Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Comprehensive analysis of a ransomware attack demonstrating advanced techniques for initial access and persistence.
- Identification of critical indicators of compromise (IOCs) including file paths, registry changes, and C2 infrastructure.
- Recommendations for detection strategies against complex ransomware behaviors and lateral movement techniques.
Executive Summary
During a recent incident response engagement, our team encountered a sophisticated ransomware attack that exhibited multiple tactics, techniques, and procedures (TTPs). The actor leveraged a well-crafted initial access vector that enabled unfettered access to the target’s environment. This blog post details our findings and the investigation’s progression, which encompassed initial access methodologies, execution and persistence mechanisms, command and control communication patterns, lateral movement activities, and the ultimate impact of the ransomware deployment.
Initial Access
The initial access was achieved using a targeted phishing campaign. Our analysis revealed that the actor sent a carefully crafted email that included a malicious attachment disguised as an invoice PDF. Upon execution, this attachment dropped a PowerShell script that executed a base64 encoded malicious payload, which we identified as a variant of the LockBit ransomware. The file path for the script was logged as C:\Users\Public\Documents\Invoice_Script.ps1.
Utilizing the T1192 – Spear Phishing Link technique, the attacker relied on social engineering to trick the user into executing the script, which led to further privilege escalation on the workstation.
Execution & Persistence
Once the malicious payload was executed, the ransomware established persistence through a registry modification. We observed a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to an executable at C:\ProgramData\System\MalwareRunner.exe. This maneuver used the T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder technique to ensure the ransomware was executed on system reboot.
Throughout our analysis, we noted that the ransomware employed obfuscation to disguise its presence, hiding its strings and system calls to avoid detection by traditional antivirus solutions.
Command and Control
The payload initiated a command and control (C2) connection to an actor-controlled domain associated with the IDT (Internet Domain Technical) attack group. Our investigation into network traffic revealed outbound connections to malicious-domain.com on port 443, suggesting that the actor utilized HTTPS to evade detection. This aligns with the T1071.001 – Application Layer Protocol: Web Protocols technique, enabling encrypted communication that could bypass conventional network inspection tools.
The C2 channel enabled the actor to send commands, manage files, and eventually trigger encryption once data had been exfiltrated.
Lateral Movement & Discovery
Post-exploitation, the actor employed native Windows tools alongside their own malware to facilitate lateral movement within the network. Our analysis indicated the use of Mimikatz to harvest credentials and establish persistent access to other machines in the environment. This was evidenced by logs showing the execution of commands such as Invoke-Mimikatz to dump password hashes from memory.
Furthermore, leveraging the T1021.002 – Remote Services: SMB/Windows Admin Shares technique, the actor moved laterally through administrative shares, accessing systems based on the retrieved credentials. The rapid escalation of privileges made it challenging for defenders to track the actor once an initial foothold had been established.
Impact & Objectives
The ultimate objective of the ransomware deployment was to disrupt operations and extort a ransom from the victim organization. Upon completing the encryption process, which targeted sensitive files in the C:\Users\[Username]\Documents\ directory, the ransomware dropped a ransom note named README.txt, instructing victims on how to pay the ransom in cryptocurrency to regain access to their files.
The disruption caused significant operational downtime, with recovery efforts taking substantial time as the organization attempted to restore operations and analyze the extent of the breach.
MITRE ATT&CK Mapping
- T1192 – Spear Phishing Link: Phishing e-mail containing malicious attachments.
- T1547.001 – Boot or Logon Autostart Execution: Registry modifications for persistence.
- T1071.001 – Application Layer Protocol: C2 communication over HTTPS.
- T1021.002 – Remote Services: Lateral movement using SMB protocol.
Detection Opportunities
- Monitor email gateway logs for signs of phishing, such as sender domain spoofing, and inspect attachments before delivery.
- Implement detection rules for specific registry modifications indicative of persistence mechanisms.
- Establish network traffic analysis solutions to detect anomalous outbound connections to previously unknown or blacklisted domains.
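As an added example (not part of the original report), the following Python hunting logic applies the three detection ideas above, plus the ransom-note drop described under Impact, to constructed Sysmon-style events built around this incident's IOCs. The event schema, the domain allow-list and the staging-directory heuristic are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events for illustration; none are real telemetry
# from the incident. Event IDs follow Sysmon: 13 = registry value set,
# 3 = network connection, 11 = file created; 4104 = PowerShell script block.
SAMPLE_EVENTS = [
    {"event_id": 13, "target": r"HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\System\MalwareRunner.exe"},
    {"event_id": 13, "target": r"HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event_id": 3, "image": r"C:\ProgramData\System\MalwareRunner.exe",
     "dest_host": "malicious-domain.com", "dest_port": 443},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "addons.mozilla.org", "dest_port": 443},
    {"event_id": 4104, "script": "Import-Module .\\mk.ps1; Invoke-Mimikatz -DumpCreds"},
    {"event_id": 11, "image": r"C:\ProgramData\System\MalwareRunner.exe",
     "target": r"C:\Users\alice\Documents\README.txt"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# User-writable staging directories seen in this incident (ProgramData, Public).
STAGING_DIR = re.compile(r"^C:\\(ProgramData|Users\\Public)\\", re.I)
SIGNED_APP_DIRS = (r"c:\program files", r"c:\windows")
KNOWN_DOMAINS = {"addons.mozilla.org"}  # assumed organisational allow-list
CRED_DUMP = re.compile(r"invoke-mimikatz|sekurlsa::", re.I)


def evaluate(ev: dict) -> list:
    """Return the detection labels triggered by a single event."""
    hits = []
    eid = ev["event_id"]
    # Run-key value whose payload lives in a staging directory, not Program Files.
    if eid == 13 and RUN_KEY.search(ev["target"]) and STAGING_DIR.match(ev["details"]):
        hits.append("run_key_persistence (T1547.001)")
    # HTTPS to a domain outside the allow-list from a binary that is not an installed app.
    if eid == 3 and ev["dest_port"] == 443 and ev["dest_host"] not in KNOWN_DOMAINS \
            and not ev["image"].lower().startswith(SIGNED_APP_DIRS):
        hits.append("c2_https_unknown_domain (T1071.001)")
    # Mimikatz invocation captured by PowerShell script block logging.
    if eid == 4104 and CRED_DUMP.search(ev["script"]):
        hits.append("mimikatz_credential_harvest")
    # Ransom note dropped into a user's Documents folder by a staged binary.
    if eid == 11 and ev["target"].lower().endswith(r"\documents\readme.txt") \
            and STAGING_DIR.match(ev["image"]):
        hits.append("ransom_note_dropped")
    return hits


def hunt(events: list) -> dict:
    """Map event index -> triggered labels, skipping events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}
```

The benign OneDrive Run value and the Firefox connection are included so the rules can be checked for false positives as well as hits.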
Analyst Notes
This investigation highlighted the sophisticated techniques employed by the actors behind recent ransomware operations. It underscores the growing need for organizations to adopt a defense-in-depth strategy to mitigate such threats and emphasizes the importance of continual monitoring, threat hunting, and awareness training for all personnel. The progression of this attack not only affected digital assets but also exposed critical gaps in user education about email security.