Tactics, Techniques, Procedures and Recommendations of How to Triage
Perspective on the increase in ransomware attacks
Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus shifted from a holistic look at patient care, health outcomes, experience, revenue, and security to health outcomes. In addition, there has been a mass influx in connected devices deployed in facilities without the proper purview of IT and Security teams, leading to an incomplete asset inventory and clear visibility of how/where devices are communicating.
Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers with complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on hack than an autonomous piece of malware propagating across the network. The operators facilitating the recent ransomware attacks are heavily incentivized to make sure their malware is extremely effective at propagating diverse networks. We have seen simple pieces of malware like trojan droppers install remote control functionality and backdoors which allow these ransomware operators to then get on to the healthcare network and then run tools like Cobalt Strike to privilege escalate themselves to admin. Once admin privileges have been granted, these ransomware operators begin turning off the malware detection and incident response programs on the infected devices. We’ve seen these operators use tools like Mimikatz to dump memory and gather local admin passwords or common user passwords on systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we’ve seen these compromised local administrator accounts used to install and distribute the ransomware. We’ve also seen these attackers run PsExec and PowerShell scripts remotely by mounting remote shares (like IPC$ and C$) using the compromised credentials. If local or commonly utilized credentials cannot be gathered from initially infected host we’ve seen them pivot to other hosts, or use common exploits kits to propagate throughout the network. These operators are skilled and unfortunately most healthcare providers and healthcare delivery organizations are trivial to compromise once these ransomware operators are inside.
Healthcare organizations that have vulnerable services on the edge of their network get compromised easily by autonomous scripts that are constantly scanning the internet. Once compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks, and utilize common local administrator accounts on largely unpatched systems. It is common to find legacy and largely unsupported operating systems like Windows XP running on both workstations and critical medical devices which cannot be patched and are running vulnerable services like SMBv1 that are available to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.
Let’s discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:
The Zeppelin ransomware is believed to be operated by a Russian cybercrime group however very little is known about the operators. The initial infection code checks to make sure it will not infect machines located in Belorussia, Kazakhstan, Russian Federation, or Ukraine. The Zeppelin ransomware code is largely is based on a purchasable ransomware variant known as VegaLocker which is available on multiple hacking and ransomware as a service websites and forums. The initial infections of Zeppelin began in the beginning of 2019.
What does a Zeppelin Compromise typically look like (TTPs):
- Typically, a spam or phishing email is received by an organization that includes an infected document that download and installs malware onto the system.
- Some initial infections appear to be Vidar Spyware or the CobaltStrike penetration tester toolkit.
- Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle Weblogic servers available on the internet.
- Once connected to the infected system the operators will install PowerShell scripts and PsExec.
- In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn’t already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
- The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
- Typically, the Zepplin operators attempt to compromise the domain controller and once compromised they create a domain admin account to distribute the Zeppelin ransomware throughout the network.
- The domain admin account that is typically created is called “SQLSvc”.
- If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from memory of infected systems and propagate through file deployment and execution by PsExec.
- Once on the Domain Controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
- The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
- Finally, the scripts and Zeppelin ransomware is executed on all connected devices via PsExec.
The Ryuk (aka Conti) ransomware is known to be operated by Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware as a service websites and forums. The Russian cybercrime group started targeting healthcare organizations in late 2018.
What does a Ryuk Compromise typically look like (TTPs):
- A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
- The Ryuk operators gain access to the Emotet/TrickBot compromised machine typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
- Once on the infected system the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
- Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
- It is common for the Ryuk operators to utilize the PowerShell Empire post exploitation kit.
- The Ryuk operators dump the infected machines memory looking for local accounts that are used on Workstations and Servers throughout the network.
- If local credentials are not found, the operators will use common exploit kits.
- Lateral movement and infection happen either via RDP or through PsExec.
- Typically, the domain controller is initially targeted and if compromised the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
- Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon to be infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
- The Ryuk ransomware is deployed to all machines using PsExec and a local service is created and started to run the Ryuk binary.
- The Ryuk operators sometimes oversee the infection to ensure that it is successful and once infected they start emailing employees informing them of the infection and to reach out to them via an anonymous email where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.
Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April of 2019 and is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have hired affiliate hackers with a guaranteed payment of $50,000 USD and between 60% to 70% cut of the revenue after payments were secured from victims. The developers of this ransomware regularly post updates and new functionality to their code. Once installed, Sodinokibi ransomware initially looks for the computers language settings and will not infect if the set language is used in most former Soviet Union or Middle Eastern countries. The Sodinokibi ransomware has been seen using several TTP’s including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords.
What does a Sodinokibi Compromise typically look like (TTPs):
- It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
- The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
- After the initial infection the Sodinokibi operators drop various exploit and privilege escalations kits to laterally move throughout the network.
- Similar to Zeppelin the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
- Once infected with the Sodinokibi ransomware, the malicious binary deletes all file shadow copies on the infected system and disables recovery mode in order to ensure that the encrypted files could not be restored from a local backup.
- The Sodinokibi ransomware includes several persistence and Anti-Anti-Virus and Anti-Backup/Restore functionality making the installation easy. This functionality makes it more autonomous for the operators which is why we sometimes see Sodinokibi installed in simple drive by attacks on vulnerable internet facing servers and services.
One concerning tactic that most ransomware as a service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs typically hosted on the Dark Web. We’ve seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.
Recommendations on using Ordr to Protect Against Ransomware
- Discover and identify your weak points
- Identify devices running legacy versions of Windows that are running SMBv1 (such as Windows XP and Windows 7) The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr’s Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems Windows 7 (or older).
- Identify devices with known vulnerabilities as attackers will try to exploit them them. Use Ordr’s built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
- Identify high-risk and vulnerable devices that cannot be patched. Using Ordr integration with winRM, you can identify device operating systems and status of patches.
- Enable proactive segmentation
- Using Ordr, systems that cannot be patched need to be isolated. Ordr allows you to easily create segmentation policies that restrict devices to only sanctioned communications required for their functions.
- Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
- Monitor for Ransomware Indicators
- Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
- Alert on common exploits and known ransomware payload URLs used in lateral movement such as EternalBlue.
- Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
- Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and log off activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and identify any anomalous user accounts created within the network by threat actors
If you’ve already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in my blog here. Note that with ransomware examples in this blog, there are no decryptors available at this time.
If you have questions about ransomware protection, please contact us at firstname.lastname@example.org. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
Jeff Horne is currently the CSO at Ordr where he is responsible for security direction both within Ordr products and internal security. Prior to Ordr Jeff was the VP of Information Security for Optiv where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv Jeff was the Senior Director of Information Security for SpaceX where he was responsible for the overall security strategy of SpaceX and managing the Information Security, Compliance (ITAR), Security Operations, and Physical Security groups. Previous to SpaceX Jeff was the Vice President of R&D and Chief Architect for Accuvant LABS where he managed teams of researchers and consultants specializing in reverse engineering, malicious code, incident response, breach analysis, and vulnerability assessment. Prior to Accuvant Jeff was the Director of Threat Research at Webroot Software where he led several teams of malware researchers, reverse engineers, and a development organization specializing in creating anti-malware functionality and detection signatures for all Webroot products. Jeff began his career as a Vulnerability Researcher at Internet Security Systems where he was responsible for vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware. Jeff is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.
Follow by Author