Every day it becomes more apparent that nobody is immune to ransomware
From mom and pop shops to the largest US refined products pipeline system, that supplies gas to most of the east coast. Last week the Colonial pipeline was infected with ransomware that caused the company to entirely shut down operations.
The gang Darkside is a ransomware as a service attacker that treats the operation like a business. Darkside has a victim hotline, a press center, an email mailing list, and a code of conduct that reads like a mission statement stating how they are reliable business partners. The code also states that they do not attack hospitals, hospices, schools, universities, non-profit organizations, and government agencies.
How does it work?
We are seeing many ransomware attacks happening due to systems that have older vulnerabilities on them. The attackers are scanning large sections of the internet and executing attacks based on anything they can find. The attackers may also use previously compromised accounts or phishing/social engineering attacks in order to gain access. You may have heard of the ‘shotgun’ method. Well, they’re really using the ‘nuke from orbit’ approach.
Once the attackers have a foothold in the network, we often see them install backdoor methods of persistence in order to regain access. Attackers will send all traffic that’s talking to the backdoor of the compromised device as well as any exfiltrated data through web traffic in order to make it indistinguishable from legitimate traffic, primarily through port 443.
The goal will initially be lateral movement through the network, until a second method of persistence is added. Cobalt Strike is the primary method that we are running into. Cobalt Strike can pivot through a network using PowerShell and other seemingly innocuous methods in order to add all of the hosts on the network as a beacon.
After they’re embedded in the network, the next steps are scanning/mapping the network, dumping credentials with mimikatz (a hacking tool used to pull windows credentials), pulling AD users and creds from NTDS.DIT and seemingly anywhere else they can. Once credentials are obtained, next is usually data exfiltration. From here, encrypting the files to initiate the ransomware attack is trivial for an attacker with pre-built software.
What can we do to protect ourselves?
Ensure everything is patched and up to date. Not just your external services – internal too. This will help shut down attackers or at least drastically slow them down should they get any footholds in the environment.
Run a quality anti-malware service, such as SentinelOne, that hooks volume shadow copy in order to prevent attacks. It also helps the admin and/or incident response team threat hunt and find where the event started.
Enforce good security policies. Require complex passwords that can’t be reused and regular password changes. Multi-factor authentication would stop many attackers in their tracks.
Security hygiene isn’t the most exciting thing, but it’s more important than ever. One lax policy or blind spot could lead to an event like this.