As a SIEM Engineer, I am honored to be a guest writer for Secure Cloud Innovations, and today I want to share some insights on dealing with the potential threat of ransomware. Before we start, I want you to ask yourself:
Is my company prepared for a ransomware attack?
Ransomware is malicious software that encrypts data and extorts victims for a ransom. These attacks can be financially costly and cause disruptions to business operations. To prevent them, it’s crucial to implement proactive security measures tailored to your needs, educate employees on cybersecurity, and regularly back up your data. Remember, it’s not a matter of if, but when.
In this article, we’ll walk you through a simulated ransomware attack scenario and outline the technical steps involved in threat hunting. Our goal is to identify the extent of the attack and take measures to contain and remediate any potential damage caused by the ransomware.
The Situation
Recently, we discovered that there may be ransomware on our employee James’ device. Let’s dive into it to see what is going on.
Malware Analysis
Upon initial analysis, we discovered that a file named ab.bin with a hash value of 0b486fe0503524cfe4726a4022fa6a68 was executed on one of our employees’ endpoints. The first step we will take is to run this hash through VirusTotal, an online malware scanning service; the result confirms that the machine does indeed have some nasty ransomware on it.
After confirming that the system has been compromised by ransomware, our priority is to contain James’ machine immediately to prevent any potential lateral movement by the attacker. This can be achieved through an EDR tool like CrowdStrike Falcon. Here’s an example of how quickly and efficiently this can be done using such a tool.
By looking at the command tree in VirusTotal, we can get an inside look at the commands the binary runs when it is executed:
Now that we know this is malware, and what its command tree looks like, let’s check the machine’s command history to see whether the same commands were run from the executable:
Looking at the command history, we discovered that the ransomware immediately deleted the shadow copies using WMIC.exe, along with the system backup. It then ran a Vssadmin command, <Delete Shadows /All /Quiet>, to delete the volume shadow copies. The boot status policy was also edited using bcdedit.exe, <bcdedit.exe /set {default} recoveryenabled No>, disabling the System Image Recovery feature in the Windows Recovery Environment (Windows RE). These actions are common indicators of a ransomware attack.
For those who may be unfamiliar, Shadow Copies are snapshots of a computer’s files taken at a specific moment in time. Windows creates them automatically, allowing users to recover an earlier version of a file if it has been accidentally deleted or modified.
Based on our analysis, it appears that James’ machine has been affected by ransomware. To confirm this, we will replicate the process by running the malicious file in a sandbox environment using a tool called Any Run. This lets us execute the file without risking harm to a work or personal computer, which should never be used to run malware.
By rerunning the ab.bin ransomware file, we can observe that its behavior matches James’ command history. It deletes the shadow copies, changes the boot status to remove the system recovery feature, and deletes the volume shadow copies using the vssadmin.exe command. This confirms that the system has indeed been infected with ransomware and that this is a true positive.
To confirm the findings, we will use two security tools, Joe Sandbox and Hybrid Analysis, to perform further analysis on the ab.bin file. Joe Sandbox is an advanced automated malware analysis engine, while Hybrid Analysis is a malware analysis service owned by CrowdStrike that lets cybersecurity professionals upload and analyze suspicious files for signs of malicious behavior, similar to VirusTotal.
Here it is being run through Joe Sandbox:
We can also see that ab.bin is incredibly malicious and triggers multiple malware signatures in the process:
This detailed analysis gives us a clearer understanding of the ransomware’s malicious behavior. As expected, it deletes all Shadow Copies, a common tactic used by ransomware to prevent victims from recovering their data without paying the ransom. The deletion is carried out using vssadmin.exe, which is also evident from James’ command history. To further validate our findings, we will perform a final check using Hybrid Analysis.
Hybrid Analysis also flags the file as malware. If we scroll down further on the page, we can see three different reports about our file ab.bin:
In the report, we can see all of the processes that are being run on our victim’s machine, which continues to point toward malicious ransomware:
Looking even further, we can see even more of the contents extracted from the ab.bin file:
After analyzing the ab.bin file with advanced malware analysis tools like Any Run and Joe Sandbox, we confirmed that the file was highly malicious, triggering multiple malware signatures and deleting all Shadow Copies, as seen on James’ machine. Hybrid Analysis also identified the malware as ransomware and provided further information such as the MD5, SHA256, and SHA1 values of the file, as well as the website where the ransomware was posted. These findings allowed us to identify several Indicators of Compromise (IOCs), such as the website address “avaddongun7rngel.onion” and the file’s hash values, which can be used to detect and block similar attacks in the future.
If we were investigating this in a SOC setting, the next step would be to close out the incident. First, we would ensure that the victim’s machine is contained and cleaned of the ransomware, then investigate logs on our SIEM to ensure there was no lateral movement within the network. We would also block any IPs that may have been connected to the malicious file and gather our IOCs to include in our SOC report.
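To tie the two threads of this investigation together, the recovery-inhibition commands found in James’ command history and the SIEM log review for spread beyond his machine, here is an added example of the kind of hunting query a SIEM engineer would run over process-creation and DNS telemetry. It is not code from the original article or from Graylog. The MD5 and the .onion address are the indicators named in the analysis above; the host names, user names, event shape and the other hash values are constructed, and the exact `wmic shadowcopy delete` command line is an assumption (the article only says the deletion was done via WMIC.exe).

```python
import re
from collections import defaultdict

# Indicators taken from the investigation: the ab.bin MD5 and the .onion address.
KNOWN_BAD_MD5 = {"0b486fe0503524cfe4726a4022fa6a68"}
KNOWN_BAD_DOMAINS = {"avaddongun7rngel.onion"}

# Behavioural rules over the process command line, matching the recovery-inhibition
# commands observed during the analysis (vssadmin, WMIC and bcdedit).
BEHAVIOUR_RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled_bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Constructed sample telemetry in a simplified, Sysmon-like shape. Process events
# carry the command line and the image MD5; DNS events carry the queried name.
# Hosts, users and the "constructed-md5-*" values are made up for this demo.
SAMPLE_EVENTS = [
    {"host": "JAMES-PC", "type": "process", "user": "james",
     "command_line": r"C:\Users\james\Downloads\ab.bin", "md5": "0b486fe0503524cfe4726a4022fa6a68"},
    {"host": "JAMES-PC", "type": "process", "user": "james",
     "command_line": "wmic shadowcopy delete", "md5": "constructed-md5-wmic"},
    {"host": "JAMES-PC", "type": "process", "user": "james",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet", "md5": "constructed-md5-vssadmin"},
    {"host": "JAMES-PC", "type": "process", "user": "james",
     "command_line": "bcdedit.exe /set {default} recoveryenabled No", "md5": "constructed-md5-bcdedit"},
    {"host": "JAMES-PC", "type": "dns", "query": "avaddongun7rngel.onion"},
    # Benign admin activity on another host: listing, not deleting, shadow copies.
    {"host": "FILESRV01", "type": "process", "user": "admin",
     "command_line": "vssadmin list shadows", "md5": "constructed-md5-vssadmin"},
    # The same malicious hash executing on a second host: a lateral-movement signal.
    {"host": "HR-LAPTOP", "type": "process", "user": "dana",
     "command_line": r"C:\Users\dana\AppData\Local\Temp\ab.bin", "md5": "0b486fe0503524cfe4726a4022fa6a68"},
]


def hunt(events):
    """Return a list of findings, each a dict with host, rule and evidence."""
    findings = []
    hash_hosts = defaultdict(set)  # known-bad hash -> hosts it executed on
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            cmd = ev["command_line"]
            for name, pattern in BEHAVIOUR_RULES:
                if pattern.search(cmd):
                    findings.append({"host": host, "rule": name, "evidence": cmd})
            if ev.get("md5") in KNOWN_BAD_MD5:
                findings.append({"host": host, "rule": "known_bad_hash", "evidence": ev["md5"]})
                hash_hosts[ev["md5"]].add(host)
        elif ev["type"] == "dns":
            query = ev["query"].lower().rstrip(".")
            if query in KNOWN_BAD_DOMAINS:
                findings.append({"host": host, "rule": "known_bad_domain", "evidence": query})
    # A known-bad hash seen on more than one host means the infection spread
    # beyond the first victim; this is the lateral-movement check from the SOC step.
    for digest, hosts in hash_hosts.items():
        if len(hosts) > 1:
            findings.append({"host": ",".join(sorted(hosts)),
                             "rule": "hash_on_multiple_hosts", "evidence": digest})
    return findings


def classify_hosts(findings):
    """Map host -> 'probable_ransomware' when two or more distinct recovery-inhibition
    rules fired on it, or 'suspicious' when only IoC or single-rule hits exist."""
    behaviour_names = {name for name, _ in BEHAVIOUR_RULES}
    rules_by_host = defaultdict(set)
    for f in findings:
        if f["rule"] == "hash_on_multiple_hosts":
            continue  # cross-host finding, not attributable to one host
        rules_by_host[f["host"]].add(f["rule"])
    return {host: ("probable_ransomware" if len(rules & behaviour_names) >= 2 else "suspicious")
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:<20} {f['rule']:<28} {f['evidence']}")
    print(classify_hosts(results))
```

Run as a script, the example flags every recovery-inhibition command on JAMES-PC and the .onion lookup, ignores the benign `vssadmin list shadows` on the file server, and raises a cross-host finding because the ab.bin hash also executed on HR-LAPTOP; that last finding is the one that turns a single-machine cleanup into a wider incident.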
Wrap Up
To protect your network from ransomware, it’s crucial to implement proactive security measures that are tailored to your specific needs. This includes installing the latest security updates and patches, using antivirus software and firewalls, restricting user access and privileges, and regularly monitoring network traffic for suspicious activity.
It is also important to educate employees on the importance of cybersecurity and safe online behavior to prevent them from inadvertently introducing vulnerabilities into the network. In addition, backing up your data regularly to local drives, not just to the cloud, can help you recover in case of a ransomware attack.
Combating ransomware demands a holistic strategy encompassing advanced security tools, proactive measures, and most importantly, employee education. By adopting these measures, you can considerably minimize the likelihood of being targeted by ransomware and related digital hazards. Remember, with malware it is not a matter of if but when. So, whenever you review your organization’s security posture, ask yourself, “Are we ready for a ransomware attack?”
David Elgut
David Elgut is a SIEM Engineer at Graylog. His experience focuses on SIEM tools, SIEM pipeline creation, log analysis, log categorization, incident response, and network and systems security. A passion of his outside of work is spending time giving back to the cyber community and mentoring others trying to break into tech and cybersecurity.