Your best defense against ransomware: Find the early warning signs
As ransomware continues to prove how devastating it can be, one of the scariest things for security pros is how quickly it can paralyze an organization. Just look at Honda, which was forced to shut down all global operations in June, and Garmin, which had its services knocked offline for days in July.
Ransomware itself is not hard to detect, but by the time encryption and exfiltration are in full swing, detection is too little, too late. The good news is that ransomware operators leave several warning signs that organizations can catch before the real damage is done. FireEye found that in most of the intrusions it studied, at least three days passed between the first evidence of malicious activity and the deployment of the ransomware.
So, how does a security team find these weak but important early signals? Perhaps surprisingly, the network provides a unique vantage point for spotting the pre-encryption activity of ransomware actors such as those behind Maze.
Here’s a guide, broken down by MITRE category, of the many different warning signs organizations being attacked by Maze ransomware can see and act upon before it’s too late.
Initial access
Maze actors use several initial access vectors, including phishing attachments and links, external-facing remote access services such as Microsoft’s Remote Desktop Protocol (RDP), and logins with valid accounts. All of these leave traces in network traffic that threat hunters can find. Because this is the actor’s earliest foray into the environment, detecting initial access is the organization’s best opportunity to significantly limit the impact.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1193 Spear-phishing attachment | |
| T1133 External remote services | |
| T1078 Valid accounts | |
| T1190 Exploit public-facing application | |
Execution
The execution phase is still early enough in an attack to shut it down and foil any attempt to detonate ransomware. Common early warning signs in this phase include a user being tricked into opening a phishing link or attachment, and remote execution tools such as PsExec appearing in the environment.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1204 User execution | |
| T1035 Service execution | |
| T1028 Windows remote management | |
Persistence
Adversaries using Maze rely on several common persistence techniques, such as a web shell on internet-facing systems and the use of valid accounts obtained within the environment. Once the adversary has secured a foothold, mitigating the impact becomes increasingly difficult.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1100 Web shell | |
| T1078 Valid accounts | |
Privilege escalation
As an adversary gains higher levels of access, it becomes significantly harder to pick up further signs of activity in the environment. For Maze actors, the techniques observed during privilege escalation overlap with those used for persistence.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1100 Web shell | |
| T1078 Valid accounts | |
Defense evasion
To hide their files and their access to systems, adversaries like those using Maze rename files, encode or archive them, and use other mechanisms to cover their tracks. These attempts to hide are themselves indicators to hunt for.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1027 Obfuscated files or information | |
| T1078 Valid accounts | |
Credential access
Several defensive controls can be put in place to limit or restrict access to credentials. Threat hunters can support these controls by providing situational awareness of network hygiene, including the use of specific attack tools, credential misuse attempts, and weak or insecure passwords.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1110 Brute force | |
| T1081 Credentials in files | |
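One way to hunt for the credential misuse attempts mentioned above, as an added example that is not from the original article or its author: the Python below runs a sliding window over failed-logon events and separates a classic brute force (many failures against one account from one source) from a password spray (one source trying many accounts a few times each, staying under lockout thresholds). The events, window and thresholds are constructed assumptions for this example; the event shape (timestamp, source IP, account, success flag) is what a normalized Zeek ntlm.log/kerberos.log or Windows event 4625 feed provides.

```python
"""Brute-force and password-spray hunt over failed authentication events (T1110).

Added example, not from the original article. Events are constructed inline and
modelled on a normalized auth feed: (timestamp, source IP, account, success).
"""
from collections import defaultdict

WINDOW_SECONDS = 300        # assumed hunting window
BRUTE_THRESHOLD = 10        # failures against one account from one source in a window
SPRAY_ACCOUNTS = 8          # distinct accounts failed from one source in a window ...
SPRAY_MAX_PER_ACCOUNT = 2   # ... with at most this many failures per account (lockout-aware)


def build_sample_events():
    """Constructed sample (not real logs): one brute-forcer, one sprayer, one typo."""
    t0 = 1598000000
    events = []
    # 10.0.0.5 hammers the same account 12 times in under a minute
    for i in range(12):
        events.append((t0 + i * 5, "10.0.0.5", "administrator", False))
    # 10.0.0.9 tries 10 different accounts once each within two minutes
    for i in range(10):
        events.append((t0 + 100 + i * 12, "10.0.0.9", f"user{i:02d}", False))
    # 10.0.0.20 mistypes a password twice, then logs in: benign noise
    events += [(t0 + 30, "10.0.0.20", "jsmith", False),
               (t0 + 40, "10.0.0.20", "jsmith", False),
               (t0 + 50, "10.0.0.20", "jsmith", True)]
    return sorted(events)


def hunt_auth_failures(events):
    """Return {source_ip: set(labels)} for sources matching brute-force or spray patterns."""
    failures = defaultdict(list)
    for ts, src, account, ok in sorted(events):
        if not ok:
            failures[src].append((ts, account))

    findings = defaultdict(set)
    for src, fails in failures.items():
        # Every failure starts a window; count per-account failures inside it.
        for i, (start, _) in enumerate(fails):
            per_account = defaultdict(int)
            for ts, account in fails[i:]:
                if ts - start >= WINDOW_SECONDS:
                    break
                per_account[account] += 1
            peak = max(per_account.values())
            if peak >= BRUTE_THRESHOLD:
                findings[src].add("brute force")
            if len(per_account) >= SPRAY_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
                findings[src].add("password spray")
    return dict(findings)


if __name__ == "__main__":
    for src, labels in hunt_auth_failures(build_sample_events()).items():
        print(src, sorted(labels))
```

The spray rule deliberately keys on breadth (many accounts) rather than volume, because a sprayer tuned to the domain lockout policy never trips a per-account threshold; on real data, also group by target host and by account to catch distributed sources.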
Discovery
Maze adversaries use a number of methods for internal reconnaissance and discovery. Enumeration and data collection tools leave their own trail of evidence that can be identified before exfiltration and encryption occur.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1201 Password policy discovery | |
| T1018 Remote system discovery | |
| T1087 Account discovery | |
| T1016 System network configuration discovery | |
| T1135 Network share discovery | |
| T1083 File and directory discovery | |
Lateral movement
Ransomware actors use lateral movement to learn the environment, spread through the network, and then collect and stage data for encryption and exfiltration.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1105 Remote file copy | |
| T1077 Windows admin shares | |
| T1076 Remote Desktop Protocol | |
| T1028 Windows remote management | |
| T1097 Pass the ticket | |
Collection
In this phase, Maze actors use tools and batch scripts to collect information and prepare it for exfiltration. It is typical to find .bat files, or archives with a .7z or .exe extension, on shares at this stage.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1039 Data from network shared drive | |
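The service execution (T1035, PsExec), Windows admin shares (T1077) and collection (T1039, archives on shares) sections above can all be hunted from one network data source: SMB file operations. The following Python is an added example, not code from the original article or its author. Its records are modelled on the fields of Zeek's smb_files.log (action, path, name, originator and responder hosts) and are constructed for this example; the share names, extensions and the PSEXESVC.exe match are assumptions you would tune to your environment.

```python
"""Hunt SMB file-operation records for PsExec-style service execution (T1035),
admin-share lateral movement (T1077) and archive staging on shares (T1039).

Added example, not from the original article. Records mirror Zeek smb_files.log
fields; the sample below is constructed for this example, not captured traffic.
"""
from collections import defaultdict

ADMIN_SHARES = ("ADMIN$", "C$")        # hidden shares copy-and-execute tooling writes to
EXEC_EXT = (".exe", ".bat", ".dll")    # payloads worth flagging when dropped on admin shares
ARCHIVE_EXT = (".7z", ".zip", ".rar")  # staging artefacts (the article calls out .7z)

# Constructed sample records (not real traffic); one entry per SMB file operation.
SAMPLE_SMB_FILES = [
    {"ts": 1598000000.0, "orig": "10.1.2.50", "resp": "10.1.2.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\FS01\\share", "name": "budget.xlsx"},
    {"ts": 1598000010.0, "orig": "10.1.2.50", "resp": "10.1.2.10",
     "action": "SMB::FILE_WRITE", "path": "\\\\FS01\\ADMIN$", "name": "PSEXESVC.exe"},
    {"ts": 1598000011.0, "orig": "10.1.2.50", "resp": "10.1.2.11",
     "action": "SMB::FILE_WRITE", "path": "\\\\WS02\\ADMIN$", "name": "PSEXESVC.exe"},
    {"ts": 1598000012.0, "orig": "10.1.2.50", "resp": "10.1.2.12",
     "action": "SMB::FILE_WRITE", "path": "\\\\WS03\\C$", "name": "Windows\\Temp\\svc.exe"},
    {"ts": 1598000020.0, "orig": "10.1.2.77", "resp": "10.1.2.10",
     "action": "SMB::FILE_WRITE", "path": "\\\\FS01\\share", "name": "report.7z"},
]


def share_name(path):
    """Return the share component of a UNC path such as \\\\HOST\\ADMIN$ (upper-cased)."""
    parts = path.strip("\\").split("\\")
    return parts[1].upper() if len(parts) >= 2 else ""


def classify(rec):
    """Return the hunt tags that apply to one SMB file record (empty list if benign)."""
    tags = []
    name = rec["name"].lower()
    is_write = rec["action"] == "SMB::FILE_WRITE"
    if is_write and share_name(rec["path"]) in ADMIN_SHARES:
        tags.append("T1077 write to admin share")
        if name.endswith(EXEC_EXT):
            tags.append("T1035 executable dropped on admin share")
        if "psexesvc" in name:
            # PsExec's default service binary name; operators can rename it,
            # which is why the generic executable rule above exists as well.
            tags.append("PsExec default service binary")
    if is_write and name.endswith(ARCHIVE_EXT):
        tags.append("T1039 archive written to share (possible staging)")
    return tags


def hunt(records):
    """Return the records that matched at least one rule, with their tags attached."""
    findings = []
    for rec in records:
        tags = classify(rec)
        if tags:
            findings.append({**rec, "tags": tags})
    return findings


def admin_share_fanout(findings):
    """Map each source host to the set of targets whose admin shares it wrote to."""
    fanout = defaultdict(set)
    for f in findings:
        if any(t.startswith("T1077") for t in f["tags"]):
            fanout[f["orig"]].add(f["resp"])
    return dict(fanout)


if __name__ == "__main__":
    hits = hunt(SAMPLE_SMB_FILES)
    for h in hits:
        print(h["orig"], "->", h["resp"], h["path"], h["name"], h["tags"])
    print("admin-share fan-out:", admin_share_fanout(hits))
```

The fan-out view is the part worth alerting on: a single workstation writing executables to the admin shares of several hosts within seconds is the network shape of a push-and-execute tool spreading through the estate, regardless of what the binary is called.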
Command and control (C2)
Many adversaries use common ports or remote access tools to obtain and maintain C2, and Maze actors are no different. In the research my team has done, we’ve also seen the use of ICMP tunnels to connect to the attacker infrastructure.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1043 Commonly used port | |
| T1071 Standard application layer protocol | |
| T1105 Remote file copy | |
| T1219 Remote access tools | |
Exfiltration
At this stage, the risk that sensitive data ends up in the public realm is dire, and reaching it means an organization has missed many of the earlier warning signs; now it’s about minimizing impact.
| ATT&CK techniques | Hunt for… |
|---|---|
| T1030 Data transfer size limits | |
| T1048 Exfiltration over alternative protocol | |
| T1002 Data compressed | |
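Three of the network-visible signs discussed on this page, external remote access in the Initial access section (T1133), the ICMP tunnels mentioned under Command and control, and fixed-size chunked uploads from the Exfiltration section (T1030), share one data source: connection logs. The Python below is an added example, not code from the original article or its author, and runs all three hunts over constructed Zeek-style conn.log lines. The internal address ranges, byte and packet thresholds, and the chunk-size bucketing are assumptions for this example; a real conn.log has more columns than the FIELDS list, so map by the #fields header in practice.

```python
"""Network hunts over Zeek-style conn.log records: external remote access
(T1133), ICMP tunnelling for C2, and same-sized chunked uploads (T1030).

Added example, not from the original article. Sample lines are constructed in
the column order given by FIELDS; external hosts use documentation (TEST-NET)
addresses, and for icmp the orig_p/resp_p columns carry ICMP type/code.
"""
import ipaddress
from collections import Counter, defaultdict

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "duration", "orig_bytes", "resp_bytes", "orig_pkts", "conn_state"]

# Assumed internal address plan; substitute your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_ACCESS_PORTS = {"3389", "22", "5900"}   # RDP, SSH, VNC
ICMP_MIN_TOTAL_BYTES = 65536   # a ping session is tiny; tens of KB of ICMP payload is not
ICMP_MIN_AVG_PAYLOAD = 100     # default echo payload is 56 (Linux) / 32 (Windows) bytes
CHUNK_BUCKET = 64 * 1024       # uploads in the same 64 KiB bucket count as "same size"
MIN_CHUNKS = 4
MIN_CHUNK_BYTES = 1024 * 1024

# Constructed sample traffic (not a real capture), tab-separated like conn.log.
SAMPLE_CONN_LOG = """\
1598000000.1\t203.0.113.45\t51022\t10.1.2.10\t3389\ttcp\t412.3\t48211\t2913440\t650\tSF
1598000003.4\t10.1.2.50\t52100\t10.1.2.10\t3389\ttcp\t30.1\t9000\t120000\t200\tSF
1598000100.0\t10.1.2.50\t8\t198.51.100.7\t0\ticmp\t600.0\t184320\t183000\t1800\tOTH
1598000105.0\t10.1.2.51\t8\t10.1.2.1\t0\ticmp\t1.0\t56\t56\t1\tOTH
1598001000.0\t10.1.2.50\t53011\t198.51.100.7\t443\ttcp\t40.0\t10485760\t1200\t7300\tSF
1598001050.0\t10.1.2.50\t53012\t198.51.100.7\t443\ttcp\t41.0\t10485760\t1180\t7300\tSF
1598001100.0\t10.1.2.50\t53013\t198.51.100.7\t443\ttcp\t39.0\t10485760\t1210\t7300\tSF
1598001150.0\t10.1.2.50\t53014\t198.51.100.7\t443\ttcp\t40.0\t10485760\t1190\t7300\tSF
1598001200.0\t10.1.2.50\t53015\t198.51.100.7\t443\ttcp\t12.0\t3145728\t900\t2200\tSF
1598002000.0\t10.1.2.60\t53100\t93.184.216.34\t443\ttcp\t5.0\t1200\t45000\t20\tSF
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; byte/packet counts become ints."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        for key in ("orig_bytes", "resp_bytes", "orig_pkts"):
            rec[key] = int(rec[key]) if rec[key] != "-" else 0
        records.append(rec)
    return records


def hunt_external_remote_access(records):
    """T1133: completed sessions from outside the internal ranges to remote-access ports."""
    return [r for r in records
            if r["proto"] == "tcp" and r["resp_p"] in REMOTE_ACCESS_PORTS
            and r["conn_state"] == "SF"
            and not is_internal(r["orig_h"]) and is_internal(r["resp_h"])]


def hunt_icmp_tunnels(records):
    """C2 over ICMP: outbound ICMP with large payloads and far more volume than pings."""
    hits = []
    for r in records:
        if r["proto"] != "icmp" or r["orig_pkts"] == 0:
            continue
        if not (is_internal(r["orig_h"]) and not is_internal(r["resp_h"])):
            continue
        total = r["orig_bytes"] + r["resp_bytes"]
        avg_payload = r["orig_bytes"] / r["orig_pkts"]
        if total >= ICMP_MIN_TOTAL_BYTES and avg_payload >= ICMP_MIN_AVG_PAYLOAD:
            hits.append(r)
    return hits


def hunt_chunked_uploads(records):
    """T1030: repeated same-sized outbound uploads to one external host (split exfil)."""
    uploads = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            uploads[(r["orig_h"], r["resp_h"])].append(r["orig_bytes"])
    hits = []
    for (src, dst), sizes in uploads.items():
        bucket, count = Counter(s // CHUNK_BUCKET for s in sizes).most_common(1)[0]
        if count >= MIN_CHUNKS and bucket * CHUNK_BUCKET >= MIN_CHUNK_BYTES:
            hits.append({"orig_h": src, "resp_h": dst, "chunks": count,
                         "chunk_bytes": bucket * CHUNK_BUCKET, "total_bytes": sum(sizes)})
    return hits


def run_all(text):
    recs = parse_conn_log(text)
    return {"external_remote_access": hunt_external_remote_access(recs),
            "icmp_tunnels": hunt_icmp_tunnels(recs),
            "chunked_uploads": hunt_chunked_uploads(recs)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_CONN_LOG).items():
        print(f"{name}: {len(hits)} hit(s)", hits)
```

In the constructed data the same internal host talks to the same external address first over ICMP and later in 10 MiB chunks, which is the kind of cross-hunt correlation that turns two medium-confidence signals into one high-confidence incident; the external RDP session to the file server is the earlier, cheaper catch.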
Summary
Ransomware is never good news when it shows up at the doorstep. With disciplined network threat hunting and monitoring, however, it is possible to identify an attack early in its lifecycle. Many of the early warning signs are visible on the network, and threat hunters would be well served to look for them and thus help limit the impact.