To foster better collaboration and cyber ground truth, VMware and Accenture’s Cyber Defense group teamed up to deliver relevant security research. Our goal is to expose criminals’ tactics, techniques, and procedures (TTPs) and thereby help security teams better focus their prevention, detection and response programs.

Ransomware isn’t new—in fact, it’s over 30 years old. Attacks date back as far as 1989 and have been the most pervasive cyber threat since 2005, with a dramatic spike in recent years that continues to increase. In fact, Cybersecurity Ventures predicts that the damage caused by ransomware could cost up to $265 billion by 2031, making it ever more important for companies to prepare their defenses and understand ways to stop the attackers prior to ransomware deployment.

The old quote “defenders have to be right 100% of the time” proves to be untrue. The reality is that in most cases there are several opportunities for teams to disrupt the criminal’s behavior prior to the ransomware executing. This blog will examine the common tactics that cybercriminals use to infiltrate and move around a company network prior to ransomware deployment, paying close attention to the time-to-ransom (TTR).  Each stage of the attacker lifecycle offers unique opportunities to detect and remove them from the network prior to significant and costly damage. It only takes one mitigation to break the criminals’ kill chain.

Cyber Extortion at scale is big business and business is good for criminals

Time-to-Ransom (TTR)
Time-to-Ransom refers to the amount of time from when the threat actor gains initial access into a network to the time the threat actor deploys the ransomware. This time can range from hours to days, or even months. 

As ransomware-as-a-service (RaaS) explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organizations. Ransomware groups may be recruiting insiders or affiliates specializing in a specific part of the attack chain to increase the stealth of their attack while employing multiple extortion tactics by first stealing company data before locking it up. According to Accenture incident responders, data extortion was confirmed in about 30% of 10 cases they analyzed between June 2020 and June 2021.

As ransomware groups become increasingly capable, TTR can decrease. In contrast, however, if the actor combines data extortion with data destruction, the on-network requirements to steal sensitive data require greater TTR and additional on-host activities, providing opportunities for detection. According to Accenture incident response investigators, in analyzed cases over the past year, the TTR has been as low as 2.5 hours and as high as six months, with Carbon Black estimating that the TTR is on average between two and four days. The longer the TTR, the more opportunity there is for an organization to detect and respond to an attack prior to data destruction.

Methodology

Accenture Cyber Defense utilized data from over 10 recent cyber investigations, forensics and response (CIFR) ransomware incident response investigations, combined with Accenture’s Cyber Threat Intelligence’s (ACTI) dark web monitoring to identify popular pre-ransomware deployment network activities. Additionally, VMware Carbon Black leveraged data from the Carbon Black Cloud where the product suite can successfully prevent the execution of ransomware, as well as the pre-execution TTPs that were observed prior to ransomware payload execution.

Our threat research uses MITRE ATT&CK® – a comprehensive framework to document adversary TTPs – to focus on TTPs relevant to the initial stages of infection that precede a ransomware attack. We will also be focused on the TTR to help teams better create playbooks and responses when an infection occurs.

MITRE ATT&CK Stages

Initial Access

Accenture and VMware Carbon Black have identified remote desktop protocol (RDP) vulnerabilities as a primary initial access method for ransomware actors. RDP is exploited in roughly half of the documented attacks that are escalated to VMware’s Threat Analysis Unit (TAU). In many of these attacks there is a 48-to-92-hour period between the initial observed RDP access and the ransomware portion of the attack. Similarly, Accenture has found RDP vulnerabilities to be a preferred method for several ransomware groups.  For example, the ransomware group Avaddon appears to prefer exploiting RDP vulnerabilities as a breach methodology. This group has advertised specific interest in acquiring specialists who can develop network access through compromised RDP sessions or virtual private network (VPN) connections.

The second-greatest portion of the remaining cases studied by TAU initially start with a social engineering element like phishing emails. These emails will typically contain an initial dropper which is either an office document or an executable concealed in an archive format, like a zip file.  The initial dropper will either download a first-stage payload like IcedID, SdBot, Trickbot, or Emotet or leverage PowerShell to execute a Cobalt Strike cradle. These tools help the threat actor gain unauthorized access to the remote systems and can perform a variety of functions including, downloading and executing additional files, credential harvesting, and lateral movement operations.

The remainder are known vulnerabilities being exploited combined with lateral movement.

Execution

Accenture Security and VMware TAU continue to observe ransomware actors leverage living-off-the-land techniques in conjunction with off-the-shelf tools like Cobalt Strike, Koadic, PowerShell Empire, and Metasploit. Because of the effectiveness of tools like Cobalt Strike, as well as the anonymity that their popularity provides, many actors have adopted them into their overall attacker portfolios.

Prior to bans on ransomware advertisements by many forums, dark web findings indicated that at least Ragnar Locker and REvil operators had actively recruited hackers experienced with commodity tools including the Cobalt Strike platform; additionally, actors regularly sell or release cracked versions of Cobalt Strike, lowering the barrier to entry for this versatile tool. Cobalt Strike Beacon, a penetration testing product, provides vast functionality against the host, including privilege escalation, file transfer, command execution, port scanning and lateral movement, which is why it is an increasingly popular tool for ransomware operations.

Persistence

VMware TAU and the VMware Carbon Black Cloud identified attackers using PowerShell to modify windows registry and startup files as the predominate method of gaining persistence on endpoints observed in the bar graph below. This finding is consistent with observations by Accenture’s CIFR team. For easiest viewing, the graph below represents a two-week period, however, the trends have been consistent over time. Based on Windows Antimalware Scan Interface (AMSI) data that Carbon Black monitors, the two largest spikes are specifically from PowerShell modifying the startup folders, in purple, and PowerShell modifying different registry run keys, in green.

Source: Carbon Black AMSI data

When looking at non-AMSI data, the single largest persistence method is scheduled tasks; in green in the graph below.

Source: Carbon Black AMSI data

The commodity trojans prevalent in ransomware operations, like Trickbot, IcedID, and Emotet, have the capability to create scheduled tasks for persistence.

Privilege Escalation / Credential Access

Privilege escalation and credential access are priorities for ransomware operators, as these tactics often enable additional actions against the network, such as lateral movement or disabling endpoint monitoring software. Credential harvesting is one of the tactics used to ensure secondary extortion methods have higher efficacy. This allows attackers to gain access to business communication channels like email, Slack and Microsoft teams, which can make real-time response communications a challenge during an outbreak. 

Attackers are using Mimikatz predominately to harvest credentials.  The execution of signed Mimikatz binaries remains the highest detection related to credential harvesting that VMWare has historically observed. This is followed by PowerShell running Mimikatz and credential theft using NTDSutil. Commodity tools, such as Meterpreter, have built-in techniques to try to obtain system-level administration privileges.

Source: Carbon Black AMSI data

Lateral Movement

Lateral movement is a key component of an effective attack and ransomware groups can use port scans and the lateral movement capabilities embedded in commodity malware and tools. As the use of Cobalt Strike increases among ransomware operators, Accenture Security and Carbon Black have, in turn, observed attackers use Cobalt Strike Beacon capabilities, such as named pipes over Server Message Block (SMB) and WinRM to move laterally in targeted networks.

Source: Carbon Black AMSI data

Defense Evasion

Ransomware threat actors are keenly aware of being exposed through antivirus or other endpoint defense detections and would proactively try to nullify these tools with antivirus blocking tools or by uninstalling antivirus from a privileged account. 

Example of an Actor using PowerShell to try and uninstall Windows Defender

Carbon Black monitors numerous techniques that fall into the defense evasion category. The graph below is data solely from AMSI-based detections; historically attempting to unload AMSI via reflection is the most popular PowerShell defense evasion technique observed.

Source: Carbon Black AMSI data

In other cases, ransomware operators will try to work around endpoint defenses. For example, in one ransomware attack at a health and public services company, the threat actors executed a Cobalt Strike payload. However, the execution sequence was detected by Windows Defender and quarantined accordingly. After about two days of triggering Windows Defender detections, the threat actor pivoted to the use of another open-source tool called Koadic. This tool is also a Windows Post-Exploitation rootkit that utilizes Windows Script Host; however, it creates small payloads executed in memory which can be less noise-generating. Throughout the engagement, the threat actor continued to monitor the endpoint detections and would pivot to new tools or tactics in an attempt to avoid them.

Command and control

Often ransomware actors achieve command and control in one of two ways. First, the actor will leverage compromised credentials in combination with exposed RDP. Second, the attackers once again leverage the capabilities within Cobalt Strike to communicate externally. In one CIFR investigation, the ransomware actors used domain fronting to disguise the destination of their command and control.

Exfiltration

Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. In fact, nearly 40% of security professionals said double-extortion ransomware was the most observed new ransomware attack technique in 2020. By taking time to quietly exfiltrate sensitive information from the organization, cybercriminals gain incrementally significant leverage on their victim organizations, forcing organizations to not only pay to decrypt their content but also prevent potentially harmful data from being sold or otherwise publicly disclosed.

Ransomware groups will use a variety of methods to exfiltrate data, and this additional process will likely mean more TTR, leaving artifacts that can trigger detection and remediation efforts.

In one investigation, Accenture identified a ransomware gang use RClone to exfiltrate 2TB of data prior to executing Maze and Mountlocker ransomware. RClone is an open-source command line tool that allows the actors to sync files from the local disk to a cloud storage provider. During another investigation the ransomware actors downloaded and utilized curl.exe to maximize download capabilities and exfiltrate .bat files and a tmp.vbs file used to calculate disk space on the staging server.

Opportunities for Defenders

Accenture MDR Key Features:

  • Data Analysis: processing and analysis of log data from security controls, network infrastructure, and endpoints to identify events of interest.
  • 24/7 Alert Monitoring: 24×7 alert monitoring, analysis, identification, and escalation of incidents through industry-specific threat intelligence.
  • Highly Qualified Analyst Teams: client aligned specialists, including GIAC-certified Security Analysts, Service Delivery Leads, On-Boarding Engineers, and Senior Analysts
  • Customizable Service: a customizable set of processes, including client-specific security incident escalation and individualized incident severity tuning.
  • Anomaly Detection: anomalous traffic detection, data mining, and statistical analysis to identify known and previously unknown malicious activity.
  • Single Pane-of-Glass Customer Portal: a comprehensive view of all security incidents, devices, assets, and reporting through a self-service portal.
  • Threat Intelligence: visibility into threats impacting client specific industries and geographies, including specific attacker tools, tactics and procedures.
  • Rapid Proactive Response: active remediation based on pre-authorized actions for rapid response with access to incident response.

The above pre-ransomware tactics leave evidence that provides organizations with possible detection opportunities prior to the exfiltration of data and deployment of destructive malware. VMware and ACTI recommend implementing a managed detection and response (MDR) service like Accenture’s, which is a true multi-tenant, cloud-based service that provides extended threat detection and response via network monitoring, endpoint management, and remediation; security incident analysis; and escalation via a dedicated team of security experts. The Accenture MDR service helps secure the client’s endpoints, while leveraging their existing investments, with a managed endpoint detection and response service that provides an additional investigation of identified suspicious endpoint-based activities, and enhanced context, threat hunting and proactive responses.

Additionally, Accenture and VMware advise optimizing for the detection opportunities below:

MITRE ATT&CK Tactic MITRE ATT&CK Technique Detection Opportunity
Initial Access T1189: Drive-by Compromise T1566: Phishing  
T1133: External Remote Services  
T1078: Valid Accounts
Monitor antivirus and Intrusion Detection/Prevention detections.

Scrutinize PowerShell logs for obfuscated commands and command-line arguments.  

Prevent installation of legacy PowerShell versions as well as the execution of Base64-encoded commands.  

Monitor for anomalous log-in activity such as multiple log-in attempts, log-in outside of business hours, etc.    

Execution
T1059: Command and Scripting Interpreter T1569.002: Service Execution  
T1047: Windows Management Instrumentation  

T1559: Inter-Process Communication
Monitor for potentially suspicious command-line activity including parameters for security tool service modifications, anomalous process executions, or encoded commands.  

Monitor Windows event logs for service creation and modification, registry changes, and command-line parameters of files and processes.  

Monitor for host browser process anomalies including suspicious file writes and process injections.  

Review PowerShell logs to search for loading or execution of artifacts.  

Monitor network traffic for Windows Management Instrumentation (WMI) connections and investigate any suspicious connections.  

Review command-line arguments for use of “wmic” or other indicators of remote behavior.  

Track any unauthorized or unusual loading of DLL files.
Persistence T1078: Valid Accounts  

T1543: Create or Modify System Process
T1543.003: Windows Services  
T1053: Scheduled Task  

T1547: Boot or Logon Autostart Execution
T1547.001: Registry Run Keys / Startup Folders  

T1133: External Remote Services  

T1037: Boot or Logon Initialization Scripts T1037.003: Network Logon ScriptT1037.005: Startup Items  
Investigate parental processes to determine the process tree and identify binaries for subsequent analysis.

Audit system settings for potential unknown autostart execution configurations.  

Monitor systems for abnormal process behavior and processes loading malicious DLLs.

Monitor logon scripts for unusual access to accounts outside of regular or expected time periods.

Monitor for unexpected new system processes or changes that are unrelated to scheduled activity such as patches and software updates.

Monitor for suspicious activity relating to user accounts, such as the sharing of accounts or access outside of usual business hours.  
Privilege Escalation T1055: Process Injection T1055.001: Dynamic-link Library Injection
T1055.012: Process Hollowing

T1548: Abuse Elevation Control Mechanism T1548.002: Bypass UAC  

T1078: Valid Accounts  

T1543: Create or Modify System Process
T1543.003: Windows Service
Monitor events of files commonly used in process injection, such as DLLs and PEs, that are not recognized or normally loaded into processes.

Monitor for malicious PowerShell modules like PowerSploit (Invoke-Mimikatz).  

Monitor Active Directory for unusual changes or requests.  

Regularly check for system process modification using commands or executables in service file names, anomalous service creations, and unsigned binaries in image paths.  

Monitor for use of unsigned applications or those not from trusted repositories.

Monitor for suspicious activity relating to user accounts, such as the sharing of accounts or access outside of usual business hours.
Defense Evasion T1562: Impair Defenses T1562.001: Disable or Modify Tools  

T1550: Use Alternate Authentication Material T1550.002: Pass the Hash  

T1036: Masquerading  

T1112: Modify Registry  

T1553: Subvert Trust Controls T1553.002: Code Signing  

T1027: Obfuscated Files or Information
T1027.003: Steganography
T1027.005: Indicator Removal from Tools  

T1140: Deobfuscate/Decode Files or Information  

T1218: Signed Binary Proxy Execution
T1218.011: Rundll32
T1218.005: Mshta
T1218.010: Regsvr32
Monitor activity of processes and command-line arguments that may relate to disabling or terminating security tools and logging services, scripts, and system utilities used to deobfuscate/decode files and information, or activity indicating proxy execution of malicious files.  

Regularly audit and monitor account activity that may indicate unauthorized access or account sharing

Monitor files by their hashes to identify any suspicious changes to filenames that may indicate. masquerading.

Monitor the registry for unfamiliar changes such as newly added startup processes and modified binary paths.  

Analyze signing certificates of software to identify unusual certificates that may indicate malicious activity.

Use and configure antivirus and antimalware solutions to identify and analyze commands that may relate to obfuscating files or information.  

Investigate and analyze security events relating to file obfuscation for any malicious activity that may have gone undetected.  

Implement host and network rules to detect commonly used deobfuscation/decoding techniques.
Credential Access T1558: Steal or Forge Kerberos Tickets T1558.001: Golden Ticket
T1558.002: Silver Ticket
T1558.003: Kerberoasting

T1003: OS Credential Dumping
T1003.001: LSASS Memory
T1003.002: Security Account Manager
T1003.003: NTDS
T1003.006: DCSync  

T1552: Unsecured Credentials
T1552.001: Credentials in Files  
Monitor for suspicious activity on networks that may indicate the stealing or forging of Kerberos tickets.  

Monitor for suspicious LSASS.exe executions or unusual processes interacting with LSASS, SAM.

Monitor for malicious PowerShell modules like PowerSploit (Invoke-Mimikatz).  

Monitor command line activity for indications of password searches (for example, searching for keywords “password, pwd, login, credentials”).
Lateral Movement T1550: Use Alternate Authentication
Material
T1550.002: Pass the Hash
T1550.003: Pass the Ticket  
T1570: Lateral Tool Transfer  

T1072: Software Deployment Tools  

T1210: Exploitation of Remote Services  

T1021: Remote Services T1021.001: Remote Desktop Protocol
T1021.002: SMB/Windows Admin Shares
T1021.006: Windows Remote Management
Look for anomalous activity from non-privileged accounts, particularly monitoring for the use of LoLbins.  

Monitor remote logins, access patterns, and activity.

Investigate “impossible logins” – user logins from geographically dispersed IP addresses (although VPN use could cause false positives).  

Scrutinize command-line arguments associated with network share mounting and remote access tools.  

Intrusion prevention and detection systems should be used to identify file transfers through the network.
Command and Control T1102: Web Services  

T1573: Encrypted Channel

T1132: Data Encoding  

T1090: Proxy
T1090.004: Domain Fronting  

T1219: Remote Access Software  

T1105: Ingress Tool Transfer  

T1071: Application Layer Protocol
T1071.001: Web Protocols
T1072.004: DNS  
Monitor for uncommon data flows.  

Watch for processes that do not normally have network access.  

Monitor the SNI field of TLS headers and the host field in HTTP headers, check domains against a block/allow list, and identify beaconing activity.  

Use network intrusion detection and prevention systems that use network signatures to identify traffic.  

Monitor the use and activity of utilities such as FTP that are not typical in the network environment.  

Filter network traffic to prevent the accessing of anonymity networks and inspect traffic for indications of potential domain fronting.
Exfiltration T1029: Scheduled Transfer  

T1048: Exfiltration Over Alternate Protocol  

T1041: Exfiltration Over C2 Channel  

T1567: Exfiltration Over Web Service T1567.002 Exfiltration to Cloud Storage
Identify anomalies in network activity associated with known binaries, analyze uncommon data flows, and packet inspection for misuse of protocol to port behaviors.

Monitor environment and network activity for suspicious or unknown processes and scripts that appear to be traversing file systems or sending network traffic.  

Monitor for unusual network activity and analyze packet contents that do not use standard ports or expected protocol behavior.  

Analyze unknown network connections to the same destination that occur regularly at the same time of day.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.