Top 10 Ransomware measures (Detection)

Ransomware Killchain

Killchain-path of an ransomware attack — Source: Bundesamt für Sicherheit in der Informationstechnik

The list below points out examples of attacker techniques that are commonly observed in the context of ransomware campaigns. Each item contains exemplary recommendations for detection. The order of the items is random and does not represent prioritization. Attackers frequently change tactics and techniques. Up-to-date and detailed information including detection advice can be found in the MITRE ATT&CK knowledge base.

Ransomware measures (Detection)

1. Monitoring of RDP

RDP is often used by attackers to gain initial access to the target. RDP authentication events should therefore be analyzed for suspicious combinations of various parameters such as IP address, IP location, User SID and Computer Name. In the Windows environment, successful RDP logins can be monitored using event ID 4624 (Logon-Type 10). Failed RDP logins can be detected using Event ID 4625 (Logon-Type 10) and used to prevent brute force attacks. It should be noted that not only RDP connections from external to internal, but also connections within the network should be checked for anomalies (lateral movement).

Effect in phase 1

2. Unusual Use of Command Line Interpreters

After gaining initial access to computer systems, command line interpreters, especially PowerShell, are often used to reload or execute malicious code. Execution of commands via command line interpreters should therefore be checked for irregularities. Changes to the configuration of these programs should also be monitored. For example, with respect to PowerShell, changes to the execution policy (Set-ExecutionPolicy command) should be examined.

Effect in phase 1, 2, 3, 4 and 5

3. Credential Dumping

Dumping of credentials is used by attackers in particular for lateral movement in the network. Tools such as "Mimikatz", "Procdump" as well as built-in tools such as the Windows library "Comcvsc.dll" are used by attackers. During this process a dump of the Local Security Authority Subsystem Service (LSASS) might be created and read to obtain passwords of users. Another method used by attackers to obtain user credentials is to directly access the Security Accounts Manager (SAM) database, where user passwords are stored. Such access is gained, for example, via the Windows tool "reg". In addition, the so-called LSA Secrets are a typical target for attackers. Besides local users and passwords, credentials of various types of services (e.g. browsers, databases, etc) are also stored here, making them particularly suitable for further propagation in the network. LSA Secrets are stored in the Windows Registry in "HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets". Basically, alerts should be generated as soon as typical command lines are observed in connection with the mentioned tools or under the described circumstances. When using an EDR product, it is usually possible to fall back on rules supplied by the manufacturer."

Effect in Phase 2 and 3

4. Scheduled Tasks

Attackers create new scheduled tasks to permanently infiltrate a compromised system. Since this technique is one of the most popular methods to gain persistence, the creation of new scheduled tasks should be closely monitored and analyzed. On Windows, the paths "%systemroot%\System32\Tasks" and "%systemroot%\Tasks" should be included in monitoring. In the context of scheduled tasks, the following Windows Event IDs are particularly relevant: 4698 (Scheduled Task Creation), 4700 (Scheduled Task activation) and 4701 (Scheduled Task Deactivation).

Effect in phase 1

5. Network Reconnaissance

After an attacker gains access to a computer system, they typically attempt to gather information about the network and the resources on it. Central directory services such as Active Directory (AD) are particularly in the attacker's focus. To detect such activities, command line interpreters should be monitored for the execution of common tools. Examples of tools for network recon are "ADFind", "ADRecon", "Bloodhound" or "net". These tools especially enumerate group policy settings of the AD. To detect such activities, LDAP traffic should be checked for irregularities. As a basis for comprehensive monitoring of the Active Directory, it is possible to define extended monitoring policies for various areas (e.g. access to the directory service, account management, etc.). The log data collected in this way should be evaluated regularly.

Effect in phase 3

6. Encrypted C&C Communication via HTTPS

Attackers often use HTTPS to communicate with command-and-control (C&C) servers. The basis for systematic detection in this case is an HTTPS proxy. For the detection of C&C traffic, information about known C&C servers should be considered in particular. Such information can be obtained from projects such as Feodotracker, Threatfox and URLHaus. In addition, unusual network connections (e.g., regular contact with an unknown host) should be monitored.

Effect in phase 2 and 3

7. Exfiltration

Apart from data encryption, data exfiltration also often takes place as part of ransomware campaigns. For efficient exfiltration, file archives are typically created by the attackers. Therefore, corresponding file creation events should be monitored, especially in unusual file paths. As a basis for collecting such events, it is recommended to use the tool "Sysmon" using Sysmon Event ID 11. In particular, the tool can be used to create rules for common file types in the context of encryption or archiving.

Effect in phase 4

8. File Access Monitoring

During a ransomware attack, attackers access files on the infected system, in particular to encrypt them. With the help of so-called “Canary files”, such file accesses can be detected quickly and reliably. Since Canary files are intended solely for attack detection and legitimate users do not usually access the files, any modification or access to such a file is a strong indication of an ongoing attack. Canary files should be present in critical locations of the respective infrastructure (especially backup directories, network drives) and systematically monitored for access.

Effect in phases 4 and 5

9. Manipulation of Backups

On infected end systems, local backups are often deleted, which is the attacker's way of preventing data recovery. In the Windows environment, this particularly affects shadow copies, which can be administered using the “vssadmin.exe” process. Behavior in the context of the “vssadmin.exe” process should therefore be monitored. Apart from "vssadmin", attackers use tools such as "wbadmin" and "bcdedit" to disable backup functionality. Logging of created processes can be done using either Windows Event ID 4688 or Sysmon Event ID 1.

Effect in phase 5.

10. Modification of Endpoint Security Software

To avoid detection by endpoint security software, security tools are often modified or deactivated on the client devices as part of ransomware campaigns. The modification or deactivation is implemented in particular via command line interpreters. In the Windows environment, the Windows Defender is often the target of the attackers. Changes to its configuration are typically made via the PowerShell command "Set-MpPreference". In addition, changes to the configuration may be reflected in the registry (HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender).

Effect in phase 1, 2, 3, 4 and 5