Detecting Ransomware Precursors

The business model for Ransomware has evolved to include multi-level and multi-stage services and tool kits. Initial access is often accomplished by 1st stage compromise, followed by 2nd stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of maximum impact. At this point the attack often looks like any other infiltration. However, several techniques are often observed just prior to ransomware execution. In this post I’ll provide examples of these detectable behaviors which you can use to build SIEM alerts, custom EDR prevention/response rules, and threat hunting logic. Detecting these patterns (in near real time) will give you an advantage in understanding what kind of threat you are facing and which devices have been impacted when the inevitable emergency phone calls start coming in.

Caveat 1: Alerting on this activity is a LAST line of defense. Truthfully, if you catch a real bad guy with these, you’re likely going to have a terrible couple of weeks. If you don’t already have a robust set of other detection rules for the 1st and 2nd stages, PLEASE don’t start here. This is the last chance to alert and will most likely be only of forensic value, since these often occur minutes before ransomware is deployed. If you’re lucky, you’ll have a chance to identify and isolate the impacted devices before the attack spreads further.

Caveat 2: The commands below assume two things:
1. you are monitoring process execution and associated command lines,
2. the commands are in plain text and not encoded via PowerShell or otherwise obscured (e.g. passed via API). If they are, and you have a robust EDR Solution, or script block logging enabled, you may still be able to see the decoded/hidden commands. Note, some of these techniques are detectable via other means (e.g. registry monitoring) and where that is the case I’ve mentioned it in the “notes” column below. Always test your rules with adversary emulation techniques!

Goal 1: Profile and Disable Protections
These actions aim to evade/disable prevention/detection tools. This could be disabling AntiVirus processes or making changes to system settings.

SubGoal	Notional Search Logic	Examples	Notes
Recon for security tools via WMI	select * AntivirusProduct OR select * AntispywareProduct OR select * FirewallProduct	wmic select * antivirus wmic select * antispyware	‘*’ in these commands is literal. In every other example which follows, it is NOT literal. wmic.exe is commonly used, but a few alternative processes are worth including: srccons.exe | cmd.exe | winrm.exe | winrs.exe | wmiprvse.exe | cscript.exe| wscript.exe | powershell.exe.
Disable security tools via service stop/delete/config	net stop * OR sc stop * OR sc delete * OR sc config * disabled	Examples for MS Firewall service, MS Defender, and Windows Update Service: sc config MpsSvc start= disabled sc config WinDefend start= disabled sc config wuauserv start= disabled net stop MpsSvc net stop WinDefend net stop wuauserv sc stop MpsSvc sc stop WinDefend sc stop wuauserv sc delete MpsSvc sc delete WinDefend sc delete wuauserv	Design your search logic with your own relevant tools and processes unique to your environment. https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload Additional Detections: 7036 – Service started or stopped 7040 – Start type changed (Boot | On Request | Disabled)
Disable windows firewall via netsh	netsh firewall set opmode mode=disable OR netsh Advfirewall set allprofiles state off	cmd /c netsh firewall set opmode mode=disable cmd /c netsh Advfirewall set allprofiles state off	Disabling firewalls may assists with lateral movement and C2. https://www.zscaler.com/blogs/security-research/recent-bulehero-botnet-payload
Disable or misconfigure Defender AV via powershell	powershell Set-MpPreference -Disable* OR powershell Add-MpPreference -Exclusion*	powershell Set-MpPreference -DisableRealtimeMonitoring $true powershell Set-MpPreference -DisableBehaviorMonitoring $true powershell Set-MpPreference -DisableRealtimeMonitoring $true powershell Add-MpPreference -ExclusionPath C: Add-MpPreference -ExclusionExtension “.exe”	These commands disable elements of MS Defender or set exclusion parameters to evade detection. Microsoft-Windows-Windows Defender/Operational.evtx – Event ID 5001 may be monitored to detect Defender AV Real-Time being disabled. – Event ID 5007 may be monitored to detect Defender configuration changes. Monitoring this registry key will also help with detection: HKLM\SOFTWARE\Microsoft\Windows\Defender\Exclusions https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
Stop Services with WMIC	wmic service where * call stopservice	wmic service where “caption like ‘%%sense%%'” call stopservice	The example command is aimed at disabling the Windows Defender Advanced Threat Protection (EDR) service.
Relax filesystem ACLs	icacls* *grant*	"icacls ""C:*"" /grant Everyone:F /T /C /Q" "icacls ""D:*"" /grant Everyone:F /T /C /Q"	Relaxing filesystem ACLs allows the malware to access all files. https://redcanary.com/blog/ryuk-ransomware-attack/
Take ownership of files with takeown.exe	takeown.exe * /F *	Takeown /S c:\ TAKEOWN /S system /U user /P password /F Myshare*	Taking ownership of files allows the malware to access all files. https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
Clear event logs to cover tracks.	wevtutil* cl *	wevtutil.exe cl Application wevtutil.exe cl Security wevtutil.exe cl System FOR /F “delims=” %%I IN (‘WEVTUTIL EL’) DO (WEVTUTIL CL “%%I”)	Erasing events in the event logs is an anti-forensic technique. https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/ https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf Additional detection possibilities: – Security EventID 1102; EventLog cleared – System EventID 104; Any eventlog was cleared.
Disable Logging	wevtutil* sl *	`wevtutil.exe sl Security /e:false`	The wevtutil sl log_name /e:false is the same as right-clicking on the log and choosing “Disable log” https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/
Delete USN Journal	fsutil usn deletejournal	fsutil usn deletejournal /D C:"	USN Journal keeps a log of all filesystem changes in NTFS volumes. deleting the journal is an anti-forensic technique. https://medium.com/cert-advisory/what-you-should-absolutely-know-about-petya-and-misha-ransomware-attack-goldeneye-ransomware-8c3f8883fb8

Goal 2: Impair Recovery
These actions aim to limit the victim’s options for stopping the malware and recovering from the loss of data. ATT&CK: Inhibit System Recovery (T1490).

SubGoal	Notional Search Logic	Examples	Notes
Prevent system from booting into Automatic Repair Mode	bcdedit /set {default} bootstatuspolicy ignoreallfailures OR bcdedit /set {default} recoveryenabled no	bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no	Prevents startup in Automatic Repair Mode https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
Disable System Restore	schtasks.exe /Change /TN * /disable	schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable	Defray ransomware disables a default scheduled task which perform system restore backups. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
Enforce next startup in safemode	reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\*	reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan	Upon execution of Snatch ransomware, it will install itself as a Windows service named “SuperBackupMan” and create the following registry key to ensure it will start up during bootup into Safe Mode. https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365 Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Disable Task Manager	reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System * DisableTaskMgr *	reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Limits ability of user to profile and kill tasks. https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/> Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Delete shadow copies	wmic shadowcopy delete * OR vssadmin delete shadows * OR vssadmin resize shadowstorage * OR powershell Get-WmiObject Win32_ShadowCopy *	Vssadmin.exe Delete Shadows /All /Quiet vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} powershell Get-WmiObject Win32_ShadowCopy | % { $_.Delete() } powershellGet-WmiObject Win32_ShadowCopy | Remove-WmiObject	This is one of THE most prevalent techniques seen in all ransomware families. https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/ https://resources.infosecinstitute.com/topic/ransomware-deletion-methods-and-the-canary-in-the-coal-mine/ For vssadmin techniques, we now have a preventative option we well.
Make deleted files unrecoverable with cipher.exe	cipher*/W:C:\	cipher /W:C\	cipher.exe clears the unallocated sectors of the disk from any residual data; making it impossible to forensically recover deleted files. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
Delete backup files	del /s /f /q *	del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk	Ryuk ransomware also used this rudimentary approach to find and delete any files matching patterns signifying backups. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Delete backups via wbadmin	wbadmin delete *	wbadmin delete catalog -quiet cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest	wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
Delete computer restore point	delete-ComputerRestorePoint	Get-ComputerRestorePoint | delete-ComputerRestorePoint	https://thedfirreport.com/wp-content/uploads/2020/11/fullpysa.png

Goal 3: Unlock files in use
These actions aim to ensure the most damage by allowing the ransomware to encrypt even files which may be in use. Killing tasks which have files locked open is key to ensuring they are editable by the ransomware.

SubGoal	Notional Search Logic	Examples	Notes
Kill processes with taskkill	taskkill* /IM *	taskkill.exe"" /IM sqlbrowser.exe /F" taskkill.exe"" /IM sqlceip.exe /F" taskkill.exe"" /IM sqlservr.exe /F" taskkill.exe"" /IM sqlwriter.exe /F"	This is similar to the disabling of security tools, but will often be much noisier attempting to kill dozens of processes in short succession. Look for spikes in this command. The report linked below shows several examples. https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ Additional detection options may exist (e.g. Security Log EventID 4689 Process Terminated)
Kill processes with netstop	net stop * OR net delete *	net.exe"" stop ""samss"" /y" net.exe"" stop ""veeamcatalogsvc"" /y" net.exe"" stop ""veeamcloudsvc"" /y" net.exe"" stop ""veeamdeploysvc"" /y"	Ryuk samples have been observed attempting to stop over 50 predefined processes. Look for spikes in these commands. https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ Additional Detections: 7036 – Service started or stopped 7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with sc	sc stop * OR sc delete * OR sc config * disabled	sc stop RabbitMQ sc config SQLTELEMETRY start= disabled sc config SQLTELEMETRY$ECWDB2 start= disabled sc config SQLWriter start= disabled sc config SstpSvc start= disabled	These (like ‘net stop’ and ‘taskkill’) are often seen in a simple batch file. Look for spikes in these commands. https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/ https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ Additional Detections: 7036 – Service started or stopped 7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with wmic	wmic process * delete wmic		Look for spikes in these commands.

Goal: Destroy/Ransom Data
This is the final stage where files are encrypted, often renamed and a ransom note is presented or dropped on the filesystem. The detection value of alerting at this stage is limited, since we are going to hope and believe that our users are going to call the emergency hotline at this point and, God forbid, not attempt to pay the attackers.

Conclusion
I hope this will help you in your fight against ransomware. Drop me a comment and let me know what other detection logic you have have found helpful.