Anatomy of a Ransomware Attack
The Varonis Forensics Team recently investigated and remediated a ransomware event that resulted in large-scale encryption and exfiltration across multiple file servers. The threat actor obtained long-term persistence, escalated privileges to domain administrator, executed command and control of multiple hosts, achieved mass data exfiltration, and ultimately destroyed data.
Overnight, the victim company received an alert that appeared to show ransomware propagating on multiple file shares. These events originated from a single user, and patterns detected within the events resembled those often generated by ransomware. In the early morning, the company took immediate action to disable the compromised domain Administrator account and engaged Varonis to assist in the incident response and recovery process.
Using the Varonis platform, the forensics team immediately identified the ransomware strain as "LockBit" and determined the full scope of impact. The Varonis team also observed PSExec used to perform lateral movement and remote execution within the environment.
An initial forensic review of the host generating PSExec activity revealed a few key findings:
The threat actor had live remote sessions on the compromised device via the legitimate remote administration tool, TightVNC.
Multiple local administrator accounts had been created for additional persistence (across multiple devices). This included usernames such as: DomainAdmin, Support1, Support2, WDAGUtilityAccount and clienttest.
Varonis also observed the creation of "contactus"-style files dropped by the threat actor shortly after our investigation began — indicating an active attempt to communicate with the forensic team while the threat actor also had a live session on the device.
Attempt by threat actor to directly contact response team through file creation.
Once we knew the attacker was still active on the compromised device, Varonis worked with the company to take appropriate remediation steps to minimize the active threat, such as:
Disabling the network interface on compromised virtual machines.
Performing an environment-wide sweep to hunt for deployments of TightVNC, additional local user creations, and any suspicious connections to the now-identified C2 IP addresses. Several other hosts were found to be configured as secondary access points. These hosts were remediated as required in each instance.
Further investigation revealed that the local administrative accounts were created at least 45 days before the encryption event, providing evidence that the attacker had a foothold within the environment for a significant amount of time, as is often observed in these types of breaches.
Varonis investigators identified a secondary form of persistence — a PowerShell-based TCP reverse shell running on compromised hosts. A snippet of the shell is shown below; the domain it attempted to resolve de-obfuscates to "block.securerequest[.]tw", a domain newly registered as of October 2021. The shell in question is a slightly modified version of a publicly available script from an offensive security group known as the "KaliBoys."
Variant of publicly available reverse TCP shell identified on compromised servers — the script contacts "block.securerequest[.]tw"
The script obfuscates its command invocations by defining KaliBoys as an alias for "IEX" (Invoke-Expression) to evade certain static detection mechanisms, and it also hides domains as hexadecimal byte strings, as shown above with "$A="62 6C…", which encodes the malicious domain in question. Even advanced adversaries across the globe often abuse these types of publicly available toolsets ― why reinvent the wheel when the necessary tools or scripts already exist?
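The two tricks described above (an alias that resolves to Invoke-Expression and a hostname stored as hex byte pairs) are simple to surface once you know to look for them. The following is an added detection example, not the recovered script or Varonis code; the sample script block is constructed, and the hex string decodes to the domain reported in this post.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the snippet described above (not the actual script
# recovered during the investigation): an alias pointing at Invoke-Expression and a
# hex-encoded hostname, which decodes to the domain reported in the post.
SAMPLE_SCRIPT = r'''
New-Alias -Name KaliBoys -Value IEX
$A="62 6C 6F 63 6B 2E 73 65 63 75 72 65 72 65 71 75 65 73 74 2E 74 77"
Write-Host "status ok"
'''

# New-Alias/Set-Alias whose target is IEX or Invoke-Expression, with or without -Name/-Value.
ALIAS_RE = re.compile(
    r'(?:New|Set)-Alias\s+(?:-Name\s+)?(\S+)\s+(?:-Value\s+)?(?:IEX|Invoke-Expression)\b',
    re.IGNORECASE,
)
# Double-quoted literal made only of hex byte pairs (four or more), optionally space separated.
HEX_STRING_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}\s*){4,})"')
HOSTNAME_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)+$', re.IGNORECASE)


def find_iex_aliases(script: str) -> List[str]:
    """Return alias names that resolve to Invoke-Expression."""
    return [m.group(1) for m in ALIAS_RE.finditer(script)]


def decode_hex_strings(script: str) -> List[str]:
    """Decode every hex-pair string literal; non-ASCII bytes are replaced, not dropped."""
    decoded = []
    for m in HEX_STRING_RE.finditer(script):
        raw = bytes.fromhex("".join(m.group(1).split()))
        decoded.append(raw.decode("ascii", errors="replace"))
    return decoded


def triage(script: str) -> Dict[str, object]:
    """Summarise the obfuscation indicators present in one script block."""
    aliases = find_iex_aliases(script)
    strings = decode_hex_strings(script)
    hostnames = [s for s in strings if HOSTNAME_RE.match(s)]
    return {
        "iex_aliases": aliases,
        "decoded_strings": strings,
        "hidden_hostnames": hostnames,
        # Both indicators together are the pattern described in the post.
        "suspicious": bool(aliases) and bool(hostnames),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

Decoded hostnames can be fed straight into the DNS and proxy log searches described later in this post.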
After investigating Windows event logs on the compromised foothold server, Varonis identified Log4Shell exploitation attempts in the authentication logs, originating from a public-facing application months before the ransomware event. The victim was running an older Windows version, and it appears likely that the threat actor used this vector to gain initial access to the network.
An image of one of the exploit attempts from Windows event logs is shown below. Research into the application indicates that the version in use was susceptible to this type of exploit.
Log4Shell exploitation attempts against public-facing application from Windows event-logging.
As mentioned, Varonis helped the company identify multiple local administrative accounts that the threat actor created on compromised devices. Additionally, abusing a domain administrator account allowed the threat actor to create multiple domain accounts for future use.
The PowerShell backdoor and TightVNC gave the threat actor remote connection mechanisms for future access while bypassing standard controls such as inbound firewall blocks and server proxy mechanisms intended to prevent direct internet communication from outside sources. The TightVNC server was installed on the compromised host as a startup item to maintain an active presence on the device, whereas the PowerShell backdoors appeared to be launched in a more ad-hoc fashion rather than through a persistent startup mechanism.
TightVNC presence in CurrentVersion\Run within Windows Registry.
We also observed multiple attempts to download and execute PowerShell (such as the above backdoor) on compromised devices from temporary servers hosted by the attacker, as shown in the below example.
PowerShell execution string taken from running process analysis.
While many advanced AV/EDR evasion techniques exist for executing remote PowerShell scripts, sometimes a basic remote invocation, such as the example shown above, is all that is needed to achieve the goal of code execution.
Credential access / privilege escalation
Varonis identified evidence that the offensive utility "Mimikatz" was deployed and used on compromised servers. This allowed the attacker to perform common credential-based attacks such as pass-the-hash or ticket-based attacks. We believe that the attacker was then able to compromise additional accounts that had a logon presence on the initial foothold server.
It is critically important to reduce the over-use of high-privilege accounts, such as domain admins, to decrease the overall attack surface presented to an attacker in the early stages of a breach — especially using said accounts for logon access to internet-facing servers.
Evidence of Mimikatz presence in USN journal of compromised device.
Before the encryption attack, the threat actor was able to reset the password of a service account on the compromised device, which also happened to be a domain administrative account. Understanding and using the principle of least privilege is critical to prevent the over-privileging of service accounts, especially those that authenticate to servers that may be exposed to internet-based users. The same account was then abused for lateral movement across the environment in the weeks and months leading up to final encryption. Disabling WDigest credential caching, implementing LAPS, and avoiding the use of critical accounts on externally-facing servers can each help reduce an organization's credential attack surface.
Our team also discovered evidence of the common "Advanced Port Scanner" software installed on compromised devices through a review of file-system evidence and the USN journal. Abuse of this application allowed the attacker to easily scan the company's entire internal network to identify which IP addresses have live hosts, what services those hosts are running, what ports are open, and other critical details typically available via network probing.
Additionally, the forensics team discovered suspicious DNS behavior in the centralized logging of DNS requests from devices where this utility was deployed, which allowed us to infer that reverse DNS requests were being used to perform network scanning.
Evidence of Advanced Port Scanner presence in USN journal.
Identifying internal network reconnaissance can be difficult in many organizations due to the lack of log collection from internal firewalls — these logs tend to be extremely noisy and are often of less value than events from firewalls at the internal-external boundary. Aggregating and analyzing internal and external DNS requests can help make up for a lack of internal firewall visibility by revealing when a host is behaving abnormally with respect to DNS.
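The reverse-DNS pattern described above (one client issuing PTR lookups for a whole address range in a short period) is easy to pick out of centralized DNS logs. The following is an added detection example, not Varonis code; the log format and the query log itself are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed DNS query log (not the customer's real logs): "<timestamp> <client> <qtype> <qname>".
# 10.0.5.23 walks a /24 with PTR lookups; 10.0.5.40 is ordinary workstation traffic.
def build_sample_log() -> List[str]:
    lines = []
    start = datetime(2021, 11, 3, 2, 10, 5)
    for i in range(1, 121):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.5.23 PTR {i}.8.0.10.in-addr.arpa")
    lines.append("2021-11-03T02:10:20 10.0.5.40 A fileserver01.corp.local")
    lines.append("2021-11-03T02:10:21 10.0.5.40 PTR 10.8.0.10.in-addr.arpa")
    return lines


ARPA_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(qname: str) -> str:
    """Turn '17.8.0.10.in-addr.arpa' back into '10.0.8.17'."""
    return ".".join(reversed(qname.lower()[: -len(ARPA_SUFFIX)].split(".")))


def find_reverse_lookup_sweeps(lines, threshold=50, window_minutes=5) -> Dict[str, Dict[str, object]]:
    """Clients issuing >= threshold distinct PTR queries within one window, plus the /24 they swept."""
    buckets: Dict[Tuple[str, object], Set[str]] = defaultdict(set)
    for line in lines:
        ts, client, qtype, qname = line.split()
        if qtype != "PTR" or not qname.lower().endswith(ARPA_SUFFIX):
            continue
        t = datetime.fromisoformat(ts)
        key = (client, (t.date(), (t.hour * 60 + t.minute) // window_minutes))  # fixed windows
        buckets[key].add(ptr_to_ip(qname))
    findings: Dict[str, Dict[str, object]] = {}
    for (client, _), ips in buckets.items():
        if len(ips) < threshold or len(ips) <= findings.get(client, {"distinct_ptr": 0})["distinct_ptr"]:
            continue
        subnets: Dict[str, int] = defaultdict(int)
        for ip in ips:
            subnets[ip.rsplit(".", 1)[0] + ".0/24"] += 1
        findings[client] = {"distinct_ptr": len(ips), "subnet": max(subnets, key=subnets.get)}
    return findings


if __name__ == "__main__":
    print(find_reverse_lookup_sweeps(build_sample_log()))
```

Tune the threshold to your environment; service-desk and monitoring hosts that legitimately resolve many addresses should be added to an allowlist rather than raising the threshold for everyone.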
Command and control
The threat actor in question used the common "PSExec" tool to laterally move to multiple servers where TightVNC and the previously mentioned PowerShell reverse TCP shell were deployed, providing remote access back into the environment through multiple vectors. Evidence of this was observed both in active network connections and firewall event logs that the Varonis Forensics Team was able to use to help identify the full scope of the breach.
This activity was corroborated through evidence observed at the file-system level in the USN journal and Windows event logs due to the service creation events triggered by first-time PSExec remote use.
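Two of the host-level artifacts mentioned in this write-up are straightforward to pull from event logs: the local account creations (Security event 4720) that established the attacker's foothold at least 45 days before encryption, and the service installs (System event 7045) that PsExec leaves behind on first use of a target host. The following is an added triage example, not Varonis code; the events are constructed, already-parsed records, and the field names follow the Windows event XML.

```python
from datetime import datetime
from typing import Dict, List

# Constructed events in a simplified, already-parsed form (not records from the
# actual investigation). 4720 = "A user account was created" (Security log);
# 7045 = "A service was installed in the system" (System log).
EVENTS: List[Dict[str, str]] = [
    {"time": "2021-10-20T01:12:44", "id": "4720", "host": "FS01", "TargetUserName": "Support1"},
    {"time": "2021-10-20T01:13:10", "id": "4720", "host": "FS01", "TargetUserName": "DomainAdmin"},
    {"time": "2021-10-22T09:30:00", "id": "4720", "host": "FS01", "TargetUserName": "jsmith"},
    {"time": "2021-11-02T23:41:07", "id": "7045", "host": "FS02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2021-11-02T23:41:09", "id": "7045", "host": "FS02", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"time": "2021-11-15T04:02:51", "id": "4720", "host": "FS03", "TargetUserName": "clienttest"},
]

# Account names reported in this post. WDAGUtilityAccount is a legitimate built-in on
# Windows 10 desktops, so a 4720 creating it on a server is exactly what makes it notable.
WATCHLIST = {"domainadmin", "support1", "support2", "wdagutilityaccount", "clienttest"}


def suspicious_account_creations(events, watchlist=WATCHLIST):
    """4720 events whose newly created account name is on the watchlist."""
    return [e for e in events if e["id"] == "4720" and e["TargetUserName"].lower() in watchlist]


def psexec_service_installs(events):
    """7045 events matching the service PsExec registers on first use of a target host."""
    return [e for e in events if e["id"] == "7045"
            and "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()]


def lateral_movement_targets(events) -> List[str]:
    """Hosts that received a PsExec service install, in first-seen order."""
    seen: List[str] = []
    for e in psexec_service_installs(events):
        if e["host"] not in seen:
            seen.append(e["host"])
    return seen


def dwell_time_days(events, encryption_time: str, watchlist=WATCHLIST) -> int:
    """Days between the earliest watchlisted account creation and the encryption event."""
    hits = suspicious_account_creations(events, watchlist)
    if not hits:
        return 0
    first = min(datetime.fromisoformat(e["time"]) for e in hits)
    return (datetime.fromisoformat(encryption_time) - first).days
```

Renamed PsExec binaries change the service name, so in practice also compare the ImagePath against the list of services you expect on each server rather than relying on the PSEXESVC string alone.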
In the company's firewall logs, the team observed evidence of mass data exfiltration to a suspicious IP address that had both SFTP and RDP exposed and was hosted on a temporary server environment, which unfortunately lent credence to the threat of significant data theft and exposure. Implementing a server proxy and preventing direct-internet-out for servers to block unwanted outbound internet communications should be a major security goal.
Varonis Forensics identified evidence of FileZilla installation and usage on compromised servers in the USN journal. A snippet of the journal showing the malicious presence of the FileZilla installer is shown below.
Evidence of FileZilla installation from the USN journal.
Our investigation revealed thousands of requests to "Pastebin.com" were made by the compromised device in question ― likely, this was used both for tool ingress and potential data egress. However, the full extent is unknown.
Our investigation also revealed the presence and use of the Brave browser — the likely source of the DNS requests in question ― by the threat actor. If internet browsing is required from a compromised device, Brave is a common choice for threat actors due to its privacy-oriented design.
Evidence of Brave browser use revealed in USN journal.
After persisting in the network for a significant amount of time, performing reconnaissance across the environment, exploring file servers, and creating multiple backdoor access mechanisms, the attacker launched LockBit ransomware across multiple file shares. Our team helped the company determine the full scope of the incident using evidence collected from multiple servers. The threat actor made a surgical strike against critical file shares, rather than encrypting all reachable servers, demonstrating the importance of securing network access to sensitive data as much as possible.
The Varonis Forensic Team strives to help companies remediate, recover, and re-strategize cybersecurity postures after critical incidents such as this one. To that end, a list of generalized environment-hardening recommendations is provided below to help other organizations who face similar challenges.
Implement MFA on all identity-providing platforms: This includes VPN, Azure AD/Microsoft 365, remote access applications such as Horizon View, etc. Service accounts should be included as they are often overlooked — you can't claim full MFA coverage if you have even one domain account allowed to bypass it.
Implement Microsoft LAPS to manage local administrative accounts while reducing local admin permissions as much as possible.
Implement vulnerability assessment and management programs to support patch management and understand when servers or applications require critical attention. This is especially critical when hosting in-house developed applications exposed to the internet.
Strive to reduce privileges as much as possible — especially on service accounts. Often referred to as the concept of least privilege ― strive to provide accounts with the bare minimum amount of permissions for their job.
Seek to block direct internet-out for server environments and instead pass traffic through a proxy which can block unwanted communications.
Reduce the use of critical accounts on externally-facing servers to lower credential attack surface.
Ensure your AV/EDR deployment also protects your servers in addition to user endpoints.
Below we present the steps this threat actor took, mapped to MITRE ATT&CK tactics and techniques.
Initial access: Log4Shell exploitation of internet-facing application
T1190 ― Exploit public-facing application
Execution: Evidence of PowerShell and PSExec across multiple servers
T1059.001 ― PowerShell
T1059.003 ― Windows Command Shell
Persistence: Local account creation and software persistence via registry
T1547 ― Boot or logon autostart execution
T1136 ― Create account
T1133 ― External remote services
Privilege escalation: Mimikatz/abuse of password reset to gain access to domain admin account
T1078 ― Valid accounts
T1068 ― Exploitation for privilege escalation
T1003 ― OS credential dumping
Defense evasion: Indicator removal via file deletion
T1070.004 ― Indicator removal on host: file deletion
Credential access: Mimikatz/abuse of password reset to gain access to domain admin account
Same techniques as privilege escalation above
Discovery: "Advanced Port Scanner 2" utility abused for internal recon
T1046 ― Network service scanning
T1018 ― Remote system discovery
Lateral movement: PSExec and RDP were used for moving throughout the environment, likely with assistance from PTH/PTT attacks via Mimikatz
T1021.001 ― Remote services: remote desktop protocol
T1021.002 ― Remote services: SMB/Windows admin shares
T1550 ― Use alternate authentication material
Collection: Collected data was staged into ZIPs on the compromised host prior to exfiltration
T1560 ― Archive collected data
Command and control: TightVNC and PowerShell were both used for C2 operations by the threat actor
T1071 ― Application layer protocol
T1573 ― Encrypted channel
T1105 ― Ingress tool transfer
T1219 ― Remote access software
Exfiltration: SSL/SFTP usage to transmit data over the internet to ephemeral locations via FileZilla — it is also believed that data was transmitted over TightVNC/PowerShell sessions to some extent
T1573 ― Encrypted channel
T1041 ― Exfiltration over C2 channel
T1048 ― Exfiltration over alternative protocol
Impact: LockBit ransomware was deployed to encrypt portions of the environment
T1531 ― Account access removal
T1486 ― Data encrypted for impact
Indicators of compromise
The IP addresses and domains provided below are mostly owned by temporary server providers, such as DigitalOcean. As such, just because an IP appears in your logs does not necessarily mean the communication is malicious, as it is possible that contact with the IP address was outside of the time the attacker controlled it.
However, if you do see one or more of these IP addresses or the provided domain in your proxy, DNS, or firewall logs it should be investigated to ensure the events are not malicious in nature.
While "crash and burn" ransomware attacks do occur, an attacker is far more likely to live within an enterprise environment for a significant amount of time before encrypting data. During this period, the threat actor will seek to escalate privileges, perform internal discovery for sensitive data or additional footholds, exfiltrate critical data, and finally cause the destruction of stored data.
Deploying security solutions such as the Varonis Data Security Platform can help organizations detect these types of threats early in their lifecycle via machine learning and user behavior analysis — potentially preventing both the exfiltration and destruction of data. Varonis can also help organizations automate the response to ransomware activities to provide peace of mind, even when no one is awake to review critical alerts.