Detecting Ransomware Precursors

The business model for Ransomware has evolved to include multi-level and multi-stage services and tool kits. Initial access is often accomplished by 1st stage compromise, followed by 2nd stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of maximum impact. At this point the attack often looks like any other infiltration. However, several observable techniques are often observed just prior to ransomware execution. In this post I’ll provide examples of these detectable behaviors which you can use to build SIEM alerts and threat hunting logic. Detecting these patterns (in near real time) will give you an advantage in understanding what kind of threat you are facing and which devices have been impacted when the inevitable emergency phone calls start coming in.

Caveat 1: Alerting on this activity is a LAST line of defense. Truthfully, if you catch a real bad guy with these, you’re likely going to have a terrible couple of weeks. If you don’t already have a robust set of other detection rules for the 1st and 2nd stages, PLEASE don’t start here. This is the last chance to alert and will most likely be only of forensic value, since these often occur minutes before ransomware is deployed. If you’re lucky, you’ll have a chance to identify and isolate the impacted devices before the attack spreads further.

Caveat 2: The commands below assume two things:
1. you are monitoring process execution and associated command lines,
2. the commands are in plain text and not encoded via powershell or otherwise obscured (e.g. passed via API). If they are, and you have a robust EDR Solution, or script block logging enabled, you may still be able to see the decoded/hidden commands. Note, some of these techniques are detectable via other means (e.g. registry monitoring) and where that is the case I’ve mentioned it in the “notes” column below. Always test your rules with adversary emulation techniques!


Goal 1: Profile and Disable Protections
These actions aim to evade/disable prevention/detection tools. This could be disabling AntiVirus processes or making changes to system settings.

SubGoalNotional Command LogicExamplesNotes
Recon for security tools via WMIselect * AntivirusProduct

OR

select * AntispywareProduct

OR

select * FirewallProduct
wmic select * antivirus
wmic select * antispyware
‘*’ in these commands is literal. In every other example which follows, it is NOT literal.

wmic.exe is commonly used, but a few alternative processes are worth including:
srccons.exe | cmd.exe |
winrm.exe | winrs.exe |
wmiprvse.exe | cscript.exe|
wscript.exe | powershell.exe.
Disable security tools via service stop/delete/confignet stop *

OR

sc stop *

OR

sc delete *

OR

sc config * disabled


Examples for MS Firewall service, MS Defender, and Windows Update Service:

sc config MpsSvc start= disabled
sc config WinDefend start= disabled
sc config wuauserv start= disabled

net stop MpsSvc
net stop WinDefend
net stop wuauserv

sc stop MpsSvc
sc stop WinDefend
sc stop wuauserv

sc delete MpsSvc
sc delete WinDefend
sc delete wuauserv


Design your search logic with your own relevant tools and processes unique to your environment.

https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Disable windows firewall via netshnetsh firewall set opmode mode=disable

OR

netsh Advfirewall set allprofiles state off
netsh ipsec static set policy name=Bastards assign=y
cmd /c net stop SharedAccess
cmd /c netsh firewall set opmode mode=disable
cmd /c netsh Advfirewall set allprofiles state off
Disabling firewalls may assists with lateral movement and C2.

https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload
Disable MS Defender AV via powershellpowershell Set-MpPreference -Disable*

OR

powershell Add-MpPreference -Exclusion*
powershell Set-MpPreference -DisableRealtimeMonitoring $true

powershell Set-MpPreference -DisableBehaviorMonitoring $true

powershell Set-MpPreference -DisableRealtimeMonitoring $true

powershell Add-MpPreference -ExclusionPath C:

Add-MpPreference -ExclusionExtension ".exe"
These commands disable elements of MS Defender or set exclusion parameters to evade detection.

Event ID 5001 may be monitored to detect Defender AV Real-Time being disabled.

Event ID 5007 may be monitored to detect Defender configuration changes.

Monitoring this registry key will also help with detection:
HKLMSOFTWAREMicrosoftWindows DefenderExclusions

https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
Relax filesystem ACLsicacls* *grant*C:Windowssystem32icacls.exe C:Windowssystem32Id.exe /reset

CACLS "D:WpSystem" /grant Administratoren:F /T

"icacls ""C:*"" /grant Everyone:F /T /C /Q"

"icacls ""D:*"" /grant Everyone:F /T /C /Q"
Relaxing filesystem ACLs allows the malware to access all files.

https://redcanary.com/blog/ryuk-ransomware-attack/
Take ownership of files with takeown.exetakeown.exe * /F *TAKEOWN /S system /U user /P password /F Myshare*Taking ownership of files allows the malware to access all files.

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
Clear event logs to cover tracks.wevtutil* cl *wevtutil.exe cl Application

wevtutil.exe cl Security

wevtutil.exe cl System

FOR /F “delims=” %%I IN (‘WEVTUTIL EL’) DO (WEVTUTIL CL “%%I”)
Erasing events in the event logs is an anti-forensic technique.

https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf

Additional detection possibilities:
– Security EventID 1102; EventLog cleared
– System EventID 104; Any eventlog was cleared.
Delete USN Journalfsutil usn deletejournalwevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

fsutil usn deletejournal /D C:"
USN Journal keeps a log of all filesystem changes in NTFS volumes. deleting the journal is an anti-forensic technique.

https://medium.com/cert-advisory/what-you-should-absolutely-know-about-petya-and-misha-ransomware-attack-goldeneye-ransomware-8c3f8883fb8

Goal 2: Impair Recovery
These actions aim to limit the victim’s options for stopping the malware and recovering from the loss of data. ATT&CK: Inhibit System Recovery (T1490).

SubGoalNotional Command LogicExamplesNotes
Prevent system from booting into safemodebcdedit /set {default} bootstatuspolicy ignoreallfailures

OR

bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy
ignoreallfailures
bcdedit /set {default} recoveryenabled no
Prevents startup in repair mode and safemode.

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
Enforce use of safemodereg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\*reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupManUpon execution of Snatch ransomware, it will install itself as a Windows service named “SuperBackupMan” and create the following registry key to ensure it will start up during bootup into Safe Mode.

https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365

Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Disable Task Managerreg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System * DisableTaskMgr *reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fLimits ability of user to profile and kill tasks.

https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/>

Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Delete shadow copieswmic shadowcopy delete *

OR

vssadmin delete shadows *

OR

vssadmin resize shadowstorage *

OR

powershell Get-WmiObject Win32_ShadowCopy *
Vssadmin.exe Delete Shadows /All /Quiet

vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

powershell Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }

powershellGet-WmiObject Win32_ShadowCopy | Remove-WmiObject
This is one of THE most prevalent techniques seen in all ransomware families.

https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/

https://resources.infosecinstitute.com/topic/ransomware-deletion-methods-and-the-canary-in-the-coal-mine/

For vssadmin techniques, we now have a preventative option we well.

Goal 3: Unlock files in use
These actions aim to ensure the most damage by allowing the ransomware to encrypt even files which may be in use. Killing tasks which have files locked open is key to ensuring they are editable by the ransomware.

SubGoalNotional Command LogicExamplesNotes
Kill processes with taskkilltaskkill* /IM *taskkill.exe"" /IM sqlbrowser.exe /F"

taskkill.exe"" /IM sqlceip.exe /F"

taskkill.exe"" /IM sqlservr.exe /F"

taskkill.exe"" /IM sqlwriter.exe /F"
This is similar to the disabling of security tools, but will often be much noisier attempting to kill dozens of processes in short succession. Look for spikes in this command. The report linked below shows several examples.

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

Additional detection options may exist (e.g. Security Log EventID 4689 Process Terminated)
Kill processes with netstopnet stop *
OR
net delete *
net.exe"" stop ""samss"" /y"

net.exe"" stop ""veeamcatalogsvc"" /y"

net.exe"" stop ""veeamcloudsvc"" /y"

net.exe"" stop ""veeamdeploysvc"" /y"
Ryuk samples have been observed attempting to stop over 50 predefined processes. Look for spikes in these commands.

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with scsc stop *
OR
sc delete *
OR
sc config * disabled
sc stop RabbitMQ

sc config SQLTELEMETRY start= disabled

sc config SQLTELEMETRY$ECWDB2 start= disabled

sc config SQLWriter start= disabled

sc config SstpSvc start= disabled
These (like ‘net stop’ and ‘taskkill’) are often seen in a simple batch file. Look for spikes in these commands.

https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with wmicwmic process * deleteLook for spikes in these commands.
Delete backup filesdel /s /f /q *del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dskRyuk ransomware also used this rudimentary approach to find and delete any files matching patterns signifying backups.

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Delete backups via wbadminwbadmin delete *wbadmin delete catalog -quiet
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
Delete computer restore pointdelete-ComputerRestorePointGet-ComputerRestorePoint | delete-ComputerRestorePointhttps://thedfirreport.com/wp-content/uploads/2020/11/fullpysa.png

Goal: Destroy/Ransom Data
This is the final stage where files are encrypted, often renamed and a ransom note is presented or dropped on the filesystem. The detection value of alerting at this stage is limited, since we are going to hope and believe that our users are going to call the emergency hotline at this point and, God forbid, not attempt to pay the attackers.

Conclusion
I hope this will help you in your fight against ransomware. Drop me a comment and let me know what other detection logic you have have found helpful.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s