Comprehensive Analysis of Recent Ransomware Outbreak: Tracking Origins and Impact

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • The operators gained initial access through phishing emails carrying a malicious attachment that a user had to open.
  • Once inside, they dumped credentials from LSASS and used pass-the-hash to move laterally toward high-value systems, exfiltrating data before encrypting it.
  • Detection should focus on behaviour rather than signatures: document readers spawning processes, service and Run-key persistence, fixed-interval HTTPS beaconing, LSASS access and NTLM logon anomalies tied to lateral movement.

Executive Summary

This report provides an in-depth technical analysis of a recent ransomware outbreak that affected multiple sectors globally. Our analysis found that the attackers exfiltrated sensitive data before and during file system encryption, causing significant operational disruption and setting up double extortion. The investigation focused on identifying the tactics, techniques, and procedures (TTPs) employed by the adversaries, their command and control (C2) infrastructure, and their lateral movement methodology.

Initial Access

During the investigation we observed that the attackers' primary initial access vector was phishing email carrying a malicious attachment. The original report describes the attachment as a PDF that ran a macro-based script when opened; PDF readers do not execute Office macros, so the attachment was most likely either an Office document or a PDF with embedded JavaScript, and the report does not resolve which. In either case execution required the user to open the file (T1204.002), after which the script dropped the main payload to C:\Users\Public\Documents\Report.exe, a world-writable location that needs no elevated rights to write to. The actor staged all further operations from this foothold; the whole chain depended on a single user opening the attachment, which makes that step the cheapest control point for defenders.

Execution & Persistence

Upon execution the malware established persistence in two independent ways. It installed itself as a Windows service (T1543.003) under the name Microsoft Update Service, chosen to blend in with legitimate Microsoft components; the real Windows Update service is wuauserv (display name Windows Update), so a Microsoft-sounding service name should always be checked against its binary path rather than trusted on its own. It also wrote a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to the executable (T1547.001), so the binary started at every boot even if the service was later removed. A service persists through the Services registry hive, not the Run key, so both mechanisms must be removed during remediation. Finally, the malware disabled the host firewall (T1562.004) to keep its C2 channel open.

Command and Control

The command and control infrastructure used several channels. Our investigation identified multiple C2 domains, including update-service.xyz, contacted over HTTPS. The implant beaconed every 30 seconds with an HTTP GET request carrying a unique token identifying the infected host, which let the operator track compromised assets individually and task data exfiltration per host. Because the traffic consisted of TLS-encrypted GET requests to a plausibly named domain, it did not trip signature-based alerting; the fixed 30-second cadence, however, is a property defenders can detect without decrypting anything.
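The fixed beacon interval is the most robust network-side signal in this section, because it survives TLS. The following added example (not code from the original report) groups proxy log entries by client and destination host, measures the spacing between requests, and flags pairs whose intervals have very low jitter. The log lines, the client addresses and the URL path are constructed for the example; only the domain update-service.xyz and the 30-second period come from the report.

```python
"""Detect fixed-interval HTTPS beaconing in proxy logs (added example, not from the report)."""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client, method, URL, response bytes.
# 10.10.4.21 polls update-service.xyz every 30 s; the rest is ordinary browsing noise.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 512
2024-05-01T09:00:05Z 10.10.4.21 GET https://cdn.example.com/jquery.min.js 88000
2024-05-01T09:00:30Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 512
2024-05-01T09:01:00Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 512
2024-05-01T09:01:30Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 514
2024-05-01T09:02:00Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 512
2024-05-01T09:02:30Z 10.10.4.21 GET https://update-service.xyz/u?id=a91f3c 512
2024-05-01T09:00:12Z 10.10.4.22 GET https://mail.example.com/inbox 20480
2024-05-01T09:03:40Z 10.10.4.22 GET https://mail.example.com/inbox 20410
2024-05-01T09:09:05Z 10.10.4.22 GET https://mail.example.com/inbox 20390
"""


def parse_line(line: str):
    """Split one constructed log line into (time, client, method, host, bytes)."""
    ts, src, method, url, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, method, urlparse(url).hostname, int(size)


def find_beacons(log_text: str, min_requests: int = 5, max_cv: float = 0.2) -> list[dict]:
    """Return (client, host) pairs whose request spacing is nearly constant.

    Jitter is measured as the coefficient of variation (stdev / mean) of the
    inter-request intervals. A real implant usually adds random jitter, so
    max_cv is the knob to widen; 0.2 still catches +/-20 % jitter around a period.
    """
    series: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, src, _method, host, _size = parse_line(line)
            series[(src, host)].append(when)

    findings = []
    for (src, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "requests": len(times),
                "interval_s": round(statistics.median(deltas), 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Run it over a full day of proxy logs with min_requests raised to a few hundred and you will mostly see legitimate pollers (update checkers, chat clients); the value is in the remaining hits to domains with no business justification, which is where update-service.xyz would surface.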

Lateral Movement & Discovery

For lateral movement the actor used pass-the-hash, T1550.002 (the original report cites T1075, the retired ATT&CK ID for the same technique). The credential material came from dumping LSASS process memory (T1003.001, OS Credential Dumping: LSASS Memory). With the stolen NTLM hashes the actor authenticated to shared drives and other network resources over SMB, expanding the foothold and locating high-value assets. Pass-the-hash replays the hash itself, so it succeeds regardless of password strength; what blocks it is preventing LSASS memory access (Credential Guard, running LSASS as a protected process) and not reusing local administrator credentials across hosts.

Impact & Objectives

The ultimate objective of the campaign was encryption for ransom: the actor encrypted files (T1486) and demanded payment for the decryption key, leaving ransom notes in multiple directories that instructed users to contact the attackers over encrypted channels. Beyond the ransom itself, affected organizations suffered operational downtime and reputational damage from public exposure of sensitive data. Data exfiltration was confirmed through traffic analysis, indicating that the actor planned double extortion: payment demanded both for decryption and for not publishing the stolen data, which means restoring from backup alone does not end the incident.
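When scoping impact on a file server, responders need a quick way to find which files were encrypted and where notes were dropped. The following added example (not from the original report) walks a directory tree, identifies ransom notes by name and extortion phrases, and flags files whose byte entropy is close to 8 bits per byte, which is what ciphertext looks like. Compressed formats are excluded because they are also high-entropy. The note file name, the phrases, the extension list and the sample tree are all constructed assumptions for the example; the report does not give the note's name or the encrypted-file extension.

```python
"""Triage a file tree for ransomware impact: ransom notes and encrypted files (added example)."""
from __future__ import annotations

import hashlib
import math
import re
import tempfile
from pathlib import Path

# Name fragments ransomware notes commonly carry; an assumption for the example.
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how[_ -]?to|help)", re.I)
NOTE_MARKERS = ("your files have been encrypted", "decrypt", "tor browser", ".onion", "bitcoin")
# Formats that are high-entropy by design and would otherwise be false positives.
COMPRESSED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".zip", ".gz", ".7z", ".rar",
                  ".mp4", ".mp3", ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_ransom_note(path: Path) -> bool:
    """Small text file with a note-like name and at least two extortion phrases."""
    if path.stat().st_size > 64 * 1024 or not NOTE_NAME.search(path.name):
        return False
    text = path.read_bytes()[:4096].decode("utf-8", errors="ignore").lower()
    return sum(marker in text for marker in NOTE_MARKERS) >= 2


def scan_tree(root: Path, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Classify every file under root; only the first 64 KiB is read for entropy."""
    notes, encrypted, scanned = [], [], 0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        scanned += 1
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path):
            notes.append(rel)
            continue
        if path.suffix.lower() in COMPRESSED_EXT or path.stat().st_size < min_size:
            continue
        if shannon_entropy(path.read_bytes()[:64 * 1024]) >= entropy_threshold:
            encrypted.append(rel)
    return {"scanned": scanned, "ransom_notes": notes, "high_entropy_files": encrypted}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_tree(base: Path) -> Path:
    """Constructed victim share: an encrypted document, a legitimate photo, a note, plain text."""
    docs = base / "finance"
    docs.mkdir()
    (docs / "budget.xlsx.locked").write_bytes(_pseudo_random(4096))   # encrypted and renamed
    (docs / "team_photo.jpg").write_bytes(_pseudo_random(4096))       # compressed, not ransomed
    (docs / "meeting_notes.txt").write_bytes(b"quarterly meeting notes\n" * 200)
    (docs / "README_RESTORE_FILES.txt").write_text(
        "YOUR FILES HAVE BEEN ENCRYPTED.\nTo decrypt them, install Tor Browser and contact us "
        "at the .onion address below. Payment in Bitcoin only.\n")
    return base


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

On a real share, run the scan against a snapshot rather than the live volume, and treat the entropy hits as a coverage map (which directories the encryptor reached) rather than proof of encryption; renamed extensions and note placement give the stronger signal.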

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: initial access through malicious email attachments.
  • T1204.002 – User Execution: Malicious File: the victim had to open the attachment.
  • T1543.003 – Create or Modify System Process: Windows Service: persistence as the Microsoft Update Service service.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: HKLM\...\CurrentVersion\Run entry.
  • T1562.004 – Impair Defenses: Disable or Modify System Firewall: host firewall disabled for C2.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTPS GET beaconing every 30 seconds.
  • T1003.001 – OS Credential Dumping: LSASS Memory: credential theft from LSASS.
  • T1550.002 – Use Alternate Authentication Material: Pass the Hash: lateral movement with stolen NTLM hashes.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: access to shared drives. The original labels this ID as Remote Desktop Protocol, which is T1021.001; the body of the report describes share access, not RDP.
  • T1041 – Exfiltration Over C2 Channel: data staged and exfiltrated through the per-host C2 channel.
  • T1486 – Data Encrypted for Impact: file encryption and ransom demand.

Detection Opportunities

  • Alert when a document reader (Office applications, Acrobat) spawns a child process, and when any executable runs from C:\Users\Public\; block macros in files downloaded from the internet by policy rather than relying on PowerShell command-line signatures alone.
  • Alert on new service installs (System event 7045) and Run-key writes (Sysmon event 13) whose image path lies outside the Windows and Program Files directories, particularly with Microsoft-sounding names; alert on netsh advfirewall ... state off and Set-NetFirewallProfile -Enabled False.
  • Baseline outbound HTTPS per host and flag fixed-interval connections (this implant beaconed every 30 seconds) to recently registered or low-reputation domains; the beacon period is a better signal than headers, since the request body and headers are encrypted in transit.
  • Alert on processes outside a small allowlist opening handles to lsass.exe (Sysmon event 10), and on NTLM network logons (Security event 4624, logon type 3) with key length 0 originating from workstations, the classic pass-the-hash pattern.
  • On file servers, alert on mass renames or writes from a single session and on the same note-like file name appearing across many directories.
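The host-side rules above, covering the Execution & Persistence and Lateral Movement & Discovery sections, are easiest to reason about when written as plain predicates over event records. The following added example (not from the original report) implements them over a handful of constructed Sysmon and Windows Security events flattened into dictionaries. The rule names, the allowlists, the benign noise events, the user name svc_backup and the client addresses are assumptions for the example; the dropped path, the service name and the Run key come from the report.

```python
"""Host-based detection rules for the TTPs in this report, run over constructed events (added example)."""
from __future__ import annotations

import re

# Constructed Sysmon / Security / System events; field names follow the real event schemas.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 1, "Image": r"C:\Users\Public\Documents\Report.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "CommandLine": r"C:\Users\Public\Documents\Report.exe"},
    {"source": "System", "id": 7045, "ServiceName": "Microsoft Update Service",
     "ImagePath": r"C:\Users\Public\Documents\Report.exe"},
    {"source": "Sysmon", "id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate",
     "Details": r"C:\Users\Public\Documents\Report.exe"},
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\Public\Documents\Report.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"source": "Sysmon", "id": 10, "SourceImage": r"C:\Users\Public\Documents\Report.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"source": "Security", "id": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": "0", "TargetUserName": "svc_backup",
     "IpAddress": "10.10.4.21"},
    # Benign noise: a real service install, a Kerberos logon, and csrss touching LSASS.
    {"source": "System", "id": 7045, "ServiceName": "Windows Update Medic Service",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc"},
    {"source": "Security", "id": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": "128", "TargetUserName": "jdoe",
     "IpAddress": "10.10.4.30"},
    {"source": "Sysmon", "id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe", "acrobat.exe"}
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe", "svchost.exe"}
FIREWALL_OFF = re.compile(
    r"advfirewall\s+set\s+\w+\s+state\s+off|set-netfirewallprofile.*-enabled\s+(\$?false|0)", re.I)


def _base(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _under(path: str, prefix: str) -> bool:
    return path.strip('"').lower().startswith(prefix)


def _is(e: dict, source: str, event_id: int) -> bool:
    return e.get("source") == source and e.get("id") == event_id


def document_reader_spawned_process(e: dict) -> bool:
    return _is(e, "Sysmon", 1) and _base(e.get("ParentImage", "")) in DOCUMENT_READERS


def execution_from_public_dir(e: dict) -> bool:
    return _is(e, "Sysmon", 1) and _under(e.get("Image", ""), "c:\\users\\public\\")


def suspicious_service_install(e: dict) -> bool:
    """Microsoft-sounding service name whose binary lives outside the Windows directory."""
    if not _is(e, "System", 7045):
        return False
    name = e["ServiceName"].lower()
    return ("microsoft" in name or "windows" in name) and not _under(e["ImagePath"], "c:\\windows\\")


def run_key_persistence(e: dict) -> bool:
    return _is(e, "Sysmon", 13) and "\\currentversion\\run\\" in e["TargetObject"].lower()


def firewall_disabled(e: dict) -> bool:
    return _is(e, "Sysmon", 1) and bool(FIREWALL_OFF.search(e.get("CommandLine", "")))


def lsass_access(e: dict) -> bool:
    return (_is(e, "Sysmon", 10) and _base(e["TargetImage"]) == "lsass.exe"
            and _base(e["SourceImage"]) not in LSASS_ALLOWLIST)


def ntlm_network_logon_keylength_zero(e: dict) -> bool:
    """Target-side pass-the-hash heuristic: NTLM type-3 logon with KeyLength 0 for a real user."""
    return (_is(e, "Security", 4624) and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM" and e["KeyLength"] == "0"
            and not e["TargetUserName"].endswith("$") and e["TargetUserName"] != "ANONYMOUS LOGON")


RULES = [document_reader_spawned_process, execution_from_public_dir, suspicious_service_install,
         run_key_persistence, firewall_disabled, lsass_access, ntlm_network_logon_keylength_zero]


def run_rules(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(rule.__name__, i) for i, e in enumerate(events) for rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:40s} event[{idx}]")
```

The pass-the-hash rule is a heuristic and will also fire on legitimate NTLM logons from hosts that cannot use Kerberos; pair it with the source-side signal (4624 logon type 9 with logon process seclogo on the originating workstation) and with the LSASS-access rule before treating a hit as confirmed.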

Analyst Notes

Reviewing the TTPs used in this incident gives a clear picture of the actor's operational methodology: a single user-opened attachment, layered persistence, a low-and-slow encrypted beacon, LSASS-sourced credentials reused with pass-the-hash, and exfiltration ahead of encryption. Each of those steps leaves a distinct host or network artifact, and detections built on those behaviours transfer to other actors using the same playbook. Organizations should also reinforce user training on recognizing phishing attempts and increase monitoring of critical assets and file servers to catch similar campaigns before the encryption stage.

Source: Original Report