A couple of weeks back, I was delivering a presentation. During this session I mentioned that if you are working in the technology industry these days and haven't heard about a ransomware attack affecting a large organization, you have probably been living under a rock!
For those unfamiliar with the basics of ransomware, I would highly recommend reading the following blog post by Darren Mccutchen, from the NetWitness Threat Research Team. The blog post is a great starting point for everything one needs to know about Ransomware and how it functions.
Ransomware operations have increased significantly over the past few years. As we have seen with recently publicized large scale attacks, ransomware groups are adding a great deal of sophistication to their tactics.
These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver their mission-critical services.
There is no indication of bad actors stopping anytime soon and new variants of the malware are created and deployed almost every day.
Per our research, we identified that impairing defenses to achieve evasion, tampering with system recovery mechanisms, disabling security tooling are couple of common techniques that are employed by threat actors during the various stages of typical ransomware operations.
Understanding the importance of detecting these exploitation methods used by threat actors, we have come up with endpoint-based application rules that aid in identifying not just malicious ransomware activity, but other adversaries as well that might employ similar techniques.
- deletes shadow volume copies*
Update to the existing rule to cover additional avenues which can be detected through the parameter attribute. Ransomware operators often attempt to delete shadow copies so that victims are not able to restore file access by reverting to the shadow copies.
Generated Meta Keys: boc = deletes shadow volume copies
- deletes backup catalog*
Update to the existing rule to cover additional avenues which can be detected through the parameter attribute. Deleting backup catalog can be an indication of someone trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
Generated Meta Keys: boc = deletes backup catalog
- disables windows defender using powershell*
Update to the existing rule to cover additional avenues which can be detected through the parameter attribute. Such a behavior can be indicative of someone trying to compromise the integrity of the security solution, causing events to go unreported.
Generated Meta Keys: boc = disables windows defender using powershell
- deletes shadow volume copies using powershell
Ransomware operators often attempt to delete shadow copies so that victims are not able to restore file access by reverting to the shadow copies.
Generated Meta Keys: boc = deletes shadow volume copies using powershell
- tampers with windows defender registry
The rule triggers when the windows defender registry is tampered with to disable the antispyware service. Such a behavior can be indicative of someone trying to compromise the integrity of the security solution, causing events to go unreported.
Generated Meta Keys: boc = tampers with windows defender registry
- removes windows defender definitions
The rule triggers when the definition files are removed from windows defender. This technique essentially would make the security solution unable to pick up on the latest threats as it lacks the latest signatures.
Generated Meta Keys: boc = removes windows defender definitions
- evades scanning within windows defender
The rule detects evasive technique to modify windows defender to exclude scanning from stated paths, for stated processes & extensions. Using the technique bad actors can make defender not take any actions against malicious files that are used during malware operations.
Generated Meta Keys: boc = evades scanning within windows defender
- disables windows audit policy
The rule detects windows audit policy being disabled to prevent host-based information being written into the event logs. Attackers can exploit the technique to prevent the collection of additional audit logs and evidence trail which makes forensic analysis and incident response difficult due to lack of sufficient data to determine incident occurred.
Generated Meta Keys: boc = disables windows audit policy
- clears application event log
New rule added to complement the existing rules (clears security event log, clears system event log) for better detection coverage. Indicator removal on host makes forensic analysis and incident response difficult due to lack of sufficient data to determine incident occurred.
Generated Meta Keys: boc = clears application event log
- clears setup event log
New rule added to complement the existing rules (clears security event log, clears system event log) for better detection coverage.
Generated Meta Keys: boc = clears setup event log
- clears event logs using powershell
New rule added to complement the existing rules and cover the additional avenues of tampering with event logs.
Generated Meta Keys: boc = clears event logs using powershell
- disables event logging service
The rule detects when the logging service is blocked in windows. This would result in the service not being enabled during system boot and thus event logs would not be captured.
Generated Meta Keys: boc = disables event logging service
- enables safe mode
The rule detects when safe mode or safe boot is enabled in windows through the command line. Causing windows to reboot in safe mode would allow malware operators to make changes that may otherwise not be possible in normal running mode.
Generated Meta Keys: boc = enables safe mode
- disables safe mode
Disabling safe mode can be indicative of an adversary trying to cover its tracks after it has evaded detection or compromised the security software, as most of them do not function in safe mode environment.
Generated Meta Keys: boc = disables safe mode
*These rules exist on NW Live already, and have been updated now. Please make sure that latest version of the content is deployed.
*Please note that the application rules listed above may generate false positives. As each environment is unique, the filtering/whitelisting should be done on an individual basis.
- NetWitness Platform 11.x and higher
- NetWitness Endpoint Server
Now is the time for targeted threat detection against ransomware activity. Resources mentioned in this blog post will be helpful to effectively monitor, detect & further respond using the NetWitness Platform.
- Ransomware: A Beginner’s Guide to Threat Detection
- NetWitness Ransomware Defense Cloud Services
- Managing Risk Amid Spike in Ransomware Attacks on Critical Infrastructure
- Using RSA NetWitness to Detect Ransomware Attacks
- It’s all fun and games until ransomware deletes the shadow copies
- The Kaseya VSA REvil Ransomware Supply Chain Attack: How It Happened, How It Could Have Been Avoided
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.