A recent client incident response engagement relating to a ransomware attack has led us here at 7 Elements to explore trends in attack vectors and malware strains.
As part of the response, we took a deep dive into the Emotet and TrickBot malware strains used to support a Ryuk ransomware attack. This included identification of the initial attack vectors used to compromise the environment. How the malicious actors gained a foothold, the methods used to leverage this initial access to maintain command and control over the asset and use this to map the internal network. Resulting in lateral movement, exfiltrate data for nefarious purposes, and finally encryption of data for extortion.
This blog post takes a high level look at what we found.
The Ryuk ransomware family was first identified in September 2018, being traced to the WIZARD SPIDER criminal organisation. Their operations have focused primarily on cybercrime. The Ryuk strain of ransomware has been used to predominantly target large enterprise environments as reported by CrowdStrike, with the objective of forcing the organisations who are affected to pay a significant ransom to regain access to their encrypted resources and assets.
This type of attack vector is often referred to as ‘Big Game Hunting’. It relies on large-scale enterprise compromise to increase the necessity of an organisation needing to regain control of their environment by paying the ransom demanded, as local recovery would not be possible (due to removal of restoring from backup). The Ryuk ransomware strain bears a resemblance to previously identified malware, such as the BitPaymer ransomware.
Under the Hood
This particular ransomware attack has a number of moving parts, designed to perform tasks including but not limited to encryption and deletion of sensitive, valuable data as well as deletion of backups. Privilege escalation to a high privileged account such as a Domain Admin account and network mapping leading to lateral movement to navigate through the environment and further propagate the malware to affect as much of the environment as possible. This typically increases the likelihood of a successful attack resulting in the ransom demands being met.
The organised crime gang uses both TrickBot and the Emotet trojans in tandem with the Ryuk malware to accomplish this aim.
TrickBot and Emotet are employed by the malicious actor to leverage initial access into full compromise of one host. Research by the Malwarebytes lab team identified that this is often accomplished via performing a phishing attack against users within the organisation. The phishing email is likely to contain a malicious script, or document containing a macro that when executed, triggers a PowerShell command to download the Emotet trojan from an attacker controlled remote host onto the victim host.
Once Emotet is downloaded and installed on the vulnerable host, it uses its built-in download functionality to retrieve and execute the TrickBot trojan payload(s) on the host.
TrickBot contains a number of modules that are designed to perform malicious activities on infected hosts. Malware analysis has previously revealed that this included malicious .dlls that contain code designed to perform system and network enumeration, retrieve sensitive information and code used to propagate the malware and attack other systems.
From our recent investigation we identified a number of malicious files, including:
The systeminfo64 and networkDll64 files contain malicious code with the objective of extracting information from the systems registry hive, performing WMI queries and producing network/domain topology. This information is submitted back to the attacker via the use of a Command and Control (C2) server allowing them to identify useful targets and produce an accurate map of the infrastructure and active directory implementation.
The psfin64, injectDll644 and pwgrab64 malicious DLL files are used to attempt to identify locations that may store sensitive data such as user credentials or financial resources. They then attempt to extract that sensitive information or compromise those resources. Attack vectors included extraction of user credentials or tokens from system memory, or the compromise of network connected credit card payment machines and other devices used for financial transactions.
The wormDll64, shareDll64 and other related .dll files contain malicious code which is employed to assist in the process of lateral movement through the environment, as well as establishing methods of persistence for the attackers to access the environment at a later time. The process begins by using SMB and LDAP querying to identify access to other hosts and enumerate information from those hosts, such as domain enrolment. In some instances, it also attempts to exploit known vulnerabilities in the SMB implementation, most commonly the ETERNALBLUE vulnerability to achieve unauthorised access to other hosts. It then attempts to verify remote access via the Remote Desktop Protocol (RDP) or other means such as third-party tools.
One of the most common attack patterns, as observed by CrowdStrike, and in keeping with what we found during our incident response, appeared to be a multi-stage process, leading to a compromise of the wider environment. This starts the TrickBot trojan executing an obfuscated PowerShell script that establishes a connection to a remote server hosted by the attackers. A reverse shell would then be downloaded to the victim host and executed, connecting back to an attacker-controlled host. The TrickBot trojan then looks to perform a number of actions on the victim host(s). First, it runs some PowerShell anti-logging scripts to mask its activity, followed by disabling any anti-virus software in operation on the host, before performing system and network wide reconnaissance using built-in windows functionality as well as a number of the modules mentioned previously. TrickBot attempts to identify user accounts with higher privileges that may be stored in memory and extract their credentials, with the aim being to achieve enterprise or domain admin access. It will also look to harvest any useful sensitive information, such as financial data or a user’s web browser password vault contents.
Using any credentials identified, including those belonging to the initial exploited user, lateral movement is attempted to identify accessible users and repeat the process. One of the TrickBot modules attempts to create service user accounts on any host it is able to get a foothold, before downloading and installing a C2 server as a service. Lateral movement through the network to access new hosts will continue, attempting to access critical resources such as domain controllers.
Coup de Grâce
Once the initial compromise is successful, the attacker will then upload the Ryuk malware via a Remote Desktop Protocol (RDP) connection and execute it to infect the system. This will begin the process of encrypting files whilst also creating a ransom note in every folder where it has encrypted those files.
The PSEXEC utility is then used to propagate the Ryuk binary and execute it on each host that has been compromised. Ensuring that the malware performs the file encryption and deletion process on the hosts. Upon completion of the activity, scripts are executed to terminate processes or services used as part of the attack, and remove any and all data backups identified, before finally removing the Ryuk binary from each host.
However, this final tidy up is not always noted, in our latest incident, multiple copies of the Ryuk binary were left on affected hosts. We also identified the use of scheduled tasks to coordinate timed delivery of the ransomeware payload.
Magic (otherwise known as Crypto)
The actual file encryption, as reviewed by Checkpoint, was determined to use a combination of symmetric and asymmetric encryption using encryption keys unique to the victim to encode and lock the files. Specifically using RSA-2048/RSA-4096 and AES-256 keys and keypairs. The first keypair is the global keypair held by the attackers, the private key of this pair is kept separate from the victim throughout infection. The second key pair is the victim specific keypair. This is embedded within the Ryuk malware binary and is unique to each victim organisation. This is used to perform the initial encryption of the files on the victim hosts as well as any network shares the victim may have access to.
As a result, only the appropriate private key for that organisation will allow for data to be decrypted. The private key used is pre-encrypted using the global keypair, which would mean that the only way to retrieve the unique private key used to encrypt the files is to decrypt it using the private key from the global keypair. All of this is encrypted using the AES-256 keys that have been generated specific to the victim using the Win32API ‘CryptGenKey’ and ‘CryptExportKey’ functions. This allows the malicious actor to obfuscate the process further and prevent analysis and attempts to combat the malware.
Recent threat intelligence disclosed by security firm Emsisoft, noted that the Ryuk Ransomware has recently been modified. It appears that the newer version no longer encrypts files larger than 54.4 megabytes. This appears to be with the intention of speeding up the encryption process. Instead, these files are only partially encrypted, which will likely make decryption and retrieval of the data impossible.
Ryuk in Practice
During our recent client engagement, we examined the initial breach that led to a significant compromise of the client’s internal network, as well as the actions undertaken after the initial compromise. This included the actions taken against any hosts, services or users that may have been compromised, as well as any data exfiltration activities undertaken.
While it is common to prioritise an emphasis on loss of resources caused by a ransomware attack, the broader understanding of the full attack process end-to-end often gets overlooked during the incident response activity. This Is typically due to the IT and business teams focusing on the immediate issue of loss of data or resources. Unfortunately, this can often lead to the cause of the initial attack or post breach attack vectors persisting. Which in the worst case could expose the organisation to repeat attack.
Side-note – Data Exfiltration
Serious consideration of possible GDPR reporting requirements should be given. To enable a full appreciation of this, the organisation should look to identify evidence of data exfiltration and where possible assessment of that data to understand if any data falls within the need to report to external agencies such as the ICO.
Our CEO, Dave Stubley providing Information Security Media Group (ISMG) with insight on ransomware tactics.
Even without a blatant threat to expose or sell data, we are seeing other ransomware families exfiltrate ‘useful’ data and in some cases, using the data obtained to deliver targeted phishing against supply chain partners.
Taking a broader look at the incident at hand, we determined that the organisation was compromised by the malicious actors sending a large number of emails. Those emails had malicious word documents attached, containing macros designed to download the Emotet malware (using PowerShell).
The Emotet malware then downloaded, installed and executed a number of TrickBot malware executables designed to identify and extract sensitive data, enumerate the wider network and active directory instance. This included querying for information relating to hosts, services and user accounts.
User credentials stored in system memory and session cookies stored within the user’s browser were also extracted, and all information was transmitted to an external server via a Command and Control service.
While the antivirus solution employed by the client, as well as other systems designed to mitigate attacks led to a loss of data that would have been useful to the investigation, 7 Elements were able to prove that client data was exfiltrated, with the intention of recycling this information to target related third parties in similar attacks. However, of interest, only information stored within the initial compromised host was exfiltrated.
The attackers used the credentials harvested to pivot further through the network using RDP.
Once the malicious actors had completed their compromise of the estate and exfiltrated data of interest, they then uploaded and ran the ransomware binary to begin encrypting data and deleting copies and backups to prevent or limit data restoration activities.
While the ransomware proved to be at the core of the attack, we placed a significant emphasis on trying to identify how the environment was initially compromised, and then how the malware was propagated throughout the environment. Looking to answer questions such as:
Did they attackers leave any further backdoors into the environment?
Did they steal any sensitive information relating to the organisation, or third parties such as clients or customers?
This is critical in ensuring that any weaknesses exploited as part of the attack can be identified and resolved, and more importantly to reduce the odds of a successful follow-up attack, or exposure to GDPR related sanctions.
One area that we can all agree, would be in the need for verbose incident response and disaster recovery plans. While it is still possible to respond without such plans in place, the potential consequences of a breach are reduced and restoration of the environment can be as efficient and comprehensive as possible, if plans exist. While this may increase the cost of security within the organisation, it will be greatly appreciated if and when a breach should occur.