Published on May 9, 2019 09:15 UTC by GovCERT.ch. Last updated on May 9, 2019 10:10 UTC.
As we have seen an ever-increasing number of ransomware cases showing a rather sophisticated modus operandi, we are publishing a warning via the MELANI Newsletter along with this blog post, documenting technical details of the recent ransomware attacks against Swiss small and medium enterprises (SMEs). The goal of this blog post is to give you a better understanding of the various modus operandi of the most common ransomware families we have encountered hitting Swiss targets in the past months.
The initial foothold is gained by various methods, depending on the threat actor and the exposure of the victim. Common infection vectors are:
Once the attacker has gained access to the victim's network, they analyse the victim's environment (reconnaissance). From there, the modus operandi varies by threat actor: some attackers, such as LockerGoga, continue the attack themselves, whereas in the case of "normal" bot infections we believe that access to the infected devices is sold on dark net markets. In both cases, the threat actor drops additional malware for lateral movement. During that phase, the attacker also tries to steal credentials and infect more systems to get a more solid foothold in the victim's network. Once the attacker has infected enough systems and/or gained high privileges (such as Windows domain admin), they drop the actual ransomware and encrypt data and/or destroy systems.
A commonly observed pattern is that the threat actors use worm components to spread automatically in the victim's network (e.g. by exploiting known vulnerabilities in the victim's operating system) and/or steal credentials in order to increase their privileges.
In the following we are going to show three distinct malware families with their modus operandi.
Emotet (also known as Heodo) is being used as an initial dropper. Even though Emotet has been commonly known as an e-banking trojan and information stealer, it has become more of a dropper-like malware that is likely being sold on dark web markets on a pay-per-install basis. Currently, we see a lot of Emotet activity in Switzerland, commonly distributed through large malspam campaigns. The initial infection vectors are Office documents or JavaScript files. These are often placed on compromised web servers (links to which are then spammed out to potential victims) or directly attached to the spam email. Sometimes, Emotet uses information stolen from Outlook mailboxes to distribute itself further with credible sender addresses and subject lines (email thread hijacking).
The current AV detection rate of Emotet is still low, mainly because it has polymorphic elements that reduce the coverage of traditional antivirus products. One trick Emotet uses is a so-called dummy program that is launched first; only after that does the unpacking happen and the actual malware get loaded. This polymorphism is built directly into the distribution mechanism, so that downloaded samples appear to be different binaries at first glance, even when they are downloaded in short succession. In the ransomware attacks, we have observed the attackers dropping Trickbot components.
Trickbot is a very modular malware. The most important Trickbot modules that allow the attacker to move laterally are the following:
An experiment performed by Palo Alto in July 2018 showed that Emotet/Trickbot infected a vulnerable Windows domain controller within 20 minutes of the initial infection of a client.
Once the threat actor has gained enough privileges, they eventually drop Ryuk. Ryuk is a very capable ransomware that does the following:
vssadmin.exe delete shadows /all /Quiet
For more information about Ryuk, Check Point did a good write-up here.
We have seen various cases in Switzerland where organisations have been badly hit by this threat, and we are aware of even larger damage in Germany. Please note that variations have also been observed, e.g. malware other than Ryuk being used, or different or unknown infection vectors.
LockerGoga became (in)famous for its attacks against Norsk Hydro, Hexion, Momentive and others. It is a rather new ransomware that first emerged at the beginning of 2019.
The attackers target services that are exposed to the Internet and penetrate the network from there. There is unconfirmed information that the group also used spear phishing as an initial attack vector. Once they have a foothold in the organization, they begin to move laterally, either via RDP with the help of stolen credentials or by using PsExec and manually copying files via SMB. PsExec is used especially for the last step: the execution of batch and PowerShell scripts as well as the final execution of LockerGoga on as many devices as possible. For the lateral movement and the control of their footholds, the attackers commonly use Cobalt Strike, a commercial pentesting/post-exploitation framework that is well documented by its authors here. The attackers go after the Active Directory in order to gain as many privileges as possible, using adfind.exe.
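The two chains above leave very similar traces in process-creation telemetry: Ryuk's "vssadmin.exe delete shadows /all /Quiet" before encryption, and the LockerGoga group's adfind.exe reconnaissance followed by PsExec execution. The following detection logic is an added example written for this post, not code from GovCERT.ch or any vendor; the sample events, their key=value layout and the rule names are constructed for illustration, modelled loosely on the fields of a Windows process-creation event.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry (not real logs). The key=value layout is an assumption, modelled
# loosely on the fields of a Windows process-creation event (Sysmon ID 1 / Security 4688).
SAMPLE_EVENTS = r"""
2019-05-09T08:12:01Z host=WS01 user=CORP\jdoe image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n invoice.doc"
2019-05-09T08:40:17Z host=WS01 user=CORP\jdoe image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c adfind.exe -f objectcategory=computer"
2019-05-09T09:02:44Z host=WS01 user=CORP\svc_backup image="C:\Windows\PSEXESVC.exe" cmdline="C:\Windows\PSEXESVC.exe"
2019-05-09T09:03:10Z host=FS01 user=CORP\admin image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /Quiet"
2019-05-09T09:05:00Z host=FS01 user=CORP\admin image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"
"""

# key=value pairs; values may be quoted (may contain spaces) or bare (no spaces)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str

    @property
    def basename(self) -> str:
        """Lower-cased file name of the executable, e.g. 'vssadmin.exe'."""
        return self.image.lower().rsplit("\\", 1)[-1]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(rest)}
        events.append(Event(ts, fields.get("host", ""), fields.get("user", ""),
                            fields.get("image", ""), fields.get("cmdline", "")))
    return events


def rule_shadow_copy_deletion(e: Event) -> Optional[str]:
    # Ryuk's "vssadmin.exe delete shadows /all /Quiet": a delete that also names shadows.
    # Listing shadows with the same binary is routine admin work and must not fire.
    cmd = e.cmdline.lower()
    if e.basename == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow_copy_deletion"
    return None


def rule_psexec(e: Event) -> Optional[str]:
    # PsExec client on the source host, or the PSEXESVC service binary it installs on the target.
    if e.basename in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        return "psexec_remote_execution"
    return None


def rule_adfind(e: Event) -> Optional[str]:
    # adfind.exe used for Active Directory reconnaissance, directly or via a shell wrapper.
    if e.basename == "adfind.exe" or "adfind.exe" in e.cmdline.lower():
        return "adfind_ad_recon"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [rule_shadow_copy_deletion, rule_psexec, rule_adfind]


def detect(text: str) -> List[Dict[str, str]]:
    """Run every rule over every event and return one alert per hit, in event order."""
    alerts = []
    for e in parse_events(text):
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append({"ts": e.ts, "host": e.host, "user": e.user, "rule": hit})
    return alerts


def hosts_by_severity(alerts: List[Dict[str, str]]) -> Dict[str, str]:
    """One rule firing on a host is a lead; two different rules on the same host match the chain
    described in the post (recon then remote execution, or remote execution then shadow deletion)."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return {h: ("high" if len(rules) >= 2 else "medium") for h, rules in per_host.items()}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(hosts_by_severity(detect(SAMPLE_EVENTS)))
```

The rules are deliberately narrow (the executable name plus the distinguishing arguments) so that legitimate administration, such as listing shadow copies, does not fire; the per-host correlation is what turns single leads into an alert worth waking someone up for.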
Upon starting LockerGoga, a parent process is created that can spawn as many child processes for encryption as needed and possible (until CPU utilisation reaches around 90%). For encryption, LockerGoga uses the Crypto++ library. It uses AES as the symmetric algorithm with a key length of 128 bits in CTR mode; others claim it uses AES-256. The session key and the initialisation vector are encrypted asymmetrically with RSA and appended to each file. The necessary public key is hard-coded in the binary. LockerGoga tries to lock out users by setting a new password and forcing a logoff. It disables network interfaces as well. LockerGoga binaries are often digitally signed with certificates from various CAs such as Sectigo or Alisa Ltd.
Emotet/Trickbot/Ryuk and LockerGoga are just two examples of the current ransomware threat landscape. However, there are many more ransomware families that may cause huge damage. What follows is a short and certainly not comprehensive list:
Apart from the usual countermeasures we have written about in the most recent MELANI Newsletter, there are more things to consider in order to reduce the attack surface. We cannot provide full coverage of what is possible and what needs to be done, but rather try to give you some hints and thoughts on what could be done beyond the obvious.
Notes about Backup and Restore
The most important countermeasure is having a sound backup strategy that is tested and also covers worst-case scenarios. Please consider the following points when implementing or reviewing your current strategy:
Network Segmentation
You should consider having good network segmentation. Even in times where many people propose de-perimeterisation and moving every protection mechanism to the endpoint, we believe that good network segmentation and the isolation of critical systems are of great value when an infection happens. It may not prevent the actual infection, but it limits the speed of any worm-like spreading and poses additional obstacles for the attacker. This may eventually lead to their detection, because the likelihood that the attacker makes a mistake during lateral movement rises with every barrier they have to cross. Good internal intrusion detection systems (IDS) that watch for unknown traffic and have current signature sets at hand may alert before too much damage has occurred. Always segment between office automation and industrial control systems. Never expose industrial control systems directly to the Internet, nor to your business network that has Internet access. Do not forget that network devices might also be targeted and that these should be kept at a current patch level.
Gateway
There are several good measures on the gateway level:
Remote Access / Internet Facing systems
This is currently one of the main attack vectors and these systems must be carefully protected:
Authentication
Always implement a second factor for any Internet-facing system as well as for any privileged account. Follow the principle of least privilege when granting access from the outside. The higher the privilege, the more important good authentication becomes.
On endpoints and servers
The protection of endpoints would be a blog post of its own; however, there are a few things we would like to mention:
Active Directory
The Active Directory (AD) is one of the most important assets, and organisations must take care to ensure its integrity. We cannot give a full security recommendation on how to protect your AD, but we would like to mention a few important points:
On data storage
A lot of security can also be achieved by configuring your data storage devices correctly and adding additional security there:
We have outlined a more comprehensive approach at the architecture level. We are aware that it is difficult to implement this 1:1, but it may serve as a source of ideas when new storage areas are defined and implemented.
If the data storage is distributed over different zones, chances to survive a ransomware attack are greatly increased.
The first storage zone contains the normal data storage that is accessible to the users. This is where normal backups are made and from where a regular transfer to a second storage zone takes place. The second storage zone should contain a delayed copy of the first zone. The transfer is only performed after some checks have succeeded (entropy checks to detect encrypted files, watermarks, plausibility checks based on timestamps and hashes). If any anomaly occurs, the synchronisation process is stopped and an alert is raised. Another check is done between the second storage zone and the backup zone.
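The checks that gate the transfer from the first to the second storage zone can be kept quite simple, as this added example shows. It is written for this post and is not GovCERT.ch tooling; the thresholds, the canary file name, the "zone1"/"zone2" directories and the sample files are all assumptions constructed for the demonstration. The sync is halted, and the anomaly list returned as the alert, whenever the watermark file changed, a non-compressed file shows encryption-like entropy, a modification time lies in the future, or more than a chosen share of files changed since the last successful sync.

```python
import hashlib
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

# Tunables below are assumptions for this example, not values from the GovCERT.ch post.
ENTROPY_THRESHOLD = 7.5          # bits/byte; office documents and text sit far below this
MIN_SIZE_FOR_ENTROPY = 256       # tiny files give noisy entropy estimates, skip them
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".docx", ".xlsx"}
WATERMARK_NAME = "_canary.txt"   # known file whose content must never change
MAX_CHANGED_RATIO = 0.5          # halt if more than half of the files changed since last sync
CLOCK_SKEW = 300                 # seconds a modification time may lie in the future


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant file, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(zone: Path) -> dict:
    """Map of relative path -> SHA-256 for every file in the zone."""
    return {str(p.relative_to(zone)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in zone.rglob("*") if p.is_file()}


def check_zone(zone: Path, watermark_hash: str, previous: dict) -> list:
    """Return the anomalies found in zone 1; an empty list means it is safe to replicate."""
    anomalies = []
    now = time.time()
    current = file_hashes(zone)
    if current.get(WATERMARK_NAME) != watermark_hash:
        anomalies.append("watermark missing or modified")
    for rel, _digest in current.items():
        path = zone / rel
        data = path.read_bytes()
        ent = shannon_entropy(data)
        if (len(data) >= MIN_SIZE_FOR_ENTROPY and ent > ENTROPY_THRESHOLD
                and path.suffix.lower() not in COMPRESSED_SUFFIXES):
            anomalies.append(f"high entropy {ent:.2f} in {rel}")
        if path.stat().st_mtime > now + CLOCK_SKEW:
            anomalies.append(f"timestamp in the future on {rel}")
    if previous:  # hashes from the last successful sync; a mass change is itself suspicious
        changed = sum(1 for rel, d in current.items() if previous.get(rel) != d)
        if changed / max(len(current), 1) > MAX_CHANGED_RATIO:
            anomalies.append(f"{changed}/{len(current)} files changed since last sync")
    return anomalies


def sync_zone(zone1: Path, zone2: Path, watermark_hash: str, previous: dict) -> dict:
    """Replicate zone 1 into zone 2 only when every check passes; otherwise halt and alert."""
    anomalies = check_zone(zone1, watermark_hash, previous)
    if anomalies:
        return {"status": "halted", "anomalies": anomalies, "hashes": previous}
    shutil.copytree(zone1, zone2, dirs_exist_ok=True)
    return {"status": "synced", "anomalies": [], "hashes": file_hashes(zone1)}


def demo() -> tuple:
    """Constructed scenario: a clean sync, then a sync after the documents were replaced by noise."""
    root = Path(tempfile.mkdtemp())
    zone1, zone2 = root / "zone1", root / "zone2"
    zone1.mkdir()
    canary = b"storage canary - do not edit\n" * 8
    (zone1 / WATERMARK_NAME).write_bytes(canary)
    wm_hash = hashlib.sha256(canary).hexdigest()
    for i in range(3):
        (zone1 / f"report{i}.txt").write_text("quarterly figures and plain prose\n" * 40)
    (zone1 / "photo.jpg").write_bytes(os.urandom(4096))  # compressed format: high entropy is normal
    first = sync_zone(zone1, zone2, wm_hash, {})
    # Simulate what a ransomware run leaves behind: every document and the canary replaced by noise.
    for p in zone1.glob("report*.txt"):
        p.write_bytes(os.urandom(4096))
    (zone1 / WATERMARK_NAME).write_bytes(os.urandom(4096))
    second = sync_zone(zone1, zone2, wm_hash, first["hashes"])
    shutil.rmtree(root)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print(before["status"], after["status"], after["anomalies"])
```

The entropy test alone would flag every archive and image, which is why already-compressed formats are exempted and why the watermark and mass-change checks exist alongside it: an attacker-controlled file name or extension cannot defeat a canary whose hash is known out of band, and a wholesale change of the data set between two syncs is suspicious regardless of what the bytes look like.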
Database servers
Please be aware that attackers might also encrypt database servers, which can exceed the damage of classical file encryption.
During the incident
Being hit by ransomware should be considered in every business continuity plan and disaster recovery plan. It has both technical and organisational components. Most crucial is having a plan to resume operations as quickly as possible, even if this means being able to switch certain processes to an analog mode. It is also important to have a communication strategy. We always recommend being as transparent as possible; based on our experience, public opinion is favourable if an organisation informs openly about the current status and the actions that are being taken. If an incident is well handled, reputational damage is minimal. It is important to stay calm during the incident, not to overreact, and to avoid making mistakes that may make the incident even worse. A few important points to consider:
Cobalt Strike
We would like to thank Swisscom CSIRT for providing precise and up-to-date Cobalt Strike IOCs.
hXXp://dopearos[.]com:443/zDJT
hXXp://dopearos[.]com:443/submit.php
hXXp://dopearos[.]com:443/en_US/all.js
hXXp://dopearos[.]com:443/
hXXp://dopearos[.]com:443/8WyT
dopearos[.]com
Emotet/Trickbot
LockerGoga