Ransomware Operators Can Circle Defenses: Proactive Defense Strategies

Posted on in Podcasts

Ransomware Operators have not only increased the ransoms they demand but are also using additional coercion techniques to perform multifaceted extortion attacks. Between us, we have worked on several ransomware incidents observing closely the challenges that organizations face while battling and remediating ransomware incidents. Based on the learnings from responding to such incidents, we will share our learnings and thoughts on the ransomware attack life cycle, practical security controls and enforcement measures to defend against and limit the impact of ransomware attacks.

Podcast Transcript

You're listening to the RSA Conference Podcast, Where The World Talks Security.

Kacy Zurkus:
Hello listeners, and welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference, and today I am joined by two guests, Anurag Khanna and Thiru Natarajan, who are going to discuss potential remediations to ransomware attacks.
Before I get started, I want to remind our listeners that here at RSAC we host podcasts twice a month, and I encourage you to subscribe, rate, and review us on your preferred podcast app so that you can be notified when new tracks are posted. Now I'd like to ask Anurag and Thiru to take a moment to introduce themselves before we dive into today's topic. Anurag, over to you.

Anurag Khanna:
Hey everyone, my name is Anurag, and I work as a manager with the CrowdStrike IR team based in Melbourne, in Australia. I do incident response, so I lead a team of incident response consultants. We do a lot of incident response against nation threat detectors, e-crime protectors, which primarily is ransomware these days. I also teach for the SANS Institute, so I'm an instructor there teaching their course on Hacker Tools, Techniques, and Incident Handling. That's a SEC504 class. I'll hand it over to Thiru for his introduction.

Thirumalai Natarajan:
Thank you team. I'm really happy to be here with you all. My name is Thiru, I'm a senior manager in Mandiant Consulting, now part of Google Cloud. We predominantly support customers to respond and remediate to major security breaches that the customers face. That includes ransomware attacks, finance motivated attacks, APT incidents, cyber crimes, and insider threats. We do also proactively assess the security and defense posture of our customer's identity and cloud environment as well as enterprise security architectures. Prior joining Mandiant, I work for Symantec. I spent more than a decade in Symantec. I delivered and perform various security roles. One among them was building and managing security operation centers and security operation team. Thank you.

Kacy Zurkus:
Wonderful. Well, it's great to have you both here and I want to hop right in because clearly you each bring a wealth of experience to today's conversation which is super important for our listeners. So maybe the best place to start is with setting the groundwork. Could each of you explain what you would say are the trends of ransomware and how have ransomware operators' techniques evolved of late?

Thirumalai Natarajan:
Kacy, I can take this first. The term "ransomware" traditionally refers to the malware which is used to encrypt files or sometimes entire systems. In 2017, the WannaCry ransomware attack was a worldwide cyber attack. The ransomware was propagating automatically by exploiting SMB vulnerabilities, more like a worm. Whereas in today's landscape, there are always human operators behind all the stages of ransomware attacks, and these attacks have been intensified, resulting in a disruptive multi-billion dollar criminal industry.
Ransomware operators have evolved to perform multifaceted extortion. So this specific threat combines traditional ransomware and other extortion tactics to pressurize victims to comply with the threat actor's hefty demands. There is also a subscription based model called as "ransomware as a service", whereby malware developers will create and lease out ransomware and it's enfranchised to other affiliates. Later, the ransomware affiliates will use these malicious capabilities to target the organizations. So this subscription model lowered the entry bar for less sophisticated actors. Based off entrance report, so we have observed 21 days average on time experienced by victim organizations from ransomware attacks, and the median number of days between initial compromise and deployment of ransomware was seven days. Approximately a quarter of ransomware incidents occur within one day of initial attacker access. So this is a quick overview on the trends of ransomware and evolution of the operator's technique. Anurag, can you add your thoughts on this?

Anurag Khanna:
Sure, Thiru. Thanks for putting that introduction out. I actually want to take a step back and explain to the listeners how these attacks happen. Typically, there is a threat actor they're after money, they are e-crime threat actors. They perform reconnaissance, looking for an access to the environment. This access often happens through a virtual private network, a VPN, which has single factor authentication enabled on it. And we can talk more about that sometimes happen through open RDP and phishing attacks. And once the threat actor has gained access to the environment, they typically harvest credentials. They want to become a privileged account, they want to gain privileged access in the environment. Once they have gained that, they typically perform two things: they steal data with the purpose of performing extortion, and they also destroy backups. Now they destroy backups because they don't want organizations to be able to recover. These are typically the two key steps that happen once a ransomware threat operator has gained access to an organization environment.
Now once they have stolen the data, they have destroyed the backups, the next step they perform is deploy encryptors and run somewhere across the organization. Once they have done that, they ask for money to be paid often in the form of cryptocurrency and that's their payday. That's the business model these threat actors and threat operators are following. And we have seen in the last three years or so that this is a very, very successful business model and a lot of organizations do pay a lot of money to these threat actors. Putting that in context, you have to pick one trend of what these threat operators are doing these days and how their tactics are changing. One thing which we have picked up is they are targeting a lot of virtual machine servers. Now this could be VMware ESXI machines, which a lot of organizations use to host their infrastructure.
It could be HyperV service. And the specific reason why threat actors are targeting this is if they can get into these machines quickly and encrypt everything on these machines. The threat actors are encrypting all the VMD K machines, which are like hard disks for the VM virtual machines. Once they have done that, one, it is very quick, the encryption, so they can get on machine quickly, encrypt all the VMD K files. It is very impactful because a lot of these ESXI servers and HyperV servers host critical workload for organizations, and if these are encrypted, the entire data is lost and a lot of logs are also encrypted. So making it difficult for an organization to recover as well as to figure out what happened and how did the threat actor come in and deploy the ransomware. That's one trend which has gained a lot of traction recent times and when done successfully from a perspective of the trajector, it does have very, very high impact. So I would say those are a few things which we are looking at.

Kacy Zurkus:
So you mentioned some of the common techniques that you've seen, but when it comes to the ransomware operators and their targeting organizations, like let's get down into the nitty gritty, like what are they doing? What do they do to gain that initial access in the environment? What are the techniques that they're using?

Anurag Khanna:
Yeah, so I did talk about how threat actors gain access to the environment. Now if I have to pick one technique, I would say valid credentials or valid credentials still remains one of the most common ways of how threat actors gain access to environment. Users continue to use weak passwords or reuse passwords across websites and services, which leads to an attack which we commonly call as credential stuffing attack. This is where a threat actor gain access to dumped or compromised credentials that have been leaked because another company or another website got compromised and threat actor was able to gain access to the credentials that were being used in that website. As users reuse passwords, threat actors take those credentials and often try to use those credentials to access VPN services that organizations might be running or other services that may help them to gain exists into the environment remotely.
And I'm going to say it here and maybe we'll have a chat later in this discussion also about recommendations, but I'll definitely mention it here that MFA or multifactor authentication is one of the control which a lot of organizations still do not have. That's something which does make it harder for a threat actor to gain access with the environment. Now, credentials stuffing still remains one of the most common techniques these threat actors use to gain access. But there are some other techniques also, and if I talk around the same context of passwords, exposed services like some of the Windows servers may have RDP service running, which is a remote desktop protocol, remote desktop service, and threat actors try different passwords, often commonly used user accounts and passwords, and they try to gain access to these servers that might be exposed to the internet. I would say these are some of the common things which I've seen. There are some others. I'll let Thiru chip in with some of the other commonly used initial vectors.

Thirumalai Natarajan:
Definitely. So ransomware operators use various techniques to gain initial access to the organization's environment. Some of the common techniques that we observe while responding to incidents, especially with ransomware incidents, we have seen the operators exploiting vulnerabilities or misconfigurations that exist in external facing services. That includes exchange servers, especially VPN gateways, firewall devices, Citrix gateway devices, public facing RDP gateways. These are... threat actors, they exploit remote code execution vulnerabilities or authentication bypass vulnerabilities in these servers. So after exploitation, they can plant web shells in these servers which will gain them an access as well as they can maintain access to the service which can open door to the victim's organization environment. We have also observed ransomware operators performing real time fishing or tailored fishing campaigns against the target organizations. This will promote them to lure users to execute malware binaries to gain access to the system and their credentials. So these are some of the common techniques used by ransomware operators now to gain initial access to the environment.

Kacy Zurkus:
That's interesting. And so if we think about gaining the initial access and then where do they go from there, what are some of the techniques that ransomware operators are using for deploying that ransomware at a large scale?

Thirumalai Natarajan:
So we talked about threat actors gaining initial access. So once ransom operators gain initial access, they perform reconnaissance and enumerations in the environment, especially in the victim's environment, to understand the domain structure and the network infrastructure, to identify the crown jewel data and service, so they perform passive reconnaissance. So during passive reconnaissance, threat actors often gather information on high value targets by mining secondary or tertiary systems, which may contain valuable information. The common stores of data such as Git portals, Confluence, SharePoint, are often sources for passive reconnaissance. So threat use various tools like Rubeus, Mimikatz, ProTemp. So through this tool they can extract the credentials, our ticket from the compromise system. So with that credentials threat actors can laterally move and elevate their privileges. Very commonly we have seen threat actors exploiting misconfigurations in active directory environments or in PKI service through which they can escalate their privileges to domain administrators. So now with the elevated privileges, ransomware operators can deploy ransomware binaries in large scale by abusing the living of the land binaries in Windows operating systems such as wmic.exe or sc.exe. They can also leverage protocols such as SMB and Windows management to deploy ransomware. So these are some of the common techniques used by ransomware operators to deploy ransomware in large scale. So Anurag, can you share your observations on other attackers techniques used by operators for ransomware deployments?

Anurag Khanna:
Let me put it this way. Once a threat actor has gained access to the environment, they have escalated privileges. They are just limited by their imagination and how they can deploy encryptors across the environment. One common way how organizations manage their environments is by using enterprise deployment tools for softwares, the same deployment tools which the organizations uses or the IT teams use, they can be used against the organizations. So our threat actors have known to use those enterprise deployment tools to instead deploy encryptors. I'm looking at things like SCCM, which comes from Microsoft. Any endpoint security management solution, a lot of those are available. A lot of those are used by IT teams. They can be used to deploy ransomware. That's one way of doing it. There are multiple ways our threat actors do it. Another common way, which we have seen threat actors deploy encryptors, is using group policy objects and group policy objects are available in active directory domains.
They are used by system administrators and IT teams to manage the environment to make sure that the Windows environment is healthy and managed properly. The same group policy object can be used by a threat actor once they have gained access to a domain controller and they do have the requisite privileges to deploy encryptor. Now they can do it by running batch scripts. They are setting up scheduled tasks. There are multiple ways how that can be done once threat protector decides that GPO is what they're going to use. And that's a very, very commonly used method of deploying encryptors in the environment. I did say that they escalate privileges, as in, the threat actors, once they gain access to the environment, they escalate privileges. What often happens is defenders, we can get boxed with the idea that the threat actor needs to become a domain admin or an enterprise admin.
That is true in a lot of cases. That's commonly what happens. The threat actor becomes a domain admin and then it becomes easier for the threat actor to do mass deployment of encryptors. But also what sometimes happens is why the threat actor is not able to gain domain admin or they didn't have to gain domain admin. They were able to gain a local admin password or local admin privilege. And if that same local admin was being used on a wide number of systems, a lot of systems, essentially they have capabilities to deploy encryptors on all those machines. Now they can use SMB as, Thiru, you mentioned about WMIC and SMB. One tool, which is extensively used by threat actors to deploy ransomware is called PsExec. PsExec is a Microsoft signed utility provided by Sysinternals, used extensively by predictors as well as defenders. Now since defenders use this, it often becomes difficult to identify, is this a defender or an IT team using this particular tool or is it an attacker using this particular tool? So yeah, they can essentially use any tool that is available in the IT environment and used by the IT teams to deploy an encryptor across the environment.

Kacy Zurkus:
What about multifaceted extortion? Could you talk to our listeners a little bit about that?

Thirumalai Natarajan:
Yeah, so multifaceted extortion is the number one cybersecurity thread to organizations worldwide. These have taken the traditional ransomware upper notch. The impact may be significant as it combines business disruptions, data theft, public shaming, and other harmful extortion techniques. We have seen Hive ransomware operators use Hive leaks in not name and shame their victim organizations. So during this event, ransomware operators can destroy data backups in order to disrupt the recovery process of the organization. And this will increases the likelihood of organization, the victim organizations, paying ransom to ransomware operators. So to achieve this, they perform various activities and some of them are like destroying volume shadow copies, encrypting the backup data stores in on-premise as well as in cloud storage, abusing backup APIs in order to perform a large scale data disruption. As I referred earlier, so this thread combines traditional ransomware and other extortion tactics to cause victims to comply with hefty demands. Anurag, can you chip in and share your updates on multifaceted extortion?

Anurag Khanna:
Yeah, sure, Thiru. I think Thiru did a good job of talking about how threat actors target backups. So what I'm going to do is, I'm going to talk about exfiltration part of it because, as we talked about earlier, typically ransomware operators have two ways how they extort victims into paying. One is by destroying backups so that the victims cannot recover. The other thing which they do is exfiltration of data. Now exfiltration of data can happen using multiple ways. Once a threat actor is in the environment, they can use whatever techniques or whatever utilities are available to them. One common utility which threat actors use is called Rclone. So Rclone is a utility that can be used, it's open source tool, it's command line operated computer program. It can be used to manage and migrate content over the cloud, which works very well for the threat actors. And they can combine a tool like Rclone with a cloud based service provider like Mega.nz is one of the one which is very commonly used by threat actors.
So what they can do is use something like Rclone and use that to push data across the internet, into Mega, which is a cloud storage and that's how they can perform exfiltration. Now again, that's one way of doing it and that's a common way of doing it, but that doesn't mean there are other softwares which are purpose built for something like this. There is a software called Sender 2, which is used by some of the threat operators, which when executed on a machine, starts copying data out of their machine directly to the internet. So that's another way how threat actors can do this. Often threat directors stage the data which they're after. So they'll copy the data at a single place, stage it, archive it, zip it, and then push it out to the cloud. But again, as I said, there are utilities which can directly pick data up from a endpoint and push it out to a attacker managed system on the internet.
It again, depends on what that attacker want to do. They can use something as simple as a file transfer protocol or an FTP client to copy the data out into a system which they own and operate and manage in the cloud environment. There are few other ways how they can do this once they get access to the environment. Threat actors often used out of bad admin tools like AnyDesk and ScreenConnect and TeamViewer, a lot of these exist which are often legitimately used by IT organizations to manage their IT environment. But threat actors also deployed them because it's easy to use those and it's difficult to detect by a lot of IT teams that they have been used. Now, once a threat actor is using any of these tools which are talked about or any others, which they may have found out, they can use the same tool.
A lot of these tools do have capabilities to copy data over the channels which they run so they can use those to copy data. Another common thing, and this goes back to threat actors using single factor VPN access into the environment. Once they have VPN access they can just map SMB shares or file shares, or they can even copy data over a RDP session which they might be running because now they are part of the IT organization's environment, organization's IT environment, and they have RDP access to the servers which they are trying to copy data from. So some of these ways are commonly used by threat actors to copy data and push data out into a system which they own, ultimately with the intention of extorting the victim into paying up. Now I would like to mention here while we are talking about threat actors destroying backups and exfiltrating data, both these techniques, there are threat actors who are now focusing only on the exfiltration of data part, and they may not even destroy the backups. And once they have the data, they start extorting the victims to paying up because they now have access to data which they can leak in the public and that's how they are extorting victims.

Kacy Zurkus:
Thiru and Anurag, you have shared a lot of really valuable information with our listeners today, and I'm sure many are grateful that this is a recorded conversation so that we can go back and listen because there's just a lot here. Before we wrap up, I would love if you could talk about your recommendations for what organizations can do to protect against and defend against these kinds of attacks.

Anurag Khanna:
My number one control, which I recommend, and I'll put it out again because I don't think we can give enough air time to something like this, which is please, please do not use single factor authentication, deploy multifactor authentication on every service which is exposed to the internet for every account that might be getting used. I have worked in several cases over last years where the organization didn't have multifactor authentication on all the accounts and the threat actors were able to figure out which accounts do not have MFA and then use those accounts to get in. So every account for every exposed service on the internet needs to have multifactor authentication enforced. Thiru talked about different vulnerabilities that threat actors exploit. So one good resource of figuring out what vulnerabilities are getting exploited by the threat actors is the CSUN's database called Known Exploited Vulnerabilities Catalog. Organizations need to do a better job of patching their systems, especially external facing systems.
We are seeing a lot of threat actors exploiting vulnerabilities and using those vulnerabilities to gain initial access into the environment and then perform privilege escalation and destruction of backups and data exfiltration. One other control which I'll talk about is LAPS. LAPS is a solution from Microsoft. It's called local admin password solution. When I talked about local admin accounts or local privileged accounts being used by threat actors to move around and deploy ransomware, that often happens because the same credential is configured on a large number of workstations or servers. It is difficult to manage local admin accounts. It's difficult to rotate those passwords unless you're using something like LAPS. LAPS automatically rotates passwords. It makes sure that the passwords are changed regularly and IT teams know what the passwords are because if you talk about it, the local admin password should never be needed unless maintenance is need to be done or the system drops off.
And so please, LAPS is your friend. Please use that. And before I hand it over back to Thiru for some of his recommendations, it is very essential to have a good endpoint security solution which has monitoring capabilities. And over those monitoring capabilities are response capabilities built. So keep monitoring the environment because I always say this, we as defenders lose when threat actors deploy ransomware not when they have gained initial access to the environment, not when they have profound privilege escalation. When they are doing all these activities, there are a lot of opportunities for defenders to detect threat actor activity and respond to that activity and remove the threat actor access from the environment. That can only be done if there is enough monitoring and response capability that has been built in in the infrastructure. Thiru, do you want to talk about some of your favorite recommendations here?

Thirumalai Natarajan:
Definitely. So we talked about different attack techniques in last 15 minutes. So to limit these attack activities, we strongly recommend to hire a new environment to some of these control and my favorite controls. So enforce login restrictions and minimize the exposure of privileged accounts. So this can be achieved by implementing tiered model in active directory in [inaudible 00:26:02]. So have a process to regularly review and reduce the scope of highly privileged user accounts, especially that exist in your active [inaudible 00:26:11]. So we have observed high number of privileged accounts in various organizations without a need or a requirement. So try to follow the principle of least privilege. Allocate a dedicated work station for administrators to perform privileged activities and limit the standard user activities such as browsing and accessing emails in the administrator's workstation. So through this control you can reduce the exposure of privileged accounts.
So now we talked about reducing the privileged accounts exposure. The next control that we can focus on is to adapt privileged IT management solution, which provides time-based and up-role based role activation and also implement privileged access management solution to rotate the passwords periodically in an automated fashion. Enforce strong password policies across the organization. So as we referred earlier, threat actors target backup solutions, they destroy the backup to disrupt the recovery process. So in order data such activities create a robust backup standards that includes implement immutable backup like write once and read many.
This will prevent unauthorized modification and deletion. Follow the three-two-one backup strategy, which means that storing three copies of data on two devices and one in offsite. So maintain at least one copy of offline storage. So this can boost your recovery process during the time of incident. Enforce and perform multifactor authentication for backup deletion. So these are some of the controls that are around the backup standards. Now when it comes to network, adapt a network segmentation approach by compartmentalizing subnetworks, and then you can enforce security controls on these subnets to [inaudible 00:27:56] lateral moments. So these are some of the different strategies that you can adapt to restrict threat actor activities in your environment.

Kacy Zurkus:
Thiru and Anurag, this has been so great. Thank you so much. I really appreciate your taking the time to share all of your expertise and insight with our listeners. Listeners, thank you so much for tuning in. To find products and solutions related to risk management and ransomware, we invite you to visit RSAconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC. And be sure to visit RSAconference.com for new content posted year round. Thank you all so much.

Anurag Khanna

Manager, CrowdStrike Services

Thirumalai Natarajan

Senior Manager, Mandiant Consulting

Risk Management & Governance

anti-malware business continuity & disaster recovery data security incident response malware network security phishing

Share With Your Community