Detecting Ransomware, the Defense in Depth Way
Ransomware is one of the greatest threats facing modern networks, and it is tearing through small and medium businesses. This blog post addresses detecting ransomware in a vendor-neutral format. Most of the detections discussed can be implemented with tools ranging from the most sophisticated XDR to a combination of Sysmon and Elastic Stack.
A Quick Note on Live off the Land Detection
Once inside a network, attackers may leverage systems administration tools already present in a tactic known as “living off the land”. Ransomware actors are notorious for their use of live off the land (LOL) techniques to explore a network and prepare for encryption. Many of the detections discussed in this post are for commands and executables that are frequently misused for evil but are not inherently malicious. Because network and systems administrators may be using these same tools, these alerts will require tuning specific to your network to reduce the false positive rate to a tolerable level.
Because this post is intended to focus on detecting ransomware specific techniques, most of these detections revolve around preparing the victim for encryption and encryption itself, both events that occur late in the attack lifecycle. Stay tuned for a future post on common live off the land techniques that may just catch you a ransomware actor earlier in the attack cycle.
Techniques and Detecting Ransomware
MITRE ATT&CK Technique T1489: Impact: Service Stop
MITRE ATT&CK Technique T1562: Defense Evasion: Impair Defenses
Ransomware actors are notorious for impairing the functionality of security tools, including log forwarders. There are myriad ways to accomplish this, but two of the most common are net stop and taskkill.
Detection Opportunity: Detect “Net Stop” Execution
Description: Ransomware often uses net stop to kill services that are associated with security appliances or services that hold handles to valuable files the ransomware actor wants to encrypt. For example, a database file cannot be encrypted while the database is being legitimately accessed, so ransomware will kill the database program to make the database file accessible.
Command Examples:
net stop avpsus /y
net stop McAfeeDLPAgentService /y
net stop NetBackup BMR MTFTP Service /y
Sigma Rule: This rule, provided by Florian Roth, will detect the execution of net stop: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
Tuning: There are many legitimate reasons to kill a service. As written, this rule will generate many false positives. If your SIEM enables time bucketing, this is a perfect rule for it! Establish a normal limit for net stops per host per hour in your environment, then alert on occurrence beyond that norm. Many ransomware crews go crazy with net stop, executing it against services that don’t even exist on the victim machine, so looking for execution over X times per hour on a single host is valuable.
Detection Opportunity: Detect Taskkill Execution
Description: Ransomware uses taskkill for the same reasons it uses net stop.
Command Examples:
taskkill /IM mspub.exe /F
taskkill /IM outlook.exe /F
taskkill /IM sqlservr.exe /F
Sigma Rule: This rule, provided by Florian Roth, will detect the execution of taskkill: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_taskkill_execution.yml
Tuning: Like the rule for net stop, this rule will generate many false positives. We recommend alerting only on execution beyond a set threshold, determined based on your environment’s baseline.
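The time-bucketing approach recommended in the tuning notes for both net stop and taskkill is easy to prototype outside the SIEM. The following is an added example, not code from the original post or from the Sigma project: it runs a per-host, per-hour count over a handful of constructed Sysmon Event ID 1 style records (timestamp, host, command line) and only raises an alert once a host crosses a threshold you set from your own baseline. The field layout, host names, and the threshold value of 5 are assumptions for illustration.

```python
"""Per-host, per-hour threshold alerting for net stop / taskkill executions.

Added example: the records below are constructed to resemble Sysmon Event ID 1
(process creation) fields, not real telemetry, and the threshold is illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, hostname, command line).
# FILESRV01 shows the burst pattern described in the post; ADMIN-WS is routine admin work.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "FILESRV01", "net stop avpsus /y"),
    ("2024-05-01T10:00:02", "FILESRV01", "net stop McAfeeDLPAgentService /y"),
    ("2024-05-01T10:00:02", "FILESRV01", "taskkill /IM sqlservr.exe /F"),
    ("2024-05-01T10:00:03", "FILESRV01", 'net stop "NetBackup BMR MTFTP Service" /y'),
    ("2024-05-01T10:00:03", "FILESRV01", "taskkill /IM outlook.exe /F"),
    ("2024-05-01T10:00:04", "FILESRV01", "net stop wuauserv /y"),
    ("2024-05-01T10:00:05", "FILESRV01", "taskkill /IM mspub.exe /F"),
    ("2024-05-01T11:30:00", "ADMIN-WS", "net stop spooler"),
    ("2024-05-01T11:31:00", "ADMIN-WS", "net start spooler"),
    ("2024-05-01T12:05:00", "FILESRV01", "net stop wuauserv /y"),
]

# Matches "net stop" / "net1 stop" and any taskkill invocation, with or without a
# leading path or .exe suffix. "net start" deliberately does not match.
SERVICE_KILL_RE = re.compile(
    r"(?:^|\\)(?:net1?(?:\.exe)?\s+stop\b|taskkill(?:\.exe)?\b)", re.IGNORECASE
)


def is_service_kill(cmdline):
    """True when the command line is a net stop or taskkill execution."""
    return bool(SERVICE_KILL_RE.search(cmdline))


def hour_bucket(timestamp):
    """Truncate an ISO timestamp to the start of its hour (the time bucket)."""
    return datetime.fromisoformat(timestamp).replace(minute=0, second=0, microsecond=0)


def bucket_counts(events):
    """Count matching executions per (host, hour bucket)."""
    counts = defaultdict(int)
    for timestamp, host, cmdline in events:
        if is_service_kill(cmdline):
            counts[(host, hour_bucket(timestamp))] += 1
    return counts


def alerts(events, threshold):
    """Return (host, bucket_start, count) for every bucket at or above the threshold."""
    return sorted(
        (host, bucket.isoformat(), count)
        for (host, bucket), count in bucket_counts(events).items()
        if count >= threshold
    )


if __name__ == "__main__":
    # Threshold of 5 per host per hour is an assumed value; derive yours from baseline data.
    for host, bucket_start, count in alerts(SAMPLE_EVENTS, threshold=5):
        print(f"ALERT {host}: {count} service-kill executions starting {bucket_start}")
```

With the constructed data, only FILESRV01's 10:00 bucket (seven executions in a few seconds) crosses the threshold; the administrator's single net stop on ADMIN-WS and the lone later event on FILESRV01 stay below it. In a SIEM the same logic is a count aggregation keyed on host and a one-hour window; the regular expression is where the tuning for your environment's naming and paths belongs.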
MITRE ATT&CK Technique T1490: Impact: Inhibit System Recovery
Ransomware actors often use techniques that fall into this category immediately before their encryption attempt, with the goal of preventing an administrator from recovering the network without paying for the key.
Detection Opportunity: Detect Shadow Copy Deletion
Description: Volume shadow copies are the storage mechanism that supports Windows restore points. Shadow copies can be manipulated with multiple tools, including vssadmin, PowerShell, and wmic. Ransomware actors will often delete volume shadow copies immediately prior to encryption to thwart victim recovery. Detection at this point can give defenders just enough time to thwart an encryption attempt.
Command Examples:
vssadmin delete shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
wmic shadowcopy delete
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Sigma rule: Available courtesy of Florian Roth here: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
Tuning: This command may be used for legitimate reasons, especially for backup maintenance.
Detection Opportunity: Detect Windows Backup Catalog Deletion
Description: wbadmin is a Windows utility that allows an administrator to create and manage backups from the command line. It is often used by network administrators to configure and manage automatic backups. Ransomware actors may use the utility to delete a previously created catalogue of backups.
Command Examples:
wbadmin.exe delete catalog
Sigma Rule: This rule from Florian Roth detects a wide variety of suspicious live off the land tool executions, including wbadmin: https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_process_creations.yml
Tuning: Routine backup management may trigger this alert. Additionally, the above Sigma rule looks for a wide variety of suspicious LOL tool executions and may fire on legitimate system administration activities.
Detection Opportunity: Manipulation of Recovery Mode
Description: Safe mode is a feature of the Windows OS that enables the operating system to boot into a basic state that leverages only a limited set of files and drivers. Safe mode is often used for troubleshooting and recovery. Bcdedit.exe is a Microsoft-signed tool that is used to edit the boot configuration for Windows. Ransomware actors may leverage bcdedit to make it more difficult for an end user to boot into safe mode, thereby inhibiting recovery.
Command Examples:
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Sigma Rule: This rule, provided by Florian Roth, detects both of the example commands above: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
Tuning: This rule is unlikely to be triggered by regular network administration activities.
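The four T1490 detection opportunities above (shadow copy deletion via vssadmin, wmic and PowerShell; wbadmin catalog deletion; bcdedit boot configuration tampering) share a useful property: a single host running two or more of them within minutes is a far stronger signal than any one of them alone. The following is an added example, not code from the original post and not the Sigma rules it links to: a small pattern set built from the command examples in this section, plus a per-host correlation that escalates when several distinct rules fire. The rule names, host names and the minimum of two distinct rules are assumptions for illustration.

```python
"""Pattern coverage and per-host correlation for T1490 (Inhibit System Recovery).

Added example. The patterns are constructed from the command examples in the post
and are deliberately narrow; the Sigma rules linked above are the maintained versions.
"""
import re
from collections import defaultdict

# (ATT&CK technique, rule name, compiled pattern)
RECOVERY_INHIBIT_RULES = [
    ("T1490", "vssadmin_delete_shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("T1490", "wmic_shadowcopy_delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "powershell_win32_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*(?:\.Delete\(\)|Remove-WmiObject)", re.I)),
    ("T1490", "wbadmin_delete_catalog",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490", "bcdedit_recoveryenabled_no",
     re.compile(r"bcdedit(?:\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit_bootstatuspolicy_ignore",
     re.compile(r"bcdedit(?:\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Constructed sample events: (ISO timestamp, hostname, command line).
# FILESRV01 shows the pre-encryption sequence; BACKUP01 shows routine backup maintenance.
SAMPLE_EVENTS = [
    ("2024-05-01T10:02:00", "FILESRV01", "vssadmin delete shadows /all /quiet"),
    ("2024-05-01T10:02:01", "FILESRV01", "wmic shadowcopy delete"),
    ("2024-05-01T10:02:02", "FILESRV01", "bcdedit.exe /set {default} recoveryenabled No"),
    ("2024-05-01T10:02:02", "FILESRV01", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("2024-05-01T10:02:03", "FILESRV01", "wbadmin.exe delete catalog"),
    ("2024-05-01T03:00:00", "BACKUP01", "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ("2024-05-01T03:00:05", "BACKUP01", "vssadmin list shadows"),
    ("2024-05-01T03:00:10", "BACKUP01", "wbadmin start backup -backupTarget:E: -include:C:"),
]


def classify(cmdline):
    """Names of every rule the command line matches; empty list when nothing matches."""
    return [name for _, name, pattern in RECOVERY_INHIBIT_RULES if pattern.search(cmdline)]


def hits_by_host(events):
    """Map each host to the sorted set of distinct rule names it triggered."""
    hits = defaultdict(set)
    for _, host, cmdline in events:
        hits[host].update(classify(cmdline))
    return {host: sorted(names) for host, names in hits.items() if names}


def escalate(events, min_rules=2):
    """Hosts that triggered at least min_rules distinct T1490 rules (an assumed cut-off)."""
    return sorted(host for host, names in hits_by_host(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in hits_by_host(SAMPLE_EVENTS).items():
        print(host, names)
    print("escalate:", escalate(SAMPLE_EVENTS))
```

BACKUP01 still produces a single low-severity hit (the shadowstorage resize, which is the legitimate maintenance case the tuning note warns about), while FILESRV01 triggers five distinct rules inside a few seconds and is escalated. The same idea maps onto a SIEM correlation rule keyed on host with a short window and a count of distinct rule names.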
MITRE ATT&CK Technique T1486: Impact: Data Encrypted for Impact
Detection Opportunity: Ransomware Canary
Description: Ransomware canaries are files placed on critical assets that should never be touched. These files are monitored closely and any attempt to change them should result in a critical alert. Most Endpoint Detection and Response (EDR) tools implement ransomware canaries on each endpoint, but it is also possible to create ransomware canaries manually, monitor them using Sysmon, then alert using the SIEM of your choice.
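The manual approach described above has two halves: placing the canary files and then detecting any change to them. The Sysmon-plus-SIEM route watches file events as they happen; a simpler, complementary check is a periodic integrity sweep that hashes each canary and reports anything modified, renamed or deleted. The following is an added example, not code from the original post or from any EDR product: it deploys a few canaries into a directory, records a SHA-256 baseline, and classifies each file on the next sweep. The canary file names and the self-test in demo() are assumptions for illustration; the self-test tampers with files only inside a temporary directory it creates itself.

```python
"""Ransomware canary deployment and integrity sweep (added example).

Deploys decoy files, stores a SHA-256 baseline, and on each check reports files that
were modified, went missing (deleted or renamed), or are unchanged.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed names: chosen to sort first and last in a directory listing, since encryptors
# typically walk directories in order, so these are likely to be touched early.
CANARY_NAMES = [
    "!!_budget_master_copy.xlsx",
    "~aaa_board_minutes.docx",
    "zzz_archive_contracts.pdf",
]


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deploy_canaries(root):
    """Write canary files under root and return {absolute path: baseline sha256}."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = root / name
        # Deterministic filler keeps the baseline reproducible for this example; real
        # deployments should use plausible document content so the decoy is not obvious.
        path.write_bytes(f"canary {name} ".encode() * 64)
        baseline[str(path)] = sha256_file(path)
    return baseline


def check_canaries(baseline):
    """Compare every canary against its baseline hash and bucket the results."""
    report = {"ok": [], "modified": [], "missing": []}
    for path_str, expected in baseline.items():
        path = Path(path_str)
        if not path.exists():
            report["missing"].append(path.name)   # deleted or renamed (e.g. new extension)
        elif sha256_file(path) != expected:
            report["modified"].append(path.name)  # contents overwritten in place
        else:
            report["ok"].append(path.name)
    return report


def canary_tripped(report):
    """True when any canary was modified or is missing: this should page someone."""
    return bool(report["modified"] or report["missing"])


def demo():
    """Self-test in a temporary directory: clean sweep, then a simulated tamper event."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = deploy_canaries(tmp)
        assert not canary_tripped(check_canaries(baseline))
        # Simulated tampering confined to the temp dir: overwrite one canary in place and
        # rename another, the two changes an encryptor would produce on a real file.
        (Path(tmp) / CANARY_NAMES[0]).write_bytes(b"\x00" * 32)
        (Path(tmp) / CANARY_NAMES[1]).rename(Path(tmp) / (CANARY_NAMES[1] + ".locked"))
        return check_canaries(baseline)


if __name__ == "__main__":
    result = demo()
    print(result, "TRIPPED" if canary_tripped(result) else "clean")
```

In production the baseline would be written once at deployment time and the check run from a scheduled task, with a non-empty "modified" or "missing" list forwarded to the SIEM as a critical alert. The sweep complements rather than replaces Sysmon file-event monitoring: Sysmon tells you the instant a canary is touched and by which process, while the hash sweep catches changes on hosts where the event pipeline itself has been impaired.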
Conclusion
When I speak with audiences about ransomware detection, I’m always asked, “But doesn’t my EDR do this?”. I have a few answers to that. First, there are many small to medium businesses that do not have EDR but do have log collection: this is for them. Second, there are many businesses where EDR is deployed sporadically, and often not running on the most critical systems due to its high resource utilization and the possibility of interference with critical processes. Lastly, malicious actors of all types are growing increasingly skilled at disabling or hamstringing security tools. For an issue as severe as network encryption, every tool that can look for evidence of compromise should look for evidence of compromise. Additionally, where budget and operational constraints allow it, log collection/analysis and EDR should run concurrently. On critical servers, EDR should monitor the execution of the log forwarders and log analysis should monitor the execution of EDR, alerting if either one goes down.
Want more practical guidance like this? [redacted]’s IR retainers meet regularly with representatives from [redacted] threat intelligence and incident response in order to discuss current threats and how to detect them in your network. Schedule a call with a member of our cyber defense team today.
Authors
Lauren serves as the Director of Incident Response and Forensics at [redacted] where she’s frequently found on the front lines, leading incident response efforts on behalf of clients. Prior to joining [redacted], Lauren worked at Los Alamos National Laboratory where she specialized in malware analysis as a member and occasional leader of the incident response team. She enjoys teaching technical content and has experience teaching malware analysis to students ranging from private sector managers to US military and everything in between. She holds a BS and MS in Computer Criminology - Computer Science and a BA in International Affairs, all from Florida State University.