Ransomware: The ones that didn't get away (with it)

We're talking bad guys here, not the victims


Paid feature Well-known ransomware families like Ryuk or REvil make the news every day. Security teams track their development and document the criminal groups behind them. But there are other ransomware groups and tools, constantly evolving as they grapple for a foothold on your systems.

Some of these groups are so small and nimble that the security community hasn't even named them. As technical functionality and human ingenuity combine to thwart security controls, how can you ensure that they don't break through and wreak havoc on your systems?

There are at least 130 ransomware families in the wild, according to malware-tracking non-profit VirusTotal. That sounds bad enough, but it doesn't take strains into account. A malware strain slightly alters some aspect of the code, rendering it different to its peers. Crooks regularly test these strains against the major anti-malware and anti-ransomware tools to ensure they pass unnoticed, in a constant game of cat and mouse.

VirusTotal's first ransomware activity report, released in October, revealed that it had registered 80 million potential ransomware-related strains dating back to just January 2020. Typically, ransomware crooks will craft a new strain for each of their campaigns.

The difficulty of detecting ransomware

How can companies detect these novel ransomware strains before they wreak havoc? Anti-malware companies have traditionally relied on signature detection to find destructive software in their organisation, but if your software hasn't seen a specific strain before, then it won't know about the digital toxin's footprint.

Some software relies on heuristic analysis, but it's an inexact science. In some cases, it tries to decompile code and spot suspicious instructions, but code obfuscation makes that difficult. Others run it in a sandbox to analyse its behaviour, but some software detects that, and it's prone to false positives. Optimising traditional heuristic analysis to spot ransomware without triggering false positives takes careful tuning, and as attack patterns evolve, accuracy can drift.

Why not just whitelist your software? Authorities like the Australian Signals Directorate (the Aussie NSA) have long suggested only allowing certain software to run on your systems. That's troublesome to implement for some organisations, especially those with busy R&D operations that need to run lots of new code, says Toby Lewis, global head of threat analysis at Darktrace.

The other problem for whitelisting approaches is software patching. Updating software might cause a whitelisting program not to recognise it.

"There's a management overhead involved in maintaining those controls," Lewis warns, adding that threat actors can also subvert those protections using things like scripting languages.

Human operators make things more difficult

Ransomware operations have evolved from poorly-written encryption malware to more sophisticated versions that would automatically move beyond victims' desktops, searching for network drives to encrypt. In the past couple of years, ransomware operations have evolved again, warns Lewis. Now, they're more manual than they used to be, and therefore harder to detect.

Defenders face another problem as ransomware business models evolve: the use of manual exploration and exfiltration techniques.

Ransomware attackers have a rich pipeline of vulnerable targets

The initial exploits are typically opportunistic. Ransomware thieves, many of whom are now affiliates of ransomware-as-a-service organisations, operate at scale. They will establish their first foothold in a target system by exploiting channels including web-facing services like exposed Remote Desktop Protocol (RDP) ports. They will also look for VPN gateways. These systems can give them access to unpatched services reachable from the outside.

Ransomware is a numbers game for attackers, who have a rich pipeline of vulnerable targets to hit. They automate as much as possible as they try to gain access, often using automated credential stuffing tools to try cracking open accounts that could give them a way in.

Once inside, though, they can really get creative. This is where the ransomware attack chain has evolved, Lewis explains. It has become less automated and more manual, with human operators picking their way carefully around the system.

"Threat actors are willing to spend time getting to understand the network. They move laterally, often spending days if not weeks getting the lay of the land before actually deploying the ransomware."

Ransomware groups often use post-compromise tools to seek out valuable assets. These include red-teaming tools like Mimikatz, which lets attackers harvest access credentials from memory, or Bloodhound, which enumerates an Active Directory infrastructure to find likely attack paths.

Used properly, these tools make it difficult for defenders to spot suspicious activity. They're part of a movement towards stealth tactics that include living off the land, exploiting baked-in system tooling like PowerShell and Windows Management Instrumentation to gradually pick your way through an infrastructure, turning over valuable assets.

"The more foreign code you introduce into an environment increases likelihood of detection," points out Lewis. Using what's already there keeps an attacker's footprint to a minimum. "Attackers using techniques like this can sit undetected in a victim's environment for a while," he warns.

The rise of double extortion, beginning in early 2020, has no doubt contributed to this focus on human activity. As attackers concentrate on stealing information rather than just encrypting it, they're making more effort to find the juicy records that might embarrass a business. We're seeing some cases now where attackers are actually not even bothering with encryption," Lewis says. "They're just going straight for the theft of data and looking to impact a target's reputation."

Detecting stealth operators and new strains with AI

This move to more painstaking manual operation might be a recent trend in malware groups but it isn't new to cybersecurity in general. You only need read The Cuckoo's Egg to realise that advanced persistent threat (APT) groups are a new term for a threat that predates the web.

The combination of this hacker tradecraft with systematic data encryption and exfiltration exacerbates the problem. It motivates more groups to participate, and the barriers to entry have dropped dramatically. Three decades ago, you'd often need a mentor to get started as a black hat. Today, you can learn what you need online and pay for the rest.

With proliferating strains and wily hackers making detection increasingly difficult, it's time to change defence techniques, Lewis says. This is where Darktrace comes in. Instead of matching file signatures or trying to decompile carefully obfuscated software, its self-learning AI technology assumes nothing, and just looks for behaviour that doesn't normally happen. Its fingerprint is a constantly evolving picture of normal activity across the whole infrastructure.

The AI collects multiple data points from around the infrastructure to build a picture of normality. It uses an appliance, housed either in the customer's on-premises infrastructure or in the cloud, to learn that unique environment's activity patterns from scratch.

This approach helps catch abnormal behaviour from new ransomware strains, says Lewis. It also helps spot bad actors using software that regular admins run every day. "The ability to mimic 100 per cent of the environment they're in is almost impossible," he says. "Real users don't deploy encryption tools. Real users don't try to access services that they've never tried to access before. The attacker is never going to know that."

Darktrace often spots attacks using ransomware variants known for their low-profile tactics. WastedLocker, a form of stealth ransomware, provides a conduit for human operators to live off the land. The company's product detected an attack on a US agricultural client in December 2020 that landed the software on its customer's system via a fraudulent browser update.

A virtual desktop began connecting to unusual external destinations as soon as the infection happened, followed 11 minutes later by lateral movement using targeted port scans. The ransomware used tools already in the target infrastructure to spread to other devices. Darktrace spotted all this, along with the malware's use of an existing credential to authenticate against a domain controller and its subsequent use of a temporary administrative account as it moved to another.

Darktrace investigated the incidents automatically using a feature called Cyber AI Analyst. This feature compiles data about the event and then delivers a report and series of recommendations to human analysts who were able to take the affected systems offline. However, the customer also had the option to switch on Antigena, which is Darktrace's automated response technology.

Had that feature been operating, Darktrace says that it would have taken a proportional response to the attack, blocking malicious activity on the affected ports while allowing the business to continue. This stands in stark contrast to the business-crippling knee jerk responses forced upon some ransomware victims. For example, Colonial Pipeline shut down its operational technology voluntarily during its ransomware attack in May, spiking gasoline prices across the eastern seaboard.

Big-ticket attacks like those capture the public's attention, which helps to raise awareness. For every attack like that, though, there are thousands that never make the headlines, using ransomware strains and techniques that administrators could never hope to stop manually.

Those unsung incidents often cause considerable financial damage. But there's another kind of ransomware attack that never hits the headlines, concludes Lewis. It's the best kind; the one caught so early by AI that it never detonates in the first place.

Sponsored by Darktrace.


Biting the hand that feeds IT © 1998–2021