Detecting Ransomware Precursors

by Andrew Skatoff


The business model for ransomware has evolved to include multi-level and multi-stage services and toolkits. Initial access is often accomplished by a 1st-stage compromise, followed by a 2nd-stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of maximum impact. At this point the attack often looks like any other infiltration. However, several techniques are commonly observed just prior to ransomware execution. In this post I’ll provide examples of these detectable behaviors, which you can use to build SIEM alerts and threat hunting logic. Detecting these patterns (in near real time) will give you an advantage in understanding what kind of threat you are facing and which devices have been impacted when the inevitable emergency phone calls start coming in.

Caveat 1: Alerting on this activity is a LAST line of defense. Truthfully, if you catch a real bad guy with these, you’re likely going to have a terrible couple of weeks. If you don’t already have a robust set of other detection rules for the 1st and 2nd stages, PLEASE don’t start here. This is the last chance to alert and will most likely be only of forensic value, since these often occur minutes before ransomware is deployed. If you’re lucky, you’ll have a chance to identify and isolate the impacted devices before the attack spreads further.

Caveat 2: The commands below assume two things:
1. you are monitoring process execution and associated command lines, and
2. the commands are in plain text and not encoded via PowerShell or otherwise obscured (e.g. passed via API). If they are, and you have a robust EDR solution or script block logging enabled, you may still be able to see the decoded/hidden commands.

Note that some of these techniques are detectable via other means (e.g. registry monitoring); where that is the case I’ve mentioned it in the “Notes” for the relevant technique below. Always test your rules with adversary emulation techniques!

Goal 1: Profile and Disable Protections
These actions aim to evade or disable prevention and detection tools, whether by disabling antivirus processes or by changing system settings.

Each entry below gives the SubGoal, the Notional Command Logic, Examples, and Notes.

SubGoal: Recon for security tools via WMI
Notional Command Logic:
select * AntivirusProduct
OR select * AntispywareProduct
OR select * FirewallProduct
Examples:
wmic select * antivirus
wmic select * antispyware
Notes: ‘*’ in these commands is literal. In every other example which follows, it is NOT literal. wmic.exe is commonly used, but a few alternative processes are worth including: scrcons.exe, cmd.exe, winrm.exe, winrs.exe, wmiprvse.exe, cscript.exe, wscript.exe, powershell.exe.

SubGoal: Disable security tools via service stop/delete/config
Notional Command Logic:
net stop *
OR sc stop *
OR sc delete *
OR sc config * disabled
Examples (MS Firewall service, MS Defender, and Windows Update Service):
sc config MpsSvc start= disabled
sc config WinDefend start= disabled
sc config wuauserv start= disabled
net stop MpsSvc
net stop WinDefend
net stop wuauserv
sc stop MpsSvc
sc stop WinDefend
sc stop wuauserv
sc delete MpsSvc
sc delete WinDefend
sc delete wuauserv
Notes: Design your search logic with your own relevant tools and processes unique to your environment.
https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload
Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)

SubGoal: Disable Windows firewall via netsh
Notional Command Logic:
netsh firewall set opmode mode=disable
OR netsh Advfirewall set allprofiles state off
Examples:
netsh ipsec static set policy name=Bastards assign=y
cmd /c net stop SharedAccess
cmd /c netsh firewall set opmode mode=disable
cmd /c netsh Advfirewall set allprofiles state off
Notes: Disabling firewalls may assist with lateral movement and C2.
https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload

SubGoal: Disable MS Defender AV via PowerShell
Notional Command Logic:
powershell Set-MpPreference -Disable*
OR powershell Add-MpPreference -Exclusion*
Examples:
powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableBehaviorMonitoring $true
powershell Add-MpPreference -ExclusionPath C:\
Add-MpPreference -ExclusionExtension ".exe"
Notes: These commands disable elements of MS Defender or set exclusion parameters to evade detection.
Event ID 5001 may be monitored to detect Defender AV real-time protection being disabled.
Event ID 5007 may be monitored to detect Defender configuration changes.
Monitoring this registry key will also help with detection:
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

SubGoal: Relax filesystem ACLs
Notional Command Logic:
icacls* *grant*
Examples:
C:\Windows\system32\icacls.exe C:\Windows\system32\Id.exe /reset
CACLS "D:\WpSystem" /grant Administratoren:F /T
icacls "C:\*" /grant Everyone:F /T /C /Q
icacls "D:\*" /grant Everyone:F /T /C /Q
Notes: Relaxing filesystem ACLs allows the malware to access all files.
https://redcanary.com/blog/ryuk-ransomware-attack/

SubGoal: Take ownership of files with takeown.exe
Notional Command Logic:
takeown.exe * /F *
Example:
TAKEOWN /S system /U user /P password /F Myshare*
Notes: Taking ownership of files allows the malware to access all files.
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

SubGoal: Clear event logs to cover tracks
Notional Command Logic:
wevtutil* cl *
Examples:
wevtutil.exe cl Application
wevtutil.exe cl Security
wevtutil.exe cl System
FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")
Notes: Erasing events in the event logs is an anti-forensic technique.
https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf
Additional detection possibilities:
– Security EventID 1102; event log cleared
– System EventID 104; any event log was cleared

SubGoal: Delete USN Journal
Notional Command Logic:
fsutil usn deletejournal
Examples:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
fsutil usn deletejournal /D C:
Notes: The USN Journal keeps a log of all filesystem changes on NTFS volumes; deleting the journal is an anti-forensic technique.
https://medium.com/cert-advisory/what-you-should-absolutely-know-about-petya-and-misha-ransomware-attack-goldeneye-ransomware-8c3f8883fb8
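As an added example (not code from the post or its author), the following Python matcher turns the Goal 1 “Notional Command Logic” patterns above into regexes, decodes a PowerShell -EncodedCommand argument before matching (the situation Caveat 2 describes), and runs over a handful of constructed process-creation records. The rule names, the record field names and the sample command lines are assumptions made for the example; the patterns themselves are the ones in the table.

```python
import base64
import re

# Hypothetical rule table built from the post's Goal 1 "Notional Command Logic"
# column (not the author's own code). '*' is a wildcard in every row except the
# WMI row, where it is the literal 'select *' of WQL.
GOAL1_RULES = {
    "recon-security-tools-wmi": [
        "select * AntivirusProduct",
        "select * AntispywareProduct",
        "select * FirewallProduct",
    ],
    "disable-service": ["net stop *", "sc stop *", "sc delete *", "sc config * disabled"],
    "disable-firewall-netsh": [
        "netsh firewall set opmode mode=disable",
        "netsh advfirewall set allprofiles state off",
    ],
    "tamper-defender": ["Set-MpPreference -Disable*", "Add-MpPreference -Exclusion*"],
    "relax-acls": ["icacls* *grant*", "cacls* *grant*"],
    "takeown": ["takeown* /F *"],
    "clear-eventlogs": ["wevtutil* cl *"],
    "delete-usn-journal": ["fsutil usn deletejournal*"],
}
LITERAL_STAR_RULES = {"recon-security-tools-wmi"}

# PowerShell accepts -e, -ec, -enc or -EncodedCommand followed by base64 of the
# UTF-16LE script text; this covers those common spellings.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def notional_to_regex(pattern, literal_star=False):
    """Compile one notional pattern. Wildcard rows: '*' -> '.*'. Literal-star
    rows: match each whitespace-separated token (including '*') in order."""
    if literal_star:
        body = ".*".join(re.escape(tok) for tok in pattern.split())
    else:
        body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)


def build_rules(table=GOAL1_RULES):
    return [(name, notional_to_regex(p, name in LITERAL_STAR_RULES))
            for name, patterns in table.items() for p in patterns]


def decode_encoded_powershell(cmdline):
    """Replace an -EncodedCommand argument with its decoded script text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + script


def normalize(cmdline):
    """Decode, drop quotes and '.exe' suffixes and collapse whitespace, so the
    notional 'net stop *' also hits the '"net.exe" stop' form seen in reports."""
    cmd = decode_encoded_powershell(cmdline).replace('"', "")
    cmd = re.sub(r"\.exe\b", "", cmd, flags=re.IGNORECASE)
    return " ".join(cmd.split())


def match_command(cmdline, rules=None):
    """Sorted list of rule names that fire for one command line."""
    rules = rules if rules is not None else build_rules()
    norm = normalize(cmdline)
    return sorted({name for name, rx in rules if rx.search(norm)})


def scan_events(events, rules=None):
    """(Computer, CommandLine, [rule names]) for every record that fires."""
    rules = rules if rules is not None else build_rules()
    hits = []
    for ev in events:
        names = match_command(ev["CommandLine"], rules)
        if names:
            hits.append((ev["Computer"], ev["CommandLine"], names))
    return hits


# Constructed sample records shaped like Sysmon Event ID 1 / Security 4688 fields.
# The encoded command is built here so the example stays self-contained.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine": "cmd /c netsh advfirewall set allprofiles state off"},
    {"Computer": "WS01", "CommandLine": "powershell -nop -w hidden -enc " + ENCODED},
    {"Computer": "WS01", "CommandLine": "sc config WinDefend start= disabled"},
    {"Computer": "FS02", "CommandLine": '"icacls" "D:\\*" /grant Everyone:F /T /C /Q'},
    {"Computer": "FS02", "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "WS01", "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"Computer": "WS03", "CommandLine": "powershell Get-WmiObject -Namespace root\\SecurityCenter2 "
                                        '-Query "select * from AntivirusProduct"'},
]

if __name__ == "__main__":
    for computer, cmd, names in scan_events(SAMPLE_EVENTS):
        print(f"{computer}: {names} <- {cmd[:70]}")
```

The normalization step matters more than the patterns: written literally, “net stop *” never matches the quoted “net.exe” stop form that appears in the Ryuk report later in this post, and an encoded PowerShell argument would hide the Set-MpPreference call entirely unless it is decoded (or script block logging supplies the decoded text).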

Goal 2: Impair Recovery
These actions aim to limit the victim’s options for stopping the malware and recovering from the loss of data. ATT&CK: Inhibit System Recovery (T1490).

Each entry below gives the SubGoal, the Notional Command Logic, Examples, and Notes.

SubGoal: Prevent system from booting into safe mode
Notional Command Logic:
bcdedit /set {default} bootstatuspolicy ignoreallfailures
OR bcdedit /set {default} recoveryenabled no
Examples:
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
Notes: Prevents startup in repair mode and safe mode.
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

SubGoal: Enforce use of safe mode
Notional Command Logic:
reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\*
Example:
reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan
Notes: Upon execution of Snatch ransomware, it will install itself as a Windows service named “SuperBackupMan” and create the registry key shown in the example to ensure it will start up during bootup into Safe Mode.
https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365
Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.

SubGoal: Disable Task Manager
Notional Command Logic:
reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System * DisableTaskMgr *
Example:
reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Notes: Limits the user’s ability to profile and kill tasks.
https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/
Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.

SubGoal: Delete shadow copies
Notional Command Logic:
wmic shadowcopy delete *
OR vssadmin delete shadows *
OR vssadmin resize shadowstorage *
OR powershell Get-WmiObject Win32_ShadowCopy *
Examples:
Vssadmin.exe Delete Shadows /All /Quiet
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
powershell Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
powershell Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Notes: This is one of THE most prevalent techniques seen in all ransomware families.
https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/
https://resources.infosecinstitute.com/topic/ransomware-deletion-methods-and-the-canary-in-the-coal-mine/
For vssadmin techniques, we now have a preventative option as well.
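The Notes in the Goal 1 and Goal 2 tables point at telemetry other than command lines: service-control events 7036/7040, the 1102/104 log-cleared events, Defender operational events 5001/5007, and registry writes under the Defender Exclusions key, SafeBoot\Minimal and the DisableTaskMgr policy value. The following added Python example (not the author’s code) classifies a batch of constructed, flattened Windows and Sysmon events against those indicators, which is what catches a `reg add` done through the API rather than the command line. The simplified field names, the use of Sysmon event IDs 12 and 13 (registry key create and value set) and the inclusion of SafeBoot\Network next to Minimal are assumptions of the example, not from the post.

```python
import re

# Services the post's Goal 1 examples target (firewall, Defender, Windows Update).
# Extend with the security tooling of your own environment.
PROTECTED_SERVICES = {"mpssvc", "windefend", "wuauserv"}

# Registry locations named in the post's notes. SafeBoot\Network is the second
# Safe Mode service list and is an addition of this example; the post names Minimal.
REGISTRY_RULES = [
    ("safeboot-service-entry", re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    ("task-manager-disabled", re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    ("defender-exclusion", re.compile(r"\\Windows Defender\\Exclusions\\", re.I)),
]


def classify_event(ev):
    """Return a detection name for one flattened event, or None if it is benign."""
    log, eid = ev.get("Log", ""), ev.get("EventID")
    service = ev.get("ServiceName", "").lower()
    if log == "System" and eid == 7040:
        if ev.get("StartType", "").lower() == "disabled" and service in PROTECTED_SERVICES:
            return "security-service-start-disabled"
    if log == "System" and eid == 7036:
        if ev.get("State", "").lower() == "stopped" and service in PROTECTED_SERVICES:
            return "security-service-stopped"
    if log == "Security" and eid == 1102:
        return "security-log-cleared"
    if log == "System" and eid == 104:
        return "event-log-cleared"
    if log.endswith("Windows Defender/Operational"):
        if eid == 5001:
            return "defender-realtime-disabled"
        if eid == 5007:
            return "defender-config-changed"
    if log.endswith("Sysmon/Operational") and eid in (12, 13):
        for name, rx in REGISTRY_RULES:
            if rx.search(ev.get("TargetObject", "")):
                return name
    return None


def triage(events):
    """Run classify_event over a batch; returns (Computer, EventID, detection) per hit."""
    hits = []
    for ev in events:
        verdict = classify_event(ev)
        if verdict:
            hits.append((ev.get("Computer", "?"), ev["EventID"], verdict))
    return hits


# Constructed events in a simplified, flattened form. Field names follow the
# usual Windows/Sysmon names; the values are made up for this example.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Log": "System", "EventID": 7040, "ServiceName": "WinDefend", "StartType": "disabled"},
    {"Computer": "WS01", "Log": "System", "EventID": 7040, "ServiceName": "Spooler", "StartType": "auto start"},
    {"Computer": "WS01", "Log": "System", "EventID": 7036, "ServiceName": "WinDefend", "State": "stopped"},
    {"Computer": "FS02", "Log": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"Computer": "WS01", "Log": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
    {"Computer": "WS03", "Log": SYSMON, "EventID": 13, "Details": "Service",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SuperBackupMan\\(Default)"},
    {"Computer": "WS03", "Log": SYSMON, "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"},
    {"Computer": "WS01", "Log": SYSMON, "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\"},
    {"Computer": "WS01", "Log": SYSMON, "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
]

if __name__ == "__main__":
    for computer, eid, verdict in triage(SAMPLE_EVENTS):
        print(f"{computer} event {eid}: {verdict}")
```

Pairing these with the command-line rules gives two independent chances at each technique: the command-line rule names the tool and its arguments, while the event-based rule fires on the effect regardless of how it was produced.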

Goal 3: Unlock files in use
These actions aim to ensure the most damage by allowing the ransomware to encrypt even files which may be in use. Killing tasks which have files locked open is key to ensuring they are editable by the ransomware.

Each entry below gives the SubGoal, the Notional Command Logic, Examples, and Notes.

SubGoal: Kill processes with taskkill
Notional Command Logic:
taskkill* /IM *
Examples:
"taskkill.exe" /IM sqlbrowser.exe /F
"taskkill.exe" /IM sqlceip.exe /F
"taskkill.exe" /IM sqlservr.exe /F
"taskkill.exe" /IM sqlwriter.exe /F
Notes: This is similar to the disabling of security tools, but will often be much noisier, attempting to kill dozens of processes in short succession. Look for spikes in this command. The report linked below shows several examples.
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
Additional detection options may exist (e.g. Security Log EventID 4689, Process Terminated).

SubGoal: Kill processes with net stop
Notional Command Logic:
net stop *
OR net delete *
Examples:
"net.exe" stop "samss" /y
"net.exe" stop "veeamcatalogsvc" /y
"net.exe" stop "veeamcloudsvc" /y
"net.exe" stop "veeamdeploysvc" /y
Notes: Ryuk samples have been observed attempting to stop over 50 predefined processes. Look for spikes in these commands.
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)

SubGoal: Kill processes with sc
Notional Command Logic:
sc stop *
OR sc delete *
OR sc config * disabled
Examples:
sc stop RabbitMQ
sc config SQLTELEMETRY start= disabled
sc config SQLTELEMETRY$ECWDB2 start= disabled
sc config SQLWriter start= disabled
sc config SstpSvc start= disabled
Notes: These (like ‘net stop’ and ‘taskkill’) are often seen in a simple batch file. Look for spikes in these commands.
https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)

SubGoal: Kill processes with wmic
Notional Command Logic:
wmic process * delete
Notes: Look for spikes in these commands.

SubGoal: Delete backup files
Notional Command Logic:
del /s /f /q *
Example:
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
Notes: Ryuk ransomware also used this rudimentary approach to find and delete any files matching patterns signifying backups.
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

SubGoal: Delete backups via wbadmin
Notional Command Logic:
wbadmin delete *
Examples:
wbadmin delete catalog -quiet
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
Notes: wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.

SubGoal: Delete computer restore point
Notional Command Logic:
Delete-ComputerRestorePoint
Example:
Get-ComputerRestorePoint | Delete-ComputerRestorePoint
Notes:
https://thedfirreport.com/wp-content/uploads/2020/11/fullpysa.png
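Three rows in the Goal 3 table say to look for spikes in taskkill, net stop and sc rather than alerting on every single instance, since one `net stop` is routine administration while fifty in a minute is a Ryuk batch file. The following added Python example (not from the post) implements that as a per-host sliding-window count over constructed process-creation records, using the command forms from the tables; the threshold of 10 kill commands within 60 seconds, the host names and the timestamps are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command-line patterns for the post's Goal 3 "kill processes" rows (taskkill,
# net stop, sc, wmic). Quotes are stripped before matching so the quoted
# '"net.exe" stop "samss" /y' form from the Ryuk report matches as well.
KILL_PATTERNS = [
    ("taskkill", re.compile(r"\btaskkill(?:\.exe)?\b.*\s/IM\s", re.I)),
    ("net-stop", re.compile(r"\bnet(?:\.exe)?\s+stop\s", re.I)),
    ("sc-stop-delete-disable", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config\b.*\bdisabled\b)", re.I)),
    ("wmic-process-delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\b.*\bdelete\b", re.I)),
]


def classify_kill(cmdline):
    """Name of the first kill pattern matching the command line, or None."""
    cmd = cmdline.replace('"', "")
    for name, rx in KILL_PATTERNS:
        if rx.search(cmd):
            return name
    return None


def find_kill_spikes(events, threshold=10, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, host, commandline).

    Keeps a sliding window of kill-command timestamps per host and raises one
    alert per host the first time the window holds `threshold` or more events.
    Returns a list of (host, window_start, window_end, count).
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, cmd in sorted(events, key=lambda e: e[0]):
        if classify_kill(cmd) is None:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (q[0], ts, len(q))
    return [(host,) + v for host, v in alerts.items()]


# Constructed sample log: one server being prepared for encryption (taskkill
# then net stop in quick succession, the process and service names from the
# post's examples), one workstation with a lone administrative 'net stop'.
BASE = datetime(2020, 11, 25, 3, 14, 0)   # constructed timestamp
KILL_TARGETS = ["sqlbrowser.exe", "sqlceip.exe", "sqlservr.exe", "sqlwriter.exe"]
STOP_SERVICES = ["samss", "veeamcatalogsvc", "veeamcloudsvc", "veeamdeploysvc",
                 "SQLWriter", "SQLTELEMETRY", "RabbitMQ", "SstpSvc"]
SAMPLE_LOG = (
    [(BASE + timedelta(seconds=i), "SRV01", f'"taskkill.exe" /IM {p} /F')
     for i, p in enumerate(KILL_TARGETS)]
    + [(BASE + timedelta(seconds=10 + i), "SRV01", f'"net.exe" stop "{s}" /y')
       for i, s in enumerate(STOP_SERVICES)]
    + [(BASE + timedelta(seconds=12), "SRV01", "notepad.exe C:\\readme.txt")]   # non-kill, ignored
    + [(BASE + timedelta(minutes=5), "WS05", "net stop Spooler")]               # stays below threshold
)

if __name__ == "__main__":
    for host, start, end, count in find_kill_spikes(SAMPLE_LOG):
        print(f"{host}: {count} kill commands between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Tune the threshold and window to your own baseline (batch-file kills typically land within seconds of each other), and keep the single-hit rules for the security services from Goal 1 separate: a spike rule is for the noisy mass-kill stage, not a replacement for alerting on one `sc config WinDefend start= disabled`.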

Goal: Destroy/Ransom Data
This is the final stage where files are encrypted, often renamed and a ransom note is presented or dropped on the filesystem. The detection value of alerting at this stage is limited, since we are going to hope and believe that our users are going to call the emergency hotline at this point and, God forbid, not attempt to pay the attackers.

Conclusion
I hope this will help you in your fight against ransomware. Drop me a comment and let me know what other detection logic you have found helpful.


About the Author:

Andrew Skatoff


The article was originally published at: https://dfirtnt.wordpress.com/2020/11/25/detecting-ransomware-precursors/

May 17, 2021
1 Comment

JennaHarrison
16 days ago

It was interesting to read.
Thanks to the author.