Nina Kovacs — Exploit Research Analyst
Key Takeaways
- Sunshine Ransomware employs sophisticated obfuscation techniques to evade detection.
- Initial access was achieved via targeted phishing emails with malicious attachments.
- The malware uses advanced lateral movement strategies to propagate across the network.
Executive Summary
During our investigation into the Sunshine Ransomware attack, we uncovered a well-orchestrated campaign targeting corporate environments. The analysis of the malware sample revealed that the initial access point was a phishing email containing a malicious Excel document. This document, once opened, executed macros that triggered the download of the ransomware payload, allowing the actor to gain a foothold.
Initial Access
The initial entry vector involved the use of a highly personalized phishing email sent to employees of the targeted organization. Our analysis determined that this email was crafted to appear as a legitimate request from the HR department. The attachment, a benign-looking Excel file named Employee_Annual_Review.xlsx, carried embedded macros designed to execute PowerShell commands. Once the user enabled macros, the embedded code executed, utilizing the T1090 – Connection Proxy technique to download the actual ransomware payload from a remote server.
Execution & Persistence
Upon successful execution, the Sunshine Ransomware leveraged a PowerShell script to establish persistence. It created a scheduled task at C:\Windows\Tasks\Sunshine_Ransomware_Task that ensured the malware would execute on system boot. Additionally, the sample we examined showed manipulation of the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, creating an autostart entry that pointed to the ransomware binary. This allowed the actor to maintain access even after system reboots.
Command and Control
Our investigation of the command and control (C2) communication revealed a structured communication methodology. The ransomware utilized encrypted HTTP requests to a domain that was dynamically generated with each execution, complicating detection efforts. The initial C2 callback was found to occur shortly after the payload was executed, indicating that the actor was eager to confirm the ransom note deployment. Under the hood, we identified the use of T1071.001 – Application Layer Protocol: Web Protocols as the primary method for C2 communication, which lets the callbacks blend in with ordinary web traffic.
Lateral Movement & Discovery
Following execution, Sunshine Ransomware implemented several lateral movement techniques. Utilizing T1210 – Exploitation of Remote Services, the malware attempted to exploit SMB vulnerabilities on neighboring workstations. Our analysis revealed multiple connection attempts to shared administrative shares using stolen credentials harvested during the initial execution phase. Furthermore, we noted the creation of Windows Management Instrumentation (WMI) events to enumerate network services and open connections, allowing the actor to gather information for further lateral movement.
Impact & Objectives
The overarching goal of the Sunshine Ransomware campaign was financial gain through extortion. Once the ransomware executed, it began encrypting critical files across the network, including databases and shared drives, rendering essential business operations impossible. The ransom note, which was dropped in every affected directory, demanded payment in cryptocurrency to recover the encrypted data. The actor succeeded in causing significant disruption, leading to financial losses and reputational damage for the targeted organization.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Ransomware used encrypted HTTP for command and control communications.
- T1090 – Connection Proxy: Utilized PowerShell to establish a connection to the remote C2 server.
- T1210 – Exploitation of Remote Services: Attempted to exploit SMB vulnerabilities for lateral movement.
Detection Opportunities
- Monitor for unusual outbound HTTP/HTTPS traffic, particularly to newly seen or dynamically generated domains, since the C2 domain changes with each execution.
- Implement behavior-based detection for suspicious PowerShell command execution patterns.
- Watch for changes to scheduled tasks and registry keys associated with persistence mechanisms.
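As an added example that is not part of the original report, the following Python sketch turns the detection opportunities above into rules run over constructed, Sysmon-style event records; the field names, paths and sample values are assumptions for illustration, not indicators from the investigation.

```python
import re

# Detection rules for the artifacts described in this report (added example).
# Event dicts mimic Sysmon-style fields; the shapes and values are assumptions.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TASK_DIR = "C:\\Windows\\Tasks\\"
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
SUSPICIOUS_PS = re.compile(r"-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*", re.I)

# Constructed sample telemetry; file names and paths are illustrative, not IoCs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
    {"id": 2, "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 3, "type": "registry_set", "key": RUN_KEY + r"\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\sunshine.exe"},
    {"id": 4, "type": "file_create", "path": TASK_DIR + "Sunshine_Ransomware_Task"},
    {"id": 5, "type": "file_create", "path": r"C:\Users\alice\Documents\report.docx"},
]

def is_powershell(ev):
    return ev["type"] == "process_create" and ev["image"].lower().endswith("powershell.exe")

RULES = {
    # Office application spawning PowerShell: the macro-to-payload step from Initial Access.
    "office_spawns_powershell": lambda ev: is_powershell(ev)
        and ev["parent"].lower().endswith(OFFICE_APPS),
    # Hidden/encoded/no-profile PowerShell: the behavioural pattern named above.
    "suspicious_powershell_flags": lambda ev: is_powershell(ev)
        and SUSPICIOUS_PS.search(ev["cmdline"]) is not None,
    # New autostart value under the HKCU Run key: the persistence entry from Execution & Persistence.
    "run_key_autostart": lambda ev: ev["type"] == "registry_set"
        and ev["key"].lower().startswith(RUN_KEY.lower()),
    # Task file written under C:\Windows\Tasks: the scheduled-task persistence artifact.
    "task_file_created": lambda ev: ev["type"] == "file_create"
        and ev["path"].lower().startswith(TASK_DIR.lower()),
}

def detect(events):
    """Return (rule_name, event_id) pairs for every rule that fires on an event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, eid in detect(SAMPLE_EVENTS):
        print(f"event {eid}: {name}")
```

In a real deployment the parent/child process rule is the highest-signal of the four, because benign Office sessions almost never launch PowerShell, whereas Run-key and task-file writes need an allowlist of expected installers to keep noise down.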
Analyst Notes
Our analysis of the Sunshine Ransomware underscores the importance of user training and awareness when dealing with unsolicited emails. Additionally, organizations must implement stringent monitoring and anomaly detection mechanisms, particularly focusing on traffic patterns that deviate from the norm. Given the evolving nature of ransomware threats, staying informed on the latest TTPs and adjustments to defensive strategies is crucial for cybersecurity resilience.