Technology
Products
Industries
News
Events
Resources
Company
English
Technology
Products
Industries
News
Blog
Events
Resources
Company

How AI stopped a WastedLocker intrusion before ransomware deployed

Max Heinemeyer, Director of Threat Hunting | Tuesday December 22, 2020

Since first being discovered in May 2020, WastedLocker has made quite a name for itself, quickly becoming an issue for businesses and cyber security firms around the world. WastedLocker is known for its sophisticated methods of obfuscation and steep ransom demands.

Its use of ‘living off the land’ techniques makes a WastedLocker attack extremely difficult for legacy security tools to detect. An ever-decreasing dwell time – the time between initial intrusion and final execution – means human responders alone struggle to contain the ransomware variant before damage is done.

This blog examines the anatomy of a WastedLocker intrusion that targeted a US agricultural organization in December. Darktrace’s AI detected and investigated the incident in real time, and we can see how Darktrace Antigena would have autonomously responded to stop the attack before encryption had begun.

As ransomware dwell time shrinks to hours rather than days, security teams are increasingly relying on artificial intelligence to stop threats from escalating at the earliest signs of compromise – containing attacks even when they strike at night or on the weekend.

How the attack unfolded

Figure 1: A timeline of the attack

Initial intrusion

The initial infection appears to have taken place when an employee was deceived into downloading a fake browser update. Darktrace AI was monitoring the behavior of around 5,000 devices at the organization, continuously adapting its understanding of the evolving ‘pattern of life’. It detected the first signs of a threat when a virtual desktop device started making HTTP and HTTPS connections to external destinations that were deemed unusual for the organization. The graph below depicts how the patient zero device exhibited a spike in internal connections around December 4.

Figure 2: The patient zero device exhibiting a spike in internal connections, with orange dots indicating model breaches of varying severity

Reconnaissance

Attempted reconnaissance began just 11 minutes after the initial intrusion. Again, Darktrace immediately picked up on the activity, detecting unusual ICMP ping scans and targeted address scans on ports 135, 139 and 445; presumably as the attacker looked for potential further Windows targets. The below demonstrates the scanning detections based on the unusual number of new failed connections.

Figure 3: Darktrace detecting an unusual number of failed connections

Lateral movement

The attacker used an existing administrative credential to authenticate against a Domain Controller, initiating new service control over SMB. Darktrace picked this up immediately, identifying it as unusual behavior.

Figure 4: Darktrace identifying the DCE-RPC requests

Figure 5: Darktrace surfacing the SMB writes

Several hours later – and in the early hours of the morning – the attacker used a temporary admin account ‘tempadmin’ to move to another Domain Controller over SMB. Darktrace instantly detected this as it was highly unusual to use a temporary admin account to connect from a virtual desktop to a Domain Controller.

Figure 6: Further anomalous connections detected the following day

Lock and load: WastedLocker prepares to strike

During the beaconing activity, the attacker also conducted internal reconnaissance and managed to establish successful administrative and remote connections to other internal devices by using tools already present. Soon after, a transfer of suspicious .csproj files was detected by Darktrace, and at least four other devices began exhibiting similar command and control (C2) communications.

However, with Darktrace’s real-time detections – and Cyber AI Analyst investigating and reporting on the incident in a number of minutes, the security team were able to contain the attack, taking the infected devices offline.

Automated investigations with Cyber AI Analyst

Darktrace’s Cyber AI Analyst launched an automatic investigation around every anomaly detection, forming hypotheses, asking questions about its own findings, and forming accurate answers at machine speed. It then generated high-level, intuitive incident summaries for the security team. Over the 48 hour period, the AI Analyst surfaced just six security incidents in total, with three of these directly relating to the WastedLocker intrusion.

Figure 7: The Cyber AI Analyst threat tray

The snapshot below shows a VMWare device (patient zero) making repeated external connections to rare destinations, scanning the network and using new admin credentials.

Figure 8: Cyber AI Analyst investigates

Antigena: AI that responds when the security team cannot

Darktrace Antigena – the world’s first and only Autonomous Response technology – was configured in passive mode, meaning it did not actively interfere with the attack, but if we dive back into the Threat Visualizer we can see that Antigena in fully autonomous mode would have responded to the attack at this early stage, buying the security team valuable time.

In this case, after the initial unusual SSL C2 detection (based on a combination of destination rarity, JA3 unusualness and frequency analysis), Antigena suggested instantly blocking the C2 traffic on port 443 and parallel internal scanning on port 135.

Figure 9: The Threat Visualizer reveals the action Antigena would have taken

When beaconing was later observed to bywce.payment.refinedwebs[.]com, this time over HTTP to /updateSoftwareVersion, Antigena escalated its response by blocking the further C2 channels.

Figure 10: Antigena escalates its response

The vast majority of response tools rely on hard-coded, pre-defined rules, formulated as ‘If X, do Y’. This can lead to false positives that unnecessarily take devices offline and hamper productivity. Darktrace Antigena’s actions are proportionate, bespoke to the organization, and not created in advance. Darktrace Antigena autonomously chose what to block and the severity of the blocks based on the context of the intrusion, without a human pre-eminently hard-coding any commands or set responses.

Every response over the 48 hours was related to the incident – Antigena did not try to take action on anything else during the intrusion period. It simply would have actioned a surgical response to contain the threat, while allowing the rest of the business to carry on as usual. There were a total of 59 actions throughout the incident time period – excluding the ‘Watched Domain Block’ actions shown below – which are used during incident response to proactively shut down C2 communication.

Figure 11: All Antigena action attempts during the intrusion period across the whole organization

Antigena would have delivered those blocks via whatever integration is most suitable for the organization – whether that be Firewall integrations, NACL integrations or other native integrations. The technology would have blocked the malicious activity on the relevant ports and protocols for several hours – surgically interrupting the threat actors’ intrusion activity, thus preventing further escalation and giving the security team air cover.

Autonomous Response: Stopping ransomware before encryption ensues

This attack used many notable Tools, Techniques and Procedures (TTPs) to bypass signature-based tools. It took advantage of ‘living off the land’ techniques, including Windows Management Instrumentation (WMI), Powershell, and default admin credential use. Only one of the involved C2 domains had a single hit on Open Source Intelligence Lists (OSINT); the others were unknown at the time. The C2 was also encrypted with legitimate Thawte SSL Certificates.

For these reasons, it is plausible that without Darktrace in place, the ransomware would have been successful in encrypting files, preventing business operations at a critical time and possibly inflicting huge financial and reputational losses to the organization in question.

Darktrace’s AI detects and stops ransomware in its tracks without relying on threat intelligence. Ransomware has thrived this year, with attackers constantly coming up with new attack TTPs. However, the above threat find demonstrates that even targeted, sophisticated strains of ransomware can be stopped with AI technology.

Thanks to Darktrace analyst Signe Zaharka for her insights on the above threat find.

Learn more about Autonomous Response

IoCs:

IoCComment
www.betech-system[.]com
84.38.182[.]191
C2 communication
true-post[.]com
84.38.183[.]101
C2 communication
130.0.233[.]178
bywce.payment.refinedwebs[.]com
cawuj0.payment.refinedwebs[.]com
acbynzexo.payment.refinedwebs[.]com
cdb6eaa5.payment.refinedwebs[.]com
payment.refinedwebs[.]com
C2 communication

Darktrace model detections:

  • Compliance / High Priority Compliance Model Breach
  • Compliance / Weak Active Directory Ticket Encryption
  • Anomalous Connection / Cisco Umbrella Block Page
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compliance / Default Credential Usage
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Anomalous Server Activity / Rare External from Server
  • Device / Lateral Movement and C2 Activity
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New or Uncommon WMI Activity
  • Compromise / Watched Domain
  • Antigena / Network / External Threat / Antigena Watched Domain Block
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Slow Beaconing Activity To External Rare
  • Device / Multiple Lateral Movement Model Breaches
  • Compromise / High Volume of Connections with Beacon Score
  • Device / Large Number of Model Breaches
  • Compromise / Beaconing Activity To External Rare
  • Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
  • Anomalous Connection / New or Uncommon Service Control
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Compromise / SSL or HTTP Beacon
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Compromise / Sustained SSL or HTTP Increase
  • Unusual Activity / Unusual Internal Connections
  • Device / ICMP Address Scan

Max Heinemeyer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.