The best signature move: Detecting ransomware without any signatures at all

Max Heinemeyer, Director of Threat Hunting | Monday November 18, 2019

Across Darktrace’s global customer base, ransomware is rapidly on the rise. And unlike the indiscriminate ransomware worms — like WannaCry and BadRabbit — that we’ve discussed in the past, the trend of today’s attacks is toward selective “big game hunting.” The Ryuk ransomware incident I blogged about last month demonstrates how criminals now seek to exploit the particular vulnerabilities of their strategic targets.

Despite the increasing sophistication of these attacks, however, detecting them is ultimately just a classification problem — albeit a highly complex and consequential one. To understand what makes this problem difficult, consider three ways of identifying ransomware. The first and most common way is to cross-reference new activity with the digital ‘signatures’ of known malware strains, catching attacks that the security community has already catalogued. Of course, such fixed signatures are blind to the novel malware variants that dominate the modern threat landscape.

The second level uses supervised machine learning, which entails training an AI on lots of historical examples of ransomware attacks in an attempt to find their commonalities. While this approach can, in theory, detect ransomware that isn’t identical to training data, the supervised learning approach is essentially just signatures on steroids, failing to flag malicious behavior that is fundamentally unlike anything seen before. Rather, addressing the ransomware epidemic once and for all requires unsupervised machine learning. By understanding how each particular employee and device functions while ‘on the job’ — without any signatures or training data — Cyber AI does just that.

An education in ransomware

When a world-leading education institution was hit with a strain of the Dharma ransomware family this past October, Darktrace Cyber AI immediately alerted on the attack using this learnt knowledge of the institution itself — rather than with signatures. The following timeline details each phase of the incident:

Figure 1: An overview of the attack.

In summary, the threat-actors brute-forced their way into the institution’s network by exploiting a server that lacked protection against such RDP brute-forcing — compromising an admin’s credentials. They then proceeded to scan the network until they located an open port 445, whereupon they moved laterally using the PsExec tool that allows for remote administration. The initially compromised server copied the ransomware, named “system.exe,” to hidden SMB shares on the other machines via the SMB protocol. Finally, that ransomware began encrypting data on all of these devices.

Cyber AI traced every step of the above attack by contrasting it with the institution’s normal online behavior. The graph below shows the infected server’s activity throughout the entire incident.

Figure 2: Every colored dot represents a high-confidence Darktrace alert indicating significantly anomalous activity.

Beyond just detecting the attack, however, Darktrace’s AI Autonomous Response tool, Antigena, would have taken targeted action to neutralize it within seconds. When hit with machine-speed threats like ransomware, human security teams need such AI tools to contain the damage, as Antigena would have done:

An alternate reality with Autonomous Response

The attack would have gone quite differently had it been met with Autonomous Response. To start with, Antigena would have blocked the threat-actor’s repeated login attempts over RDP, since these attempts originated from external IP addresses that had never communicated with the organization before. Antigena works by enforcing the normal ‘pattern of life’ for each impacted user and device, meaning that it would not have blocked IP addresses that regularly communicate with the RDP server. This ensures that activity necessary to daily operations isn’t interrupted during even serious threats.

Figure 3: Darktrace alerts on one of the multiple unusual IP addresses that attempted brute-forcing.

By this point, the threat would already have been neutralized by the blocked brute-forcing. But had the attackers somehow still managed to scan the network for open SMB services, Antigena would have intervened once again to surgically restrict that behavior, as Darktrace recognized that the infected server almost never scanned the internal network.

Figure 4: Darktrace alerts on the anomalous scanning behavior, which Antigena would have autonomously blocked.

Continuing on with the hypothetical, though, the server now employs PsExec to move laterally to other devices — activity that Darktrace identified as anomalous immediately. Antigena would have escalated its response at this point, stopping all outbound connections from the server for several hours. Ultimately, Autonomous Response would have completely disarmed the threat, as it has successfully demonstrated on millions of occasions already.

Uncovering the Unpredictable

It has never been easier for threat-actors to devise novel ransomware strains and to gain access to new command & control domains. Using fixed signatures, IP blacklists, and predefined assumptions is therefore insufficient, since no security tool can predict the next fundamentally unpredictable attack. Only Cyber AI — which learns what’s normal for each unique user and device it defends — is equipped for such a challenge.

Of course, detection alone won’t cut it. Modern ransomware is increasingly automated; in this particular case, the entire incident took less than two hours, from the initial brute-forcing to the concluding encryption. And although Darktrace alerted on the threat in real time, the security team was occupied with other tasks, leading to a compromise. That’s where Autonomous Response has become business-critical across every industry — it’s on guard 24/7, even when the security team can’t be.

To learn more about how Autonomous Response neutralizes ransomware without relying on signatures, check out our white paper: Darktrace Antigena: The Future of AI-Powered Autonomous Response.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.