Disrupting an Active Ransomware Attack Over the Course of Hours

Recently, eSentire’s Security Operations Center responded to a ransomware attack in progress. The attack was identified, triaged, and quickly escalated to our Tier 3 SOC team who engaged the Threat Response Unit (TRU) to assist.

Over the course of several hours, SOC and TRU worked to disrupt the attack by blocking the adversary’s tools, containing the impacted systems, and reversing the encryption process.

Overview of the Ransomware Attack

The cyberattack began with the use of compromised, privileged domain accounts from a compromised system where our endpoint agent wasn’t installed. We assess the adversary had remote access to this system and used it as a beachhead for attacks throughout the network. Due to lack of visibility into this host, we only detected the attack in its later stages once it affected assets where we had telemetry.

Using a combination of remote desktop (RDP), Windows Management Instrumentation (WMI) and PsExec, the adversary’s goal was the following on workstations and servers:

1. Enable and configure Windows BitLocker to disable backup and recovery features.
2. Use BitLocker to encrypt attached drives using a randomized password for each host.
3. On file servers, copy Jetico’s BestCrypt Volume Encryption Manager software from the staging host and encrypt attached drives.
4. Drop a ransom note (“readme.txt”) on the system.
5. Disable all administrator accounts.

BitLocker Installation, Configuration and Encryption

Using compromised privileged accounts, the adversary copied and attempted to execute “test.bat” across over 250 workstations and servers (Figure 1).

The batch file performs the following actions:

1. It deletes the existing registry subkey or entry without prompting for confirmation for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE (clears Group Policy settings for BitLocker).
2. It modifies the BitLocker policy via several registry changes:
   1. Configures the BitLocker policy to require additional authentication at startup.
   2. Allows BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
   3. Disables backup to AD DS.
   4. Disables startup with TMP PIN.
   5. Uses a custom recovery message. In this case the message translates to “Effective core slanting, slanting, evil, slack, slack, core, threat, evil, writing evil salary, threatening, unloading, slack, slack”.
3. It restarts the system in 120 minutes.
4. Lastly, it registers cscript.exe as the default script host for running scripts and saves the current command-prompt options for the current user.

On a smaller subset of systems, PowerShell was used to install BitLocker and forcibly reboot the system:

Powershell -command install-windowsfeature bitlocker -restart
shutdown -r -t 0 -f

This was performed using a batch file named “copys.bat” or manually using the command prompt. Both “test.bat” and “copys.bat” were written to the c:\windows\ directory (Figure 2).

To initiate the BitLocker encryption, BitLocker’s Drive Encryption command-line tool manage-bde was used to encrypt volumes with a unique recovery password (replaced with xxxxxx… in the example) on each host:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -UsedSpaceOnly -sk C:\ -s

On workstations, this was done in an automated fashion using a script that attempts the command on all drive volumes. For servers, it appears the adversary manually executed a slightly different command which also removed volume shadow copies:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -sk C:\ -s -used -RemoveVolumeShadowCopies

BestCrypt Encryption

Jetico’s BestCrypt (MD5 hash: 8DFEAAF7351F695024ED3604A4985E98) software was only observed on a subset of Windows servers that appeared to be configured as file servers. On each host, a staging directory was created under c:\crypt\ then populated with the BestCrypt executable and drivers. The files were copied from the staging host over SMB (Figure 3).

BestCrypt was executed via an RDP session and configured using the graphical interface. The success rate for this encryption method wasn’t immediately clear. The team identified BestCrypt rescue files on only a few hosts, possibly indicating successful encryption, although files on attached drives were still accessible via our endpoint agent.

In keeping with typical data extortion attacks, a ransom note titled “readme.txt” was left in several directories on a subset of impacted systems (Figure 4). The note simply provides a contact email and demands an unspecified amount from the victim to restore their files.

Similarities to Known Ransomware Activity

The Tactics, Techniques and Procedures (TTPs) observed in this case generally align with several public observations that identify this threat as DeepBlueMagic, “UNRANSOMWARE” or KalajaTomorr. These include:

• Use of living-off-the-land utilities.
• Use of the BitLocker command-line utility in combination with unique recovery passwords for each host.
• Use of Jetico’s BestCrypt utility copied to “c:/crypt” staging directory and executed via RDP sessions.
• Use of RDP, WMI and PsExec for lateral movement.
• Use of batch scripts such as “test.bat” or “copys.bat” located in the user’s c:\windows directory.
• Preference for BitLocker as an encryption method for workstations and BestCrypt for servers.

How did we find it?

The activity was first identified by MDR for Endpoint using detection content created by eSentire’s Threat Response Unit (TRU).

What did we do?

Our team of 24/7 SOC Cyber Analysts first identified the attack when detection content authored by our Threat Response Unit (TRU) identified unusual movement of encryption tools across several assets. Since tools such as BitLocker or BestCrypt can both be used legitimately to protect data, some analysis was needed to contextualize the signals and determine intent.

The encryption software was copied in a manner matching public mentions of ransomware activity, notably the use of the “c:\crypt\” folder for staging files (see Figure 3).

A critical alert was sent to the customer, along with a list of hosts where the activity was being observed. The incident was escalated to Tier 3 analysts and TRU was brought on to assist.

Working in coordination, team members quickly scoped the intrusion and identified the adversary’s activity across more than 250 workstations and servers. The team blocked the BestCrypt executable across all endpoints, and isolated impacted systems (where customer documentation permitted) from the rest of the network.

The team identified the adversary’s “test.bat” batch file, which was deployed to over 250 systems, then reduced that to a smaller number of systems where the batch file executed successfully. Fortunately, the batch file was configured to delay shutdown by 2 hours while BitLocker encryption was in progress, providing a window for the team to reverse the process. Using Live Response on endpoint agents, team members first executed commands on impacted hosts to abort the shutdown.

To reverse the BitLocker encryption action, team members used the manage-bde –off command to decrypt affected volumes and turn off BitLocker. While the recovery passwords were captured in our endpoint telemetry, it wasn’t required to decrypt the drives, likely given the system reboot had been aborted.

While BitLocker encryption was deployed using a combination of automated scripts and manual actions by the adversary, the BestCrypt software was deployed exclusively to a small subset of Windows servers manually using RDP and encrypted using the BestCrypt GUI utility. Of these assets, we assess only a handful were encrypted successfully.

Finally, the team joined a war-room with the customer to brief them on the scope of the intrusion, including compromised accounts and assets and actions taken by the team.

What can you learn from this TRU Positive?

• This ransomware attack was initiated during off-hours by a hands-on-keyboard adversary using compromised, privileged accounts and legitimate administrator tools.
  • Outright blocking the Windows utilities used in this attack is likely not feasible given they are not uncommon in many environments.
  • In certain instances, detecting and shutting down these living-off-the-land techniques requires human validation to prevent interrupting legitimate behavior.
• Where BitLocker was used, a system reboot was set on a 120-minute delay. This allowed SOC and TRU to manually intervene to revert the encryption within this window.
  • Even if the system reboot setting had expired, the recovery passwords were captured in MDR for Endpoint telemetry, however greater effort would have been required to unlock systems.
• Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible.
  • Importantly, ensure coverage extends to the entire network to prevent unmonitored hosts or network segments being used as a beachhead.

Recommendations from our Threat Response Unit (TRU) Team:

Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible. Therefore, we recommend:

• Enabling cybersecurity practices that aim to disrupt ransomware initial access methods:
  • Harden your organization’s external facing systems by patching vulnerabilities and limiting access to trusted hosts/networks.
  • Use strong authentication methods such as multifactor authentication (MFA) for remote access services (e.g., VPN or RDP). Ensure remote access sessions are monitored for unusual activity.
  • Raise employee awareness of malware masquerading as legitimate applications, and include in your Phishing and Security Awareness Training (PSAT) program.
    • Remember – an effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.
  • Protect your endpoints against malware.
    • Ensure antivirus signatures are up-to-date.
    • Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
• Implementing 24/7 threat detection and response capabilities to prevent ransomware attacks from progressing along the attack workflow and limit business disruption:
  • Ensure your security tools/services have complete coverage of network assets.
    • Critical servers such as Domain Controllers should not be excluded from endpoint detection and response tooling.
  • Identify suspicious/malicious activity:
    • Remote access services (VPN, RDP).
    • Living-off-the-land techniques and abuse of legitimate tools such as PowerShell, PsExec, BitLocker and others mentioned above.
    • Privileged account abuse.
• Have an Incident Response plan in place and test it at a regular cadence. For an example template, see CISA’s Ransomware Guide.
  • Engage a Digital Forensics and Incident Response provider for an IR retainer, preferably one who can help your team collect, and preserve, evidence of the attack, file cyber insurance claims, and transition findings to law enforcement to help you get back to business hours faster.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.