Arete investigates a lot of ransomware attacks. In fact, 90% of our business is helping organizations big and small, recover from and investigate ransomware attacks. Variants like Maze, Sodinokibi, WastedLocker, Ryuk, Conti, Dopplepaymer, Dharma and countless others are extremely active every day of every week. Whether they are hacking into an organization and deploying their ransomware or they are responding to emails to negotiate the release of decryption keys, these groups will continue to operate with the main focus of disrupting businesses by encrypting files, stealing data and waiting to receive payment for decryption keys.
One of the common themes across our client organizations is their reliance on anti-virus (“AV”). When discussing the initial facts of a ransomware infection and learning about their environment, I usually ask “Do you use AV and what is the name?” All the clients respond with “yes, we use AV” and the software used are across the board. Bitdefender, Windows Defender, Sophos, McAfee, Symantec, TrendMicro, and Webroot are among the common responses; and they all offer ransomware protection.
The products themselves are great. They stop a large majority of malware. They have been pioneers in the computer security industry. They have built networks and distribution systems for virus definition updates. They have even built out response teams to gather intelligence from client’s networks who have suffered a breach in order to make their products better to aid other customers. There have been countless tests of their products and rankings from non-lab environments up to Gartner reports. Even TechRadar’s recent article “Do I really need antivirus for Windows 10?” highlights the need for AV and lists some great recommendations. I do encourage you to read the article, but the summary of it is “Yes. You need AV”. In fact, your organization needs more than just AV, it needs a true endpoint protection that leverages Artificial Intelligence (“AI”) as well as real time updates to its rule sets (notice how I did not state virus definitions? More on that later).
As a computer security aficionado, incident responder, trusted advisor, and empathetic human, it pains me to find out these reputable products repeatedly fail protecting large and small networks from malicious activities performed by these threat actors. Organization after organization purchase these licenses, deploy the product then at some point in the future become a victim of a cyber-attack. Simply purchasing AV software and deploying it, is no longer good enough.
The intent of this article is to demonstrate where traditional AV capabilities fall short based on the Tactics, Techniques, and Procedures (“TTP”) used by the threat actors. Again, the AV products I mentioned earlier are great products. There is nothing wrong with their ability to detect malware and prevent it. If those products are in use, then implementing compensating controls can enhance detection of unauthorized access and minimize the success of an attack.
Traditional AV and EDR Defined
For the purposes of this article, I am going to draw a vast difference between “traditional AV” and Endpoint Detection and Response (“EDR”) software. I have generalized the functionality to not specifically compare product by product, rather I intend to compare the category of traditional AV to EDR tools.
- Traditional AV – Definition based or signature scanning that searches for a known-known. Meaning, if the malware is known by the security community, the product should identify it. Some of the products may also have passive endpoint behavioral monitoring.
- EDR software – Some developers are calling their products Next Generation AV. EDR tools offer traditional AV scanning, AI detection, active EDR monitoring, and restoration.
- AI detection – the EDR agent will monitor the system and examine the calls or events specific processes make on the system or across the network. The agent then analyzes these events and if the events are determined to be malicious, the processes are stopped.
- Active EDR monitoring – These EDR agents can be monitored by a Security Operations Center (“SOC”) for additional support, triage, threat hunting and quicker response to threats including centralized logging of activity for historical analysis or forensics, near instant detection, and immediate containment.
- Tamperproof agent – The agent on the endpoint cannot be uninstalled by an administrator account. Rather, uninstall must be initiated from the central software console.
- Restoration – Some EDR solutions leverage windows volume shadow service to create a snapshot of the system and if a threat is detected, roll the system back to a clean state all the while retaining vital forensic evidence from the event.
Right from the start, the EDR tools offer three critical components as compared to traditional AV: AI detection, active EDR monitoring, and tamperproof agents. These components align well with protection computers any time and anywhere.
The threat actors, in a large majority of ransomware attacks, follow a very similar attack sequence across variants and across matters:
- Identify a target or victim – usually by scanning for misconfigured system, phishing email, or watering-holeweb attack
- Exploit target – Gain access to the target system.
- Reconnaissance – Examine the target system ß this is THE critical step.
- Escalate privileges – Obtain administrator credentials for the system or the domain.
- Establish persistence – Create a backdoor to allow re-entry into the network.
- Lateral movement – Identify additional systems on the network such as domain controllers or backups.
- Data exfiltration – Package up and steal data for additional extortion.
- Deploy ransomware – Encrypt files and wait for contact from the victim.
The attack flow listed above has been simplified from other theories that exist in the cybersecurity community. This flow is intended to simply depict the sequence of steps the attack follows across each attack. I’ve purposefully highlighted step 3 Reconnaissance to examine it further against the TTPs of these threat actors.
Threat Actor TTPS
Once a threat actor gains access to the target system, there is a wealth of information the threat actor can gather from that single system. Information about the domain name, previously logged on users, privilege level of the logged-on account, running applications, and available hosts within the network. This information is easily obtained by running a few commands which are resident on any Windows system.
The most important piece of information they can obtain after gaining access is about the security software on the system and the privilege level of the account.
- Privilege level of the account will determine how the attack can disable or modify security software to prevent the detection of their attacker tool package they may intend to copy to the system. Privilege level will also determine what additional system resources they would have access to as that user.
- Security software installed on the system will give perspective to the threat actor on the organization’s approach to security as well as determine ways to disable the software from scanning and alerting.
During many investigations, Arete Incident Responders have observed threat actors gaining access to systems, then returning days or weeks later with customized batch scripts or PowerShell scripts designed to disable AV and backup products from functioning correctly.
Examples of scripts and tactics recovered from investigations:
- Batch script to unload the virus definitions from Microsoft Defender. Once the definitions were unloaded, the AV scanning engine would be useless because it would not know what to look for. This is creative as it does not disable the running service that may cause an alert that the Defender service stopped on a system. Instead, the threat actor chose to unload the definitions in hopes that those events are not monitored by a log aggregator.
- Batch script to disable Symantec Endpoint Protection (“SEP”). The threat actor had already gained access to the system with escalated privileged, aka Administrator account. They ran the script to disable the SEP services. The victims’ environment was not configured to alert when the SEP services were disabled.
- Batch script to white list specific folders. The TA essentially used the white listing or exclusion functionality against the AV product. Once executed, the script added a specific folder to be excluded from AV scanning then used that folder to stage their tools.
- Dumping of browser cached credentials to obtain usernames, passwords, and logon URLs for centrally managed AV products. Once the threat actor gained access to the central console, they disabled AV scanning for all the available hosts.
In each of these scenarios above, the actions performed were not through malware. Rather, the threat actor had interactive access to the system and was able to a variety of methods to disable AV prior to downloading their tools, living-off-the-land (“LOTL”) and ultimately ransomware payloads. The AV did not even have a chance to detect the malware because it was disabled prior to the malware reaching the system.
EDR enhanced protection
Arete Incident Responders respond to incidents with a large toolkit of cybersecurity products. The tool of choice to investigate, contain, and eradicate ransomware threats for Arete IR is SentinelOne. Once deployed, the agent cannot be uninstalled by a typical administrator account. Additionally, access to the central console is limited, invite only, and multi-factor authentication is used.
Understanding the actions, the threat actors perform during their reconnaissance phase, traditional AV products have a high chance of missing those actions. Whereas a next generation endpoint protection tool like SentinelOne would inhibit the threat actor’s ability to successfully recon the environment.
- Scripts to unload definitions: SentinelOne would detect any attempts to modify the agent causing an alert within the central console as well as blocking the process from continuing.
- Scripts to whitelist or exclude directories: Exclusion of directories from scanning can only be modified via the console interface. The endpoint itself cannot modify the exclusion list.
- Dumping of cached credentials from the browser: Detection of these tools are commonly identified as Potentially Unwanted Application or Program (PUA/P). SentinelOne would detect these and prevent them from executing.
- Scripts to disable the SentinelOne agent would fail. The agent itself can only be uninstalled by initiating uninstall from the console or by using a pass phrase obtained from the central console. The pass phrase is uniquely generated for each endpoint.
In addition to the power of the tamper proof agent from SentinelOne, the attempts of modifying or abnormal activity by the user account would be detected by the AI scanning engine which would create an alert. The alert could then be triaged quickly to identify unauthorized access and, by using a new feature not previously discussed, SentinelOne could isolate the system from the network.
Network isolation, as it pertains to SentinelOne, allows the incident responder to disable network connectivity for that endpoint except for connection to the console. This would remove the threat actor from accessing that system and allow the incident response team to continue their investigation.
The observations made by Arete Incident Responders has identified threat actors are aware of the environment they penetrate. Instead of just blindly copying their tools to the compromised systems, the threat actors are looking for installed security software to minimize alerts by disabling or bypassing the security software. The commercially, widely, and easily available AV products have limitations with being tamperproof and can be removed by the threat actors because of the escalated privileges they have obtained. Organizations should move either implement compensating controls for traditional AV solutions to detect any changes to the software or implement an ERD solution like SentinelOne to inhibit and prevent future success from these threat actors.