Comprehensive Analysis of the Ransomware Attack Utilizing ‘AstraLocker’: Unraveling the Intricacies of Initial Access to Impact

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • AstraLocker gained initial access through phishing attachments and through brute-forced credentials for internet-exposed RDP services.
  • Persistence relied on scheduled tasks and a value under the per-user HKCU Run key.
  • The C2 infrastructure used fast-flux domains and regular HTTP/HTTPS beacons; the same channel carried the exfiltration and encryption tasking.

Executive Summary

During our investigation of a recent ransomware incident attributed to the malware known as AstraLocker, we observed a carefully orchestrated attack chain that ran from initial access through encryption and its aftermath. The tactics and techniques employed showed a methodical progression through infection, credential theft, lateral movement and, after the encryption of critical systems, data exfiltration.

Initial Access

Our analysis revealed a twofold initial access vector. First, the actors sent phishing emails carrying malicious attachments disguised as legitimate documents (T1566.001 – Phishing: Spearphishing Attachment); opening the attachment executed the malware. Second, the attackers brute-forced credentials for Remote Desktop Protocol (RDP) services exposed to the internet (T1110 – Brute Force) and then logged on with the guessed credentials (T1078 – Valid Accounts), gaining unauthorized access to several endpoints in the environment.

Execution & Persistence

Once access was gained, the sample we examined relied on T1203 – Exploitation for Client Execution to run its payload. The malware was configured to establish persistence through several means. Most significant were the creation of scheduled tasks referencing C:\tasks\taskname (T1053.005 – Scheduled Task) and the addition of a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001 – Registry Run Keys). Because this key is per-user, the malware re-executed at each logon of the compromised user rather than at boot.

Command and Control

The command and control (C2) infrastructure observed during this incident was notably complex. The actors used fast-flux domains, rotating the DNS records for each domain through a pool of frequently changing IP addresses so that blocking any single address had little effect. Our investigation uncovered beacons to these domains at regular intervals, consistent with T1071.001 – Application Layer Protocol: Web Protocols, which hides C2 traffic among legitimate web requests. Specifically, we observed plain HTTP on port 80 and HTTPS on port 443; the TLS-encrypted connections on 443 prevented inspection of the command content, so the beaconing pattern itself was the main network indicator.
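The regular-interval beaconing described above is detectable from proxy or flow logs without decrypting the traffic. The following is an added example, not code from the original report or from the AstraLocker investigation: it groups requests by client and destination host and flags pairs whose inter-request gaps are numerous and nearly constant (low coefficient of variation). The log format, the host names and the sample lines are all constructed for the example; a real implant may add jitter, which is why `max_cv` is a tuning parameter rather than a fixed rule.

```python
"""Beacon-period detection over web proxy logs (added example, not from the
original report).

Assumptions (not in the report): proxy log lines have the form
    <ISO-8601 timestamp> <client-ip> <method> <host>:<port> <bytes>
and the sample lines produced by sample_proxy_log() are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, client, _method, hostport, size = line.split()
    host, port = hostport.rsplit(":", 1)
    return datetime.fromisoformat(ts), client, host, int(port), int(size)


def find_beacons(lines, min_count=8, max_cv=0.2):
    """Return [(client, host, period_seconds, cv)] for client->host pairs whose
    connection intervals are both numerous and nearly constant.

    The coefficient of variation (stdev / mean of the gaps between requests)
    is close to 0 for a timer-driven implant and large for human browsing.
    """
    times = defaultdict(list)
    for line in lines:
        ts, client, host, _port, _size = parse_line(line)
        times[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append((client, host, round(period, 1), round(cv, 3)))
    return hits


def sample_proxy_log():
    """Constructed sample: one host beaconing every 60 s (with up to 3 s of
    jitter) and one user browsing at irregular intervals. Names and
    addresses are placeholders, not indicators from the incident."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=60 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.25 POST update-cdn.example:443 512")
    browse = [0, 4, 9, 75, 80, 200, 203, 260, 900, 905]
    for off in browse:
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.40 GET news.example:443 18231")
    return lines


if __name__ == "__main__":
    for client, host, period, cv in find_beacons(sample_proxy_log()):
        print(f"possible beacon: {client} -> {host} every ~{period}s (cv={cv})")
```

Run over a day of proxy logs, the same logic will also surface legitimate timer-driven traffic (update checks, telemetry), so the output is a hunting lead to be enriched with destination reputation and the requesting process, not an alert on its own.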

Lateral Movement & Discovery

For lateral movement, the operators first ran Mimikatz on compromised systems to dump credentials from memory (T1003 – OS Credential Dumping). They then used those credentials to reach additional machines over RDP (T1021.001 – Remote Services: Remote Desktop Protocol). This let them traverse the network in search of high-value systems, chiefly those holding finance and personal data. Notably, they enumerated network resources and browsed file shares to identify sensitive data before deploying the ransomware.

Impact & Objectives

The ultimate goal of the AstraLocker actors was to encrypt valuable data and demand a ransom from the organization, causing operational disruption (T1486 – Data Encrypted for Impact). After deploying the ransomware component, the attackers left a ransom note (commonly found at C:\ransom\readme.txt) with payment instructions. The encryption was broad in scope, covering the file types on which business operations depend, which amplified the urgency of recovery actions.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: malicious attachments disguised as legitimate documents.
  • T1110 – Brute Force: password guessing against internet-exposed RDP.
  • T1078 – Valid Accounts: logons with the brute-forced credentials.
  • T1203 – Exploitation for Client Execution: execution when the phishing attachment is opened.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: scheduled tasks created for persistence.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys: value added under the HKCU Run key.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTP/HTTPS beaconing to fast-flux C2 domains.
  • T1003 – OS Credential Dumping: Mimikatz run on compromised hosts.
  • T1021.001 – Remote Services: Remote Desktop Protocol: RDP used for lateral movement.
  • T1486 – Data Encrypted for Impact: encryption of business-critical files followed by a ransom note.

Detection Opportunities

  • Monitor RDP logon activity: repeated Security event 4625 (failed logon) with logon type 10 from addresses outside the corporate ranges, and especially a 4624 success from the same source afterwards.
  • Implement endpoint detection rules that flag known malicious file hashes associated with AstraLocker, and alert on any process that is launched from a Run-key value or scheduled task and then opens a network connection.
  • Audit scheduled task creation (Security event 4698) and writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Sysmon event 13), and baseline them so that new entries stand out.
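The detection opportunities above can be expressed as simple rules over parsed Windows events. The following is an added example, not code from the original report: it implements the RDP brute-force-then-success rule and the two persistence rules over a constructed set of Security and Sysmon records. The event dictionaries, their field names and the sample values are assumptions modelled on how a SIEM exposes the logs; the corporate address space is assumed to be RFC 1918; 203.0.113.0/24 is the documentation range, not a real attacker address.

```python
"""Detection rules over constructed Windows events (added example, not part
of the original report).

Assumptions (not in the report): events are dicts as a SIEM would expose
them after parsing the Security and Sysmon channels; internal hosts live in
RFC 1918 space; every record in sample_events() is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Sysmon reports HKCU as HKU\<SID>, so match on the key suffix, not the hive.
RUN_KEY_SUFFIXES = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def is_external(ip):
    """True when the address is outside the (assumed RFC 1918) corporate ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_bruteforce(events, threshold=5):
    """Flag an external source that fails RDP logon (Security 4625, LogonType
    10 = RemoteInteractive) at least `threshold` times and then succeeds
    (4624). Events are assumed to be in chronological order."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.get("Channel") != "Security" or ev.get("LogonType") != 10:
            continue
        src = ev.get("IpAddress", "")
        if not src or not is_external(src):
            continue
        if ev["EventID"] == 4625:
            failures[src] += 1
        elif ev["EventID"] == 4624 and failures[src] >= threshold:
            alerts.append({"rule": "rdp_bruteforce_then_success", "src": src,
                           "user": ev.get("TargetUserName"),
                           "failures": failures[src]})
            failures[src] = 0
    return alerts


def persistence_changes(events):
    """Flag scheduled-task creation (Security 4698) and registry value writes
    under a user's Run / RunOnce key (Sysmon 13)."""
    alerts = []
    for ev in events:
        if ev.get("Channel") == "Security" and ev["EventID"] == 4698:
            alerts.append({"rule": "scheduled_task_created",
                           "task": ev.get("TaskName"),
                           "user": ev.get("SubjectUserName")})
        elif ev.get("Channel") == SYSMON and ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            if any(s in target.lower() for s in RUN_KEY_SUFFIXES):
                alerts.append({"rule": "run_key_value_set", "key": target,
                               "data": ev.get("Details"),
                               "image": ev.get("Image")})
    return alerts


def sample_events():
    """Constructed records: six RDP failures then a success from one external
    address, three internal failures (no alert), one task creation, one
    Run-key write, and one unrelated registry write."""
    def sec(eid, **fields):
        return dict(Channel="Security", EventID=eid, **fields)

    def sysmon(eid, **fields):
        return dict(Channel=SYSMON, EventID=eid, **fields)

    sid = "HKU\\S-1-5-21-1111-2222-3333-1001"
    events = [sec(4625, LogonType=10, IpAddress="203.0.113.7",
                  TargetUserName="admin") for _ in range(6)]
    events += [sec(4625, LogonType=10, IpAddress="10.0.0.9",
                   TargetUserName="jsmith") for _ in range(3)]
    events.append(sec(4624, LogonType=10, IpAddress="203.0.113.7", TargetUserName="admin"))
    events.append(sec(4624, LogonType=10, IpAddress="10.0.0.9", TargetUserName="jsmith"))
    events.append(sec(4698, TaskName="\\Updater", SubjectUserName="admin"))
    events.append(sysmon(13, Image="C:\\Users\\admin\\AppData\\Roaming\\svc.exe",
                         TargetObject=sid + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
                         Details="C:\\Users\\admin\\AppData\\Roaming\\svc.exe"))
    events.append(sysmon(13, Image="C:\\Windows\\explorer.exe",
                         TargetObject=sid + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
                         Details="DWORD (0x00000001)"))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for alert in rdp_bruteforce(evs) + persistence_changes(evs):
        print(alert)
```

The brute-force rule keys only on failures followed by a success from the same external source; on a real estate the failure threshold and the definition of "internal" need tuning, and the Run-key rule should be paired with an allow-list of known software installers, which write to the same key legitimately.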

Analyst Notes

This comprehensive investigation of the AstraLocker ransomware highlights the importance of vigilance in monitoring for both initial access patterns and subsequent lateral movement tactics. By leveraging threat intelligence data and enhancing detection capabilities, organizations can fortify their defenses against similar future attacks.

Source: Original Report