Threat Analysis Unit

VMware Carbon Black TAU Threat Research: Visualizing Ransomware with MITRE ATT&CK

Whatever awareness of ransomware existed before May 2017, one thing is fairly certain: the WannaCry outbreak unquestionably put ransomware on the security radar and sent shivers up the spines of CISOs and analysts for the weeks and months that followed. Only a few weeks later, NotPetya, referred to as one of the most costly ransomware outbreaks of all time, also swept across the world. While 2018 saw a rise in crypto-mining based attacks, 2019 has seen a further increase in new ransomware campaigns, some of which are advertised for sale for a small fee as Ransomware-as-a-Service on the Dark Web. Financial loss, loss of data and PII, loss of productivity, loss of service, reputation damage and downtime have all been symptoms of successful ransomware attacks in recent years. And like all malware, ransomware doesn't discriminate: no industry vertical is excluded from this damaging type of attack. Once infected, confidence in the availability and integrity of backups of core systems is integral to prompt recovery and mitigation; otherwise the infected company is almost certainly in for a rough few weeks.

Figure 1 – Ransomware Headlines

The Idea

And here begins our journey into delving a bit deeper into ransomware. One of the great things about working as a Threat Researcher on the TAU (Threat Analysis Unit) team at VMware Carbon Black is being granted time to work on longer-term research projects. Of course our work is often fast paced, highly sensitive and highly urgent, and our customers require triage and answers as quickly as possible. Being able to take time out for a research project allows a researcher to step back, reflect on the week-to-week observations and look at the bigger picture. The one thing that has stood out to me for some time is all of the hype (and often FUD) that surrounds ransomware. So I decided to research ransomware in the context of the MITRE ATT&CK framework.

My research goal was to see which MITRE technique IDs (TIDs) were the more common, and the not so common, in the context of ransomware. I was curious at a personal level to find out whether there was any overlap between ransomware families, but I also wanted to share the findings with colleagues, customers and partners, and with the wider InfoSec community as a whole, in the hope that the results could be used as a knowledge base of sorts to assist threat hunting and detection against ransomware-specific TIDs.

The Method

To do this, I set out by collecting ransomware samples. I was able to quickly collect the majority of the samples using our very own TAU-TINs (Threat Intelligence Notifications) from the CB User Exchange as the starting point. It is important to note that many of these samples have likely come indirectly via our IR partners, via hunting methods from sources such as VirusTotal, or from our very own ThreatSight team. I then gathered some other families of ransomware, and the end result was a total of 80 unique ransomware samples from 80 ransomware families.

To analyze the results effectively we need a data processing pipeline, and fortunately TAU has MalwareLambda. MalwareLambda is, in essence, a cloud-based, modular, serverless architecture that supports the TAU team internally by enabling threat researchers to quickly detonate malware against custom images for dynamic analysis, to perform static analysis, or a hybrid of the two using Binee, plus various modules to quickly triage samples and much more, all via an easy to use web interface, with a REST API should we require it.

Using MalwareLambda I submitted the 80 hashes for processing. Once processing had completed, I queried the MITRE results through our API with some Python scripting and recorded the metadata for each ransomware sample: its MD5 and SHA256 hashes, VTI link, classification and, most importantly, each MITRE TID hit under each MITRE tactic. Using the TID results, I then constructed a different Cypher query for each tactic to produce the results within Neo4j, and output each as a graph visualization using the force-directed layout.
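As an added example (not the author's script, and not the MalwareLambda API, whose response format the post does not show), the following Python takes results in an assumed shape, family -> tactic -> list of TIDs, computes the tactic coverage and per-TID connectedness that the graphs below visualize, and emits the Cypher MERGE statements and per-tactic MATCH query needed to build and view the same graph in Neo4j. The four families and their TIDs are constructed sample data, not real analysis output.

```python
"""Added example: from per-sample ATT&CK hits to Neo4j Cypher and connectedness stats.

The input shape (family -> tactic -> [TID, ...]) is an assumption; it is the shape the
MalwareLambda results would be normalised into, not the API's own format.
"""
from collections import Counter, defaultdict
import json

# Constructed sample results for four hypothetical families (not real data).
RESULTS = {
    "family_a": {
        "execution": ["T1053", "T1059", "T1064"],
        "persistence": ["T1053", "T1060"],
        "defense-evasion": ["T1045", "T1143"],
        "impact": ["T1486", "T1490"],
    },
    "family_b": {
        "execution": ["T1053", "T1059", "T1064"],
        "persistence": ["T1053", "T1060", "T1158"],
        "defense-evasion": ["T1497", "T1036"],
        "impact": ["T1486", "T1490", "T1489"],
    },
    "family_c": {
        "execution": ["T1053", "T1059", "T1064"],
        "persistence": ["T1067"],
        "impact": ["T1485", "T1486"],
    },
    "family_d": {
        "execution": ["T1053", "T1059", "T1064"],
        "credential-access": ["T1056"],
        "impact": ["T1490"],
    },
}


def tactic_coverage(results):
    """Number of families with at least one TID under each tactic (Figure 2 style).
    Tactics with no hits at all, e.g. initial-access, simply do not appear."""
    cov = Counter()
    for tactics in results.values():
        for tactic, tids in tactics.items():
            if tids:
                cov[tactic] += 1
    return dict(cov)


def tid_degree(results):
    """Distinct families each TID connects to, regardless of tactic.
    High degree = a central red node in the force-directed graph; degree 1 = an outlier."""
    families_per_tid = defaultdict(set)
    for family, tactics in results.items():
        for tids in tactics.values():
            for tid in tids:
                families_per_tid[tid].add(family)
    return {tid: len(fams) for tid, fams in families_per_tid.items()}


def universal_tids(results):
    """TIDs present in every family (the post found three, all under Execution)."""
    return sorted(t for t, d in tid_degree(results).items() if d == len(results))


def outlier_tids(results):
    """TIDs seen in exactly one family: the nodes on the outer edge of the graph."""
    return sorted(t for t, d in tid_degree(results).items() if d == 1)


def cypher_statements(results):
    """Idempotent MERGE statements building (Family)-[:USES {tactic}]->(TID) edges.
    json.dumps quotes every value so a family name cannot break out of the literal."""
    stmts = []
    for family, tactics in results.items():
        fam = json.dumps(family)
        for tactic, tids in tactics.items():
            for tid in tids:
                stmts.append(
                    f"MERGE (f:Family {{name: {fam}}}) "
                    f"MERGE (t:TID {{id: {json.dumps(tid)}}}) "
                    f"MERGE (f)-[:USES {{tactic: {json.dumps(tactic)}}}]->(t);"
                )
    return stmts


def tactic_query(tactic):
    """Read query for one tactic's subgraph; Neo4j Browser renders it force-directed."""
    return f"MATCH (f:Family)-[r:USES {{tactic: {json.dumps(tactic)}}}]->(t:TID) RETURN f, r, t"


if __name__ == "__main__":
    print(tactic_coverage(RESULTS))
    print("universal:", universal_tids(RESULTS), "outliers:", outlier_tids(RESULTS))
    print("\n".join(cypher_statements(RESULTS)))
    print(tactic_query("persistence"))
```

The MERGE output can be pasted into cypher-shell or the Neo4j Browser as-is; because MERGE is idempotent the script can be re-run after re-submitting samples without duplicating nodes. `tactic_query` is the per-tactic Cypher the post describes, and `tid_degree` is the number behind the "TIDs by count" view: the edge count of each red node.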

The Results

MITRE Tactic Coverage

Now onto the results. To begin with, here is a breakdown of MITRE tactic coverage across the 80 ransomware families.

Figure 2 – MITRE Tactic Coverage

You will probably notice immediately that there is no coverage for Initial Access, Lateral Movement and Exfiltration. This could be due to a few reasons.

Due to the very nature of dynamic analysis, Initial Access is unlikely to produce a TID because the sample in question has been manually loaded and executed. Establishing the initial access typically requires an IR engagement to seek out the infection vector, whether that is a spear-phishing attachment or a supply chain attack.

Lateral Movement likely shows no coverage because the goal of most ransomware is to infect the target machine. There are relatively few instances where ransomware has used the infected host to spread laterally, but it is noteworthy that this may in part be a limitation of the way a virtual machine is isolated during detonation in a sandbox environment. One confirmation of this is that the WannaCry sample (among others) in the pool did not show signs of Lateral Movement, yet we know it contained the EternalBlue exploit to further propagate. A multi-VM environment would be needed to prove whether lateral movement activity exists in the context of sandbox testing.

Lastly, the Exfiltration tactic is likely empty because the general goal of ransomware is to encrypt the files on the victim machine and use that as leverage to receive a ransom payment. Exfiltration is more commonly observed with other types of malware, such as banking trojans or nation state attacks, whereby PII and other sensitive data is covertly sent back to the C2 controller. There are of course exceptions, such as the SamSam ransomware family, where humans actively interact with the infected host, performing further recon and moving laterally via manual techniques. As the testing method used is dynamic analysis, manual techniques such as those used by SamSam and similar ransomware will not be measured.

All the TIDs!

Shown below is a graph visualization produced with Neo4j from a master Cypher query containing all of the MITRE TIDs associated with all ransomware samples analyzed. Each red node represents a MITRE TID and each blue node a ransomware family, with the edges between them showing which sample aligned with which TID. The higher density areas of red nodes towards the centre of the graph visually indicate a greater degree of connectedness between TIDs and ransomware families, or in other words the TIDs shared between many ransomware families. The red nodes around the outer edges are the TIDs with the least connectedness; these are the outliers, having the least in common with the ransomware families overall.

Figure 3 – All TIDs

Execution

Out of all 80 samples analyzed, there were only three TIDs that existed across all samples:

T1053 – Scheduled Task

T1059 – Command-Line Interface

T1064 – Scripting

It is very common for ransomware to use these TTPs to execute, whether through a dropper or a launcher.

Figure 4 – Execution

Persistence

Shown in this graph are the more common TIDs, such as:

T1060 – Registry Run Keys / Startup Folder

T1067 – Bootkit

T1053 – Scheduled Task

T1158 – Hidden Files and Directories

These are the most common TTPs used for persistence, which allow ransomware to survive a restart of the infected host: persisting via the Windows Registry, via Scheduled Tasks, by changing file attributes to hide certain files from the user, and even by overwriting the Master Boot Record (MBR) in the case of bootkit based ransomware.

Shown in the outer areas are some of the less common TIDs, such as:

T1083 – File and Directory Discovery

T1112 – Modify Registry

Figure 5 – Persistence

Privilege Escalation

Another tactic with seemingly fewer TIDs associated with ransomware is Privilege Escalation. Here we can see the following TIDs of interest:

T1053 – Scheduled Task

T1050 – New Service

Figure 6 – Privilege Escalation

Defense Evasion

This tactic shows much more connectedness to the ransomware families. Some of the common TIDs are:

T1497 – Virtualization/Sandbox Evasion

T1045 – Software Packing

T1143 – Hidden Window

T1036 – Masquerading

Sleep timers and loops are common forms of sandbox evasion. Common packers such as UPX or .NET Reactor are often used to obfuscate and hide the original code, slowing down manual analysis. Executing an encoded PowerShell script with the window forcibly hidden from the user's view is a common way to hide the script during execution. Additionally, masquerading a malicious process as a known good Windows process, such as svchost.exe, is another technique used to delay discovery of an infected host.

Figure 7 – Defense Evasion

Credential Access

Only two TIDs for this tactic:

T1081 – Credentials in Files

T1056 – Input Capture

Less common for ransomware is harvesting or stealing credentials from browsers, chat clients and FTP clients, or incorporating a keylogger or clipboard listener to steal further content from the infected host.

Figure 8 – Credential Access

Discovery

Another tactic where many ransomware families show connectedness between TIDs:

T1049 – System Network Connections Discovery

T1016 – System Network Configuration Discovery

T1083 – File and Directory Discovery

T1057 – Process Discovery

T1497 – Virtualization/Sandbox Evasion

T1124 – System Time Discovery

These techniques are commonly observed because, once the malware is running, enumeration of the environment (system time, VM environment, system, file and process activity) can be used to drive anti-analysis techniques, as well as to report environment-specific details back to the C2 controller.

Figure 9 – Discovery

Collection

Shown here are some of the more common TIDs:

T1005 – Data from Local System

T1119 – Automated Collection

T1056 – Input Capture

Followed by some less common ones:

T1115 – Clipboard Data

T1039 – Data from Network Shared Drive

Figure 10 – Collection

Impact

Here we can see close relationships between the following common TIDs:

T1486 – Data Encrypted for Impact

T1490 – Inhibit System Recovery

T1485 – Data Destruction

T1491 – Defacement

T1489 – Service Stop

Perhaps not surprisingly, we find that data is encrypted, recovery of the system is inhibited (for example by deleting backups or shadow copies), data may be destroyed for good, the desktop wallpaper is modified to display a ransom note, and critical services such as OS, 3rd party security and monitoring services are stopped.

Figure 11 – Impact
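The Execution, Persistence, Defense Evasion and Impact TIDs listed in the sections above translate directly into hunt logic over process-creation telemetry. The following Python is an added example, not code from the post or from Carbon Black; it maps an assumed event shape (image path, command line, parent image) to those TIDs, and the ten events are constructed rather than taken from any incident. It covers scheduled task creation (T1053), Run key persistence (T1060), hidden file attributes (T1158), hidden-window PowerShell (T1059/T1064/T1143), svchost.exe masquerading by path or parent (T1036), shadow copy and boot recovery tampering (T1490), service stop (T1489) and service creation (T1050).

```python
"""Added example (not from the post): map Windows process-creation events to the
ransomware TIDs discussed above. The event shape {image, cmdline, parent} is an
assumption; real sensors carry these fields under their own names."""
from collections import Counter
import ntpath
import shlex

# Constructed events, not real telemetry. All fire except index 5, the benign
# System32 svchost.exe launched by services.exe, which is the control case.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "parent": r"C:\Users\Public\x.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Users\Public\x.exe"',
     "parent": r"C:\Users\Public\x.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\x.exe"',
     "parent": r"C:\Users\Public\x.exe"},
    {"image": r"C:\Windows\System32\attrib.exe", "cmdline": r'attrib.exe +h +s "C:\Users\Public\x.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Users\Public\x.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": 'net.exe stop "SQL Server (MSSQLSERVER)" /y',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create svcupdate binPath= C:\Users\Public\x.exe start= auto",
     "parent": r"C:\Users\Public\x.exe"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _tokens(cmdline):
    # posix=False keeps Windows backslashes and quoted paths intact; quotes are stripped after.
    try:
        return [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return cmdline.lower().split()


def _prefix_switch(tok, name):
    """powershell.exe accepts any unambiguous prefix of a switch (-w, -win ... for -WindowStyle)."""
    return tok.startswith("-") and len(tok) > 1 and name.startswith(tok[1:])


def classify(event):
    """Return the set of TIDs the event evidences (empty set for benign events)."""
    image = event["image"].lower()
    base, folder = ntpath.basename(image), ntpath.dirname(image)
    parent = ntpath.basename(event.get("parent", "").lower())
    toks = _tokens(event["cmdline"])
    hits = set()
    if base == "schtasks.exe" and "/create" in toks:
        hits.add("T1053")  # Scheduled Task
    if base == "reg.exe" and "add" in toks and any(r"\currentversion\run" in t for t in toks):
        hits.add("T1060")  # Registry Run Keys / Startup Folder
    if base == "attrib.exe" and "+h" in toks:
        hits.add("T1158")  # Hidden Files and Directories
    if base in ("powershell.exe", "pwsh.exe"):
        hits.update({"T1059", "T1064"})  # Command-Line Interface, Scripting
        for cur, nxt in zip(toks, toks[1:]):
            if _prefix_switch(cur, "windowstyle") and nxt == "hidden":
                hits.add("T1143")  # Hidden Window
    # Real svchost.exe lives in System32/SysWOW64 and is started by services.exe; a hit
    # here is a hunting lead to verify, not a verdict.
    if base == "svchost.exe" and (folder not in SYSTEM_DIRS or parent != "services.exe"):
        hits.add("T1036")  # Masquerading
    if base == "vssadmin.exe" and {"delete", "shadows"} <= set(toks):
        hits.add("T1490")  # Inhibit System Recovery: shadow copies
    if base == "wbadmin.exe" and {"delete", "catalog"} <= set(toks):
        hits.add("T1490")  # Inhibit System Recovery: backup catalog
    if base == "bcdedit.exe" and {"recoveryenabled", "no"} <= set(toks):
        hits.add("T1490")  # Inhibit System Recovery: boot recovery disabled
    if base in ("net.exe", "net1.exe") and "stop" in toks:
        hits.add("T1489")  # Service Stop
    if base == "sc.exe":
        if "stop" in toks:
            hits.add("T1489")
        if "create" in toks:
            hits.add("T1050")  # New Service
    return hits


def hunt(events):
    """Events that matched at least one TID, TIDs sorted for stable output."""
    return [{"image": e["image"], "tids": sorted(classify(e))} for e in events if classify(e)]


def tid_counts(events):
    """How often each TID fired across the event set."""
    counts = Counter()
    for e in events:
        counts.update(classify(e))
    return counts


if __name__ == "__main__":
    for row in hunt(EVENTS):
        print(", ".join(row["tids"]), "<-", row["image"])
    print(dict(tid_counts(EVENTS)))
```

The rules are deliberately keyed on command-line tokens rather than exact strings, which is why the PowerShell check accepts `-w`, `-win` and `-WindowStyle` alike; that is the "without having to know command-specific syntax or variations" point the conclusion makes. The `vssadmin`, `wbadmin` and `bcdedit` rules all fold into T1490, so an environment that sees all three in one minute scores the same TID three times, which is itself a useful signal.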

TIDs by Count

Shown below is a graph showing the breakdown of TIDs from least to most connected across the different ransomware families.

Figure 12 – TIDs by count

Wipers

One area of interest is making the distinction between ransomware and ransomware that also performs wiping activity on the infected host. Of the 80 samples analyzed, 9 were classified solely as wipers. Loading their TIDs, we can observe the following TIDs present with wipers. Note that our analysis did not classify MegaCortex, LockerGoga and NotPetya as wipers, but adding those samples to the graph may provide extra confirmation for these TIDs.

T1485 – Data Destruction

T1067 – Bootkit

Figure 13 – Wipers

Ransomware 

If we compare the graph above to the graph below, you will see that the majority of TIDs are very similar to those of the wipers shown above.

Figure 14 – Ransomware

Ransomware TID Profile 

Using the MITRE ATT&CK Navigator, we can quickly get a good visualization of the ransomware profile of each of the TIDs by tactic.

Figure 15 – TIDs by Tactic
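An added example (not part of the post) of producing such a Navigator layer in Python from per-tactic hit counts. The counts are constructed, not the post's real results. The field names follow the Navigator layer JSON format; the version and domain strings are marked as assumptions to adjust for the Navigator build in use. Techniques that sit under several tactics, such as T1053, need one entry per tactic, which is the detail most easily got wrong when a layer is generated from a flat TID list.

```python
"""Added example: build an ATT&CK Navigator layer from (tactic, TID) -> family counts."""
import json
import re

NAVIGATOR_VERSION = "2.2"    # assumption: the layer-format version your Navigator accepts
DOMAIN = "mitre-enterprise"  # assumption: newer Navigator builds use "enterprise-attack"

# Constructed counts (hypothetical, not the post's data): families hitting each TID per tactic.
HITS = {
    ("execution", "T1053"): 10,
    ("execution", "T1059"): 10,
    ("execution", "T1064"): 10,
    ("persistence", "T1053"): 6,
    ("persistence", "T1060"): 5,
    ("privilege-escalation", "T1053"): 4,
    ("defense-evasion", "T1497"): 7,
    ("impact", "T1486"): 9,
    ("impact", "T1490"): 6,
}
TOTAL_FAMILIES = 10

_TID = re.compile(r"^T\d{4}$")  # pre-sub-technique ATT&CK IDs, as used in the post


def build_layer(hits, total, name="Ransomware TID profile"):
    """Return the layer as a dict; score is the family count so the gradient ranks TIDs."""
    bad = sorted({tid for _, tid in hits if not _TID.match(tid)})
    if bad:
        raise ValueError(f"malformed technique IDs: {bad}")
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic,            # one entry per tactic the TID appears under
            "score": n,
            "comment": f"{n} of {total} families",
            "enabled": True,
        }
        for (tactic, tid), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    return {
        "name": name,
        "version": NAVIGATOR_VERSION,
        "domain": DOMAIN,
        "description": f"TIDs observed across {total} ransomware families (sandbox-derived)",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": total},
    }


def layer_json(hits, total):
    """Serialised layer, ready to save and import via the Navigator 'Open Existing Layer' option."""
    return json.dumps(build_layer(hits, total), indent=2)


def tactic_entries(layer, tid):
    """Tactics under which a TID is highlighted; lets a caller confirm multi-tactic TIDs."""
    return sorted(t["tactic"] for t in layer["techniques"] if t["techniqueID"] == tid)


if __name__ == "__main__":
    print(layer_json(HITS, TOTAL_FAMILIES))
```

Scoring by family count rather than a fixed highlight means the Navigator heat map reproduces the "TIDs by count" ordering: the three universal Execution TIDs sit at the top of the gradient and single-family outliers stay pale.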

Conclusion

While this research was only performed on a small scale of 80 different ransomware families, the intention was to highlight some of the common and less common TIDs. It is important to note that the results are only as reliable as the analysis technology used; manual analysis may be required to uncover or confirm additional TIDs not reported by the sandbox. In addition, while ATT&CK is much more granular than previous models such as the Cyber Kill Chain, it is still an evolving knowledge base, which means it is only as good as the information populated within it. As newer techniques are discovered, and until they are added to the framework, there could be gaps in these findings when viewed in the future, and samples may need to be re-submitted for more accurate results.

That said, the results are hopefully clear enough to deduce the TIDs to look out for in your organisation. The TIDs serve as a starting point for further threat hunting without having to know command-specific syntax or variations. Referring to the MITRE knowledge base for the top TIDs shown helps to gather further insight into such TTPs.