Incident Response Techniques for Ransomware Attacks E-Book

Incident Response Techniques for Ransomware Attacks

Understand modern ransomware attacks and build an incident response strategy to work through them

Oleg Skulkin

BIRMINGHAM—MUMBAI

Incident Response Techniques for Ransomware Attacks

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Shrilekha Inani

Senior Editor: Sangeeta Purkayastha

Content Development Editor: Nihar Kapadia

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Alishon Mendonca

Marketing Coordinator: Hemangi Lotlikar

First published: March 2022

Production reference: 2020123

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-044-2

www.packt.com

Contributors

About the author

Oleg Skulkin is the head of the Digital Forensics and Incident Response Team at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and coauthored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications. You can contact him on Twitter at oskulkin.

I would like to thank my team at Group-IB, as well as other colleagues from various cyber security companies, who always inspire me with their outstanding research. Also, I would like to thank the Packt team for this opportunity and their help, as well as Ricoh Danielson, who provided very valuable feedback as the technical reviewer.

About the reviewer

Ricoh Danielson has elaborate experience in handling cyber incident response, cyber security, information security, privacy, and compliance. Ricoh has helped major retail, financial, and health care organizations mitigate threats and risks. Ricoh is a digital forensics expert for criminal and civil cases.

Ricoh has handled cyber incidents for major, world-renowned health care, financial, and retail firms. Ricoh is a graduate of Thomas Jefferson School of Law, a graduate of UCLA, a graduate of Arizona, and a US Army combat veteran.

Table of Contents

Preface

Section 1: Getting Started with a Modern Ransomware Attack

Chapter 1: The History of Human-Operated Ransomware Attacks

2016 – SamSam ransomware

Who was behind the SamSam ransomware

2017 – BitPaymer ransomware

The mastermind behind the BitPaymer ransomware

2018 – Ryuk ransomware

Who was behind the Ryuk ransomware?

2019-present – ransomware-as-a-service

Who was behind ransomware-as-a-service programs?

Summary

Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack

Initial attack vectors

RDP compromise

Spear phishing

Software vulnerabilities

Post-exploitation

Data exfiltration

Ransomware deployment

Summary

Chapter 3: The Incident Response Process

Preparation for an incident

The team

The infrastructure

Threat detection and analysis

Containment, eradication, and recovery

Post-incident activity

Summary

Section 2: Know Your Adversary: How Ransomware Gangs Operate

Chapter 4: Cyber Threat Intelligence and Ransomware

Strategic cyber threat intelligence

Operational cyber threat intelligence

Tactical cyber threat intelligence

Summary

Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures

Gaining initial access

External remote services (T1133)

Exploiting public-facing applications (T1190)

Phishing (T1566)

Supply chain compromise (T1195)

Executing malicious code

User execution (T1204)

Command and scripting interpreters (T1059)

Exploitation for client execution (T1203)

Windows Management Instrumentation (T1047)

Obtaining persistent access

Valid accounts (T1078)

Create account (T1136)

Boot or logon autostart execution (T1547)

Scheduled task/job (T1053)

Server software component (T1505)

Escalating privileges

Exploiting for privilege escalation (T1068)

Creating or modifying system process (T1543)

Process injection (T1055)

Abuse elevation control mechanism (T1548)

Bypassing defenses

Exploiting for defense evasion (T1211)

Deobfuscating/decoding files or information (T1140)

File and directory permissions modification (T1222)

Impairing defenses (T1562)

Indicator removal on host (T1070)

Signed binary proxy execution (T1218)

Accessing credentials

Brute force (T1110)

OS credential dumping (T1003)

Steal or forge Kerberos tickets (T1558)

Moving laterally

Exploiting remote services (T1210)

Remote services (T1021)

Using alternate authentication material (T1550)

Collecting and exfiltrating data

Data from local system (T1005)

Data from network shared drives (T1039)

Email collection (T1114)

Archive collected data (T1560)

Exfiltration over web service (T1567)

Automated exfiltration (T1020)

Ransomware deployment

Inhibit system recovery (T1490)

Data encrypted for impact (T1490)

Summary

Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence

Threat research reports

Community

Threat actors

Summary

Section 3: Practical Incident Response

Chapter 7: Digital Forensic Artifacts and Their Main Sources

Volatile memory collection and analysis

Non-volatile data collection

Master file table

Prefetch files

LNK files

Jump lists

SRUM

Web browsers

Windows Registry

Windows event logs

Other log sources

Summary

Chapter 8: Investigating Initial Access Techniques

Collecting data sources for an external remote service abuse investigation

Investigating an RDP brute-force attack

Collecting data sources for a phishing attack investigation

Investigating a phishing attack

Summary

Chapter 9: Investigating Post-Exploitation Techniques

Investigating credential access techniques

Credential dumping with hacking tools

Credential dumping with built-in tools

Kerberoasting

Investigating reconnaissance techniques

Network scanning

Active Directory reconnaissance

Investigating lateral movement techniques

Administrative shares

PsExec

RDP

Summary

Chapter 10: Investigating Data Exfiltration Techniques

Investigating web browser abuse for data exfiltration

Investigating cloud service client application abuse for data exfiltration

Investigating third-party cloud synchronization tool abuse for data exfiltration

Investigating the use of custom data exfiltration tools

Summary

Chapter 11: Investigating Ransomware Deployment Techniques

Investigation of abusing RDP for ransomware deployment

Crylock ransomware overview

Investigation of Administrative shares for ransomware deployment

REvil ransomware overview

Investigation of Group Policy for ransomware deployment

LockBit ransomware overview

Summary

Chapter 12: The Unified Ransomware Kill Chain

Cyber Kill Chain®

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and Control (C2)

Actions on Objectives

MITRE ATT&CK®

Reconnaissance

Resource development

Initial access

Execution

Persistence

Privilege escalation

Defense evasion

Credential access

Discovery

Lateral movement

Collection

Command and control

Exfiltration

Impact

The Unified Kill Chain

Initial Foothold

Network Propagation

Actions on Objectives

The Unified Ransomware Kill Chain

Gain Access to the Network

Establish Foothold

Network Discovery

Key Assets Discovery

Network Propagation

Data Exfiltration

Deployment Preparation

Ransomware Deployment

Extortion

Summary

Other Books You May Enjoy

Preface

Human-operated ransomware attacks have changed the modern threat landscape dramatically and become the primary threat for many organizations. This fact has resulted in organizations of all sizes increasing their incident response readiness and capabilities.

This book will guide you in the world of modern ransomware attacks, focusing on an intelligence-driven and proactive approach to defending you from, and responding to, related incidents.

Who this book is for

This book is suitable for a variety of technical audiences, from system and network administrators in small and medium enterprises to cybersecurity students and even incident responders and cyber threat intelligence analysts who want to learn more about human-operated ransomware attacks.

What this book covers

Chapter 1, The History of Human-Operated Ransomware Attacks, provides you with an introduction to the world of human-operated ransomware attacks, focusing on the historical aspects.

Chapter 2, The Life Cycle of a Human-Operated Ransomware Attack, briefly describes how modern threat actors operate during a ransomware attack life cycle.

Chapter 3, The Incident Response Process, provides an overview of the incident response process from the perspective of a human-operated ransomware attack.

Chapter 4, Cyber Threat Intelligence and Ransomware, provides an introduction to cyber threat intelligence, focusing on human-operated ransomware attacks.

Chapter 5, Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures , details the techniques, procedures, methods, and tools commonly used by various ransomware affiliates in their operations.

Chapter 6, Collecting Ransomware-Related Cyber Threat Intelligence, provides an overview of the various collection methods and sources of cyber threat intelligence related to modern ransomware attacks.

Chapter 7, Digital Forensic Artifacts and Their Main Sources, provides an overview of the various sources of forensic artifacts that can be used during an incident response engagement to reconstruct the attack life cycle.

Chapter 8, Investigating Initial Access Techniques, offers a practical investigation into the various initial access techniques used by the threat actors.

Chapter 9, Investigating Post-Exploitation Techniques, looks at the various post-exploitation techniques employed by the threat actors.

Chapter 10, Investigating Data Exfiltration Techniques, covers the various data exfiltration techniques used by the threat actors.

Chapter 11, Investigating Ransomware Deployment Techniques, investigates the various ransomware deployment techniques used by the threat actors.

Chapter 12, The Unified Ransomware Kill Chain, describes the concept of the kill chain with a view to introducing the Unified Ransomware Kill Chain.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803240442_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "There's a new object created with GUID {E97EFF8F-1C38-433C-9715-4F53424B4887}. What's more, a somewhat suspicious file, 586A97.exe, is residing in the C:\Windows\SYSVOL\domain\scripts folder."

A block of code is set as follows:

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "Usually, you'll look for events with the IDs 21 (Session logon succeeded) and 25 (Session reconnection succeeded)."

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information provided in this book is only for demonstration and will need to be adjusted based on their specific use case. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.

Share Your Thoughts

Once you've read Incident Response Techniques for Ransomware Attacks, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Getting Started with a Modern Ransomware Attack

The first part of this book will help you to build a solid understanding of the modern ransomware threat landscape and how to properly plan your incident response activities.

This section comprises the following chapters:

Chapter 1: The History of Human-Operated Ransomware Attacks

Just like COVID-19, human-operated ransomware attacks became the second pandemic in 2020. Unfortunately, this trend keeps evolving nowadays. Despite the fact some threat actors announce their retirement, their places in the cybercrime business are quickly occupied by the younger generation.

Such attacks are discussed a lot nowadays; however, they emerged even before well-known ransomware outbreaks, such as WannaCry and NotPetya. Unlike those uncontrolled ransomware outbreaks, this time it's under the full control of various ransomware operators and their affiliates. Careful reconnaissance of compromised infrastructure, preparing it for final ransomware deployment, can potentially bring them millions of dollars in cryptocurrency.

Of course, there are multiple notable examples of ransomware strains used in human-operated attacks. In this chapter, we'll focus on the most important examples from a historic point of view, finishing on what's most common for today's threat landscape – ransomware-as-a-service programs.

We'll look at the following examples:

2016 – SamSam ransomware

These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.

The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the city of Atlanta, Georgia, which took place in March 2018. As the result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.

The group commonly exploited vulnerabilities in public-facing applications, for example, JBOSS systems, or just brute-forced RDP-servers to gain the initial foothold to the target network.

To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.

Having elevated credentials, SamSam operators just scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with help of another very common dual-use tool – PsExec.

The attackers had a payment website in the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:

Figure 1.1 – SamSam ransom note example

Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:

Figure 1.2 – An excerpt from an FBI Wanted poster

Both subjects are from Iran. After the indictment was unsealed, the threat actors managed to finish their malicious activities, at least under the name SamSam.

These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

2017 – BitPaymer ransomware

The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.

Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals from the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.

To obtain the initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actor could move laterally through the network, and obtain elevated credentials, including with the use of Mimikatz, just like the SamSam operators.

To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script on each host to run a piece of ransomware.

As the means of communication, the threat actors offered both emails and online chats; both could be found in the ransom note:

Figure 1.3 – BitPaymer ransom note example

In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).

The mastermind behind the BitPaymer ransomware

On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:

Figure 1.4 – Excerpts from FBI Wanted posters

Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. According to various sources, it is stated that there is a $5 million reward for the apprehension of Maksim. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.

2018 – Ryuk ransomware

The Ryuk ransomware took Big Game Hunting to new heights. Associated with the Trickbot group, also known as Wizard Spider, this ransomware strain is still active today.

Throughout its history, the group has attacked various organizations and made at least $150 million, according to AdvIntel (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

For quite some time, it was called triple threat, as typically such infections started from the Emotet trojan, which loaded Trickbot, which was used for downloading post-exploitation tools and final ransomware deployment. Usually, Trickbot was used to download a PowerShell Empire agent or a Cobalt Strike Beacon – another extremely popular post-exploitation framework.

Recently, the group changed the toolset and started to use a new trojan called Bazar. Interestingly enough, they started to use vishing (voice phishing) in their distribution scheme. The phishing emails don't contain any malicious files or links, just some information about a fake paid subscription and a phone number to call to cancel it. If a victim calls the number, the operator guides him or her to download a weaponized Microsoft Office file, open it, and enable the macros, so the computer is infected with Bazar. Just like with Trickbot, the trojan is used to download and execute a post-exploitation framework – most commonly, Cobalt Strike.

To deploy Ryuk, the threat actors leveraged multiple techniques, including the previously mentioned PsExec and Group Policy modification.

First, they provided emails to allow the victims to contact them, but soon started to use Tor onion services:

Figure 1.5 – Instructions embedded into the ransom note

Ryuk ransomware operators are still active, and, according to AdvIntel and HYAS, have earned more than $150 million (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

Who was behind the Ryuk ransomware?

On June 4, 2021, the FBI released an indictment charging Alla Witte, aka Max, for being involved in a transnational organization responsible for creating and deploying the Trickbot trojan and ransomware.

Some other Ryuk-related threat actors were the Emotet botnet operators. They were arrested in January 2021 as the result of a collaborative operation between law enforcement in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. As a result, the authorities took full control of the botnet's infrastructure.

One of the most notable things was what exactly the Emotet operators' workplace looked like:

Figure 1.6 – Emotet operators' workplace

More insights are available in the following video: https://www.youtube.com/watch?v=_BLOmClsSpc.

Despite the fact that threat actors are being arrested, more and more cybercriminals want to join the big game. So, another phenomenon has emerged – ransomware-as-a-service.

2019-present – ransomware-as-a-service

2019 was the year of the rise of ransomware-as-a-service programs, and it is still the main trend today. Multiple ransomware developers started to offer their products to various threat actors in exchange for a percentage of the ransom received.

REvil, LockBit, Ragnar Locker, Nefilim – these are just some of the ransomware families distributed under the ransomware-as-a-service model. Although multiple threat actors may use the same ransomware strain, their tactics, techniques, and procedures may be very diverse.

At the same time, nowadays most ransomware-as-a-service programs affiliates share the same approach – they exfiltrate data before actual ransomware deployment. The trendsetters for this technique were the Maze ransomware affiliates back in 2019, but nowadays almost all threat actors involved in such attacks have their own Data Leak Site (DLS).

Here is an example of a DLS used by DoppelPaymer ransomware affiliates:

Figure 1.7 – DoppelPaymer's DLS

Usually, affiliates do not perform the whole attack life cycle, but rather use other threat actors' services. For example, threat actors may cooperate with initial access brokers, who provide them with access to compromised corporate networks. In some cases, they may pay additional pentesters for privilege escalation or defense evasion, so they can deploy ransomware enterprise-wide and nothing can stop them.

Depending on the role, the threat actors involved in the project may receive various percentages from the obtained ransom payment. Usually, ransomware developers, who run the program, receive around 20%, affiliates receive around 50%, initial access brokers 10%, and the rest goes to additionally hired threat actors, for example pentesters or negotiators.

Ransomware-as-a-service is extremely common nowadays. According to Group-IB's report Ransomware Uncovered 2020/2021 (https://www.group-ib.com/resources/threat-research/ransomware-2021.html), 64% of all ransomware attacks were performed in 2020 by RaaS affiliates.

Who was behind ransomware-as-a-service programs?

One of the NetWalker ransomware affiliates, Sebastien Vachon-Desjardins, who is a Canadian national, was charged in January 2021, and is alleged to have raked in more than $27.6 million overall from his ransomware activities.

Another example is a couple of Egregor ransomware affiliates, who were arrested in Ukraine with help of French authorities, who traced ransom payments to them.

Another example is the Cl0p ransomware affiliates, who helped threat actors with money laundering, and were also arrested in Ukraine in June 2021. There's a video available from this operation at https://youtu.be/PqGaZgepNTE.

As you can see, ransomware-as-a-service programs allowed many cybercriminals to join the big game with ease, even if they lacked skills and capabilities. Of course, this fact played an important role in making human-operated ransomware attacks the cyberpandemic.

Summary

In this chapter, you've walked through the history of modern human-operated ransomware attacks and learned a bit about threat actors' tactics, techniques, and procedures, their business model, and even some people who were behind such attacks.

In the next chapter, we will dive into the modern human-operated ransomware threat landscape, focusing on the attack life cycle, from obtaining the initial access to actual ransomware deployment.

Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack

Human-operated ransomware attacks may be very complex, especially if we are talking about Big Game Hunting – attacks on huge enterprises. So, before diving into the technical details, it's very important to understand the life cycle of a typical attack. Understanding the attack life cycle helps security professionals to both perform proper reconstruction of an incident and make adequate decisions at various stages of the incident response life cycle.

As you already know from Chapter 1, The History of Human-Operated Ransomware Attacks