Hidden Malware, Crouching Ransom

One reason ransomware can appear to strike so quickly is because you only notice it once it’s too late. “Just because they’re in your network doesn’t mean you’ll see them,” notes Peck. “Ransomware and attackers often linger long before the ransomware goes active and begins encrypting your data.” The ransomware may remain dormant for quite some time, creeping around silently looking for the best place to strike. Attackers use this time to corrupt backup restore points and empty recycle bins, all to foul recovery efforts. Then, on a set date, the ransomware wakes up and begins encrypting everything at once.

How Ransomware Has Gotten Stealthier

If the ransomware is staying dormant longer, that means it needs to hide itself well. In fact, staying completely dormant upon load is a trick to bypass antivirus filters, which expect malware to begin executing immediately. Most modern ransomware will try to turn off antivirus software if it can. If not, it will obfuscate or encrypt itself and only unpack into memory to evade disk scanning tools.

As for the encryption process itself, it’s helpful to examine it from a technical point of view. After loading the file into memory and encrypting it, it can replace the original file in only a few ways:

• Write the new encrypted data into the original file itself.
• Save the encrypted file as a new file, delete the original, and then rename the encrypted file to match the original.
• Save the encrypted file as a new file and use the built-in rename-and-overwrite-file function to replace the original file.

A Microsoft Defender anti-ransomware function called Controlled Folder Access can alert and block these operations. However, newer variants of ransomware use a stealth trick called RIPlace, which takes advantage of a Windows legacy function that allows rename-and-overwrite-file to run undetected, bypassing Controlled Folder Access.

While ransomware is encrypting, it can slow down system performance noticeably. New ransomware can hide this by displaying fake error messages to mislead the user. Lastly, many ransomware variants try to use the built-in Windows tools and features to do their scanning and targeting, known as “living off the land.” By doing this, ransomware attacks reduce the number of detectable malware components running on the network.

How Ransomware Strikes Harder

Near the end of 2019, the Maze ransomware added a new feature: data leakage extortion. Not only did this malware encrypt all your data, it exfiltrated the confidential data to its servers. This quickly caught on as a powerful new motivator for ransomware authors.

Peck notes, “Some ransomware groups are exfiltrating data to the tune of terabytes copied out over days and weeks before the ransomware locks out the systems and data. This lets them get a copy of your important data for additional extortion—pay us or we’ll leak your data—and then get additional financial gains out of selling the stolen data as well as ransoming your network.”

Security-Resistant Ransomware

A common technical response for early ransomware was to perform forensics on the ransomware binary itself, either on disk or within memory. Sometimes this provides the encryption key, so you don’t have to pay to unlock all your data. Sometimes it’s to inform threat intelligence on ransomware and create new anti-ransomware defenses.

Ransomware countered with self-destructing malware. If the service running the ransomware stops, it crashes the machine so memory cannot be read. Ransomware was also designed to not run if it detected itself running inside a virtual environment or a debugger. The malware code itself can now also include random code fragments that mislead analysis tools. Some ransomware won’t activate without an unlock code, which the remote attacker sends. This makes it difficult for defenders to capture and analyze the ransomware program.

Stopping the Evolved Ransomware

How do you defend against this newer, more powerful ransomware? Obviously, practical and pragmatic security awareness training is a first step, especially stressing the seriousness of the threat and how everyone needs to work together. But you can muster your defenses on other battlefronts.

Stopping Ransomware’s Primary Vectors

No matter how sophisticated the ransomware code, the infection still needs to get into your systems. It does this in three primary ways: (1) by phishing, one of the most common ways attackers breach organizations; (2) by gaining unauthorized access, either by guessing/stealing login credentials or by entering through a trusted third-party access; and (3) by exploiting known vulnerabilities where it can load the ransomware. Our advice here is to:

Slow the Spread of Ransomware

Once ransomware gets into your systems, which is likely in organizations with large attack surfaces, you need to set up defenses in depth. We know that the ransomware will target your domain controllers, so harden and patch them. If attackers are going to try to “live off the land,” then restrict tools like PowerShell, Nltest, PsExec, McpCmdRun, and WMic via Group Policies. In general, only system administrators and power users should need this access anyway.

Restrict open internal file shares, especially ones with wide-open permissions, such as Authenticated Users, which means everyone in the organization has access. If ransomware infects any user’s machine, it’s safe to assume everything in those shares is going to be encrypted and/or leaked. If feasible, remove or disable outdated versions of Server Message Block (SMB), which most ransomware can easily subvert.

Reducing the Impact of Ransomware

If ransomware is going to exfiltrate terabytes of data, then either restrict or monitor outbound traffic. This means tools like SSL decryption and inspection. Peck adds, “Early detection is key, and early detection comes from good endpoint detection and protection, and good network monitoring and protection.”

Be sure to back up critical systems and data and store these backups offline so that attackers can’t corrupt them. Don’t forget build templates so that you can quickly reconfigure systems from scratch as well. If you are infected with ransomware, contact law enforcement. Not only will this help bring the perpetrators to justice, but it can also lessen potential OFAC violations if you decide to pay. Even if you pay the ransom, you should still rebuild any potentially compromised systems to ensure they are clean.

Lastly, prepare and exercise an incident response plan so everyone knows who to notify and what to do when attackers strike.