
BG - Ransomware Emulation Done Right

BSides Las Vegas · 37:36 · 182 views · Published 2022-09
About this talk
BG - Ransomware Emulation Done Right - Shreyas Rami, Shaun Jones Breaking Ground @ 18:00 - 18:55 BSidesLV 2022 - Lucky 13 - 08/10/2022

All right, hello everyone, welcome back to the last set of talks for BSides Las Vegas 2022. This is Breaking Ground. One quick announcement though: if you are looking for the Exclave Experience Relocated to Almost Canada by T Profit, you are in the wrong room; it has moved to PasswordsCon in the Tuscany Ballroom. And those of you online too, make sure you're clicking on the right room; it's the Tuscany Ballroom now with PasswordsCon. The website has the most up-to-date link, so just refer to that one. But welcome. Again, this is Breaking Ground. We have Shreyas and Shaun here; the title of their talk is Ransomware Emulation Done Right. A couple of reminders before we begin: as always, thank you so much to our diamond and gold sponsors. Without their assistance, as well as all the volunteers, staff and anyone who's involved with BSides Las Vegas 2022, this event certainly would have been possible, and I think I share the sentiment with a lot of you guys and a lot of other people here that I'm glad that this in-person event did indeed happen, and hopefully it'll happen for, you know, the countless number of years down the road. But out of respect for the people on the livestream as well as for these speakers, please do make sure that your cell phones are at least silenced or ideally all the way turned off. And a reminder of the photo policy: you are not allowed to take photos without explicit permission of everyone in frame, so if it's okay with them you can, but I wouldn't run that risk. Now, one tiny change to how we've been doing things before during the Q&A session: unfortunately we've run into a little bit of an issue with wireless mic problems, so if by the end you have a question you are probably going to have to shout it. So for those of you in the back of the room, I'm not saying you have to move forward, but I would recommend it if you think you might have a question. And you guys, by the end, if you guys could just repeat the question, yeah, that would be great for all those online. So without further ado, here's Shreyas and Shaun.

Thank you. Hello, thank you for coming. I know it's the end of the day, so let's get into it. We're going to be talking about ransomware emulation and, as always, I want to start off: the best defense is a good offense, and it's worth knowing that internal security using your red team and stuff has massive benefits, so hopefully we could kind of show you that with this talk. So my name is Shaun Jones, I'm a director at eBay. We're both from eBay, and I do a lot of kind of more programs and projects stuff, like the ransomware program. And Shreyas?

All right, hey guys, my name is Shreyas Rami, I'm a senior detection engineer at eBay, mostly on the blue team, but I do a bunch of purple teaming as well with Shaun. So with that, let's kick this off.

All right, so we know that ransomware is a problem. It's a huge problem. Google released a report that it analyzed around 80 million ransomware samples. Let's look at five months in 2021: there are several companies that were hit by ransomware and they paid tens of millions of dollars in ransoms. Just look at Colonial Pipeline; they even made national news, and that was huge. So eBay, much like all the companies, is kind of worried about this and we don't want to get impacted because, you know, lots of revenue and stuff like that, and we do care about customer data. So whenever we kind of look at the program, we just started with the idea of asking ourselves a couple of questions: the first being, are our employees susceptible? Do our controls and tools actually work? And do we actually respond in the best way? You don't want to be responding in the wrong way to ransomware. So with that in mind we kind of started off with three tracks. Track one is education; with this we do a lot of tabletops with different teams, and the security awareness, you know, the phishing emails everyone gets and stuff like that, and the annual training. We're not really going to talk about track one because it's not the interesting stuff. But track two was around controls and our visibility around our logs and alerting, so with that we kind of do purple team exercises, which is going to be kind of the focus, and red team exercises. Red team exercises also help us with track three, which is response, but less, not to the same extent as our ransomware simulation, because we only do a couple of boxes, not an entire load of employees with this stuff. Ransomware simulation, by the way, is just where we kind of simulate a ransomware attack within the organization to see kind of what happens.

So to start, we're going to talk about purple teaming, and I'm guessing everyone might know about it, so we can rush through it. This is basically: blue team and red team get together, they plan an exercise, they agree on TTPs, what threat actors we're concerned about, and kind of where we're going to do it, what's our focus of it, because we have so many different environments, so we kind of tailor it to that. Next the red team goes ahead and does the actual activities, hacks some stuff, breaks some stuff, and then with that the blue team can come along and examine our tooling and our telemetry, like our logs and stuff, ultimately giving us a proper understanding of how resilient we are to an attack. And we do this through kind of a continuous process, so the red team might have to replay some stuff and the blue team comes back to it.

So to start off with this, what we did was a load of research on it. We read a lot of blogs, read a lot of reports around stuff, we even looked at Twitter and Telegram. As you can see, this is SCYTHE's GitHub, and honestly for any emulation stuff they actually have a pretty good list of TTPs for not just ransomware actors but other threats as well, so if you are doing kind of emulation it's a good place to go. The next thing that we did was we acquired a large number of samples of ransomware. We predominantly got them from VirusTotal, but there's a number of places you can get them. The idea with this was we did some reverse engineering to actually kind of see how they work, to figure out what exactly happens when these execute. But you might not have the capabilities to do reverse engineering and malware analysis, you might not have the team possible to do that, so one thing you can also do is, if you know hashes or specific ones that you want to look at, you can go to Any.Run or Joe Sandbox, just Google the hash, typically you'll end up finding it, and that way you get the dynamic analysis part done for you without the need for the kind of internal skills to help it out.

So like with any of this stuff, we set up our test environment just to be safe. Our test environment was basically a Windows VM in my house at the time; we actually moved it to Azure and now to a standalone account, so it's a bit safer. Basically with that, what we did was install our EDR tool and a load of other standard kind of build tools that we had, along with our logging and telemetry kind of agents as well to pull that stuff back. We did include our VPN; this then allows us to do on and off network testing. So we might want to test a laptop being off network, because everyone's off the network now anyway, which we've covered, or we might want to test within our network to see if our proxies and other controls actually work and detect stuff. The other reason we did a VM is snapshots; basically we can do a large amount of adding additional tooling. So for us, we were doing a massive drive to push Sysmon across the organization, and we used this as a way of basically selling that drive that we were going for, and it worked quite well, which we'll talk about later.

With that, we've done all our research, we went ahead and we started building our ransomware. This is like the fun part. So I went ahead and I wrote basically a piece in C#, included several TTPs, we added in some functionality like the ability to rotate ransom notes and rotate the file extensions when we actually ran this, to make it easier, because we want to see what would happen for specific ones but not run actual ransomware at the time. Following that we actually wrote one in Go, because Go was kind of getting a lot bigger back then and we hadn't done any of that in our exercises. I'm not a Go person, it was like my first dive at writing Go, so what I did was I used Bad Gopher by Andy J Smith on GitHub and I basically modified the code to make it match what we wanted to do and for the TTPs. And another thing: you don't need to write your own ransomware. There's a lot of tools out there that you can use for this. I haven't used these so I can't say if they're safe or not, but you should probably test them or read them before you run them. But there's a lot of options out there, so you don't need to spend the time doing your own development.

So let's get into it. So round one: what was one of the things we found? Sure. So the first thing that we did was we went through the default TTPs that came with the EDR tool, and as you can see there were almost 2 million results. This is something that's not feasible to go through all of them, so we basically wanted a purple team exercise to identify good high fidelity alerting around this. So we went ahead and ran the binary which Shaun had just created, which was customized, and the EDR system, which was Carbon Black, eventually detected it after some time. So that was awesome. So the test was complete, right Shaun?

Yeah, nice. Sadly it wasn't complete, but as we know, if anyone looked at the Conti leaks, a lot of these actors were actually purchasing valid EDR tools and using them, which means they could figure out potentially what is getting flagged on and why it's getting caught. So we did a similar thing and we started looking into this, and it turns out what was catching us was the canary files. Now these files, lots of EDR products do it, it's not just Carbon Black, but lots of products do this, and they basically have some files on the file system; if they start getting modified and renamed they'll get flagged and they'll cause basically the parent process that's doing that to get killed, because they suspect this is ransomware or some kind of malware. So with that in mind, we went and looked, and what we realized was we were able to encrypt a lot of files on the file system; it was just when we hit a certain part, these canary files got hit, and then much like sad Pikachu I ended up no longer being happy because my ransomware didn't work. So I guess 60 percent of the time canary files work every time, right?

So following this, we went back, we made some modifications to basically our payloads, our ransomware, and we came up with some canary file bypasses. So the first one is really easy; it's basically six lines of code, you could probably put it in fewer lines of code if you wanted, and this was basically: if the file name starts with a dollar sign or a hash symbol, just skip the file, don't encrypt it. And this worked pretty well; we were able to bypass the canary files, which was kind of fun. The second bypass we found was if we went into kind of a trusted process, so notepad.exe. We basically spawn notepad directly, inject our ransomware into it, and then we could basically even encrypt the canary files, and for some reason that didn't get flagged and our ransomware worked. It was pretty cool. We did report it.

So round three. Now this is something that we've been doing more and more of now, and it isn't just for ransomware, but it works pretty well, and this is just sandboxing. So what we do is we go to VirusTotal, we get our ransomware samples or other malware, we then run that in that test environment VM that I was talking about, and then we basically get the idea to see if our controls block or detect these samples, and if not, we can then figure out what is doing it. So the reason I love this is it's pretty safe, because it's up in Azure, not connected to us, I don't need to do any work, which I love, and our blue team do this all themselves. So it allows us to do this continuously: say some intel comes in, they go grab the sample, they can go run it and write rules very quickly around detection, which is great. So with detection, Shreyas, this...

All right, so with all the TTPs that we emulated earlier, which Shaun talked about, we were able to utilize a handful of them to build high fidelity detection rules. So I'm going to go over a few of them which I can talk to you about. So the first one is disabling of Windows Defender. So this is one of the most common techniques that ransomware uses and has been used by many malware families, so it's very basic and it's a common behavior. If you see it in your network then it certainly warrants an investigation. It's worth building an alert even if you don't use Windows Defender, as, as I said, many malware families use this. So the next one was to detect any process injection, and this is another common technique used by malware families, and as Shaun mentioned, you know, we used notepad to inject another process and use that to emulate, you know, some ransomware behaviors over there. So in the screenshot over here, what you see over there is the displayswitch.exe which was essentially used on the affected machines to change the ransom... change it to the ransomware message for the affected users. The third one that we worked on was to detect malicious certutil usage. certutil is a standard binary that's available on Windows OS which is known to be maliciously used by various threat actors. During the test we did a couple of things: firstly we renamed the original binary so that we can evade detection, and that's something that's very uncommon, and you should be looking into that if that happens. Secondly we used the renamed binary to then decode another code which was then executed for malicious purposes on these systems. And lastly, this was something that we experimented with: we wanted to see if we can use known ransomware extension threat intel that was available and build an alert around it. So eventually we are not using it, but at the start what we did was we tested it and it worked pretty fine; there wasn't much noise around it and very low false positives. But as we increased our logging coverage to different zones in that environment, we started receiving a lot of benign and false positive activities. So alone I wouldn't 100 percent recommend it, but by using it with another signal in your environment you might be able to use that scenario to identify ransomware behaviors.

Finally, we were able to emulate like 21 different attack techniques and six tactics. Some of the notable ones, as you can see, are shadow file deletion and process injection. All right, and along with that we were even able to identify some logging gaps in our existing Windows security logs, like for example the 4688 event code, which is for process creation. We initially didn't have process command lines that were being logged, and if you know Windows logs this is very important to log, as you can see a lot of malicious activity within the command lines over there. So this was something that we had to go back and change the policies around the logging on these security logs, and we were able to get everyone in line to approve it and, you know, go forward with it, so that was pretty huge. And secondly we were able to showcase the value from the Sysmon logs, as it actually complemented the Windows security logs. So this exercise was like a leverage for us to push forward the additional logging that we are requesting, and overall it's a huge win for the team, on the blue team over there.

All right, yes, I'm Shaun. Yeah, so we're going to talk about simulation now. Now, simulation is something that basically I had this idea and I really wanted to do it, and if you just go ask if you can kind of go ransomware the company, you're probably going to get told no. So what I did was I went to the stakeholders, so yeah, and this included the head of IT, someone from legal, and communications as well. And what we did was we got together, we planned it out, we made sure we had a whole list of concerns which I'm going to talk about in a second, and once we had that we kind of presented it to the CSO and the CTO around getting permission to do this. They ended up having to go ask the CEO for permission and so he approved it as well, and basically once we got approvals it was a case of just executing the ransomware on our victims. The whole point of this was to basically understand how, as a company, we would respond to a ransomware attack, which is something that is quite hard to emulate, and as you will find out, we learnt a lot from this.

So the concerns. A couple of big concerns on this: one was someone taking a picture and tweeting it or something, putting it on Facebook, again leaking to the media that eBay got ransomware. That could have a quite big effect on us, so we didn't want that happening. With that, we kind of got some pre-planned communications written by our kind of marketing PR team. The mental health of the victims: people don't want to feel responsible for stuff, especially ransomware, and depending on who you targeted it could be quite bad, so we made the decision to basically only target directors and above within the company, which are quite high level people in there, typically used to kind of stress and know to understand the situation. The other thing we worried about was disruption of work. Our leadership accepted that as a case; they were like, disruption of work, we'll just do it for like four hours, which was the max we were allowed to block users basically. And the fear of it kind of spreading around and infecting other people within our network as well was a concern.

So what I said there: here's the message. And I know a common question that I always get asked is, did I actually get Bitcoin? I didn't, sadly, no one paid. But on a Wednesday at like 9:05 this is what people saw on their screens on their desk, and these are pictures taken that were sent to our kind of CSIRT team with people reporting it. We had a lot of emails, a lot of panicked people around this; it was kind of a high octane thing, and I was on PTO that day, so no one could ask me if I was doing something, which is fine.

So with that, here's a kind of high level timeline of what this whole process looked like, because you might want to do this in your own organization. It started off with a lot of planning, as already said. We then went and did a slide deck to the CTO and the CSO asking permission. This was originally... we only asked to do it to around five to ten people and they were like, let's do it to like 60 people. Well, it's like more than 60 people across the organization, which we were like, oh okay, this might get bad. So with that we agreed on conditions, like I said, like a four hour window and our targets, and we ended up basically having to do the hard part after that, and that was building the actual ransomware. So for this I wrote it in C# because I just like C#. We decided to impersonate REvil because at the time they were very in the media, very public and stuff, so it was like a good thing to do. To stop the kind of idea of it infecting other users and stuff, what we did was we took the username, the hostname, we basically generated a hash from that, and then we hard coded hash values into the payload. The reason we did it like that, and we didn't just use the username and hostname, was we wanted to see if our blue t
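The detection ideas the talk lists (Defender being disabled, injection into a trusted process such as notepad, a renamed certutil doing a decode, shadow copy deletion, and the low-fidelity ransomware-extension signal that the speakers say should only be used together with another signal) as one added example. This is not the speakers' or eBay's code; the rule logic, the constructed Sysmon-style events (Event ID 1 process create with OriginalFileName, 8 CreateRemoteThread, 11 file create), the host names, paths, command lines and the extension list are all assumptions made up for this example. The renamed-certutil check relies on Sysmon's OriginalFileName field, which a plain 4688 event does not carry, which is one way Sysmon complements the security log as the talk notes.

```python
"""Toy detection rules run over constructed Sysmon-style telemetry.

Example code written for this transcript; not the speakers' or eBay's rules.
Every host name, path, command line and extension below is made up.
"""
import ntpath
from collections import defaultdict

# Constructed placeholder for a real ransomware-extension threat-intel feed.
LOW_CONFIDENCE_EXTENSIONS = {".locked", ".crypt", ".enc"}
# Processes that should never be the target of a remote thread from another image.
TRUSTED_INJECTION_TARGETS = {"notepad.exe"}

# Constructed sample events. WS01 shows a chain of the behaviours the talk
# emulated; WS02 shows benign activity that must not alert on its own.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\cu.exe",      # renamed certutil
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"cu.exe -decode C:\Users\alice\AppData\Local\Temp\blob.txt out.exe"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 8, "Computer": "WS01",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.locked"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 11, "Computer": "WS02", "Image": r"C:\Program Files\Backup\backup.exe",
     "TargetFilename": r"D:\backups\archive.enc"},
]


def _base(path):
    """Lower-cased basename of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def defender_disabled(ev):
    cmd = ev.get("CommandLine", "").lower()
    return ("set-mppreference" in cmd and "-disablerealtimemonitoring" in cmd) or (
        "windefend" in cmd and ("stop" in cmd or "start= disabled" in cmd))


def renamed_certutil(ev):
    # PE metadata says certutil, but the file on disk is called something else.
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and _base(ev.get("Image")) != "certutil.exe")


def certutil_decode(ev):
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and "-decode" in ev.get("CommandLine", "").lower())


def shadow_copy_deleted(ev):
    cmd = ev.get("CommandLine", "").lower()
    return "vssadmin" in cmd and "delete shadows" in cmd


def injection_into_trusted_process(ev):
    target = _base(ev.get("TargetImage"))
    return target in TRUSTED_INJECTION_TARGETS and _base(ev.get("SourceImage")) != target


def ransom_extension_written(ev):
    name = _base(ev.get("TargetFilename"))
    return any(name.endswith(ext) for ext in LOW_CONFIDENCE_EXTENSIONS)


HIGH_FIDELITY = [("defender_disabled", 1, defender_disabled),
                 ("renamed_certutil", 1, renamed_certutil),
                 ("certutil_decode", 1, certutil_decode),
                 ("shadow_copy_deleted", 1, shadow_copy_deleted),
                 ("injection_into_trusted_process", 8, injection_into_trusted_process)]
LOW_FIDELITY = [("ransom_extension_written", 11, ransom_extension_written)]


def run_rules(events, rules):
    """Return (host, rule_name) for every event that matches a rule of its event type."""
    return [(ev["Computer"], name) for ev in events
            for name, event_id, fn in rules if ev["EventID"] == event_id and fn(ev)]


def correlate(events):
    """Per host: high-fidelity hits, plus the weak extension signal only when a
    high-fidelity hit exists on the same host (the extension signal never alerts alone)."""
    strong, weak = defaultdict(set), defaultdict(set)
    for host, rule in run_rules(events, HIGH_FIDELITY):
        strong[host].add(rule)
    for host, rule in run_rules(events, LOW_FIDELITY):
        weak[host].add(rule)
    return {host: sorted(strong[host] | weak.get(host, set())) for host in strong}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, ", ".join(rules))
```

On the constructed data WS01 alerts on all six rules while WS02, which only has a legitimate certutil run, a `vssadmin list shadows` and one oddly named backup file, produces nothing, because the extension signal is held back until a stronger rule fires on the same host.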