Blog - HUNTERS

Facing Ransomware: The Threat Intelligence Approach

Written by Dvir Sayag | Oct 12, 2021 9:24:52 AM

Ransomware attacks are not going away any time soon. According to a blog post by Varonis, 37% of respondent organizations were affected by ransomware in 2020; ransomware attacks are happening every 11 seconds in the US in 2021; and the average ransomware payment in 2021 is $570,000.

We recently hosted Brad Mecha, Director of Managed Services at Recorded Future, and Guy Yasoor, Threat Researcher at Hunters, at the “Hands-On Security” podcast to get their take when security teams need to deal with ransomware attacks. They presented two different perspectives: Threat Intelligence and Threat Hunting.

Throughout this blog post, we will focus on the Threat Intelligence approach and share some of the key insights from our conversation with them, including specific data about the DarkSide APT group.

Ransomware APT Groups

Lately, there have been several developments in the way that ransomware groups operate. Ten years ago, ransomware attacks would have been expected to be carried out by nation-state level threat actors such as China or Russia, but we're now seeing this from crimeware groups spread around the globe. Additionally, we can see that the majority of ransomware attacks behave like other APTs and lateral-moving attacks, achieving persistence on key network assets and moving around the network before they decide to take action, which means that traditional mitigation that is being used nowadays for different threats, might apply when referring to mitigations of ransomware attacks.

Let’s take the ‘DarkSide’ group (that many believe they have recently evolved into ‘BlackMatter’) as an example. 

DarkSide is a Ransomware-as-Service (RaaS) group that has been active since August 2020 and has had a substantial impact on America’s infrastructure, infecting large and well-known companies. If we look at some of the companies that they targeted, the most relevant one was Colonial Pipeline, which aside from making it to the headlines all over the planet, caused significant disruption on the oil prices and operations across the US for several days. But they have also impacted organizations across various industry verticals including consumer goods, information technology, finance, utilities, automotive, insurance, legal, and petroleum.

What this APT group does is essentially build the infrastructure, the code, and the capabilities of the payload (ie. the encryption of the data), and it acts as a franchise: people can buy those capabilities and then use them at will, so the victims aren’t necessarily picked by the group itself as other threat actors can easily use the ransomware at their discretion.

The ransomware ‘service’ is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS) as we can read on Recorded Future’s blog.

For crime gangs, solo hackers, and more, this means that attacking targets at a large scale and receiving large amounts of money is much easier and accessible, making the war against ransomware attacks much harder for the cybersecurity industry. 

Leveraging Threat Intelligence to Stop Ransomware Attacks

Being in the security team of an organization means that most likely one has to provide answers and context to their peers and superiors about existing security threats, and the risk of suffering a ransomware attack and its possible mitigations is definitely an item on the agenda. 

Employing Threat Intelligence is a target-focused approach that can enormously simplify detection and response to ransomware attacks when dealing with well-known, concrete threats. When security teams take this approach as a strategy, most of the detection will be IOCs and TTPs based on ransomware and APT groups, targeting their specific attack techniques to detect a potential attack in the organization.

The first step to employing Threat Intelligence properly would be to truly understand the ransomware threat landscape: Who are the current ransomware groups? What industries are they targeting? What techniques are they mostly using? After answering those questions and understanding if any groups are targeting your industry or peers, it’s time to transition to the more tactical side of threat intelligence.

DarkSide Operating Method

Recent DarkSide research published by cybersecurity firms such as Cybereason, Varonis, and Arete found that common DarkSide TTPs include:

  1. Obtaining valid accounts for initial access and lateral movement
  2. Abusing exposed or unsecured remote services for initial access and lateral movement
  3. Enumerating network shares and local drives
  4. Executing the payload via scheduled tasks

Similar to other ransomware families, DarkSide also deletes shadow copies to inhibit system recovery, stops processes related to security software to evade defenses, and compresses data using an archive utility prior to exfiltration. For command and control, DarkSide ransomware uses RDP client connections routed through TOR over HTTPS, and Cobalt Strike beacons.

A major weak point that we see is data exfiltration. The DarkSide group was exfiltrating data with FTP, executing Rclone or WinSCP. This is where security teams that use threat intel properly will act accordingly, looking inside their network to find where outbound FTP/SFTP communication is allowed, whitelisting the legitimate application, and having a discussion about using more resilient protocols, then looking for what systems in their environment are executing WinsSCP or have Rclone binaries on them, and then figuring out if these are valid or not, and how applications are being used today.

Another important phase is the Initial Access phase. Initial Access vectors used by DarkSide operators include obtaining compromised credentials to RDP clients and virtual desktop infrastructure, and the exploitation of vulnerable public-facing applications. This is a great reason to double-check every public-facing application in the network and look if there are any known vulnerabilities out there targeting the specific applications. 

Regardless if it's the DarkSide group or not, building a more resilient environment is important. It could be from actions such as making sure that the specific CVEs that the APT group is using for exploitation are patched, to making sure that VPN getaways are properly secure, and that logging mechanisms are enough to detect if there is an attempt to use stolen passwords. 

Using threat intel properly implies combining prevention mechanisms as well as having detection controls in place across the attack surface to be able to detect and stop attacks on time.

Hunters XDR, when it comes to stopping ransomware attacks, combines TTP-based detection and threat intel IOCs from APT groups across all attack vectors in order to surface relevant threat signals and alerts that can stop the spread of the malware.


You can listen to the full podcast here.