Quantcast
Channel: Dark Web – Dark Lab
Viewing all articles
Browse latest Browse all 18

Ransomware’s Uneven Playing Field: Re-Thinking Protection and Detection from Small and Medium Enterprises

$
0
0

Recently, Dark Lab attended a conference to present the lessons learnt from ransomware incidents impacting small and medium enterprises (“SMEs”), and how these lessons learnt can help us find effective measures against ransomware threats.

Apart from our experience dealing with ransomware, it has been reported by the industry, that 85% of ransomware attack victims are small businesses.[1] These businesses present as lucrative targets for opportunistic ransomware actors, given their limited access to resources to implement robust security solutions.

In the past year, we have responded to numerous ransomware incidents involving small to medium enterprises (“SMEs”) that lack of the resources to invest in advanced security tools such as Endpoint Detection and Response (“EDR”) or Security Information and Event Management (“SIEM”) systems. Despite the absence of these tools, our incident response efforts have revealed simple controls that can effectively serve as containment, preventive, or damage-control measures.

Our presentation covered several ransomware incidents involving both well-known operators and newcomers to the field. We provided our insights into the threat intelligence associated with these actors, analyse the Tactics, Techniques, and Procedures (“TTPs”) used compared to large-scale ransomware, and share lessons learned from handling these incidents, including mistakes made by the threat actors. We further note the potential applications of these strategies in larger enterprises as a means to strengthen their own posture.

This blog will deep dive into the threat intelligence associated with the current ransomware landscape, the Tactics, Techniques and Procedures (“TTPs”) behind ransomware attacks, and our lessons learnt along with the insights from previous incident experience.

The Current Ransomware Landscape

Figure 1: Overview of changes in the ransomware landscape

In 2024, we observe an increasingly unpredictable and diverse ransomware landscape following multiple disruptive events that have reshaped how the ransomware ecosystem operates today.

Figure 2: Timeline of 2024’s “major disruptors” in the ransomware and wider cybercriminal landscape

Significant catalysts for these shifts include the persistence of law enforcement disruptions against larger Ransomware-as-a-Service (RaaS) operators, as exemplified in the ongoing #OpCronos against LockBit. Not to mention BlackCat’s alleged exit scam following allegations of failure to payout their affiliate for their attack on UnitedHealth.

These two instances alone incited heightened scepticism and distrust within the cybercriminal community, leading to a shift away from these “market leaders”. Quickly, we observed smaller and new players seize this opportunity to establish their presence within the ransomware ecosystem. Not only applying the lessons learnt from the downfalls of bigger players, and factoring in the changes to the ways in which victims respond to ransomware attacks, we observe these new joiners seeking to distinguish themselves and increase their chances of success through alternative means of approaching ransomware attacks. For example;

Figure 3: Latest trends observed amongst newer ransomware groups

A Focus on SMEs

Contrary to the misconception that SMEs are not a priority for ransomware groups due to the lower payout opportunity, we observe the majority of ransomware attacks are targeted against SMEs. This is as larger enterprises are now well-equipped with security solutions designed to prevent and detect against impending threats, thus posing SMEs as enticing targets for a higher likelihood of success.

We attribute this to a number of factors; limited funds to invest in cybersecurity professionals and technologies, lack of preparedness to respond to an attack, and the impact that operational disruptions may have on the viability of the business. Statistically, 75% of SMEs could not continue operating beyond seven (7) days if hit by ransomware [2], whilst 20% of SMEs that fell victim to a ransomware attack paid the ransom.[3] Furthermore, learning from the cases of LockBit and BlackCats’ notoriety, newer players seek to evade attention from media and law enforcement; conducting lower-profile attacks to maintain their presence and longevity.

Who’s targeting SMEs?

Figure 4: Snapshot of ransomware operators known to target SMEs

As seen in the image above, we observe both established RaaS operators who we track and know well, and newer players, experimental in the approaches to ransomware attacks, targeting SMEs. We note that this list is not exhaustive given the opportunistic nature of ransomware actors, and is further applicable in the context of larger enterprises.

With newer groups diversifying their attack methods and creating an increasingly ‘unpredictable’ ransomware threat, how can we stay focused?

Focusing on the “critical path”

Despite the abundance of new players on the market – bringing new approaches and techniques used to facilitate their attacks – we still observe overarching commonalities in their Tactics, Techniques, and Procedures (“TTPs”).

Figure 5: MITRE ATT&CK Heatmap – highlighting the most frequently leveraged TTPs*

The above MITRE ATT&CK heatmap compiles the TTPs used by various aforementioned threat actors. By focusing on the most frequently used TTPs (highlighted in red and orange), we can prioritise our efforts to strengthen defences against these techniques, creating a ‘critical path’ for us to focus our efforts in devising protection and detection.

This critical path provides a holistic view of RaaS operators, not just applicable to SMEs but all types of victims. In the case of SMEs, given the limited access to resources, this critical path provides a realistic baseline to focus resources on preventing and detecting against ransomware threats.

Our experience responding to ransomware attacks against SMEs

To consider how this “critical path” translates into real life, we referenced some historic cases we have battled, and the lessons learnt. Specifically, we deep dived into three (3) case studies, attributed to RansomHouse, SEXi (a.k.a. APT Inc.), and LockBit, respectively.

Each case study shared commonality in that initial access was obtained via breaching perimeter devices e.g., SSLVPN. However, the case studies provided a useful comparison on the degree of impact incurred within an SME environment depending on the presence (or lack thereof) sufficient security controls.

Figure 6: Case Studies – highlighted in pink are the techniques performed in these incidents

Case Study 1: RansomHouse affiliate (an “Old Guard”)

Figure 7: High-level timeline of incident attributed to RansomHouse affiliate

In the first case study, the RansomHouse affiliate achieved initial access via a known vulnerability. The affiliate proceeded to perform account brute forcing and network scanning using the commonly leveraged, SoftPerfect Scanner. Obtaining a service account granted with administrative privileges, the affiliate proceeded to perform Remote Desktop Protocol (RDP) for lateral movement. Notably, the service account was secured with a weak password and the last date of password reset was the same as its creation date – a common issue we have observed across SMEs, whereby they use a weak password for account creation, and subsequently neglect to change the password later.

The affiliate further enumerated the victim’s environment, obtaining additional credentials to access their ESXi, Network Attached Storage (NAS), various databases and Software-as-a-Service (SaaS) platforms. With their better understanding of the victim’s environment and the “crown jewels” to target for sensitive data, the affiliate proceeded to deploy the AnyDesk remote access software and a PowerShell script. This resulted in large outbound data exfiltration over 700 gigabytes (GB) of data before removing backups and deploying ransomware across their Network Attached Storage (NAS), backup servers, and virtual infrastructure (VMware ESXi) servers.

This case study highlights the sheer impact of a ransomware attack in environments lacking network segmentation, password policy enforcement, and sufficient access controls.

Case Study 2: SEXi affiliate (“New Blood”)

Figure 8: High-level timeline of incident attributed to SEXi (a.k.a. APT Inc.) affiliate

In our incident attributed to an affiliate of SEXi (now rebranded as APT Inc.) ransomware, the affiliate infiltrated via a SSLVPN entry, landing on a demilitarised zone (DMZ) server subnet. The affiliate was also observed to deploy the SoftPerfect Scanner for network discovery, resulting in the identification of a vulnerable Veeam Backup & Replication server. Exploiting the vulnerability to create a new local admin account, the threat actor proceeded to perform credential dumping on the Veeam server, obtaining valid ESXi and NAS credentials.

Pivoting to the ESXi and NAS servers, the SEXi affiliate proceeded to deploy their ransomware and delete all backup data on the NAS. Due to network segmentation in place, ransomware deployment was contained within the DMZ, and no data exfiltration was observed.

Case Study 3: LockBit affiliate (another “Old Guard”)

Figure 9: High-level timeline of incident attributed to LockBit affiliate

In our latest battle with LockBit, the affiliate infiltrated via a SSLVPN server using a valid SSLVPN account. In this case, the SSLVPN account belonged to a third-party vendor and had a weak password which had not been changed for over three (3) years. The affiliate landed on a DMZ zone, though due to poor network segmentation in place, the SSLVPN account was capable of accessing a management subnet with /16 IP addresses – a significantly large IP address range for the threat actor to access, not to mention a vendor.

Due to password reuse, the LockBit affiliate proceeded to takeover an administrator account, leveraged to laterally move to additional environments via RDP protocol. Notably, the admin account was utilised to perform a DCSync attack on the Domain Controller (DC). The affiliate then proceeded to perform data staging, focused on discovering Excel, PDF, and Word documents contained within shared folders. At this point, the affiliate installed MegaSync, a legitimate tool for data transfers, and created a folder for file staging. The affiliate then deployed ransomware. However, due to outbound network restrictions in place – no data exfiltration was involved.

Notably, the victim was not observed to be listed on LockBit’s dedicated leak site, which we hypothesised was due to their inability to exfiltrate data from the victim’s environment. This highlights the effectiveness in file transfer restrictions in not only mitigating against the compromise of data, but the ability to avoid reputational damage from public awareness of the ransomware incident.

Case Study Comparison; Same Same (TTPs), But Different (Impact)

Comparison of these similar attacks highlight how enforcing simple controls to restrict malicious activity can significantly minimise the impact of ransomware attacks.

Figure 10: Case Studies – summary of key observations

Through our incident experience, we highlight the following common issues in SMEs:

  • Initial access is achieved through preventable “low hanging fruit”, such as;
    • Commodity VPNs (e.g., Fortinet SSLVPN, SonicWall SSLVPN, etc.)
    • Infostealer data and credentials leaked on dark web
  • Lack of awareness and/or implementation of:
    • Strong password policies – guidelines that enforce the creation and use of complex, hard-to-crack passwords
    • Patch management – regular updating of software to remediate susceptibility to vulnerabilities that otherwise may be exploited by malicious actors
    • Perimeter services – security measures that protect the outer boundaries of a network, such as firewalls and intrusion detection systems (IDS)
    • Network segmentation – practice of dividing a network into smaller, isolated segments to limit access and lateral movement opportunities

What can SMEs do to minimise the risk and impact of ransomware threats?

From basic hardening configurations within Active Directory to enabling detection with honeytokens and strategically planning network restrictions, we share practical tips and strategies that we have implemented in our clients’ environments. This demonstrates how small businesses can reduce their risk from a full-scale ransomware attack or minimize the impact of such events. Additionally, we note that these strategies can be further leveraged by larger entities to strengthen their own environments.

Initial Access

Threat actors often seek “low hanging fruit” to gain initial access. For example, exposed SSLVPN gateways are frequently brute forced by malicious actors using leaked credentials. 

The following tips can aid SMEs in minimising their attack surface exposure to reduce the risk of unauthorised access.

On the perimeter-level, SMEs can consider the follow tips to minimise their attack surface exposure;

  • Stock take exposed services, patch or restrict administrative portals
  • Trim down access from SSL VPN to internal network
  • Isolate the systems with legacy operating systems

Access controls can further limit the opportunity for threat actors to infiltrate and/or persist in their post-compromise stages;

  • Housekeep accounts, and strengthen existing multi-factor authentication
  • Trim down access from SSL VPN to internal network
  • Use a separate set of credentials for SSL VPN access

Discovery

Threat actors typically use tools like Network Scanners (e.g., SoftPerfect) that rely on file shares to enumerate files for targeting.

A file share is a network resource that allows multiple users or devices to access and share the files and folders over a network. Threat actors frequently leverage these file shares to identify files of interest (e.g., containing ‘password’, ‘confidential’, ‘finance’, ‘secret’, ‘backup’, ‘admin’, etc.).

Figure 11: Sample file share discovery

To restrict the opportunity for threat actors to perform discovery via file shares, we recommend:

  • Perform a stock-take on file servers to identify critical files housing sensitive and/or confidential data
  • Review what users are allowed to access critical files, and restrict access based on the principle of least privilege

Canary tokens[4], otherwise known as a honey tokens, provide another avenue for proactive threat detection. Canary tokens are a digital identifier embedded within files, URLs, or systems to detect unauthorised access or activity. When an attacker interacts with a canary token, it triggers an alert to notify administrators of a potential breach.

Figure 12: Canary Token for Network Folders[5]
Figure 13: Canary Token for Windows Folders[6]

Lateral Movement

Threat actors target privileged accounts as part of their intrusion, in particular Domain Admins, leveraging their heightened privileges to perform various activities, spanning from data collection and exfiltration to ransomware deployment.

This begs the question; Do we really need to use “Domain Admins” for day-to-day operations?

Tips to secure domain admin accounts and reduce opportunities for lateral movement:

  • Account tiering is an effective means to reduce the risk of credential theft for administrative accounts. In short, it is the process of categorizing accounts and systems into tiers based on criticality. According to Microsoft, the “tier model creates divisions between administrators based on what resources they manage….[so that] admins with control over user workstations are separated from those that control applications”.[7
  • Enforce logon restrictions to ensure highly privileged accounts do not possess access to less secure resources. For example, domain admins (tier 0) should not possess permissions to access user workstations (tier 2).[8]
  • Restrict login attempts from Remote Desktop Services[9]
  • Ensure critical systems are kept up-to-date with regular patching. This involves referencing the systems categorized as critical (or “tier 0), and prioritizing these systems in your patch management process. As an example, Veeam Backup & Replication[10] and ESXi instances [11] are regularly targeted by multiple groups for ransomware deployment.  

Exfiltration (and Remote Access)

Threat actors frequently abuse legitimate solutions to facilitate their remote access (e.g., AnyDesk, TeamViewer, etc.) and data exfiltration (e.g., MegaSync, Rclone, etc.). Furthermore, in some cases we observed that host-based firewall may have been controlled by a compromised administrative account.

To detect for the malicious misuse of these legitimate tooling and/or accounts, we advise the use of an Active Directory-Integrated DNS (ADIDNS) sinkhole – ensuring proper Access Control Lists (ACLs) are configured.

A DNS sinkhole, otherwise known as a sinkhole server, is a DNS server that provides false information to prevent the use of domain names. It is a strategy used to block malicious traffic. When a device attempts to access a known malicious domain, the DNS sinkhole redirects the request to a non-routable address, effectively “sinking” the traffic and preventing the device from connecting to a harmful site.[12]

Figure 14: DNS Sinkhole

Conclusion

As the ransomware landscape continues to evolve and diversify in the threats faced, focusing on identification of predictable TTPs, or even a ‘critical path’, helps us prioritize efforts to defend against the most pertinent threats.

Whilst SMEs may struggle due to their technical limitations and resources, we hope this blog helps provide insight in the simple, yet effective means in which SMEs can uplift their security posture. As a reminder, implementation of these strategies requires carefully designed architecture and process planning (e.g., appropriate access controls, standard operating processes) to maintain effectiveness. Furthermore, we note that these approaches are universal and applicable in larger enterprises, providing proactive opportunities to harden your security posture.

What lies ahead for the future of ransomware?

As organisations increasingly shift to cloud and integration of Software-as-a-Solution (SaaS), we expect to see increased targeting against these environments. Whilst we already observe ransomware actors selling compromised databases, we project an uptick in the reselling of access for re-intrusion into victim environments by other threat actors. The application of artificial intelligence (AI) and automation intelligence within the cybercriminal is a continued discussion, as we anticipate threat actors expanding beyond the use of AI for content generation (in the context of social engineering) to other applications. There’s no telling for certain what else the future holds, but for now, let’s concentrate on safeguarding ourselves against the most crucial threats.

MITRE ATT&CK TTPs for the “Critical Path”

We include the observed MITRE ATT&CK tactics and techniques highlighted in the “critical path”:

MITRE IDMITRE ATT&CK TacticMITRE ATT&CK Technique
T1583Resource DevelopmentAcquire Infrastructure
T1587Resource DevelopmentDevelop Capabilities
T1588Resource DevelopmentObtain Capabilities
T1566Initial AccessPhishing
T1190Initial AccessExploit Public-Facing Application
T1078Initial AccessValid Accounts
T1133Initial AccessExternal Remote Services
T1059ExecutionCommand and Scripting Interpreter
T1053ExecutionScheduled Task/Job
T1047ExecutionWindows Management Instrumentation
T1106ExecutionNative API
T1204ExecutionUser Execution
T1569ExecutionSystem Services
T1136PersistenceCreate Account
T1543PersistenceCreate or Modify System Process
T1098PersistenceAccount Manipulation
T1505PersistenceServer Software Component
T1547PersistenceBoot or Logon Autostart Execution
T1055Privilege EscalationProcess Injection
T1134Privilege EscalationAccess Token Manipulation
T1027Defense EvasionObfuscated Files or Information
T1562Defense EvasionImpair Defenses
T1112Defense EvasionModify Registry
T1140Defense EvasionDeobfuscate/Decode Files or Information
T1036Defense EvasionMasquerading
T1218Defense EvasionSystem Binary Proxy Execution
T1497Defense EvasionVirtualization/Sandbox Evasion
T1070Defense EvasionIndicator Removal on Host
T1222Defense EvasionFile and Directory Permissions Modification
T1564Defense EvasionHide Artifacts
T1003Credential AccessOS Credential Dumping
T1083DiscoveryFile and Directory Discovery
T1082DiscoverySystem Information Discovery
T1018DiscoveryRemote System Discovery
T1057DiscoveryProcess Discovery
T1135DiscoveryNetwork Share Discovery
T1016DiscoverySystem Network Configuration Discovery
T1046DiscoveryNetwork Service Discovery
T1069DiscoveryPermission Groups Discovery
T1087DiscoveryAccount Discovery
T1482DiscoveryDomain Trust Discovery
T1518DiscoverySoftware Discovery
T1021Lateral MovementRemote Services
T1210Lateral MovementExploitation of Remote Services
T1570Lateral MovementLateral Tool Transfer
T1005CollectionData from Local System
T1560CollectionArchive Collected Data
T1039CollectionData from Network Shared Drive
T1105Command and ControlIngress Tool Transfer
T1219Command and ControlRemote Access Software
T1071Command and ControlApplication Layer Protocol
T1041ExfiltrationExfiltration Over C2 Channel
T1048ExfiltrationExfiltration Over Alternative Protocol
T1567ExfiltrationExfiltration Over Web Service
T1486ImpactData Encrypted for Impact
T1490ImpactInhibit System Recovery
T1485ImpactData Destruction

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.


Viewing all articles
Browse latest Browse all 18

Trending Articles