Ransomware continues to be one of the most serious and disruptive cyber threats. The business models, motivations, and infection techniques of emerging campaigns have diversified, and new strands of ransomware continue to outpace the release of decryption tools. By 2019, global ransomware damage costs are expected to surpass $11.5 billion per year.
The three most memorable ransomware campaigns of 2017 - Wannacry, NotPetya, and Bad Rabbit - were ground-breaking in their scope, spread, and destructive power, demonstrating that every business, industry, and country is a potential victim. Although the damage caused by these attacks highlighted the importance of good cyber hygiene, many companies have struggled to address even the most widely reported vulnerabilities. As prevention is better than cure, this article will discuss some of the most common infection vectors and how the Darktrace Enterprise Immune System can assist security teams in catching ransomware threats.
Motivations: financial gain or wreaking havoc?
Ransomware is traditionally linked with making a quick buck by getting the victim to pay a set fee to unlock encrypted files. The phenomenon of ransomware-as-a-service has made this easier than ever before, as it has allowed virtually anyone to purchase ever more potent ransomware distribution kits on the Dark Web. The recent growth in cryptocurrencies has also made maintaining anonymity much easier than before, resulting in a definite increase in financially motivated cyber-criminals.
Regrettably, the goal of ransomware is no longer just to make money. NotPetya and other campaigns such as Ordinypt were designed to purposefully destroy data instead. Even though NotPetya provided its victims with payment instructions, it had no way of identifying who had actually made the payment. The uncertainty surrounding the recovery of lost files and the possibility of being associated with funding malicious organizations have therefore deterred many victims from meeting the ransom demands.
No matter how much a business tries to safeguard their assets, incidents are inevitable, and ransom attacks are an increasingly likely choice of criminal action. But it is now possible to identify in-progress attacks and handle them before they become a crisis.
Case Study 1: Executable file download from a compromised website
Many prolific ransomware strands have been distributed by phishing emails, infected file downloads, compromised websites, malvertising, and exploit kits. In many cases, ransomware is often downloaded and installed without the victim’s knowledge. To illustrate the ransomware download mechanics, we will analyze the life-cycle of a GandCrab incident. In the case study detailed below, the Darktrace Enterprise Immune System flagged a customer device retrieving an executable file from a previously unmonitored location following a redirection from another rare site.
The file containing ransomware was downloaded from a website registered to a Polish domain. Shortly after downloading the file, the customer’s device began reaching out to two locations which had not been contacted by any other network devices, nomoreransom.bit and bleepingcomputer.bit. Both are command and control servers for GandCrab ransomware. Once contacted, the malicious virus proceeded to encrypt files on the SMB server, adding the .GDCB (GandCrab) extension as it moved through the folders.
Within seconds of the virus appearing on the company’s network, the Darktrace Cyber Analyst team alerted the security team of the threat. Preventative action was then taken, which allowed the threat to be contained within a timely manner.
Case Study 2: Bruteforcing Remote Desktop Protocol access
In addition to devising clever ways of downloading ransomware onto victim’s machines, some hackers have turned to bruteforcing Remote Desktop Protocol (RDP) access instead (HC7 & Lockcrypt). Exposing Remote Desktop services to the Internet is risky, as attackers can force access into a network by guessing login information and remotely exploiting a range of possible vulnerabilities and administrative tools in order to infect other available machines.
In another particularly serious breach, Darktrace detected a series of suspicious activities indicating that a malicious actor had taken control of a key server and was using it as a pivot point in order to move laterally throughout the network and install Remote Access Tools (RATs) on multiple devices.
In the initial stage of the attack, the Darktrace Enterprise Immune System observed over 400,000 incoming connections on a port that was targeting devices with RDP turned on and immediately flagged the first signs of a bruteforce attack.
The attack was successful; a compromised server was then used to retrieve malware that granted backdoor access and scanned the network for devices with open RDP channel. The hacker subsequently tunneled through the intermediary, gained control over multiple other machines, and installed third-party remote access software to all available devices.
Although most RDP bruteforcing incidents the Darktrace Enterprise Immune System observes do not escalate this far, the Darktrace Cyber Analyst team are constantly flagging instances of publicly accessible remote management services. To prevent ransomware that specifically exploits insecure RDP configuration, businesses should move these critical services to a virtual private network. Moreover, with Darktrace Antigena, Darktrace’s autonomous response solution, businesses can benefit from an added layer of protection. In this case, it would have blocked any anomalous RDP connections to the server, thus preventing any lateral movement throughout the network.
One of the top malware trends in recent months has been the stellar growth of crypto-mining malware. Of the various crypto-currencies, the most prominent malware used for illegal mining activities is Monero, a crypto-currency that can be profitably mined on commodity hardware such as laptops and workstations. Moreover, a related trend observed recently is that of laterally moving malware which, as its name suggests, moves between devices to execute its payloads in a variety of different ways. This malware, used in attacks such as WannaCry, NotPetya and BadRabbit, uses techniques such as encrypting hard drives with ransomware while also deploying Monero miners.
As Darktrace regularly detects crypto-mining attempts the moment they occur on a network, we can estimate the cash flow stream a cyber-criminal earned on a laterally moving Monero-miner infection that Darktrace identified.
How it began
Last month, a customer’s device – which we will call patient zero – became infected with a Monero-miner. After a short time, patient zero started looking for accessible SMB drives by scanning the internal network for devices on port 445. As the device had not conducted any network scanning activity in the past, Darktrace flagged the process as an unusual network scan and an anomalous SMB enumeration:
Once patient zero identified accessible IPC$, ADMIN$ or C$ SMB drives, it transferred an executable to the drive. After the file transfer, the malware used PsExec to connect to the device and execute the malicious software. As patient zero had not made any SMB drive writes and had not used PsExec in this fashion before, alerts were raised immediately:
Spread and containment
The now-infected device started mining Monero and attempted to communicate over Tor2Web with Command & Control (C2) servers:
Using Darktrace, the security team identified the infection within minutes and assessed the complete extent of the infection in less than an hour. Within three hours from initial detection, the security team had run a clean-up script on their network which stopped the spread.
We have estimated the hypothetical revenue for this particular attack. To make the mining less detectable, some of the current Monero-mining malware applies restrictions to both the number of threads that can be used and the maximum CPU usage capacity. As a result, we have estimated the figures below on a worst-case scenario basis.
We know that 300 machines were infected and that the Monero miners were running for around 4 hours.
Mining profitability is commonly measured in the amount of hashes calculated per second per CPU core or GPU. This number, known as hashes per second (H/S), can differ based on the hardware used. A common number on the lower end of the scale for H/S on a single CPU is 20 H/S for the CryptoNight algorithm used to mine Monero.
GPUs, being more efficient for the CryptoNight algorithm, can yield 2-3x the H/S rate of CPUs and beyond. Keeping with a worst-case scenario basis, we will assume all infected devices had only 2 CPU cores and no GPUs, meaning a single infected machine yielded 40 H/S. This leads us to the following calculation: 300 infected devices x 40 H/S = 12000 H/S.
A Monero-mining revenue calculation tool produced the following results: with a Monero price of $202.43 at the time of infection (disregarding electricity costs), the criminal would have earned roughly $15.85 in 24h. As the miners only ran for around 4 hours, the resulting revenue would have only been $2.64. So how is this profitable?
It’s a numbers game
Cryptocurrency-mining operations are designed to last for months, not hours. If this infection had gone undetected, the criminal would have earned $15.85 per day, or $475.62 per month. Furthermore, victims with larger networks are much less likely to notice the infection. As attacks spreading this kind of malware are often indiscriminate in nature, they will often hit thousands of organizations at the same time, giving them the capacity to generate much more than just half a dollar.
Last month Darktrace identified an advanced malware infection on a customer’s device, which used a sophisticated Command & Control (C2) channel to communicate with the attacker. The attacker spent a lot of effort in engineering a C2 channel that was meant to stay covert for months.
The malware used changing domains generated by Domain Generation Algorithms (DGAs). It also sent HTTP POST requests to malicious IP addresses while using reputable domain names for the hostname of the HTTP requests in order to blend in with normal web browsing. The attacker effectively tried to make the C2 communication look like a user browsing the well-known car rental website sixt.com and the luxury watch manufacturer breitling.com . Without using blacklists or signatures, Darktrace instantly identified this anomalous behavior, and as a result, the security team immediately isolated the infected device.
Beaconing to DGA websites
A laptop appeared on the network and made anomalous HTTP requests. The initial HTTP requests were made to the DGA domain tequbvchrjar[.]com on IP address 66.220.23[.]114. Within the next two days, several hundred HTTP POST requests were made to either this domain or to jckdxdvvm[.]com or cqyegwug[.]com, all hosted on the IP 66.220.23[.]114. Darktrace identified this behavior as beaconing – repeated connections often used in C2 communication – to DGA-domains.
What made this even more suspicious is that the POST requests used 5 different Internet Explorer User Agents for the HTTP requests. This was unusual behavior for the laptop as Darktrace had previously only observed Google Chrome User Agents. Darktrace’s unsupervised machine learning identified the User Agents as new and in conjunction with the DGA-domains as unusual activity.
The beaconing followed a steady pattern during afternoon to evening hours when the laptop was being used. This is visualized in the following graph over several days:
Malicious beaconing to reputable domains
In addition to beaconing to the DGA-domains, the device made several hundred HTTP POST requests using the hostnames sixt.com and breitling.com. Both domains are rather well-known and no public record exists of these domains having been compromised. The HTTP POST requests were made without prior GET requests and continued for several days – this is highly unusual behavior and does not resemble a user browsing those websites.
Upon closer inspection it became clear that the malware used indeed the hostnames sixt.com and breitling.com for the HTTP requests – but it was sending the HTTP requests to IP addresses owned by the attacker, not to the IP addresses that sixt.com and breitling.com resolve to on non-infected devices.
The requests for sixt.com were sent to the IP 184.105.76[.]250 while the requests for breitling.com were sent to 64.71.188[.]178. These two IP addresses, as well as the IP address hosting the DGA-domains, were hosted in the same ASN, AS6939 Hurricane Electric, which made this behavior even more suspicious. It is unlikely that all domains would be hosted in the same ASN by chance.
The malware authors used the trick of beaconing to well-known hostnames to circumvent reputation-based security controls and domain-based filters such as domain-blacklists, and to divert attention from security analysts investigating the beaconing. After all, the behavior looked on the surface like a user was browsing rental cars and luxury watches.
Further rapid investigation
Darktrace quickly revealed more details about the C2 communication. All requests were made to suspiciously-looking PHP endpoints and returned HTTP status code 200, ‘OK’, in all cases. The following shows an example of requests to three domains.
Darktrace instantly alerted on this as anomalous behavior:
A PCAP was directly downloaded from the Darktrace interface to inspect the suspicious C2 traffic:
Actively developed malware strain
It appears that this malware strain is under active development.
Open source research suggests that malware that behaves similarly has been circulated at least since the end of 2016. Some sources have attributed the malware families Razy and Nymaim to the executables seen. However, little research on these strains exist and both malware strains are generic in nature. Below are two samples from 2016:
These pieces of malware likely represent a prior version of the malware identified by Darktrace. The 2016 version also communicated with sixt.com and breitling.com, but also made HTTP requests to carvezine.com and sievecnda.com. No DGA domains were observed in the 2016 version.
The PHP endpoints in the URI have also changed. In the version from 2016, the PHP endpoints always ended in ‘/[DGA-string]/index.php’. C2 traffic is often seen to be sent to ‘index.php’ endpoints. Defenders started monitoring the static URI Indicator of Compromise (IoC) ‘index.php’. The malware authors know this as well and have adapted their C2 communication accordingly. As shown in the above screenshots, the PHP endpoint is now in the format of ‘[DGA-string].php’. This further shows that legacy controls – such as static monitoring for quickly outdated Indicators of Compromise – do not scale in today’s threat landscape.
Although the malware authors intended for their implant to stay covert and defeat common security controls, Darktrace instantly alerted on the anomalous behavior. Darktrace’s detections could not have been clearer. The following graphic shows a part of the communication exhibited by the infected device around the time of the infection. Blue lines represent outgoing connections from the device. Every colored dot represents a high-level Darktrace alert:
Using no blacklists or signatures, Darktrace detected this highly anomalous malware behavior instantly. A piece of malware that was meant to stay covert for months was quickly identified using anomaly detection on network data.
Indicators of Compromise:
The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of close to $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near to $10,772.
While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’ have emerged and grown in value in the last 12 months. For example, Dogecoin, originally created to be a spoof cryptocurrency after a widespread internet meme, reached a notable market capitalization milestone of $2bn in January 2018 .
Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late state, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Other altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.
The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets , has profited from this effect. While Monero was valued at around $10 in January 2017, its price has been pumped up to $419 a year later.
There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and its status as a currency rages, and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.
Darktrace has observed an abrupt increase of cryptocurrency-related attacks over the last 12 months. Both the frequency and the diversity of these attacks has grown significantly and largely mirrors the remarkable rise in the value of Bitcoin over that period.
Previously, cyber-criminals monetized their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. However, criminals are notoriously adaptable and will follow the money wherever it leads, leading to an increase in cryptojacking’s popularity.
Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterizes ransomware attacks. Most users and security products might not notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in CPU or RAM usage.
Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat. Nor was Darktrace, but its approach – which relies on its evolving understanding of patterns of behavior – means that it can detect such attacks without having to know what to look for in advance.
Darktrace has detected a number of different attack vectors related to cryptocurrency attacks.
- Nefarious use of corporate resources
Darktrace has detected a range of incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain. These employees do not have to pay for the electricity used to run the corporate device in the office – they are basically turning their employer’s electricity into cash by commandeering it for mining operations.
This is commonly seen as a compliance breach and increases the attack surface of a device that has mining software installed. It puts the corporate device at risk and also increases operational costs as the power consumption usually goes up for mining devices. The most popular cryptocurrency choices for this kind of mining in the last 12 months were Etherium and Monero – altcoins that can profitably be mined without the need for inordinate electricity.
- Coinhive drive-by mining
Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new forms of revenue streams alternative to advertisement and banner placements.
Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly browsing websites using Coinhive results in increased power consumption cost for the organization as a whole.
- Malicious insider
A malicious insider compromised his employer’s website to put a Coinhive script on there. This then mined Monero for every visitor on the employer’s website for the malicious insider’s personal gain.
- Traditional malware
Cyber criminals are constantly looking to improve the return on investment of their operations. Reports suggest that criminals are starting to adjust their monetization methods based on the financial means of their targets. Suppose you can’t pay the fee extorted in a ransomware attack? They’ll just install a crypto miner on your device instead to ensure that the attack is not completely fruitless.
As malware authors become more sophisticated, they often deploy multi-staged malware that can swap weaponized payloads. Once malware has infected a system successfully, its authors can often decide what actions to take next. Encrypt the device and extort a ransom? Install a banking Trojan to harvest credit card details? Install more spyware modules to look for data exfiltration? Or, now, install a cryptocurrency miner.
These pieces of malware operate stealthily and often go undetected for several weeks. An infection might start with a phishing email that contains a macro-enabled document. As soon as a user enabled the macro, the malware will download a file-less stager that lives in memory and cannot be detected by traditional antivirus. Command and control communication is usually maintained via IP addresses that change on a daily basis in order to outrun threat intelligence and blacklisting attempts. As no obvious damage is done straight away, these attacks often stay under the radar for prolonged times, so long as self-learning technology such as Darktrace is not employed.
This becomes much more concerning as malware authors could swap one payload for another overnight if they deem it more profitable, switching from a furtive crypto mining Trojan to ransomware the next day. While we have not observed this kind of attack in the wild yet, it is plausible, and in cyberspace what can be done, will be done.
Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the crypto-blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. Indeed, the former Chief Economist of the World Bank, Joseph Stiglitz – an adamant critic of cryptocurrencies – has said that the whole value of Bitcoin resides in its “potential for circumvention” and “lack of oversight”.
While Stiglitz’s case may be overstated, there can be no question that cyber criminals have sensed a new opportunity to make money. A lot of organizations still regard crypto mining as a compliance incident. This can lead to grave consequences as a cryptocurrency mining device might lead to more severe incidents that can have a serious effect on business operations.
This kind of threat is difficult to detect as no obvious damage is done. However, with Darktrace’s machine learning we can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, Darktrace can pinpoint the changes in behavior effected by cryptocurrency miners without having to rely on any blacklists or signatures.