With the news that ransomware attacks are on the decline in favor of crypto-mining (aka “crypto-jacking”), it is tempting to reshuffle your enterprise’s defensive priorities around the latest adversary trends. But before you retask your Blue Team to research cryptocurrency miners, take a moment to remember a few fundamental facts about ransomware, and why it remains different from, and more dangerous than, its money-mining “successor”.
It might be easy to forget, but unlike the new crypto-mining darling of the adversarial space, ransomware actually holds your company and staff to ransom. Even though the craft of ransomware “authors” seems to be at an all-time low, with some apparently giving up on encrypting files at all before demanding payment, the estimated cost to an organization can still exceed $100,000. Remember, regardless of how popular ransomware is (or is not) with attackers, these malicious files have a way of creeping back.
Ransomware can generally now be categorized as one of the following “types”:
- File Encryption (such as, WannaCry, Locky)
- Screen Takeover (“FBI Ukash MoneyPak”)
- Disk/Boot Lockout (Petya)
- Scareware (i.e. a phishing attack where nothing actually gets encrypted)
From a defender’s perspective, detecting and isolating the File Encryption category tends to be key. Although industry standards such as MITRE ATT&CK outline strategies for detecting file deletion, deleting the originals is usually the last step of a file-encrypting attack, so Blue Teams should also evaluate detection of the earlier stages: the creation of the new files, or the encryption itself.
Let’s ask the practical question:
“Would you be able to detect the creation of large quantities of (encrypted) files on your corporate endpoints?”
Being able to answer that question is the cornerstone of a Blue Team that can respond to a wide variety of threats, rather than depending on new malware signatures alone. Detection based on signatures or file hashes is well established, but it requires that someone has already been bitten by a given sample and correctly reported it to an anti-malware vendor. Relying on signatures alone forces you into a retroactive defense and ignores the possibility that your organization is targeted with a unique variant. Of course, how easily you can detect such events also depends on the sophistication of the malware and on whether it runs as its own executable process or is injected into the memory of another one, in which case the file activity shows up under the host process’s name. But setting aside the fact that exploitation and initial access are open-ended problems (we will address this in a future post), let’s see how basic tools can catch an example of file-encrypting ransomware in the act.
Using the (excellent and free) Process Monitor tool from Sysinternals, and generating a ransomware adversarial campaign via the SCYTHE platform, we can watch an executable read an existing file and then create an encrypted version of it. In Process Monitor the write shows up as a CreateFile operation whose Detail column records the disposition and the OpenResult (for example “Created”), followed by WriteFile operations against the new path.
Using the above example, we can further narrow our Process Monitor filters based on known applications, expected directories, quantities of expected CreateFile events, or even file extensions to monitor.
Of course, the setup, aggregation, and monitoring of these system logs can be done with a wide variety of solutions; the primary concern is that you have both a means of monitoring your endpoints for such events and a means of validating that those monitors detect even the simplest ransomware attacks.
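As an added example (not part of the original post, and not SCYTHE’s or Sysinternals’ code), the script below applies exactly that kind of narrowing to a Process Monitor CSV export and doubles as a check that the monitor would fire on the simplest possible case: it keeps only successful CreateFile operations whose Detail reports a new or clobbered file (OpenResult Created, Overwritten or Superseded) under user data directories, drops an allowlist of known bulk writers, and alerts when one process creates a burst of new files within a short window, reporting the extensions it wrote. The process names, PIDs, allowlist, thresholds and log lines are constructed for illustration; the CSV column names and the Detail string layout are Procmon’s defaults.

```python
"""Spot bursts of new-file creation per process in a Process Monitor CSV export.

Added example for this post, not SCYTHE or Sysinternals code. It assumes the
default Procmon CSV export columns and the CreateFile "Detail" string layout;
the log lines below are constructed, not captured, and the process names,
allowlist and thresholds are placeholders to tune per environment.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of processes expected to write many files quickly.
KNOWN_WRITERS = {"OneDrive.exe", "msiexec.exe", "TiWorker.exe"}
BURST_COUNT = 5                        # this many new files ...
BURST_WINDOW = timedelta(seconds=10)   # ... within this window is a burst
# Only user data directories are watched; temp/cache churn is ignored.
WATCHED_ROOT = re.compile(r"^C:\\Users\\[^\\]+\\(Documents|Desktop|Pictures)\\", re.I)


def parse_time(stamp):
    """Procmon writes 7 fractional digits ("2:15:02.0000000 PM"); %f takes at most 6."""
    hms, rest = stamp.split(".", 1)
    frac, ampm = rest.split(" ", 1)
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def created_new_file(row):
    """True for a successful CreateFile whose handle points at new or clobbered content."""
    if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
        return False
    m = re.search(r"OpenResult: (\w+)", row["Detail"])
    return bool(m) and m.group(1) in {"Created", "Overwritten", "Superseded"}


def find_bursts(csv_text, count=BURST_COUNT, window=BURST_WINDOW):
    """Return {(process, pid): summary} for non-allowlisted processes that create
    at least `count` new files under watched paths within `window`."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if created_new_file(row) and WATCHED_ROOT.match(row["Path"]):
            key = (row["Process Name"], row["PID"])
            events[key].append((parse_time(row["Time of Day"]), row["Path"]))

    alerts = {}
    for key, evs in events.items():
        if key[0] in KNOWN_WRITERS:
            continue
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= count:
                paths = [p for _, p in evs]
                alerts[key] = {
                    "total_new_files": len(paths),
                    "extensions": Counter(p.rsplit(".", 1)[-1].lower() for p in paths),
                    "sample_paths": paths[:3],
                }
                break
    return alerts


# Constructed Detail strings in Procmon's layout: a plain read and a fresh write.
_READ = ('"Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO '
         'Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, '
         'AllocationSize: n/a, OpenResult: Opened"')
_CREATE = ('"Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, '
           'Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, '
           'ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"')
_DOCS = r"C:\Users\alice\Documents"


def _row(t, proc, pid, path, result, detail):
    return f'"{t}","{proc}","{pid}","CreateFile","{path}","{result}",{detail}'


# Constructed log: a benign open by explorer.exe, a hypothetical "sample.exe"
# that reads six documents and writes six ".locked" copies in six seconds, an
# allowlisted sync client writing the same volume, and one failed lookup.
SAMPLE_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    _row("2:15:01.0001234 PM", "explorer.exe", "4120", _DOCS + r"\budget.xlsx", "SUCCESS", _READ),
    *[line for i in range(2, 8) for line in (
        _row(f"2:15:0{i}.0000000 PM", "sample.exe", "5516", _DOCS + rf"\report{i}.docx", "SUCCESS", _READ),
        _row(f"2:15:0{i}.5000000 PM", "sample.exe", "5516", _DOCS + rf"\report{i}.docx.locked", "SUCCESS", _CREATE),
    )],
    *[_row(f"2:15:0{i}.2000000 PM", "OneDrive.exe", "2200", rf"C:\Users\bob\Documents\sync{i}.pdf", "SUCCESS", _CREATE)
      for i in range(2, 8)],
    _row("2:15:08.0000000 PM", "sample.exe", "5516", _DOCS + r"\desktop.ini", "NAME NOT FOUND", _READ),
])

if __name__ == "__main__":
    for (proc, pid), info in find_bursts(SAMPLE_CSV).items():
        print(f"ALERT {proc} (PID {pid}): {info['total_new_files']} new files, "
              f"extensions {dict(info['extensions'])}, e.g. {info['sample_paths'][0]}")
```

Run it directly to see the single alert for the constructed sample; with a real capture, export from Process Monitor as CSV and pass the file contents to find_bursts(). The Procmon-specific parts are only the column names and the Detail string, so the same allowlist-plus-burst logic transfers to Sysmon Event ID 11 (FileCreate) or any EDR file-creation telemetry. The allowlist is what keeps the sync client quiet here, and it is also the filter an attacker will try to hide behind, which is why the extension histogram is reported alongside the count.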
The news that your corporate power bill is more at risk than your data may seem like a welcome one, but the importance of validating your defenses and restoration systems against ransomware has not wavered. There is already malware that profiles a host to decide whether to behave as ransomware or as a crypto-miner, and it appeared at a time when it has been suggested that crypto-mining itself may start to decline, giving way to other forms of attack, including ransomware. Even the least sophisticated ransomware can leave your assets and staff in disarray, with critical losses to the business.
If you are interested in learning more about how to safely run breach and malware simulations against your production environment, click over to https://scythe.io/ to learn more.