Sciblog

blog.scilabs.mx

Uncategorized 

Recommendations: Before, during and after ransomware attack

SCILabs

Current ransomware landscape in LATAM

This publication presents a series of recommendations in response to the continuous and growing wave of ransomware attacks in Latin America.

Based on SCILabs telemetry and information collected from both public and private sources, it was identified that during the first half of 2023, attacks were carried out in at least 16 countries in Latin America. At least 15 specialized threat groups carried out these attacks.

The most active families or groups, at least during the first half of 2023, are listed below.

  • LockBit 3.0: 46.5%
  • 8Base: 11.1%
  • BlackCat: 9.1%
  • Cl0p: 8.1%
  • Medusa: 7.1%

Figure 1. Graph of ransomware groups present in LATAM during 1H2023

 

It is important to highlight that LockBit 3.0 remains the top spot on the list, maintaining this position since at least the first half of 2022. This group has constantly evolved, adjusting, and improving its TTPs (Techniques, Tactics, and Procedures) and partner model.

On the other hand, we have observed a significant growth in the appearance of new groups, such as 8Base and Medusa, which have increased the frequency of their attacks in the region.

The following graph shows the sectors and industries most affected by these threats, according to SCILabs telemetry.

Figure 2. Graph of sectors most affected by ransomware in LATAM during 1H2023

 

It can be noticed that the sectors most affected by this type of attack are the service, industrial, and financial sectors. The repercussions of an attack in any of these sectors can trigger attacks in the supply chain, impacting the direct victim and causing collateral damage that can affect various companies worldwide. A recent example is the attack by RansomHouse against the company IFX Networks in September 2023, which involved more than 700 companies internationally, unequivocally demonstrating the global nature of these incidents.

 

How could a ransomware attack affect organizations?

If a ransomware attack is successful, threat actors could steal, encrypt, and leak all kinds of information from victim organizations, which could lead to disruption in operations, financial loss, compromise of sensitive information, and loss of reputation and trust in the organization.

Therefore, organizations must be aware of the TTP (Tactics, Techniques, and Procedures) of this type of threat, as well as the recommended measures to minimize the probability of being infected and to know how to act in case of compromise by some ransomware family.

 

How to prevent or reduce the impact of a ransomware attack?

Organizations must have proactive security strategies that prevent malware attacks and, when necessary, carry out a correct response and the subsequent recovery from a computer security incident. SCILabs makes the following recommendations that can be considered to prevent and reduce the chances of suffering a ransomware attack.

 

Preparation focused on methodology for the response

  • Have a regulatory framework that dictates the policies to be followed by regular employees when detecting a possible phishing email, as well as the guidelines that system administrators and third parties must adhere to follow up on the event, reducing the possibility of an attack through this means since multiple threats use it as the main distribution method.

 

  • Have a continuity plan that considers maintaining business continuity during a “Cyberattack based on ransomware” as part of its scenarios.

 

  • Have an incident response process that contains a communication plan focused on managing the crisis during an incident at all levels of the organization, which indicates what can be said to customers, employees, and public opinion if required.

 

  • Conduct ransomware-related attack simulations to determine the capacity of the organization’s incident response team to confront the threat; if the organization does not have an internal incident response team, have a pre-contracted external one that can support the organization according to its needs, ensuring that the process is based on intelligence in such a way that attacks the threat by understanding the threat actors behind it.

 

Improvements in the general strategy or processes

  • Constantly provide awareness courses on social engineering attacks and prevention of malware infections to your collaborators to make them aware of the threats to which they may be exposed.

 

  • Carry out permanent awareness campaigns focused on educating users about ransomware using targeted phishing tests that allow us to detect those with less knowledge of the threats and provide them with a particular type of training. According to our telemetry, phishing is usually the most common means of malware distribution, so we suggest at least doing the following:
    • Verify that the email’s subject, sender, and content are consistent.
    • Avoid opening suspicious links or attachments.
    • Do not send sensitive or confidential information to unknown senders.

 

  • Establish a well-defined alert protocol so that members of your organization can report unusual computer activity or a possible cyber-attack and know how to act in an emergency.

 

  • Avoid opening links and downloading attachments from unknown or suspicious emails or web pages since they may contain malware.

 

  • If possible, it is highly recommended to establish a strict policy in your organization through controlled access lists to prevent any threat actor from using legitimate tools with potential malicious use (PUA).

 

  • If the organization has legacy or unsupported servers or equipment, keeping them on an isolated, monitored, and protected network is highly recommended to prevent them from being easily compromised.

 

  • Plan and periodically perform security testing of your infrastructure and applications to identify if vulnerabilities exist so you can mitigate them before a threat actor exploits them.

 

  • Avoid enabling the content of suspicious documents or those that have not been issued by reliable sources since, being a valid method for applications, it can be easily executed to carry out malicious activities in the operating system.

 

  • If possible, turning off Microsoft Office macros or, failing that, allow, through a GPO policy, only those that were digitally signed to be executed.

 

  • Maintain an out-of-band (OOB) management network for the administration of your critical services so that they can only be accessed by specific users.

 

Preparation focused on prevention

  • Have a plan for managing vulnerabilities at the level of the entire organization, which includes the providers directly connected to it, so that it promptly detects holes that attackers can use and carry out the necessary remediation measures, minimizing the possibility of damage by this means.

 

  • Detect advanced threats in the network through the use of Machine Learning or algorithms that can detect malicious behavior since visibility in the network is key to knowing when malware is moving laterally, whether through attempted exploitation of a vulnerability or reuse of weak passwords in administration accounts.

 

  • Manage a comprehensive process that ensures that any server exposed to the Internet is appropriately protected.

 

  • Establish within the organization’s policies the use of a second authentication factor to access services and critical infrastructure to minimize the possibility of unauthorized access.

 

  • Continuously map which equipment is being unsafely exposed to the Internet to take the necessary measures to protect or turn off services, paying particular attention to web servers, mail servers, VPN, or SSH services.

 

Improvements to critical operational tools

  • Maintain advanced monitoring on the most accessed equipment in an intrusion to identify on time when a suspicious event is happening. Servers exposed to the Internet should be considered, for example:
    • Web Servers
    • Mail Servers
    • VPN Servers

 

  • If the organization has Citrix servers, it is advisable to validate that these are only accessible through a VPN or the local network because these are access points used by ransomware operators.

 

  • Safeguard the logs to a central server so as not to lose them, so they can be used and analyzed during an investigation or incident response process.

 

  • Suppose remote access to RDP or terminal services is required. In that case, they should only be accessible to the corporate network through a secure VPN (with multiple authentication factors) or through a Zero Trust remote access gateway.

 

    • Servers critical for general operation:
      • Domain controllers
      • Authentication Servers
      • Hypervisors

 

    • Backup Servers or Servers with privileged access to most of the infrastructure:
      • Jump Servers
      • Antivirus Servers
      • Monitoring servers
      • Equipment for server management
      • File sharing servers

 

Activities to perform in the operational tools

  • Periodically update and install security patches for the software used in your organization to mitigate present vulnerabilities and reduce the possibility of exploitation.

 

  • Maintain monitoring of the change or addition of GPOs that are not programmed or generated by unauthorized users to prevent them from being used in distributing malware or enabling vulnerable services.

 

  • Carry out complementary hardening of equipment and services exposed to the Internet:
    • Implement elements such as multi-factor authentication (MFA). If a password is stolen, more is needed to access the service.
    • Implement a Web Application Firewall (WAF), which uses specialized filters to reduce the risk of an attack on your Web applications.
    • Use auditing tools, such as auditd or sysmon, and send the logs to a SIEM system to recognize abnormal computer behavior.

 

Detection and blocking improvements

  • Stay informed of threats affecting the region. It is advisable to acquire a threat intelligence service specialized in Latin America, which generates indicators of compromise, countermeasures, and recommendations for decision-making at a strategic, tactical, and operational level.

 

  • Enable encrypted traffic inspection features of security devices at your perimeter to improve detection and visibility.

 

  • Restrict access to Internet pages classified as malicious through web filtering tools to reduce the possibility of a user accessing this type of content.

 

  • Carefully control and supervise the traffic leaving your network to detect suspicious behavior and act promptly in its analysis, checking the following in the logs:
    • Network traffic to malicious or suspicious addresses, according to your threat intelligence or anomalous behavior.
    • Network traffic from DMZ servers to equipment or services outside of server operation.
    • Name resolution requests from DMZ servers to domains outside of server operation.
    • Web servers, file transfers, or email that make connection requests unrelated to your service.
    • Additionally, pay special attention to communications with cloud storage services that are not official ones of the company. If possible, block them.
    • Be especially careful when downloading from storage sites or cloud services such as Mega, Discord, Dropbox, Google Drive, OneDrive, Pastebin, GitHub, among others. Malware operators often use these services to host their artifacts.
    • Configure alerts that are activated when a computer sends a large amount of information to detect if there is any information leak related to attacks.

 

  • Have a quality XDR solution on your organization’s server or EndPoint. Not all XDR solutions are the same, and many created as antivirus solutions do not have the features necessary to respond to an incident. Verify that the solution used in your organization has passed different anti-tampering tests and has a centralized monitoring console that is protected against possible encryption.

 

  • If possible, it is highly recommended to disable Windows Script Host, used to interpret and execute JScript (.js files) and VBScript (.vbs and .vbe files), which can be potentially dangerous during a cyber-attack.

 

  • Set up an anti-spam filter that blocks external and internal emails with malicious content, links, or malware.

 

  • Verify access permissions to shared folders and folder security at the file system level. We suggest using “read-only sharing” to prevent malicious files from being deposited.

 

  • Use the principle of least privilege (PoLP) to configure your organization’s accounts, especially for services published online.

 

  • Segment networks to prevent the spread of ransomware. Network segregation can help prevent the spread of ransomware by controlling traffic flows and access to multiple subnets and restricting an adversary’s lateral movement.

 

  • Enable system auditing to track login and logout events in Active Directory; this can be used to conduct a deep investigation into unauthorized access.

 

  • Perform threat hunting activities on your organization’s infrastructure to identify unusual processes, unidentified scheduled tasks, suspicious executable files in system paths, and anomalous use of resources in the EndPoint. For example, check the logs for using LOLbins, execution of PowerShell commands with suspicious behavior, connections through the SMB protocol to detect lateral movements, tasks scheduled to maintain persistence, or programs that run when the operating system starts.

 

  • Use DLP systems to reduce the probability of information leaks from the organization and detect anomalous behavior in transferring or deleting large volumes of information. To do this, it is advisable first to classify all the organization’s information.

 

  • Generate offline backups (magnetic tapes or similar, or cold storage) in a geographic location other than that of your data center, as it provides additional security. If the infrastructure is compromised, external storage can help restore its operation in less time.

 

  • Maintain “golden images” (templates or images of the system).

 

Remote administration recommendations:

  • Creation of a GPO policy in the active directory so that the remote access option to computers via RDP is disabled; this prevents it from being misused on network devices.

 

  • It is suggested that software not be used for remote access to the organization’s devices. If remote administration is necessary, using a VPN with two-factor authentication and enabling RDP service on the devices on time is recommended. This measure reduces the possibility of an unauthorized user accessing these resources.

 

  • In remote access services such as VPN, creating blocks defined by geolocation is advisable to avoid access from countries where it does not operate.

 

  • Create detection rules that alert you when there are VPN accesses from 2 geographically distant points in a short time, known as impossible trips, to identify on time when a user presents this behavior and investigate them. If you feel it is necessary, blocking the account when detecting this behavior can help reduce the impact of an attack.

 

  • Audit remote access activities to detect access from abnormal sources or access to critical services with users not related to said service.

 

  • Suppose the use of remote access software is required due to the operation. In that case, the following recommendations must be taken into account:
    • Add said software to an allowlist or controlled access list only for the computers where it is required and make mandatory disabling for the rest of the devices on the corporate network. So that only a controlled number of devices can be accessed with the application.
    • Implement a two-factor authentication in the remote administration software. If the application you use does not have this option, it is suggested to use one with this functionality. It reduces the possibility of an attacker guessing the password and taking control of the device.
    • Likewise, enable all logs for monitoring; send them to the correlator and create detection rules for when it is accessed in this way to audit whether the accesses are authorized.
    • Disable or uninstall the software while it is not being used so that it is not inadvertently used.

 

Recommendations related to PowerShell

  • Create a GPO policy in the active directory to turn off PowerShell on computers where it is unnecessary and only allows some users with specific needs to run it.

 

  • If the use of PowerShell is required on some computers, it is suggested that you take the following actions into account:
    • Update to the latest version and remove previous versions to prevent attackers from exploiting vulnerabilities and executing malicious code.
    • Configure the execution of scripts unless they are signed or have been generated for internal use by the organization’s functions. It reduces the possibility of executing unauthorized commands.

 

Recommendations related to SMB

  • Create a GPO policy in the active directory to prevent the use of SMB from being enabled by default and remove access to hard drives through this protocol through administrative accounts. This is because these configurations give rise to the possibility of lateral movement.

 

 

 

Recommendations for Active Directory

  • Limit or restrict domain administrators’ access to any device that is not a domain controller. If an administrator requires using their credentials, it is advisable to grant access to an end user’s device, audit the accesses, and record this activity in an SIEM.

 

  • Acquire a specific purpose solution for Active Directory protection. Deception solutions, malware traps, or honeypots can help you detect an attack attempt in time on your active directory and your operational network.

 

  • Perform threat-hunting processes on domain controllers, servers, workstations, and active directories in search of new accounts or accounts whose generation is unrecognized or suspicious.

 

  • Change passwords on all computers periodically and use multiple-factor authentication on the accounts of all active directory users.

 

  • Never run unofficial services with high privileges or domain administrator accounts; they could store and use credentials maliciously.

 

  • Limit the creation of domain administration accounts and other privileged groups; the fewer accounts and groups, the more difficult it will be for an attacker to find administrative accounts for malicious use.

 

  • It is essential to protect the domain administrator account with strong passwords, MFA, and regular changes.

 

  • If possible, it is recommended to deactivate the built-in administrator account and remove users from the local administration group.

 

  • Enable real-time auditing and correlation rules related to the modification of GPOs. Because some threat actors carry out malicious activities by abusing them.

 

  • Restrict installation of additional software or configuration of server roles on domain controllers other than those defined by your organization’s security policies.

 

  • Perform patch management and vulnerability scanning regularly.

 

  • Use secure DNS services to block malicious domains.

 

  • Enable and configure the Windows firewall with the rules defined in your organization’s security policies.

 

  • Use an allowlist application to establish which applications are allowed to run in the active directory.

 

  • If possible, implement a PAM (privileged access management solution).

 

  • Use a secure management workstation (SAW).

 

Recommendations for hypervisors

  • Keep virtualization software updated with the latest patches released by the manufacturer.

 

  • Implement an XDR tool to identify, detect, and prevent attacks on contained virtual machines.

 

  • Isolate the network. The hypervisor should be on an isolated network with the resources necessary to operate, such as vSANs and backups.

 

  • Define rules for VEEAM, HYPERV, and VMWare so that they can only be accessed from specific management servers and restrict access to those servers.

 

  • Manage identity and access. Consider decoupling ESXi, vCenter, and other hypervisors from Active Directory; this way, the virtualization infrastructure will be protected if compromised. Use dedicated accounts for infrastructure management, enable multi-factor authentication (MFA), and manage credentials securely.

 

  • Restrict the necessary services to be used on hypervisors.

 

  • Activate the local firewall to allow administrative access only from trusted network segments or hosts.

 

  • Send the hypervisor logs to the organization’s central SIEM to provide visibility into the security events that have occurred.

 

  • Maintain frequent backups that an attacker cannot delete. This can be achieved by having backups offline or at specialized services.

 

Specific recommendations for vSphere and ESXi

  • It is advisable only to consider hardware that includes TPM 2.0 to install virtualization software. The virtualization software will automatically use the security chip to store authorization keys and ensure system files are not modified.

 

  • SecureBoot. This ensures that the code to be executed at the start of the server is digitally signed and has not been modified, making persistence and initial control by threat actors difficult.
    • To enable it: /usr/lib/vmware/secureboot/bin/secureBoot.py -c

 

  • This is a property of ESXi and vSphere to restrict the execution of binaries on the hypervisor, preventing a threat actor from deploying and executing their tools. To check if it is active and then to activate it:
    • esxcli system settings kernel list -o execinstalledonly
    • esxcli system settings kernel set -s execinstalledonly -v TRUE

 

IMPORTANT: The configurations mentioned above must be done in laboratory or UAT testing environments before performing them in your production environment to avoid inconveniences.

 

  • If the organization’s operation allows it, it is highly recommended to restrict the use of the following tools since SCILabs has identified them through incident response. Although some can be used legitimately, it is crucial to be attentive to their behavior and to issue an alert in case of any unknown or suspicious installation.

 

Tool Activity Tool Activity
ADRecon Recognition WinSCP Exfiltration
PsExec Lateral movement NirCmd Command execution/Defense evasion
Mimikatz Credential access Rclone Exfiltration
Nirsoft password recovery tools Command execution/Defense evasion PCHunter Recognition /Process manipulation
ExMatter Exfiltration GMER Defense evasion
Bloodhound tool Recognition BazarLoader Lateral movement
CrackMapExec Lateral movement GrabFF Web browser credentials
Inveigh/InveighZero Capture/Credential access GrabChrome Web browser credentials
MegaSync Exfiltration BrowserPassView Web browser credentials
Adfind Recognition/Lateral movement KeeThief Credential access
Rubeus Credential access FileGrab Exfiltration
Stealbit Exfiltration CobaltStrike Command and Control /Post Exploitation
ConnectWise/ScreenConnect Persistence/Lateral movement FileZilla Exfiltration
Process Hacker Recognition Advanced Port Scanner Recognition
Conexiones RDP Persistence/Lateral movement NetScan Recognition/Lateral movement
ProxifierPE Command and Control (Proxy) Pcloud Exfiltration
OpenChromeDumps Credential access Advanced Port Scanner Recognition
S3 Browser Web Browsing WmiExecAgent Lateral movement/Command execution
Veeamp Credential access

Table 1. Tools used by ransomware groups

 

What to do during a ransomware attack?

When an organization has already been compromised, it faces multiple unknowns; for example, Will there be a free way to recover the information? What to notify senior management? How do you initiate recovery tasks? Did an employee orchestrate the attack? Is it possible to clean compromised computers? What to block or isolate? Among many others, therefore, it is recommended to focus on the following:

 

  • Initiate an incident response process, which can call the BCP (Business Continuity Plan) where the continuity scenario has already been tested in the event of a cyber-attack caused by ransomware; this will allow the previously defined plan to be followed and the crisis handled appropriately.

 

  • If you do not have a BCP, if possible, design a contingency plan that allows maintaining the operation of the business with a DRP (Disaster Recovery Plan) that include a robust backup policy where they are required. Offline backups of critical operating information prevent it from being compromised in a ransomware attack.

 

  • If you do not have an incident response process, it is important to consider the following:
    • Involve an expert team in incident response, specialized in cyber intelligence, in a way that allows you to act more quickly and with greater certainty.
    • Define the organization’s position to be communicated internally and externally in such a way that a single reality of the situation is seen, avoiding panic and reducing the media impact.
    • Define a “war room where all those who must participate during the response to the incident are physically or virtually present (as appropriate).
    • Designate someone responsible for communicating the status of the incident to senior management and other areas of the organization.
    • Define an incident leader who can make decisions to be executed by the rest of the organization’s teams. Below are some activities that the incident leader will need to do during the event:
      • Choose the investigation sources that will give you information to investigate the incident.
      • Determine if it is necessary to obtain triage of the equipment involved.
      • Generate the hypotheses that will direct the investigation, which will be confirmed or disqualified based on the evidence obtained.
      • Generate recommendations for the containment, eradication, and recovery of the incident.
    • Designate a technical leader who can coordinate the group of specialists responsible for the various technology areas involved in the affected critical processes, where they are informed about their required support during response activities so that they can act with the necessary speed.

 

  • Remain calm and do not make conclusions immediately, as this can lead to hasty decisions that affect the response process and hinder the re-establishment of the operation.

 

  • Avoid searching for those internally responsible for the attack, as this can lead to confrontational situations with personnel that obstruct the development of the incident response.

 

  • If you have samples of artifacts, conduct an in-depth analysis of them to find indicators of compromise that will help in the detection, containment, and possible eradication of the threat.

 

  • Avoid disclosing information on social networks and the media about what happened, to prevent false expectations of the situation from being generated, considering that, if it is a company listed on the stock market, if the messages are not handled properly and convey peace of mind, the uncertainty that the media can create can cause shares to fall.

 

  • Avoid uploading samples to public analysis tools since other users could download them, disclosing the organization’s confidential information.

 

  • In case of carrying out immediate containment activities, such as isolating affected equipment, it is recommended that the equipment where the incident is happening is not turned off, just offline. Because if it is turned off, important information could be lost in the investigation of the incident.

 

Lateral movement prevention

  • Configure the Windows Firewall on all hosts to block widely used techniques, such as PowerShell.exe or other Living-Off-the-Land scripts and binaries.

 

 

  • Restrict or prevent remote administration tools, such as AnyDesk, GoToAssist, Atera, HOST, Team Viewer, among others commonly used by threat actors to carry out lateral movements on the victim’s network.

 

  • Depending on the magnitude of the incident, the incident response team will determine the actions that make the most sense and establish a critical path that can lead to the recovery of the affected systems based on the understanding of the threat and the intelligence available.

 

What to do after a ransomware attack?

Once organizations have emerged from the crisis that a ransomware attack entails, it is important to consider the following recommendations:

 

  • Conduct a lessons-learned session that allows the organization to determine what they could have done differently and implement lines of action to avoid reinfection.

 

  • Carry out an advanced hunting exercise that allows you to identify if the same or a similar threat exists somewhere in the network that must be addressed as soon as possible.

 

  • Maintain exhaustive monitoring for at least three months to determine that the organization has no traces of the attacker. This involves understanding the alerts generated by the different security solutions implemented during incident response and investigating each in depth.

 

  • Create detection models that resemble the attacker’s modus operandi to detect a new event associated with the same threat.

 

  • Carry out a campaign aimed at users summarizing the events that the organization has just gone through and the importance of following established security guidelines.

 

  • Carry out a comprehensive diagnosis that allows you to determine the organization’s current state from the point of view of processes, people, and technology, where you can know how the organization’s internal and external cybersecurity posture is so that it can create a cybersecurity strategy.

 

  • Design the organization’s cybersecurity strategy with a holistic vision where at least the following points are considered:
    • Consider new opportunities that must be supported by cybersecurity services to protect critical data, considering what the business objectives are, its needs, and the regulatory compliance that it must support.
    • Consider a focus on the risks the organization faces according to its sector and its threat model.
    • Understand the importance of the human factor and users’ personality to respond to internal and external expectations and determine how and to whom to direct continuous awareness campaigns.
    • Carry out continuous cyber intelligence monitoring and mapping of your threat model that allows you to visualize your cybersecurity posture and how it is perceived internally and externally.
    • Ensure that the security strategy includes identification capabilities through an architecture of visibility and continuous monitoring, prevention through a holistic approach where constant threat hunting is considered, protection through appropriate technology at the necessary points, prepared people, robust processes, response orchestrated by expert personnel, recovery and verification through processes and a focus on resilience.