Demystifying Ransomware Attacks Against Microsoft Defender Solution

Published Nov 24 2020 09:05 PM 13.1K Views
Microsoft

RS2.gif

Hi IT Pros,

As you have known it, Ransomware is in the aggravated assault mode at this time of year 2020, the joint cybersecurity advisory comes from the Cybersecurity Infrastructure and Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have just given a serious warning about Ransomware Threat as shown in the following announcement:

 

TanTran_1-1606259880764.png

 

Debut in August of 2018, the Ransomware Ryuk gained shocking attention in 2019, Ryuk gangs demanded multi-million-dollar ransoms from victims, among them are companies, hospitals, and local governments. The actors are able to pocket over $61 million just in the US alone, according to FBI's report.

Check Point, a security software vendor also noted that the gang was attacking on an average of 20 companies every week in the third quarter of 2020.

Sean Gallagher from Sophos Lab, gave us the story about a typical Ryuk and Conti Ransomeware attack.

  • The attack began on the afternoon of Tuesday. September 22,2020 when multiple employees of the targeted company had received highly targeted phishing emails.
  • The email was tagged with external sender warnings by the company’s mail software. The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on docs.google.com.

Multiple instances of the malicious attachment were detected and blocked. But there was one employee who clicked on the link in the email that afternoon, allowing the outlook mail to  execute "print_document.exe", a malicious executable file identified as Buer Loader.

  • The Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files.
  • Cobalt Strike’s beacon makes a covert connection to the command and control of hackers.

By Wednesday morning the actors had obtained administrative credentials and had connected to the Domain Controller Server, where they performed a data dump of Active Directory records.

Data dump to an Admin User directory was most likely accomplished using "SharpHound".

SharpHound is the official data collector for BloodHound. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers

 

  • Ransomware attack is now ready to remotely deploy to other servers using WMI, Powershell and Remote Desktop RDP
  • Next, the "SystemBC", a malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family. 
  • The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.

TanTran_2-1606259880776.png

  • The organizational backup server was among the first target. The attackers used the icacls command to modify access control, giving them full control of all the system folders on the server. GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server.

Ryuk ransomware was redeployed and re-launched three more times in short order after each failed attempt, no files were encrypted.

TanTran_3-1606259880784.png

Lesson Learn

  •  The actor could repeat the attack multiple times with different variants of Ryuk, the attack period could be prolonged for days or weeks with multiple backdoors been used.
  • Response time is critical to prevent damage from further steps down the path of attacking sequence, from reconnaissance, credential compromise to later movement, domain dominance and exfiltration, data encryption, data deletion.
  • Team effort should be fully utilized during the attacking period.
  • If more resources are needed, Security Team could consult with online security support experts ASAP to form an united front against hackers .
  • We need to stop the attack at the Cobalt Strike Beacon level (step 2 in the above Chart) when compromised system starts connecting to outside command and control center of actor.
  • The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.
  • Proactive prevention with ASR rules for Office documents' macros could be an important factor to avoid the ransomware attack right at step 0, by giving no attack opportunity . We should consider it as one good and needed option to prevent ransomware attack. (see Attack Surface Reduction - ASR)

How good is Microsoft Defender for Endpoint and Identity against ransomware attack? 

You may be worried and wonder how good the MD for Endpoint and MD for Identity could protect your systems from ransomware.

Well, let us bring MD to the test. The most trusted industry test could be AV-Test from the Independent IT-Security Institute in Magdeburg of Germany, who has been known as the owner of the largest malware database in the world, it has counted a total of 1121.95 millions of malware to date (11/27/2020). Every day, the AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA).

  • For Windows Systems Antivirus Products.  AV-Test conduct monthly tests against widespread and prevalent malware discovered in the last 4 weeks, for example, the test-set of August 2020 included 21,851 (virus) samples, the test-set of October 2020 included 12316 (virus) samples. AV-TEST creates identical and reproducible conditions for all the antivirus products from all big AV vendors who join the test program.
  • MD for Endpoint continue getting AV-TEST top score monthly It scored 100% compared to the Industry average at 97.6% protection level against 339 different samples of " 0 day" malware type, the "unknown yet and newly appeared in the field" malware type, tested for the month of May and June, 2020.
  • Microsoft Defender for Endpoint scored 100% compared to the Industry average at 98.8% protection level against 334 different samples of " 0 day" malware type, tested in September and October 2020, as shown in the following image.

27-1.png

  • The test result table for all products based on protection, performance, usability scores is shown here, value of 6 is the highest score:
 

27-2.png

 

Test antivirus software for Windows 10 - October 2020 | AV-TEST (av-test.org)

 

In its Security Report for 2019, AV-Test Lab gave the following conclusion:

… the embedded Windows defense systems proved to be reliable protection against automated mass malware. In the regular certification tests over the past year (2018), Microsoft‘s consumer product, “Microsoft Defender Antivirus“ garnered the AV-TEST rating as “Top Product“ five out of six times. Which among other things was due to the reliable detection and defensive performance against widely distributed and frequently occurring malware. The business solution from Microsoft exhibited even better test results in 2019 and was even able to defend the title of “Top Product“ in six out of six annual tests.

Microsoft Defender for Endpoint Simulation Attack

Now, let us conduct our own test using the MD for Endpoint - Evaluation Lab feature:

  • we will create at least 3 test devices run windows 10 and windows server 2019 as shown here:            

Rs04.png

  • We run the " known ransomware infection" simulation by Safe breach for testmachine1
  • You may also want to run different attack simulations provided by Safebreach and AttackIQ for different devices

Rs05.png

 

with " known ransomware infection" attack simulation , the following ransomware names are detected and alerted on test machine1:

Rs3.png

 

Click on WannaCrypt ransomware to show the details about malicious file named Llac.exe and how long it stayed before being quarantined (3 minutes and 15 seconds):

Rs4.png

 

Click on Petya ransomware to show detail of malicious file named bdata.bin, it was existed within only 5 seconds and been quarantined:

Rs5.png

The ransomware attack overview and its entities are shown in the incident named “Multi-stage incident involving Initial access & Discovery including Ransomware on multiple Endpoints” tree graph,

  • The Wanacry Ransomware file, llac.exe was blocked at source on testmachine1 with a total of 6 failed attempts.
  • The Wanacry Ransomware file, llac.exe was blocked at source on testserver3.

Picture6.png

  • The Petya ransomware file, bdata.bin had been laterally spread out to testserver2 before it was stopped.

Rs7.png

 

 

Ransomware Action

 

MD for Endpoint and MD for Identity Alert

Malicious services were created on remote servers using the same admin credentials, using WMI Event to drop command payload.

MD for Endpoint Alert: WMI suspicious Event

Rs8.png

PowerShell is used to download more malicious payloads.

 

MD for Endpoint Alert

Rs001.png

Credential theft activity

MD for Identity Alert about overpass the hash attack:

Rs10.png

Rs11.png

Impersonate action on privilege account and privilege group membership by PowerShell script.

Alert by MD for Identity and displayed in Cloud App Security Portal:

Rs12.png

Keyboard hijack activity

Alert by Defender for Endpoint:

Rs13.png

Fileless attacks with memory payload.

These activities could be detected by AMSI, Microsoft’s Anti-Malware Scanning Interface, when it inspects the in-memory process. MD for Endpoint raised the alert, details as follow:

 

Rs14.png

Mimikatz was used as a credential theft tool, It was detected and blocked from installation.

Mimikatz files were quarantined.

Alert by MD for Endpoint

 

Rs15.png

Backdoor activity detected

Alerted by MD for Endpoint:

Rs16.png

Ransomware Payload and encryption activities are prevented beforehand.

There is no domain dominant - alert event.

There is no encryption - alert event.

 

 Ryuk Ransomware Prevention and Protection strategy provided by MD for Endpoint - Threat Analytics.

Microsoft Defender for Endpoint Analytics proposed an analyst report and mitigation (plan) against the Ryuk ransomware. Each of the attack step in Ryuk’s killing chain is mapped to the protection measures which include Antivirus-EDR (MD for Endpoint), Azure ATP (MD for Identity), Multi Factors Authentication MFA, Attack Surface Reduction rules for Office Macro, Windows Host Firewall, and Tamper Protection Security Policy.

The detail of Ryuk attack based on MITRE ATT&CK process is shown in the following image, each Ransomware action step of the attack sequence was mapped to one or multiple counter attack measure:

Rs01.png

Mitigations provided by MD for Endpoint - Threat Analytics

  1. Apply these mitigations to reduce the impact of this threat:
  • Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Monitor for clearing of event logs. Windows generates a security event ID 1102 when this occurs.
  • Ensure internet-facing assets have the latest security updates. Audit these assets regularly for suspicious activity.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Highly privileged accounts should not be present on workstations.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI.
  1. Check the recommendations card for the deployment status of monitored mitigations in “Threat & Vulnerability Management” under “Remediation”.

Rs02.png

If Security Administrators enable EDR and all features of Defender, setup alert notification and completely finish all of the Defender Endpoint and Defender Identity’s remediation plans against each ransomware and malware, then, I guess, our colleagues may have a much better sleep at night, knowing that their systems are safe and well protected from ransomware and other malware threats.

To get it upto the "100%"  level of protection, your defender strategy should always include Windows 10 Defender Guard (Application Guard, Credential Guard, Exploit Guard with Attack Surface Reduction rules, System Guard, …) together with MD for Endpoint, to be deployed on workstations and servers and MD for Identity applied to all domain controllers, it is part of the defense strategy and included in M365 E5 license. You may want to check the blog articles related to Microsoft Defender for Identity setup and operation.

 

I hope the info is useful,

Have a valuable time with your Defender!

 

 

___________________________________

Reference:

 

8 Comments
Co-Authors
Version history
Last update:
‎Jun 17 2021 12:42 AM
Updated by: