By Jaycee Roth
It is 6:30 AM on a Monday morning and you are startled awake by a phone call. It is Veronica, a long-time employee, complaining that she cannot access any of the data on the shared D: drive – a drive critical to the organization’s operations. You roll out of bed and make your way across the room, the soft glow of your desktop welcoming you to start the day from your home office. You are greeted by the login screen, type in your 16-character password, navigate to the D: drive and in that moment realize it no longer exists. You attempt to ping the server where the D: drive was located, and it does not reply. You log in to your vSphere host to check what could be causing the issues on your virtual servers. Panic begins to set in as you see there are no machines available. You reboot the virtual hosts, scratching your head and thinking this must be a mistake. Upon reboot you notice a small text file. Opening it, it reads:
“As you probably understood, we have stollen big volume of data from your network. Mainly, we stole data using our smart filters from all your servers- full dump of your network. We may discuss the volume of stolen data. To sum up, we have destroyed your system and infrastructure. We would like to suggest you think twice and think about the problems associated with GDPR. After 24 hours, in case of non-dialog 20% of your actual data will be publicised. We stole approximately 1 TB of your data. Have a nice day”
Data as a Hostage, or DasH, is when threat actors use a combination of exfiltration (copying data from the victim network to an attacker-controlled asset) and digital vandalism (deletion of data) to disrupt businesses and their operations. Threat actors infiltrate the network, identify and copy out sensitive or mission-critical data, and then proceed to delete the data, and in some instances the virtual machines as well. A ransom note is typically left behind notifying the victim of the stolen data and demanding that a payment be made within a certain time frame, or the stolen data will be published or permanently deleted. In some cases, we have observed the threat actor quite brazenly email the ransom note to everyone in the company address book – presumably because the address book was among the exfiltrated data. The bottom line is that if your firm does not have a solid data backup plan to restore the deleted data, there may be no other choice than to pay the threat actors their ransom demand.
We are seeing a trend where threat actors, who historically would have gained unauthorized access to a firm’s network to propagate ransomware, have shifted to DasH. Threat actors are copying large volumes of data from a victim’s environment and subsequently deleting that source data. We have observed files such as PDFs, Microsoft Office documents, database files, and other critical user data, as well as full virtual machines, being deleted from the environment.
Because the attacker must first exfiltrate a large volume of data and then delete the source data, the compromise lasts much longer. Interestingly, this is a disadvantage for the threat actor: the additional time required in the environment to move large volumes of data raises the risk of being caught or disconnected from the network mid-attack.
Why would threat actors shift from traditional ransomware to DasH? Ransomware has in the past been successfully reverse engineered by prominent cyber security firms, resulting in working decryption tools for that variant. However, breaking ransomware encryption is very rarely successful and is typically only accomplished on amateur variants. The shift to DasH eliminates any opportunity to find a workaround to decryption through reverse engineering. This tactic is growing in popularity because, with the data deleted and no option to decrypt, it essentially compels the victim to pay the ransom.
The motivation behind this trend is the rising popularity and implementation of Endpoint Detection and Response (EDR) platforms. EDR solutions have become so good at detecting and terminating malware that they are noticeably impacting threat actors’ revenue streams and therefore forcing them to shift their tactics. An EDR tool is an advanced endpoint protection solution with Artificial Intelligence (AI) and Machine Learning (ML) capabilities. It is basically an antivirus on steroids. EDR platforms have proven to be very effective at mitigating ransomware attacks. With the growing prominence of EDR platforms and the need for them to help combat today’s sophisticated attacks, they are becoming more accessible and affordable for small and medium-sized businesses to implement. This has left attackers with a shrinking pool of potential victims and with these limited options:
- Continue to feed from a shrinking pool of victims.
- Close for business – we all know this is never going to happen.
- Shift their tactics, work smarter, and go after the next tier of victims.
The whole objective of EDR platforms is to secure endpoints against known and unknown attacks, including malware and exploits, before they can compromise a system. EDR platforms are still an extremely useful solution in the prevention of a threat actor intruding and establishing a foothold in a victim’s environment, but no single solution is perfect. EDR solutions, though more stringent than traditional or legacy antivirus, can still be defeated.
Essentially, once an attacker successfully enters the environment, they can move laterally throughout the network, traversing files and folders for valuable data. When the data is identified, the threat actor will perform data staging – compressing data to a smaller size so that it can be uploaded or downloaded more quickly. Forensic analysis to identify data staging involves looking for newly created archive files as well as evidence of access to file compression tools. The threat actor would then use a File Transfer Protocol (FTP) client such as FileZilla or WinSCP, or direct access to cloud repositories, to exfiltrate the data. Using FTP or a cloud repository is not inherently malicious and would not be stopped by EDR tools or antivirus. The threat actor would then securely delete the data from the environment, and in some cases the full virtual machine, which again would not trigger an EDR or antivirus alert.
Once a victim’s data has been exposed to an unauthorized third party, legal obligations to notify impacted customers are triggered. The specific data breach requirements depend on where the company is based. From a digital forensic perspective, the deletion of operating system data or entire virtual machines removes forensic visibility into the incident. Deletion of the virtual machines is a form of anti-forensics that covers the threat actors’ footprints: it completely erases any possibility of reconstructing malicious activity on those deleted machines. To simplify the idea of forensics, we contrast it with playing connect the dots. Each system or host is a dot, and the analyst is the pen that connects the dots to reconstruct the incident and show a full picture of what happened during an attack. The more dots that are erased, the less clear the picture is, and if all dots are erased there is no picture at all.
The landscape is changing, and organizations are going to have to adapt to protect themselves from this rising threat. Organizations are encouraged to continue securing their environments with EDR tools such as SentinelOne, as they are critical in ensuring the network is protected from malicious activity. However, an EDR solution by itself is not enough to ensure you are protected. Security should be viewed as a defense-in-depth approach, where the more layers you have, the more secure you are. To help combat this new threat, we would suggest considering the implementation of a Security Information and Event Management (SIEM) system. A SIEM collects log data from across the environment into a centralized platform and retains it for a period of time. It can usually be configured with rules that trigger alerts when particular events occur within the environment. In a situation where hosts are being completely deleted from the network, having a SIEM would preserve forensic visibility into the incident because the log data would be retained off the affected hosts. Exfiltration takes place at the network level. Corporations do not normally log all traffic events on the firewall due to the volume of data they receive, but a firewall configured to capture and log data egress is recommended. Another measure is a network intrusion detection or prevention system (NIDS/NIPS), which detects threats by inspecting incoming and outgoing internet traffic. A Data Loss Prevention (DLP) system could also be considered; this type of technology is used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
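The forensic indicators described above (new archive files, compression tools, bulk egress, deleted virtual machines) can be turned into the kind of SIEM correlation rule this section recommends. The following is an added example, not code from the author or any SIEM vendor: it classifies constructed endpoint and firewall events into stages of the DasH chain and raises an alert per host when staging is followed by bulk egress to a non-RFC1918 address, escalating if VM files are deleted afterwards. The event field names, size thresholds and six-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime as dt, timedelta
from ipaddress import ip_address, ip_network

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")
COMPRESSION_TOOLS = {"7z.exe", "winrar.exe", "rar.exe"}
VM_EXT = (".vmdk", ".vmx", ".vhdx")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def classify(ev):
    """Map one event to a stage of the DasH chain, or None if uninteresting."""
    t = ev["type"]
    if t == "file_create" and ev["path"].lower().endswith(ARCHIVE_EXT) and ev["size_mb"] >= 100:
        return "staging"      # large new archive: likely data staging
    if t == "process_start" and ev["image"].lower() in COMPRESSION_TOOLS:
        return "staging"      # compression tool launched
    if t == "net_egress" and not is_internal(ev["dst"]) and ev["mb_out"] >= 500:
        return "exfil"        # bulk upload to a non-RFC1918 destination
    if t == "file_delete" and ev["path"].lower().endswith(VM_EXT):
        return "vm_delete"    # VM files removed: anti-forensics / vandalism
    return None

def correlate(events, window=timedelta(hours=6)):
    """One alert per host where staging precedes bulk egress within the window;
    a VM deletion seen afterwards on any host (e.g. the hypervisor) escalates it."""
    first_seen = defaultdict(dict)   # host -> stage -> first timestamp
    deletions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage == "vm_delete":
            deletions.append(ev["ts"])
        elif stage:
            first_seen[ev["host"]].setdefault(stage, ev["ts"])
    alerts = []
    for host, s in first_seen.items():
        if "staging" in s and "exfil" in s and timedelta(0) <= s["exfil"] - s["staging"] <= window:
            wiped = any(s["exfil"] <= d <= s["exfil"] + window for d in deletions)
            alerts.append({"host": host, "severity": "critical" if wiped else "high"})
    return alerts

SAMPLE = [  # constructed sample telemetry, not real data
    {"ts": dt(2021, 3, 1, 1, 5), "host": "FS01", "type": "process_start", "image": "7z.exe"},
    {"ts": dt(2021, 3, 1, 1, 9), "host": "FS01", "type": "file_create", "path": "C:\\Temp\\all.7z", "size_mb": 800},
    {"ts": dt(2021, 3, 1, 2, 30), "host": "FS01", "type": "net_egress", "dst": "203.0.113.7", "mb_out": 790},
    {"ts": dt(2021, 3, 1, 4, 0), "host": "ESX01", "type": "file_delete", "path": "/vmfs/volumes/ds1/FS01/FS01.vmdk"},
    {"ts": dt(2021, 3, 1, 9, 0), "host": "WS22", "type": "net_egress", "dst": "203.0.113.9", "mb_out": 600},
]
```

Running `correlate(SAMPLE)` flags FS01 as critical (staging, egress, then VM deletion) while WS22, which only shows egress with no staging, produces no alert.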