Defending Against Ransomware With Microsoft Security

%3CLINGO-SUB%20id%3D%22lingo-sub-2800321%22%20slang%3D%22en-US%22%3EDefending%20Against%20Ransomware%20With%20Microsoft%20Security%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2800321%22%20slang%3D%22en-US%22%3E%3CP%3EEven%20if%20your%20organization%20has%20good%20backups%2C%20and%20has%20been%20affected%20by%20ransomware%20to%20a%20limited%20scope%2C%20it%20may%20take%20from%20a%20few%20days%20to%20weeks%20to%20fully%20recover%20from%20the%20attack.%20Most%20of%20the%20preparations%20for%20protecting%20against%20a%20successful%20ransomware%20attack%20happen%26nbsp%3B%3CSTRONG%3Ebefore%20getting%20infected%3C%2FSTRONG%3E.%20Doing%20a%20threat-analysis%20for%20identifying%20possible%20threat%20actors%20who%20could%20potentially%20target%20your%20systems%20would%20be%20a%20nice%20start.%20But%20it%20is%20not%20possible%20to%20identify%20all%20threat%20actors.%20It%20is%20therefore%20important%20to%20analyze%20the%20steps%2C%20the%20kill-chain%2C%20attack-vectors%2C%20and%20proceed%20with%20possible%20defenses%20on%20%3CSTRONG%3Estrategic%2C%20tactical%20and%20operational%20level%3C%2FSTRONG%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3ETypical%20Ransomware%20Activities%20Flow%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ransomare.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F314031i9DB27C2369048EF0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Ransomare.jpg%22%20alt%3D%22Ransomare.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAn%20important%20factor%20in%20defending%20against%20any%20malware%20and%20specially%20against%20ransomware%20is%20to%20monitor%20all%20the%20domains%20(identities%2C%20emails%2C%20endpoints%2C%20applications%20etc.)%2C%20both%20on-premises%20and%20in%20cloud.%20A%20malicious%20OAuth%20application%20can%20trick%20the%20user%20to%20log%20on%20to%20their%20cloud%20apps%20and%20encrypt%2C%20exfiltrate%20or%20destroy%20the%20data%20in%20cloud.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERansomwares%20incidents%20are%20occurring%20more%20often%20than%20before%2C%20and%20this%20trend%20seems%20to%20be%20continuing.%20Few%20reasons%20contributing%20to%20this%20are%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EDigitalization%20and%20cloud%20adoption%20-%20which%20in-turn%20has%20increased%20attack%20surface.%3C%2FLI%3E%3CLI%3EIdentity%20has%20become%20central%20perimeter.%3C%2FLI%3E%3CLI%3ELack%20of%20end-users%20training%20and%20awareness.%3C%2FLI%3E%3CLI%3EMFA%20can%20be%20bypassed%20if%20legacy%20protocols%20are%20enabled%3C%2FLI%3E%3CLI%3EThe%20ease%20of%20deploying%20ransomware%20where%20no%20coding%20or%20technical%20knowledge%20is%20required%20to%20deploy%20ransomware.%20Attackers%20can%20rent%20ransomware%20as%20a%20service.%3C%2FLI%3E%3CLI%3EAnonymous%20payment%20channels%20(crypto%20currencies)%3C%2FLI%3E%3CLI%3EDependency%20on%20legacy%20systems%2C%20unpatched%20%2F%20vulnerable%20systems%2C%20insider%20threats%20etc.%3C%2FLI%3E%3CLI%3EWeak%20cyber%20security%20architecture%20and%2F%20or%20management%20focus%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETarget%20Assets%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThe%20easiest%2C%20cheapest%20and%20hence%20the%20most%20common%20attack%20method%20is%20through%20social%20engineering.%20Emails%20bypass%20all%20the%20traditional%20security%20choke-points%20at%20perimeters%20like%20firewalls.%20If%20crafted%20well%20enough%2C%20even%20the%20most%20security-aware%20users%20may%20fall%20victim%20to%20such%20attacks.%20Similarly%2C%20compromised%20identities%2C%20open%20vulnerabilities%2C%20misconfigurations%20can%20be%20exploited%20to%20deliver%20ransomware.%20Allowing%20identities%20to%20authenticate%20via%20legacy%20protocols%2C%20can%20bypass%20MFA.%20While%20users%20(being%20the%20weakest%20link%20and%20first%20line%20of%20defense)%20are%20targeted%20the%20most%2C%20system%20hardening%20is%20equally%20important%20so%20that%20attackers%20do%20not%20find%20an%20open%20way%20in%20via%20exploiting%20vulnerabilities.%20Encryption%20is%20the%20last%20layer%20of%20defense%2C%20and%20if%20the%20attack%20is%20successful%2C%20secure%20backup%20is%20our%20safest%20bet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20Importance%20of%20Having%20a%20Ransomware%20Policy%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EBut%20before%20going%20deeper%20into%20attack%20vectors%2C%20a%20very%20important%20(and%20often%20missing)%20part%20of%20preparation%20is%20having%20an%20enterprise-wide%20policy%20for%20ransomware%2C%20%3CSTRONG%3Ebefore%20ransomware%20hits%3C%2FSTRONG%3E.%20It%20is%20important%20to%20decide%20as%20a%20policy%20if%20we%20are%20willing%20to%20pay%20the%20ransom%20or%20not.%20If%20we%20decide%20to%20pay%20as%20the%20last%20resort%2C%20we%20must%20be%20aware%20of%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EThe%20decryption%20key%20we%20get%20after%20paying%20may%20actually%20not%20work.%3C%2FLI%3E%3CLI%3EThe%20attackers'%20businesses%20depend%20on%20these%20payments.%3C%2FLI%3E%3CLI%3EThey%20may%20ask%20for%20more%20money%20(after%20we%20have%20paid%20for%20decryption-key)%20for%20not%20leaking%20your%20sensitive%20data%20on%20internet%20-%20a%20phenomenon%20called%20double-extortion.%3C%2FLI%3E%3C%2FOL%3E%3CP%3EIf%20we%20plan%20not%20to%20pay%20the%20ransom%2C%20we%20must%20ensure%20a%20rock-solid%20backup%20strategy%2C%20a%20way%20to%20ensure%20business%20continuity%20and%20the%20ability%20to%20recover%20from%20the%20disaster.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fbackup%2Fbackup-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20backups%3C%2FA%3E%26nbsp%3Bcan%20be%20considered%2C%20which%20cover%20both%20on-premises%20and%20cloud%20workloads.%20It%20also%20provides%20MFA%20capability%20for%20sensitive%20operations%2C%20in%20addition%20to%20policy%20management%2C%20access%20control%2C%20monitoring%20and%20reporting.%20A%20contact%20point%20in%20case%20crises%20happens%20should%20already%20be%20communicated%20in%20advance.%20It%20should%20be%20understood%20that%20once%20ransomware%20is%20deployed%2C%20it%20will%20be%20more%20than%20a%20usual%20incident%20response%20process.%20There%20has%20to%20be%20a%20way%20to%20communicate%20with%20employees%20when%20emails%20and%20other%20communication%20systems%20are%20infected%2C%20or%20rendered%20useless.%20It%20should%20ideally%20be%20out-of-band.%20There%20would%20most%20probably%20be%20a%20need%20for%20inclusion%20of%20cyber%20insurance%20(if%20we%20have%20one)%2C%20legal%20counsel%20and%20public%20relations%20in%20addition.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETime%20Between%20Infection%20and%20Detection%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIt%20can%20take%20some%20time%20(a%20few%20days)%20between%20initial%20foothold%20and%20deploying%20ransomware.%20During%20this%20time%20attackers%20look%20for%20interesting%20data%2C%20try%20to%20move%20laterally%20and%20stay%20dormant.%20Ransomware%20has%20become%20an%20industry%2C%20where%20threat%20actors%20deploy%20ransomware%20to%20make%20money.%20Just%20like%20normal%20companies%2C%20they%20need%20to%20show%20increase%20in%20yearly%20profits.%20Their%20hope%20is%20that%20victims%20pay.%20To%20increase%20the%20chances%20that%20victims%20will%20pay%2C%20the%20attackers%20look%20for%20most%20valued%20data%2C%20most%20critical%20systems%2C%20exfiltrate%20the%20data%2C%20delete%20or%20deny%20access%20to%20back-up%20data%2C%20remove%20volume%20shadow%20copies%2C%20delete%20restore%20points%20etc%2C%20before%20encrypting%20the%20data%20and%20leaving%20the%20note%20for%20end-users.%20However%2C%20deleting%20or%20rendering%20executables%20useless%2C%20encrypting%20DLL%20files%20or%20other%20files%20which%20critical%20for%20running%20the%20system%20like%20windows%20directory%20files%20defeats%20the%20purpose%20of%20deploying%20ransomware.%20This%20is%20because%20the%20user%20will%20be%20left%20with%20no%20choice%20other%20than%20to%20restore%20the%20system%20from%20scratch.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ECommon%20IOCs%20that%20EDR%20looks%20for%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ETo%20understand%20common%20Indicators%20of%20Compromise%2C%20we%20need%20to%20understand%20how%20a%20typical%20ransomware%20works.%20If%20ransomware%20needs%20to%20connect%20to%20a%20C%26amp%3BC-server%20to%20download%20encryption%20key%2C%20the%20chances%20of%20it%20failing%20increase.%20This%20is%20because%20the%20communication%20to%20C%26amp%3BC-server%20can%20be%20blocked%20before%20it%20can%20connect%20to%20the%20C%26amp%3BC-server.%20So%20it%20is%20more%20common%20for%20ransomwares%20to%20keep%20the%20encryption%20key%20stored%20locally%20on%20the%20system.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20ensure%20that%20antivirus%2C%20anti-malware%20and%20other%20security%20solutions%20do%20not%20stop%20ransomware%20in%20its%20track%2C%20it%20tries%20to%20stop%20these%20services%20first.%20As%20mentioned%20earlier%2C%20ransomwares%20do%20not%20encrypt%20or%20otherwise%20destroy%20entire%20systems.%20It%20encrypts%20files%20that%20typically%20contain%20important%20data%2C%20like%20Microsoft%20office%20documents%2C%20pdf%20files%2C%20databases%2C%20zip-files%20etc.%20While%20it%20is%20the%20typical%20behavior%2C%20it%20can%20change%20based%20on%20attackers%20choice%20of%20files%20to%20encrypt.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20ransomwares%20also%20create%20temporary%20files%20with%20garbage%20information%20to%20fill%20up%20available%20space.%26nbsp%3B%20To%20prevent%20system%20recovery%2C%20ransomware%20will%20typically%20delete%20volume%20shadow%20copies.%20This%20can%20be%20done%20using%20tools%20like%20%22wmic%22%2C%20%22vssadmin%22%2C%20powershell%2C%20or%20by%20resizing%20the%20amount%20of%20space%20used%20for%20shadow%20copy%20storage.%20Ransomwares%20also%20delete%20system%20restore%20points%20for%20similar%20purposes.%20During%20the%20process%20of%20infection%2C%20we%20typically%20see%20one%20process%20starting%20another%20process.%20Like%20a%20word%20document%20containing%20embedded%20macro%20spawning%20a%20powershell%20process.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20Bigger%20Picture%20-%20Using%20Microsoft%20XDR%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIt%20is%20crucial%20to%20monitor%20all%20the%20domains%20(identities%2C%20emails%2C%20endpoints%2C%20applicaitons%20etc)%20for%20IOCs.%20This%20not%20only%20ensures%20that%20security%20professionals%20receive%20signals%20from%20all%20these%20domains%2C%20but%20it%20is%20equally%20important%20to%20be%20able%20to%20correlate%20all%20this%20information%20at%20machine%20speed.%20The%20power%20of%20Microsoft's%20XDR%20lies%20in%20the%20pre-integrated%20architecture%2C%20where%20security%20professionals%20do%20not%20need%20to%20scramble%20resources%20and%20manually%20check%20each%20system%20for%20detailed%20analysis.%20All%20the%20alerts%20can%20be%20aggregated%20in%20single%20view%20by%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Fazure-sentinel%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Sentinel%3C%2FA%3E.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-introduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Security%20Center%3C%2FA%3E%20can%20help%20you%20harden%20the%20PAAS-workloads%2C%20machines%2C%20data%20services%2C%20and%20apps.%20An%20advanced%20machine%20learning%20based%20feature%20that%20ASC%20provides%20is%20called%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-compliance-and-identity%2Fmapping-adaptive-application-controls-to-mitre-att-amp-ck%2Fm-p%2F2624668%22%20target%3D%22_blank%22%3EAdaptive%20Application%20Controls%3C%2FA%3E.%20How%20this%20maps%20to%20MITRE%20ATT%26amp%3BCK%20Framework%2C%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-compliance-and-identity%2Fmapping-adaptive-application-controls-to-mitre-att-amp-ck%2Fm-p%2F2624668%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%20The%20different%20building%20blocks%20of%20Microsoft%20XDR%20are%20as%20follows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EDefender%20for%20Identity%20%26amp%3B%20Azure%20Identity%20Protection%3C%2FLI%3E%3CLI%3EDefender%20for%20Endpoint%3C%2FLI%3E%3CLI%3ECloud%20Apps%20Security%20(MCAS)%3C%2FLI%3E%3CLI%3EEmail%20Security%20(Defender%20for%20O365)%3C%2FLI%3E%3CLI%3EData%20Loss%20Prevention%3C%2FLI%3E%3CLI%3ESQL%3C%2FLI%3E%3CLI%3EServers%26nbsp%3B%3C%2FLI%3E%3CLI%3EContainers%3C%2FLI%3E%3CLI%3ENetwork%3C%2FLI%3E%3CLI%3EIoT%3C%2FLI%3E%3CLI%3EAzure%20App%20Service%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EImportance%20of%20Backup%20Strategy%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ERegular%20and%20effective%20backups%20are%20critical%20best%20practices.%20We%20need%20to%20regularly%20perform%20backups%20and%20restore%20to%20ensure%20that%20the%20service%20is%20running%20as%20expected.%20Using%20Azure%20backup%20as%20a%20storage%20service%20has%20multiple%20benefits%2C%20where%20backups%20are%20situated%20apart%20from%20primary%20networks.%20They%20are%20protected%20against%20ransomware.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2800321%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Defender%20for%20Endpoint%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Defender%20for%20Office%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Even if your organization has good backups, and has been affected by ransomware to a limited scope, it may take from a few days to weeks to fully recover from the attack. Most of the preparations for protecting against a successful ransomware attack happen before getting infected. Doing a threat-analysis for identifying possible threat actors who could potentially target your systems would be a nice start. But it is not possible to identify all threat actors. It is therefore important to analyze the steps, the kill-chain, attack-vectors, and proceed with possible defenses on strategic, tactical and operational level.

 

Typical Ransomware Activities Flow

Ransomare.jpg

An important factor in defending against any malware and specially against ransomware is to monitor all the domains (identities, emails, endpoints, applications etc.), both on-premises and in cloud. A malicious OAuth application can trick the user to log on to their cloud apps and encrypt, exfiltrate or destroy the data in cloud.

 

Ransomwares incidents are occurring more often than before, and this trend seems to be continuing. Few reasons contributing to this are:

 

  1. Digitalization and cloud adoption - which in-turn has increased attack surface.
  2. Identity has become central perimeter.
  3. Lack of end-users training and awareness.
  4. MFA can be bypassed if legacy protocols are enabled
  5. The ease of deploying ransomware where no coding or technical knowledge is required to deploy ransomware. Attackers can rent ransomware as a service.
  6. Anonymous payment channels (crypto currencies)
  7. Dependency on legacy systems, unpatched / vulnerable systems, insider threats etc.
  8. Weak cyber security architecture and/ or management focus

 

Target Assets:

The easiest, cheapest and hence the most common attack method is through social engineering. Emails bypass all the traditional security choke-points at perimeters like firewalls. If crafted well enough, even the most security-aware users may fall victim to such attacks. Similarly, compromised identities, open vulnerabilities, misconfigurations can be exploited to deliver ransomware. Allowing identities to authenticate via legacy protocols, can bypass MFA. While users (being the weakest link and first line of defense) are targeted the most, system hardening is equally important so that attackers do not find an open way in via exploiting vulnerabilities. Encryption is the last layer of defense, and if the attack is successful, secure backup is our safest bet.

 

The Importance of Having a Ransomware Policy:

But before going deeper into attack vectors, a very important (and often missing) part of preparation is having an enterprise-wide policy for ransomware, before ransomware hits. It is important to decide as a policy if we are willing to pay the ransom or not. If we decide to pay as the last resort, we must be aware of the following:

 

  1. The decryption key we get after paying may actually not work.
  2. The attackers' businesses depend on these payments.
  3. They may ask for more money (after we have paid for decryption-key) for not leaking your sensitive data on internet - a phenomenon called double-extortion.

If we plan not to pay the ransom, we must ensure a rock-solid backup strategy, a way to ensure business continuity and the ability to recover from the disaster. Azure backups can be considered, which cover both on-premises and cloud workloads. It also provides MFA capability for sensitive operations, in addition to policy management, access control, monitoring and reporting. A contact point in case crises happens should already be communicated in advance. It should be understood that once ransomware is deployed, it will be more than a usual incident response process. There has to be a way to communicate with employees when emails and other communication systems are infected, or rendered useless. It should ideally be out-of-band. There would most probably be a need for inclusion of cyber insurance (if we have one), legal counsel and public relations in addition.

 

Time Between Infection and Detection:

It can take some time (a few days) between initial foothold and deploying ransomware. During this time attackers look for interesting data, try to move laterally and stay dormant. Ransomware has become an industry, where threat actors deploy ransomware to make money. Just like normal companies, they need to show increase in yearly profits. Their hope is that victims pay. To increase the chances that victims will pay, the attackers look for most valued data, most critical systems, exfiltrate the data, delete or deny access to back-up data, remove volume shadow copies, delete restore points etc, before encrypting the data and leaving the note for end-users. However, deleting or rendering executables useless, encrypting DLL files or other files which critical for running the system like windows directory files defeats the purpose of deploying ransomware. This is because the user will be left with no choice other than to restore the system from scratch.

 

Common IOCs that EDR looks for:

To understand common Indicators of Compromise, we need to understand how a typical ransomware works. If ransomware needs to connect to a C&C-server to download encryption key, the chances of it failing increase. This is because the communication to C&C-server can be blocked before it can connect to the C&C-server. So it is more common for ransomwares to keep the encryption key stored locally on the system.

 

To ensure that antivirus, anti-malware and other security solutions do not stop ransomware in its track, it tries to stop these services first. As mentioned earlier, ransomwares do not encrypt or otherwise destroy entire systems. It encrypts files that typically contain important data, like Microsoft office documents, pdf files, databases, zip-files etc. While it is the typical behavior, it can change based on attackers choice of files to encrypt.

 

Some ransomwares also create temporary files with garbage information to fill up available space.  To prevent system recovery, ransomware will typically delete volume shadow copies. This can be done using tools like "wmic", "vssadmin", powershell, or by resizing the amount of space used for shadow copy storage. Ransomwares also delete system restore points for similar purposes. During the process of infection, we typically see one process starting another process. Like a word document containing embedded macro spawning a powershell process.

 

The Bigger Picture - Using Microsoft XDR:

It is crucial to monitor all the domains (identities, emails, endpoints, applicaitons etc) for IOCs. This not only ensures that security professionals receive signals from all these domains, but it is equally important to be able to correlate all this information at machine speed. The power of Microsoft's XDR lies in the pre-integrated architecture, where security professionals do not need to scramble resources and manually check each system for detailed analysis. All the alerts can be aggregated in single view by Azure Sentinel. Azure Security Center can help you harden the PAAS-workloads, machines, data services, and apps. An advanced machine learning based feature that ASC provides is called Adaptive Application Controls. How this maps to MITRE ATT&CK Framework, can be found here. The different building blocks of Microsoft XDR are as follows:

 

  • Defender for Identity & Azure Identity Protection
  • Defender for Endpoint
  • Cloud Apps Security (MCAS)
  • Email Security (Defender for O365)
  • Data Loss Prevention
  • SQL
  • Servers 
  • Containers
  • Network
  • IoT
  • Azure App Service

Importance of Backup Strategy:

Regular and effective backups are critical best practices. We need to regularly perform backups and restore to ensure that the service is running as expected. Using Azure backup as a storage service has multiple benefits, where backups are situated apart from primary networks. They are protected against ransomware. 

0 Replies