
Thank you all for coming today, I appreciate it, and thank you for attending the 10th anniversary of BSides Pittsburgh. That's pretty cool. So there's an awful lot to talk about. Stopping ransomware, and threat hunting is part of it, and what I wanted to do today was talk a little bit about some of the threat hunting things that people kind of miss when it comes to ransomware. This actually started as a thread on Twitter, so Twitter can actually be useful sometimes, who knew, but it turned out to be really good, with a lot of really good advice and inputs from a lot of people that do DFIR for a living, so I really appreciate it.

If you're wondering about the title, I am the Ransomware Sommelier, which means that I help you pair the right ransomware with the flaws in your network. So, you know, if you don't have MFA enabled, I'll give you a nice LockBit, whereas if you have MFA enabled but maybe you're not monitoring your endpoint solutions, I'll get you a copy of ALPHV or BlackCat.

So before we get into this, let's talk about the state of ransomware. So far this year we've seen, it's actually more like 1,700 victims posted to ransomware extortion sites. And ransomware extortion sites, for reference, are becoming a less effective measure of the number of ransomware attacks in the world than they were in, like, 2020 and early 2021. A lot of ransomware groups, while some are relying even more heavily on their extortion sites, others are using their extortion sites less. We've also seen 28 law enforcement actions taken against ransomware groups in the last year, which is more than we saw in the previous five years combined. And we're talking about even Russia getting involved, with arresting some members of REvil, and then of course a few months later letting them go so that they can go work for the Russian government, so, you know, that's great. But we aren't just seeing indictments and sanctions, we're actually seeing ransomware actors being extradited to the U.S. and standing trial, which is again great, we'd love to see that. But of course, as you all know, right now it's not slowing down ransomware attacks. If anything, other than a break in June, because even ransomware actors have to go on vacation, we've pretty much seen an acceleration in ransomware attacks this year. So we're still talking about lots of whack-a-mole. But the reason that I'm excited about all the law enforcement activity that we're seeing worldwide is that, you know, whack-a-mole's a sport like any other. So if you go out to Coney Island, or Kennywood I guess since we're in Pittsburgh, if you go to Kennywood twice a year and play whack-a-mole you're going to get okay at it, but you're never going to be really good at it. If you want to be a professional whack-a-mole player you've got to go out to Kennywood, like, every week and practice your whack-a-mole skills. And that's where I think we are, we're early on in that process. And so the sanctions, the intergovernmental cooperation and all that are having an impact. It's not as fast as we'd like, but law enforcement never moves as fast as we'd like. So I think it's good that we're seeing that, and I know we're all cynical in infosec, but I do think it's good, and I think eventually we'll see good returns from this activity.

One of the other things that's kind of concerning this year is in the last six months we've seen 60 new ransomware variants launched. So 60 new groups, none of them using new code. A lot of them are using stolen Chaos code, stolen Conti code, stolen REvil code. But what we're seeing is a lot of these new groups don't want to be part of a larger RaaS organization. They saw what happened with Conti and the collapse of Conti earlier this year, now Karakurt mostly, and so what they're doing is stealing the code and starting their own ransomware service, generally not offering RaaS. They're generally just, hey, it's us five guys, and we're still going to buy from initial access brokers and so on, and we're going to go out and run our own ransomware operations. So that may make things harder to track going forward. I mean, every day on Twitter, or in some of my private Slack channels and other places, I now see people saying, hey, have you heard of this variant, have you heard of this variant, or have you heard of this variant? Because we're just seeing so many new ones pop up that it's really difficult to keep track of. We're also seeing ransomware go global. We're seeing ransomware out of Iran, out of China, the UK and Brazil with LAPSUS$, and you can argue with me about whether or not LAPSUS$ is ransomware, but, you know, essentially extortion-type groups. Mandiant has a really fancy word for it, because Mandiant has to have fancy words for everything. I forget the phrase they use, but it's like, you know, extortion groups or whatever. And then we just saw the report about Maui operating out of North Korea, but of course North Korea has been using other types of ransomware for years.

So again, extortion is super important to these ransomware groups now. More and more companies are doing better with their backups. Shockingly, it only took us 10 years of yelling about that to actually get them to implement backups. So it's great that we're actually seeing those backups be implemented, and implemented correctly. So not backups of "oh, we saved everything on the file server that got encrypted"; we're actually seeing more offline backups, we're seeing more backups that are immutable, we're seeing companies going back to tape, which is awesome. Tape actually works really well. Ransomware actors haven't figured out how to encrypt tape yet. I like that. So extortion becomes more important, and again, as I said, we're seeing groups like LAPSUS$ that are extortion only. They don't actually encrypt anything, they only steal files and then demand encryption. Am I moving too much for you? I know you're trying to stream this, I just want to make sure I'm not, like... I'm good? Okay.

So if you can't extort a ransom demand through traditional means, that blackmail becomes more important, and so we're seeing this explosion in the extortion ecosystem. Not just the sensitive files anymore, but we've seen things like false media amplification. So we saw this in the NRA ransomware attack last year, where Grief paid for false amplification of mentions of the NRA attack to try and drive attention to it and then force the NRA to pay. We're seeing some personal attacks. I know some researchers have been personally threatened by ransomware groups. Fortunately for me, I'm not important enough to be threatened, and I like that. We're also seeing ransomware actors reach out to clients, so especially in schools this has become a big problem. They'll encrypt data for schools, they'll steal the data for schools, and then they'll email the parents and say, hey, we're going to publish your kids' sensitive data to our extortion site unless you tell the school to pay. So we're seeing a lot of these kinds of activities. DDoS attacks and so on are really growing in popularity.

And so that's what gets to the heart of this. The extortion means that threat actors have to spend more time in the network, and because they have to spend more time in the network, that means more hands-on-keyboard activity, and more hands-on-keyboard activity means there's actually more opportunity for you as a defender to catch them. And I won't sugarcoat this: good threat hunting is hard. It takes planning, it takes knowing and understanding your network. So it's easy for me to come up here and say, oh yeah, you've got to do threat hunting, blah blah blah, get to it. I know it's a lot harder than that, but it is worth it if you can put together a threat hunting program.

We do need to talk about dwell time, though. So dwell time, for those of you who don't know, is the time that the attackers spend inside the network. You will see over and over again this quote of 43 days for dwell time. Please don't take that as gospel. It is a lot sooner than that. It's not quite as soon as, I know I've seen, like, The DFIR Report has published, you know, from initial intrusion to ransomware in five hours. It's not quite that bad, but generally, at least in the cases I've been involved in, it's maybe a few days to a week is what we're seeing. That's still plenty of time, and your mileage may vary. That's one of the other challenges with ransomware: everybody has a different view into ransomware attacks, and so what I see may not be what you see, may not be what Mandiant sees, may not be what Palo Alto sees, etc. But from what I'm seeing, you generally have a few days to a week from initial access to when the ransomware is deployed.

And part of that is that distinction in terms of activity from the initial access broker to the actual ransomware actor. So generally there's two parts to an attack. The initial access broker gets the access, and they'll generally do that, you know, we see this through phishing campaigns, credential reuse, credential stuffing attacks, which are really, really big right now, straight-up exploitation for commonly exposed items, and then of course coming in through third parties. Those are really the big things that we see in terms of how that initial access happens. So that initial access is that first part of that attack, and depending on how the initial access broker works, you then have a few days to maybe a week or two before the ransomware actor takes over. So some initial access brokers work directly for ransomware groups. Conti famously pioneered this activity, where they basically employed, contracted, their initial access brokers so that the initial access brokers only worked for them. But a lot of other, especially smaller, ransomware groups don't have their own initial access brokers, so they have to buy on underground forums, etc. We are seeing the number of ads for networks for sale on open forums slow down, and that's because most of this activity is moving to private Telegram and Tox channels, just because all of the initial access brokers know that jackasses like me are watching for all of these and trying to alert people to let them know that, hey, your stuff's for sale, you should probably fix this. So we are seeing more of this move to private Telegram channels and Tox, but there's still an awful lot of initial access broker activity, which is really interesting.

Complete side note and digression here, but just in case you're not scared enough after coming to this event: I was talking to Crane Hassold, who's head of intelligence at Abnormal Security, at RSA, and he was telling me that they're starting to see business email compromise actors out of Africa reaching out to those same initial access brokers to try and buy that access, because then they can send their business email compromise emails directly from the email server, which is going to be so much more difficult to detect and find. So something to look out for going forward: there may not just be ransomware groups using the initial access brokers, we may start seeing business email compromise groups also using initial access brokers. You know, again, in case you didn't want to sleep ever again.

So let's talk about threat hunting, unless anybody has any questions about everything I've covered so far or thinks I'm full of it with anything I've said. No? Okay. So this is basically what a modern ransomware attack looks like. As I already talked about, initial access is generally phishing, credential stuffing, credential reuse, third party. Third party is really big right now. We see so many ransomware groups, or initial access brokers, that will get that initial access and they'll realize, oh hey, this company would be better to get access to their customers than it would be to actually ransom them, so they use them to jump to a whole bunch of other clients. Exploitation: Recorded Future tracked 52 different vulnerabilities used for initial access by ransomware groups last year, almost none of which were zero-day. They're common, pretty much well-known vulnerabilities with proof-of-concept code. So they're not necessarily using zero-days, although you'll hear about that, because every time they do use one it makes the news. Most of them are just the everyday stuff; people just don't patch things that are exposed to the internet, so please do that. Insider threat is really interesting, because both LockBit and LAPSUS$ are very interested in insider threat. LockBit in their note includes, hey, if you're interested in having us help us hack your company, send us an email and we'll give you some money to do that. The good news is, right now they suck at it. We haven't seen any successful confirmed case of insider threat. We've seen some rumors that there may have been some, but nothing that's been publicly reported, and the one publicly reported case was Tesla last year, where, you know, the Russian that tried to do it got detained at the airport and the FBI got involved. But the fact that they're very interested in it means that this will probably be more of a threat going forward. Ransomware actors tend to suck at things when they first start doing them, and then they get a lot better at them because they do it a lot.

So from there you'll see Cobalt Strike, we see some more Sliver now, or PsExec as they move through the network. Those are all the tools they use. Ransomware actors don't like the command line. Some of them do; for the most part they don't. So we see a whole lot of remote control through RDP, TeamViewer, AnyDesk, you know, all of those down at the bottom. And then they'll get access to all the servers they need, they'll steal all the files. They love mega.io, in any of its subdomains. That's where they love to send all of their data, because then they don't have to build additional command and control infrastructure, they can just send it all up to there, and they can pay for their mega.io accounts with Bitcoin. Then they'll run a couple of tests, so test a couple of boxes, make sure that the encryption works, and then they'll encrypt your whole network, as much as they can, try and delete logs and clean up, and then you'll have the extortion site, which can happen days later or months later depending on the ransomware group, or it might never happen. And just because a victim never appears on an extortion site does not necessarily mean they paid. Most of these guys, English isn't their first or second or third language, and so they have a list of keywords they look for, and I've seen a number of times where they just pulled out crap data, so they don't even bother to throw it up on the extortion site. You know, we had one client that I was helping, where they pulled up a bunch of old log data from systems that hadn't been used since, like, 2005, and I asked them why they even kept the logs, but it turned out it was a great honeypot, because the ransomware actor stole all that data and they didn't care. So they had a good laugh. It's not very often you get to have a good laugh when you're in the negotiation chat with the ransomware actors, but they did have a good laugh about that.

So when we talk about threat hunting, what are we talking about? We're talking about taking intelligence that you get from some place, so whether it's a talk like this; if you follow Florian Roth on Twitter, and if you're on Twitter you should definitely follow Florian Roth, because his Sigma rules are amazing; but, you know, if you follow The DFIR Report website, they have incredible intelligence that they deliver from their attacks. There are all kinds of great places where you can get your threat intelligence. You can also buy a subscription to Recorded Future, which happens to have a booth right outside the door, but I'm not here to plug Recorded Future. You get your intelligence from wherever you get it from. You want to build your threat hunting packages that look for the expected badness, and figure that the intelligence that you're getting is not necessarily going to work exactly for your network, so you're probably going to have to refine your searches, because you're going to get some false positives. There are going to be some mistakes, there are going to be some differences in the way, every network's a little bit different, so there'll be some vagaries in "I got this intelligence but my network doesn't quite respond to this," and so we're going to make changes. And then always provide feedback. That feedback loop is so important to wherever you're getting your data from: hey, you know, you did this, I just want you to know that in our network, because we have this, this didn't work. And that allows it to improve, so that the next person that pulls that intelligence down will have a more refined and better solution. This is especially true with, like, YARA and Sigma rules.

So again, good threat hunting only works when you have good network hygiene in place. If you don't know what assets you have, it's really hard to hunt for them, and asset management's one of those things... I'm old, I've been doing this for a really long time, and I've been talking about the need for good asset management basically since I've been in infosec, and we're still talking about it. So it still isn't a solved problem, unfortunately, despite all the companies that will tell you that they've solved the problem. But you need to have good asset management, because if you're only threat hunting part of the network, you're missing a lot of stuff. And it's always hard to tell people this, because asset management and, you know, good vulnerability management isn't sexy. Nobody's going to invite you to give a talk at RSA or Black Hat because you've managed to do good asset management, even though I feel like they should, because that is actually pretty impressive. Whereas, like, when I get to come up and talk about threat hunting, everybody's like, oh, threat hunting is sexy, I mean, as sexy as something in infosec can be, especially when delivered by an old white guy like me. But without the basics, the cool fun stuff doesn't work, and it's just going to actually make you less secure.

And so what you want to understand is how ransomware attacks work, the kind of tools that ransomware actors are using, and especially as those tools change, and then what detections work. So this is an example, and I like to think of this, you know, threat hunting is kind of like a boxing match, right? You don't necessarily have to get a knockout in the first round. If you go to the second or third round, all those different stages that we talked about before, if you go to the second or third round, as long as you get the TKO in the end, that's what matters. So wherever you happen to detect them, depending on your capability and depending on what you have in your network. And that's the other thing I like to tell people: one of the things I think we've done as an industry that's kind of a disservice is every time we are trying to solve a problem, we solve the problem by selling you a box or an agent, right? And this has been going on for 30 years, right? Oh hey, people are getting into your network, here's the firewall. Firewalls don't detect everything? Well, great, here's an IDS. Well, IDSes don't detect everything? Well, here's some endpoint protection. Well, that's not detecting everything? Well, here's a web application firewall, here's a proxy. And then you wind up with 30 different things in your security tech stack, none of which talk to each other. So here, now you have a SIEM that you can send all the logs to. Oh, but they don't correlate very well, things get missed. So when you're doing your threat hunting, I always recommend people take the tools that you have already and start repurposing those for threat hunting. Don't go buy new tools. If you can't do everything we're talking about here today, so like if you don't have EDR, so you don't have a way to shove your rules or Sigma rules in, look at some of the other things that we're going to talk about. You want to start with the basics, get really good with those, and then move forward to the other things.

So that being said, this is a great YARA rule from The DFIR Report on detecting Qakbot. A lot of ransomware actors have moved, especially with TrickBot being all weird, have moved to IcedID and moved to Qakbot for that initial delivery mechanism through their phishing emails. So being able to detect that initial entry is really important. You can stop the attack before they get started. Same thing with SocGholish. So SocGholish is also delivered as part of phishing attacks. Generally you're downloading a JavaScript compressed file, but this is another YARA rule for detecting SocGholish. This looks for the specific JavaScript hashes that were used, so this looks for the specific hashes that were associated with this, and this was WastedLocker delivering JavaScript through SocGholish early on. There are other really good YARA rules and Sigma rules for detecting SocGholish as well.

PowerShell. We're going to be a little interactive here for a second, so hopefully you all don't mind raising your hands. Too many organizations I walk into don't have PowerShell logging turned on. Please do that. It doesn't cost you anything. I mean, I know it costs you, because Splunk charges an arm and a leg for every extra line of log that you collect, but remember when Splunk was, like, the cool vendor that gave out t-shirts at conferences, and now they're like, oh wow, I can't afford my Splunk bill anymore? Please, no offense to anybody from Splunk that's here, you still make a great product, you're just super expensive. But ransomware groups rely heavily on PowerShell scripts, so if you can turn on PowerShell logging and collect those PowerShell logs, it's a great threat hunting tool. Some of the simple things: if any of you ever take Chris Sanders' PowerShell hunting course, which I highly recommend, or his threat hunting course, which I highly recommend, he does a great section on PowerShell. But one of the simple things to do is, and again this involves knowing your network, know what PowerShell scripts are supposed to be running in your network. Start with that. Okay, these are the knowns, this is what's supposed to be there, and then look for PowerShell scripts that aren't supposed to be running in your network, that are only running on one or two machines. So that's a simple threat hunting thing where your only required knowledge is what is supposed to happen in your network. Look for anything that's either disabling or creating new admin accounts. Ransomware actors love to make new admin accounts. Again, look for new scripts, look for scripts running at odd times. Ransomware actors love to work Friday evening and Saturday evening, because they know the SOCs are less staffed. And then what else? So for those of you that are doing PowerShell logging and threat hunting, what else do you look for as part of this? Yes sir? I'm sorry? Yep, that's very good. Anything else? Network connections, that's another really good one, yes. So anybody else? Okay, at least we got two. I'm happy that we've got some level of participation here, it means I'm not putting you all to sleep right after lunch. But really think about the ways that you can use PowerShell logging and what you know about your network to find other things.

I will say one other thing that a lot of people don't catch, and this even isn't with PowerShell. The first thing that a lot of ransomware actors do when they get in is they shut down your security tool. So they shut down your antivirus, they shut down your EDR or whatever. Most organizations don't set that as a high alert. So if another process is shutting down your security process, so not as part of the normal shutting down of the computer, but another process shutting it off, that should be a high alert, because generally the only people who are doing that are bad guys and employees that are trying to do bad things. And I know some analysts will tell me, no no no, I have to do it because I have to do malware analysis or whatever. You should have a separate machine for doing that. You shouldn't be doing it on your work machine connected to the work network. So be looking for an AV system shutting down or security shell shutting down.

Again, we mentioned the GUIs earlier. If you're not using these GUIs in your network, if you're not using ScreenConnect, AnyDesk, Splashtop or other remote GUI tools, get those file hashes, look for those, so you can feed those into your EDR and you can be looking for that. Because all the ransomware actors do is they download the executable from wherever they keep their tools, and then they execute it back to wherever they are in Russia and keep working. So look for those tools, and that should be a high alert, because again, if you have an employee that's using one of these GUIs, they're probably not doing anything you want them to do anyway. They may not be doing something bad, but they may not be doing something that you want.

Cobalt Strike, Cobalt Strike, Cobalt Strike. We see so much Cobalt Strike from the ransomware groups. We're starting to see a little more Sliver than we used to, so Sliver is another one, and I'm going to put together a couple of slides on that. And, you know, there was just a report that some ransomware groups are using Brute Ratel as well. The creator of Brute Ratel denies that, but it still can't hurt, because the worst that happens is, if you find any Brute Ratel in your network, the worst that happens is you catch a red team doing red team things, and congratulations. So look for any of these tools that are being used by these ransomware groups, these red teaming tools that the ransomware groups like to use. So this is an example of looking for a Cobalt Strike loader. But then this is a great one from Kyle Cucci. I love this, because you don't have to have any kind of YARA or Sigma capability. This looks for the named pipes. So by default, and interestingly, most ransomware groups keep the default settings in their Cobalt Strike, because they don't necessarily know how to use it well. They just know how to use it, and the tool itself works really well. But looking for these default pipes that are formatted as MSSE-<four digits>-server, look for event ID pipe created and 18 pipe connected. For these alerts you do have to turn on Sysmon in order to catch this level of logging, and again, I know making you have more logs and collect more logs is easy for me to say but hard on your budget. It is worth it, and the type of data that you can collect with Sysmon and using the Sysinternals tools can be very beneficial.

AdFind is another one that ransomware actors really like. We see a lot of AdFind and BloodHound. So again, going back to the other slide where we walk through any of those tools, basically you want to look for them, and you want to look for them in all of the different various forms. Some of these you can inject into memory, some of these you just operate as an executable on the ground, etc., some of them have been converted to script formats. So whatever those forms are, you want to look for those. But AdFind is one that goes unnoticed by a lot, but I do see it in a lot of ransomware attacks.

Then data transfer. If you are not using mega.io for anything legitimate, just block it and all of its domains. The ransomware actors love mega.io, again because they can pay in Bitcoin, it's cheap, and they can upload unlimited amounts of data from your network. And so any of the mega.io, mega.nz, and there's like 10 other domains that are associated with them, find all those domains and just block them. That's an easy thing. Understand ransomware actors will figure out a way around that. They can set up their own command and control server and exfil the data that way, but at least you've made it a little more difficult for them. And most of the organizations that I talk to and that I've worked with don't actually use mega.io for internal file transfers, even though they do have business accounts. Most of them are using other services. But along with that, look for the tools that the ransomware actors like to use to compress and exfil the data: rclone, 7-Zip, MEGAsync and other file transfer tools like that. There's quite a list of them that the ransomware actors use. So look for those, and again, look for those on your network, get the file hashes, because they're using the legitimate versions of these tools, so the file hashes are publicly available and they don't change very often, which is nice. And again, that only works if you know the tools aren't being used by your internal admin staff. Obviously you don't want to falsely flag anything that your IT staff or your security staff may be using.

Shadow copy deletion. I almost hate to include this, because this is kind of like your last-ditch effort, but I'll throw it out there just because you have it. Every ransomware group that I know of deletes shadow copies right before they start the encryption process, so deleting shadow copies is absolutely a sign that you are about to be hit with ransomware. The problem is that it's a sign you're being hit with ransomware now. So for most organizations, if you have an alert like this set up, it's going to travel through the logs, it's going to go to your SIEM, it's going to bubble through the SIEM process, and 15 minutes later, if you're lucky 15 minutes later, you're going to get an alert that says, hey, shadow copies have been deleted on the server. By then it's too late, they're already halfway through encrypting the machine and probably other machines as well. So I hate to include this as a threat hunting detection, but if you can, maybe stop, you know, to limit the damage, especially if you have good network segmentation, which most networks I walk into don't, unfortunately. But if you have good network segmentation, this does help limit the damage. There are some tools out there, again Florian Roth makes one, that will automatically delete any process that tries to delete shadow copies. And there are ways to configure your EDR, if you're using EDR, that hey, if something deletes shadow copies, kill that process and send the alert, and then isolate the machine from the rest of the network. So you can automate that, and if you have those automation capabilities, I highly recommend taking advantage of that.

And that's all I have. I know we're a little bit early, so I'm happy to take any questions if anybody has any, but otherwise I really, really appreciate everybody's time and attention, especially right after lunch, so I appreciate everybody who managed to stay awake with a full stomach. Thank you.
No questions? Awesome.
Yeah, no, that's a really good question. I like to have a conversation. So I'm part of the CSR team at Recorded Future, and we have to do this all the time, where I like to have this conversation of, hey, this is a known bad tool, but I know that our developers also use it. So generally what I do is, we have, these are the developer machines, and these machines are authorized to have 7-Zip installed; everything else isn't. It's not a perfect solution, but that way I know if our EDR catches anything outside the developer network, then that's something we should investigate. And what I count on is we implement a bunch of these protections, so that if we miss 7-Zip we've hopefully caught something else. But that's a really good question, and it's definitely a problem. Yes?
I'm sorry, hold on, I want everybody to hear that, because I think that was a really good point. Do you mind? Thank you. Since earlier this spring, Zoom actually extracts with 7-Zip now. Oh, I did not know that. Which creates a massive problem for the monitoring of exfiltration. Yeah, so something for everyone to think about: how do you monitor for that now? Box, Zoom, but you know... No, I mean, that's a really good point, and thank you again, that's something I didn't know, so it's good to have that additional information and monitor for that. So thank you. Any other questions? All right, well, again, thank you all very much, and I hope you enjoy the rest of the conference.
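Two of the Sysmon-based hunts the talk describes, the Cobalt Strike default named pipe check (MSSE-<four digits>-server on pipe events) and the shadow copy deletion alert, as an added example that is not part of the talk or of any tool it mentions. The input is constructed JSON-lines records with field names assumed to mirror Sysmon's; event IDs 17/18 for pipe created/connected and 1 for process creation are the standard Sysmon ones, and the vssadmin/wmic command forms are an assumption of this example, not something the talk spells out.

```python
import json
import re

# Standard Sysmon event IDs: 1 = process creation, 17 = pipe created, 18 = pipe connected
PROCESS_CREATE = 1
PIPE_EVENT_IDS = {17, 18}

# Default Cobalt Strike SMB pipe name format named in the talk: MSSE-<four digits>-server.
# Leading backslash is optional because some log pipelines strip it.
CS_DEFAULT_PIPE = re.compile(r"^\\?MSSE-\d{4}-server$", re.IGNORECASE)

# Common Volume Shadow Copy deletion command lines (vssadmin and wmic forms).
# The talk names the behaviour; these exact forms are an assumption of this example.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real logs): two pipe hits on WS01, a benign pipe,
# a near-miss pipe name with the wrong digit count, one shadow copy deletion on FS01,
# a harmless vssadmin query, and an ordinary scheduled PowerShell script.
SAMPLE_EVENTS = r"""
{"EventID": 17, "Computer": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\MSSE-4873-server"}
{"EventID": 18, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "PipeName": "\\MSSE-4873-server"}
{"EventID": 17, "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\srvsvc"}
{"EventID": 17, "Computer": "WS02", "Image": "C:\\app\\agent.exe", "PipeName": "\\MSSE-12-server"}
{"EventID": 1, "Computer": "FS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "Computer": "FS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\nightly_backup.ps1"}
"""


def parse_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return one finding dict per matching event, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in PIPE_EVENT_IDS and CS_DEFAULT_PIPE.match(ev.get("PipeName", "")):
            findings.append({
                "rule": "cobaltstrike_default_pipe",
                "severity": "high",
                "host": ev.get("Computer"),
                "image": ev.get("Image"),
                "detail": ev.get("PipeName"),
            })
        elif eid == PROCESS_CREATE and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            findings.append({
                # As the talk notes, encryption is usually already under way at this point,
                # so this is the one to wire to an automated kill/isolate action.
                "rule": "shadow_copy_deletion",
                "severity": "critical",
                "host": ev.get("Computer"),
                "image": ev.get("Image"),
                "detail": ev.get("CommandLine"),
            })
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample telemetry."""
    return hunt(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"[{f['severity']}] {f['rule']} on {f['host']}: {f['image']} -> {f['detail']}")
```

Feeding real Sysmon exports through `hunt()` only requires mapping your pipeline's field names onto `EventID`, `Computer`, `Image`, `PipeName` and `CommandLine`.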