IBM Security QRadar

 View Only

Anatomy of a ransomware attack

By Gladys Koskas posted Mon June 21, 2021 11:38 AM

  

Estimated reading time: 4 minutes

New ransomware, creation or evolution ?

With new ransomware going out everyday, it sometimes feels impossible to maintain the rhythm and monitor them all.

But even though they are numerous and complex, many ransomware share common blocks of code and behavior.

As an example, Revil (also known as Sodinokibi or Sodin), started to hit just when the end of all GandCrab activites was announced. It appeared after analysis that the code of the two ransomware was oddly similar.

A funny story is related to Petya, the ransomware hitting in 2016. A year after it's first appearance, a twin was found, everybody first believed it was Petya but Kaspersky started to refer to it as NotPetya to underline the fact that they were very similar yet different enough to call it a new malware (story available on Kaspersky website).

More recently, end of 2020, Maze's end has been announced, at the same time two new ransomware known as Egregor and Sekhmet have been observed with odd similarities, indicating that Maze's users might have been only transitioning from one ransomware to the other (theory explained on Malwarebytes website as an example).


The six phases of an attack

In this blog, we'll decompose a ransomware attack into 6 major phases and see how the IBM QRadar Endpoint Content Extension can help you detect ransomware.

For each phase we are going to describe the most common steps taken by ransomware (each attack might use one or multiple techniques), and the list of rules that will help you detect them.

Distribution phase

This is the only phase that is not included in the endpoint content pack as the delivery of the exploit kit to enter the network happens mostly via phishing as well as vulnerability exploitation, and there is a dedicated content extension for it.

 Refer to the QRadar Configuration paragraph to find all the links to the App Exchange.

Infection phase

This is the moment of the call back home. The "real executable" is downloaded, the dropper is deleted and the ransomware is executed.

The extension contains several rules matching IOCs in threat feeds, but also some dedicated ones for particular ransomware, with the goal of making their identification easier for SOC analysts.

Apply Ransomware: Maze IOC in Events on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following System.File Created
and when the event matches Filename (custom) is not N/A
and when the event matches LOWER("Filename") MATCHES '(sss\.exe|2\.txt|ad\.7z|(2|windows|xab3x|xaa3x|2adfind|start)\.bat)' AQL filter query

Depending on the case, rules can apply to Windows, Linux, Flows or multiple of them.

 

Staging phase

The ransomware is now making itself a comfy home! This is the phase where the ransomware is scanning the machine to analyze the administrative rights it could obtain, make itself run at boot, disable recovery mode and delete shadow copies, etc.

These rules can be helpful to detect ransomware and also many more threats.

Apply Attempt to Delete Shadow Copies on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following System.Process Creation Success
and when the event matches Process CommandLine (custom) is not N/A
and when the event matches LOWER("Process Name") MATCHES '(wmic|vssadmin)\.exe' AQL filter query
and when the event matches LOWER("Process CommandLine") MATCHES '(.*shadowcopy\s+delete.*|.*delete\s+shadows.*)' AQL filter query

 

Reconnaissance phase

Now that the ransomware is ready to own the machine, it will start a phase of reconnaissance of the network (attack paths), folders and files with predefined extensions, etc.
The reconnaissance rules have been detailed a little more in the previous Endpoint monitoring essentials for QRadar blog (covering Cobalt Strike, SharpHound, PingCastle, Advanced IP Scanner, AdFind, Everything and Masscan tools).

This set of rules is double-win for a SOC. You can implement monitoring for typical ransomware behaviour, but also to detect some common penetration testing tools used by red teams.

Apply Cobalt Strike Behaviour Detected on events or flows which are detected by the Local system
and when a flow or an event matches any of the following BB:BehaviorDefinition: Cobalt Strike Inbound Traffic, BB:BehaviorDefinition: Cobalt Strike Outbound Traffic, BB:BehaviorDefinition: Cobalt Strike Process Address, BB:BehaviorDefinition: Cobalt Strike Port Usage

 

Encryption

This is the phase where the real damage is being done. The typical path is: create a copy of each file, encrypt the copies, place the new files at the original location.
The original files might be exfiltrated and deleted from the system, allowing the attackers to extort the victim with threats of making their breach public of even to leak stolen documents. For more information about data exfiltration monitoring, refer to the dedicated Need help to monitor data exfiltration ? blog entry.
Most of the time, a full report is created and uploaded home.

The thresholds of these rules need to be adjusted to the size of the company and typical behaviour of the users.
The rule Ransomware Encrypted File Extension is disabled by default as it is configured to match more than 200 file extensions by default and should be limited to critical environments.

Apply Suspicious Amount of Files Renamed/Moved on the Same Machine (Unix) on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Operating System
and when the event category for the event is one of the following System.Process Creation Success
and when the event matches Process Name (custom) is any of mv
and when at least 750 events are seen with the same Machine ID (custom) in 5 minutes

 

Ransom notification

At the end of the process, the user receives a notification and is given instructions to pay the ransom to obtain the decryption key.
At this point there is not a lot more to detect, except for the decryption instruction file creation.

The rule Ransomware Decryption Instructions Created matches typical words used by ransomware such as decrypt, recover, instructions, how to, etc.
This rule is split in 3 parts, looking for particular file extensions, regexes in filenames, and filename + extension.
You can tune it to adapt to a particular ransomware.

Apply Ransomware Decryption Instructions Created on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Operating System
and when the event category for the event is one of the following System.File Created
and when the event matches Filename (custom) is not N/A
and when the event matches LOWER("File Extension") MATCHES '.*?(where_my_files|how_to_(recover_data|decrypt)|contact_here_to_recover_your_files)' OR LOWER("Filename") MATCHES '(decrypt-files|[a-z0-9]{5,12}-readme|readme_for_decrypt)\.txt' OR (LOWER("Filename") MATCHES '.*?decrypt.*' AND LOWER("File Extension") IN ('txt','html')) AQL filter query

 

QRadar configuration

Many of the rules enumerated in this blog are related to file monitoring, this means that additional configuration is required to send relevant logs to QRadar.

Install the DSM

Download and install the DSM relevant to your environment via Auto-Updates or Fix Central. The Endpoint content extension has been optimized to work with Windows and Linux environments, but can be adapted to any operating system. The Phishing and Email content extension has been optimized for Microsoft Exchange, Cisco Ironport, Postfix, Proofpoint and Office 365, but can be adapted to any mail server type.

Configure the devices


Refer to the DSM Guide for the basic configuration.

Additional steps must be taken to configure Sysmon on Windows and Auditd on Linux to match all the rules included in the content pack.

Sysmon configuration on IBM Knowledge Center

Auditd configuration on IBM Knowledge Center

 

Install the Content Extensions


Rules

The IBM QRadar Endpoint Content Extension and the IBM QRadar Phishing and Email Content Extension are available on the App Exchange.

Properties

The pack contains Custom property definition placeholders. This means that you can copy the Custom Properties provided and adapt them to your environment by adding expressions under that definition. You can also download our sets of Custom Properties.

  • List of Predefined Properties available on the App Exchange
In conclusion, even if ransomware are constantly evolving, there are common behaviour that you can watch, and the App Exchange content extensions can give you a good starting point. If you have any recommendation for content to implement, don't hesitate to let us know.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
0 comments
149 views

Permalink