Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)
BY eSentire Threat Response Unit (TRU)
November 30, 2022 | 8 MINS READ
Recently, eSentire’s Security Operations Center responded to a ransomware attack in progress. The attack was identified, triaged, and quickly escalated to our Tier 3 SOC team who engaged the Threat Response Unit (TRU) to assist.
Over the course of several hours, SOC and TRU worked to disrupt the attack by blocking the adversary’s tools, containing the impacted systems, and reversing the encryption process.
The cyberattack began with the use of compromised, privileged domain accounts from a compromised system where our endpoint agent wasn’t installed. We assess the adversary had remote access to this system and used it as a beachhead for attacks throughout the network. Due to lack of visibility into this host, we only detected the attack in its later stages once it affected assets where we had telemetry.
Using a combination of remote desktop (RDP), Windows Management Instrumentation (WMI) and PsExec, the adversary’s goal was the following on workstations and servers:
Using compromised privileged accounts, the adversary copied and attempted to execute “test.bat” across over 250 workstations and servers (Figure 1).
The batch file performs the following actions:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
(clears Group Policy settings for BitLocker).On a smaller subset of systems, PowerShell was used to install BitLocker and forcibly reboot the system:
Powershell -command install-windowsfeature bitlocker -restart
shutdown -r -t 0 -f
This was performed using a batch file named “copys.bat” or manually using the command prompt. Both “test.bat” and “copys.bat” were written to the c:\windows\ directory (Figure 2).
To initiate the BitLocker encryption, BitLocker’s Drive Encryption command-line tool manage-bde was used to encrypt volumes with a unique recovery password (replaced with xxxxxx… in the example) on each host:
manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -UsedSpaceOnly -sk C:\ -s
On workstations, this was done in an automated fashion using a script that attempts the command on all drive volumes. For servers, it appears the adversary manually executed a slightly different command which also removed volume shadow copies:
manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -sk C:\ -s -used -RemoveVolumeShadowCopies
Jetico’s BestCrypt (MD5 hash: 8DFEAAF7351F695024ED3604A4985E98) software was only observed on a subset of Windows servers that appeared to be configured as file servers. On each host, a staging directory was created under c:\crypt\ then populated with the BestCrypt executable and drivers. The files were copied from the staging host over SMB (Figure 3).
BestCrypt was executed via an RDP session and configured using the graphical interface. The success rate for this encryption method wasn’t immediately clear. The team identified BestCrypt rescue files on only a few hosts, possibly indicating successful encryption, although files on attached drives were still accessible via our endpoint agent.
In keeping with typical data extortion attacks, a ransom note titled “readme.txt” was left in several directories on a subset of impacted systems (Figure 4). The note simply provides a contact email and demands an unspecified amount from the victim to restore their files.
The Tactics, Techniques and Procedures (TTPs) observed in this case generally align with several public observations that identify this threat as DeepBlueMagic, “UNRANSOMWARE” or KalajaTomorr. These include:
The activity was first identified by MDR for Endpoint using detection content created by eSentire’s Threat Response Unit (TRU).
Our team of 24/7 SOC Cyber Analysts first identified the attack when detection content authored by our Threat Response Unit (TRU) identified unusual movement of encryption tools across several assets. Since tools such as BitLocker or BestCrypt can both be used legitimately to protect data, some analysis was needed to contextualize the signals and determine intent.
The encryption software was copied in a manner matching public mentions of ransomware activity, notably the use of the “c:\crypt\” folder for staging files (see Figure 3).
A critical alert was sent to the customer, along with a list of hosts where the activity was being observed. The incident was escalated to Tier 3 analysts and TRU was brought on to assist.
Working in coordination, team members quickly scoped the intrusion and identified the adversary’s activity across more than 250 workstations and servers. The team blocked the BestCrypt executable across all endpoints, and isolated impacted systems (where customer documentation permitted) from the rest of the network.
The team identified the adversary’s “test.bat” batch file, which was deployed to over 250 systems, then reduced that to a smaller number of systems where the batch file executed successfully. Fortunately, the batch file was configured to delay shutdown by 2 hours while BitLocker encryption was in progress, providing a window for the team to reverse the process. Using Live Response on endpoint agents, team members first executed commands on impacted hosts to abort the shutdown.
To reverse the BitLocker encryption action, team members used the manage-bde –off
command to decrypt affected volumes and turn off BitLocker. While the recovery passwords were captured in our endpoint telemetry, it wasn’t required to decrypt the drives, likely given the system reboot had been aborted.
While BitLocker encryption was deployed using a combination of automated scripts and manual actions by the adversary, the BestCrypt software was deployed exclusively to a small subset of Windows servers manually using RDP and encrypted using the BestCrypt GUI utility. Of these assets, we assess only a handful were encrypted successfully.
Finally, the team joined a war-room with the customer to brief them on the scope of the intrusion, including compromised accounts and assets and actions taken by the team.
Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible. Therefore, we recommend:
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.