initial attack vectors such as RDP, VPN vulnerabilities and phishing. In addition, AdvIntel notes that access to the Zeppelin ransomware code may allow other developers to appropriate the features for their own malware products. Consequently, this could make Zeppelin type attacks more unpredictable than those propagated using the typical ransomware-as-a-service (RaaS) models.
Unlike some of the more organised RaaS groups, the developers of the Zeppelin ransomware do not have a data leak site. Instead, Zeppelin focusses on encrypting the data to elicit the ransom payments rather than the practice of double extortion facilitated by data exfiltration.
To deploy the ransomware, a macro in the malicious Word document extracts the Visual Basic script hidden within it and stores it in a local file. Then, a second macro executes the Visual Basic script stored in that file. This script downloads the Zeppelin ransomware payload from a C2 server and stores the payload as a local file. The script then sleeps for 26 seconds to avoid dynamic malware analysis before executing the ransomware.
Technical Characteristics of Zeppelin Ransomware
An analysis by the BlackBerry Cylance Threat Research Team has uncovered key technical features of Zeppelin. Like other Russian-based ransomware, it is designed to check whether the system is located in Russia or another ex-USSR country and, if so, not to execute the ransom attack. Zeppelin can be deployed in many different forms, as an EXE, a DLL or wrapped in a PowerShell loader, giving the threat actor a range of deployment options. Attackers also have a large range of configuration options, allowing them to set persistence, delete backups, kill specific processes and choose other behaviours. Zeppelin uses a 256-bit AES symmetric key for file encryption and generates a pair of 512-bit RSA keys for the victim. It then encrypts the private key from this pair with the attacker’s 2048-bit public RSA key that is hard-coded into the binary. The unique ID used to identify the victim is created using the first 11 bytes of the victim’s RSA public key modulus, replacing the third and seventh character with a dash.
This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
Traffic Light Protocol = White