Ransomware

Active Defense Strategies for Kaseya-style Ransomware Attacks

woman glasses

The recent Kaseya ransomware incident combined the worst possibilities the infosec community has had to contend with in recent months:

  1. A supply-chain attack
  2. Ransomware
  3. An unpatched application vulnerability (zero day)

This is by no means an isolated incident. All vulnerabilities reported on widely used software products, especially those that do not require authentication to exploit, will likely become a target to spread ransomware. 

Attacking the supply chain is simply a cost-effective way to scale ransomware operations. 

In this blog post, we’ll use the Kaseya incident as a blueprint to recommend a short playbook for what you can do while you await a patch for any software vulnerability you know nothing about.
 


View our recent webinar for more information on the best defenses against Kaseya supply-chain and similar attacks.



Zero days and active defense

Zero days are a tough nut to crack. The average organization uses hundreds of different types of software and tools. It’s almost impossible to have an accurate software inventory, let alone account for issues like supply-chain attacks and zero days.

While the research community plugs away trying to proactively find and hunt bugs to remediate costly zero days in widely used software before adversaries do, Active Defense allows security teams to take a step back and evaluate the problem of zero days as a whole.

Active Defense shifts the focus of security teams away from individual software and esoteric, difficult-to-parse exploitation techniques to proactive defensive strategies while they wait for a patch to be installed.

By hypothesizing the objectives that adversaries achieve when exploiting Zero Days, we can plan our Active Defenses in a manner that can:

  1. Reduce the impact of exploitation
  2. Give an early warning of malicious activity
  3. Gather intelligence on the adversary

Zero days through the kill-chain

The following table demonstrates where zero days are likely to be used in the kill-chain:

 

Kill-Chain Phase

Possible Zero-Day Targets

Possible Motivation

Initial Infection and foothold

Internet-facing software applications and services

Obtain access to a high-value environment

Privilege escalation

Operating system components and locally installed software

Obtain a higher level of privilege to aid the rest of the kill-chain

Lateral movement

Distribution software and internally exposed services

Expand attack footprint in locked-down environments

Action on objectives

Zero days against specialized software

Exploit weaknesses to steal data

 

Zero days are a means to the end goal. Whether in the initial stages of the operation or the critical last step.

From a defensive perspective, this gives us a valuable advantage: If we cannot stop the zero day itself, we have opportunities to trap the adversary either before or after they use it. And you can do just that with Active Defense.
 

Actively defending against Kaseya-style incidents

The scenario here is that you know about a zero-day target that does not yet have a patch. Let us also assume that the zero day is being used for initial infection and foothold to distribute ransomware within the environment.

The following table shows strategies for actively defending against techniques observed in the Kaseya REvil Ransomware incident.

 

Phase

Technique

Active Defense Tactic

Hints, Tips, Tricks

Initial infection

Exploit an internet-facing application

Create public-facing decoys to capture intelligence

Use the application vulnerable to the zero day as a template for the decoy

Execution

Use of PowerShell

Monitor for commands and scripts that involve stopping or disabling services

N/A

Defense evasion

Kill processes and services

Deploy decoy processes and services commonly killed by ransomware

The most commonly attacked processes are those that lock files that are a target for encryption; therefore, “outlook.exe”, MS Office processes, and database processes are usually targeted 

Pre-encryption checks

Delete volume shadow copies

Monitor for the deletion of volume shadow

Typically, volume shadow copies are deleted using vssadmin.exe or WMI

Encryption

Encrypt files

Deploy decoy files on endpoints to monitor for file modification events

Placing files in common encryption start locations (such as C:\ or %appdata% or Document folders) is a smart way to minimize the impact of encryption

 

In the case of Kaseya, specifically, there was no worm-like behavior observed as the encryptor was pushed to machines via an update.
 

Beware of distribution points

One of the classic strategies these days, as seen in the Kaseya incident, is to compromise software and update distribution points to deploy ransomware at scale.

It is not a stretch to say that any software that installs updatable services on endpoints can be a target of similar attacks and the table in the previous section is the best form of defense for that.

We wish to draw attention to two pervasively present distribution points for ransomware in most organizations:

  1. Active Directory
  2. SCCM

With recent disclosures around serious vulnerabilities—the Print Nightmare Vulnerability, for example—organizations are at risk of both Active Directory and SCCM as targets for any ransomware that leverages such a vulnerability to spread.

Here are four suggestions to actively defend against techniques in such a scenario.

 

Phase

Technique

Active Defense Tactic

Internal recon (Active Directory)

Query Active Directory for privileged users with rights to create a group policy

Plant decoy users in privileged groups and OUs

Internal recon

(Active Directory)

Query Active Directory for SCCM servers

Plant decoy systems with attributes consistent with SCCM servers

Lateral movement via zero days like Print Nightmare

Use the Print Nightmare vulnerability to obtain RCE on Active Directory and SCCM

  1. Disable the print spooler service on AD and SCCM
  2. Plant a decoy system on the network with hostname and DNS indicating it is an SCCM server

Lateral movement

Creation of new group policy or SCCM policy to distribute encryptor

Monitor and log the creation of new policies

 

Closing Notes

Organizations should expect that any major vulnerability disclosed is likely to become a target for spreading ransomware.

Due to the unpredictability of TTPs that may be used in individual incidents, we advise organizations to adopt a wider array of Active Defense techniques to build resilience against a variety of ransomware operator strategies.

We also encourage organizations to adopt Active Defense and deception strategies in the following parts of their IT environment:

  1. DMZ (both external and internal segments)
  2. Data center segments hosting business-critical applications for east-west lateral movement
  3. Active Directory
  4. Privileged endpoints
  5. Endpoints of personnel interacting with sensitive applications

Learn more about Kaseya Supply-Chain ransomware attack by viewing our webinar hosted by ThreatlabZ.

 

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.