Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The ransomware identified employs sophisticated lateral movement techniques to spread within a network.
- Indicators of compromise (IOCs) include specific file hashes and communication patterns indicative of Command and Control (C2) infrastructure.
- Vulnerability exploitation is a key initial access vector, targeting outdated software installations within the environment.
Executive Summary
During our investigation of the recent ransomware attack, we observed a multifaceted approach characterized by initial access, lateral movement, and targeted encryption of critical files. The malware demonstrated adaptability by leveraging common vulnerabilities, allowing it to infiltrate the network unnoticed. This post delves into the specifics of the attack methods utilized, the infrastructure of the threat actor, and the implications for organizational cybersecurity posture.
Initial Access
Our analysis revealed that the initial access vector was tied to the exploitation of a known vulnerability in a widely used software platform. The threat actor deployed a custom exploit that targeted CVE-2023-XXXXX, which allowed for remote code execution on unpatched systems. Reconnaissance efforts were evident through log analysis showing multiple attempts to access the https://vulnerable.service/api endpoint over a span of several nights, culminating in a successful breach. The employed payload, identified as SomeRansomware v1.2, was observed being delivered through a malicious Word document that incorporated exploit methods.
Execution & Persistence
Post-exploitation, the malware initiated a series of commands to establish persistence. The implant created registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, specifically adding an entry for SomeRansomware Loader. It also wrote a DLL to C:\Users\Public\Documents\malicious.dll, scheduled to load every time the user logged in. We observed the implant communicating with its C2 server, confirming its connectivity shortly after execution.
Command and Control
The Command and Control (C2) infrastructure utilized by the actor was intricate. Traffic analysis revealed that the malware beaconed to http://malicious-c2-server.com/api/v1, employing HTTPS for encryption to obfuscate the nature of the communication. Reverse DNS lookups returned dynamic IP addresses rented from various ISPs to avoid detection. Our findings indicated that these C2 servers were operational for roughly three weeks before being taken offline, illustrating a typical tactic where the operators shift infrastructure to evade cybersecurity efforts.
Lateral Movement & Discovery
Once established, the malware employed T1075 – Pass the Hash techniques to facilitate lateral movement within the network. Credential dumping tools associated with the payload extracted Windows credentials from memory, allowing access to additional systems which had comparable vulnerabilities. We tracked lateral movement indicators, including repeated login attempts to \\TargetMachine\C$ shares, and observed that the actor utilized native Windows utilities like PsExec to execute the ransomware across multiple endpoints simultaneously. The attack escalated privileges through T1068 – Exploitation for Elevation of Privilege on several machines.
Impact & Objectives
Ultimately, the primary objective of the ransomware was to encrypt critical organizational data, demanding ransom payments in cryptocurrencies such as Bitcoin. Our investigation indicated that the malware targeted files on shared drives and critical databases, with encryption routines observed that utilized a hybrid RSA/AES mechanism, rendering files irretrievable without the proper decryption keys. The impact extended beyond immediate data loss; operational disruptions affected multiple departments, resulting in significant financial repercussions and reputational damage.
MITRE ATT&CK Mapping
- T1071 – Application Layer Protocol: Generated traffic over common protocols to evade detection.
- T1110 – Brute Force: Authenticated multiple times against various accounts using harvested credentials.
- T1486 – Data Encrypted for Impact: Encrypted files to demand ransom from the organization.
Detection Opportunities
- Monitoring for abnormal outbound connections to known malicious domains could help identify initial C2 communication.
- Implementing behavioral analytics to track unusual registry changes related to startup programs can reveal persistence mechanisms.
- Utilizing endpoint detection and response (EDR) solutions to analyze execution patterns of known malicious processes like SomeRansomware can surface the payload at execution time.
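The detection opportunities above, together with the repeated probing of the /api endpoint (Initial Access) and the repeated C$ share logons (Lateral Movement), can be turned into simple rules over endpoint and network telemetry. The script below is an added example and is not code from the original report: the event schema (one dict per event with a "type" field), the sample records and the thresholds are assumptions made for the illustration; only the IOC values (the C2 hostname, the HKCU Run key and its "SomeRansomware Loader" entry, the DLL path, the \\TargetMachine\C$ share and the /api endpoint) are taken from the report.

```python
"""Detection pass over constructed security events for the IOCs in this report.

Added example, not code from the original report. The event schema and the
sample records below are assumptions; only the IOC values come from the report.
"""
from collections import Counter, defaultdict

# --- IOC values taken from the report -------------------------------------
C2_HOSTS = {"malicious-c2-server.com"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RECON_PATH = "/api"                 # endpoint probed repeatedly before the breach

# --- Assumed thresholds (tune to the environment) --------------------------
SHARE_THRESHOLD = 3                 # accesses to one admin share from one source
RECON_DAY_THRESHOLD = 2             # distinct days a source hits the endpoint

# --- Constructed sample events (assumed schema, one dict per event) ---------
SAMPLE_EVENTS = [
    {"type": "web", "src": "203.0.113.5", "path": "/api", "status": 401, "day": "2023-10-01"},
    {"type": "web", "src": "203.0.113.5", "path": "/api", "status": 401, "day": "2023-10-02"},
    {"type": "web", "src": "203.0.113.5", "path": "/api", "status": 200, "day": "2023-10-03"},
    {"type": "web", "src": "198.51.100.9", "path": "/healthz", "status": 200, "day": "2023-10-01"},
    {"type": "network", "host": "ws01", "dest_host": "updates.example-vendor.test", "dest_port": 443},
    {"type": "network", "host": "ws01", "dest_host": "MALICIOUS-C2-SERVER.com", "dest_port": 443},
    {"type": "registry", "host": "ws01", "key": RUN_KEY, "value_name": "SomeRansomware Loader",
     "data": r"C:\Users\Public\Documents\malicious.dll"},
    {"type": "registry", "host": "ws01", "key": r"HKEY_CURRENT_USER\Software\Example",
     "value_name": "Theme", "data": "dark"},
    {"type": "share", "src": "ws01", "share": r"\\TargetMachine\C$", "user": "jdoe"},
    {"type": "share", "src": "ws01", "share": r"\\TargetMachine\C$", "user": "jdoe"},
    {"type": "share", "src": "ws01", "share": r"\\TargetMachine\C$", "user": "jdoe"},
    {"type": "share", "src": "ws02", "share": r"\\FileServer\Public", "user": "jdoe"},
]


def detect_c2_beacons(events):
    """Outbound connections whose destination hostname is on the IOC list
    (compared case-insensitively, since DNS names are not case-sensitive)."""
    return [e for e in events
            if e["type"] == "network" and e["dest_host"].lower() in C2_HOSTS]


def detect_run_key_persistence(events):
    """Values written directly under the HKCU Run key (startup persistence)."""
    return [e for e in events
            if e["type"] == "registry" and e["key"].lower() == RUN_KEY.lower()]


def detect_admin_share_bursts(events, threshold=SHARE_THRESHOLD):
    """(source, share) pairs with at least `threshold` accesses to an
    administrative share (name ending in '$'), e.g. \\\\host\\C$."""
    counts = Counter((e["src"], e["share"].lower()) for e in events
                     if e["type"] == "share" and e["share"].endswith("$"))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def detect_endpoint_recon(events, path=RECON_PATH, day_threshold=RECON_DAY_THRESHOLD):
    """Sources that requested the probed endpoint on at least `day_threshold`
    distinct days, regardless of HTTP status (the report saw repeated attempts
    over several nights before one succeeded)."""
    days = defaultdict(set)
    for e in events:
        if e["type"] == "web" and e["path"] == path:
            days[e["src"]].add(e["day"])
    return {src: sorted(d) for src, d in days.items() if len(d) >= day_threshold}


def run_detections(events):
    """Run every detector and return findings keyed by detector name."""
    return {
        "c2_beacon": detect_c2_beacons(events),
        "run_key_persistence": detect_run_key_persistence(events),
        "admin_share_burst": detect_admin_share_bursts(events),
        "endpoint_recon": detect_endpoint_recon(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

Each detector is deliberately narrow so that a single finding maps back to one section of the report; in a real deployment the thresholds would be tuned against baseline traffic, and the Run key rule would be extended to the HKLM Run keys and the RunOnce variants rather than the one key named here.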
Analyst Notes
The emergence of this sophisticated ransomware underscores the necessity for organizations to regularly conduct vulnerability assessments and patching cycles. The utilization of known exploits emphasizes the criticality of maintaining an updated inventory of software deployments. Additionally, user education regarding phishing vectors remains paramount in mitigating initial access challenges. Future investigations would benefit from thorough log analysis to identify signs of lateral movement earlier in the attack chain.
Source: Original Report