What We Do
How We Do
Resources
Company
Partners
Get Started
Blog

TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)

Disrupting an Active Ransomware Attack Over the Course of Hours

BY eSentire Threat Response Unit (TRU)

November 30, 2022 | 8 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Recently, eSentire’s Security Operations Center responded to a ransomware attack in progress. The attack was identified, triaged, and quickly escalated to our Tier 3 SOC team who engaged the Threat Response Unit (TRU) to assist.

Over the course of several hours, SOC and TRU worked to disrupt the attack by blocking the adversary’s tools, containing the impacted systems, and reversing the encryption process.

Overview of the Ransomware Attack

The cyberattack began with the use of compromised, privileged domain accounts from a compromised system where our endpoint agent wasn’t installed. We assess the adversary had remote access to this system and used it as a beachhead for attacks throughout the network. Due to lack of visibility into this host, we only detected the attack in its later stages once it affected assets where we had telemetry.

Using a combination of remote desktop (RDP), Windows Management Instrumentation (WMI) and PsExec, the adversary’s goal was the following on workstations and servers:

  1. Enable and configure Windows BitLocker to disable backup and recovery features.
  2. Use BitLocker to encrypt attached drives using a randomized password for each host.
  3. On file servers, copy Jetico’s BestCrypt Volume Encryption Manager software from the staging host and encrypt attached drives.
  4. Drop a ransom note (“readme.txt”) on the system.
  5. Disable all administrator accounts.

BitLocker Installation, Configuration and Encryption

Using compromised privileged accounts, the adversary copied and attempted to execute “test.bat” across over 250 workstations and servers (Figure 1).

Figure 1 "test.bat" batch file. Comments in green added for clarity.


The batch file performs the following actions:

  1. It deletes the existing registry subkey or entry without prompting for confirmation for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE (clears Group Policy settings for BitLocker).
  2. It modifies the BitLocker policy via several registry changes:
    1. Configures the BitLocker policy to require additional authentication at startup.
    2. Allows BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
    3. Disables backup to AD DS.
    4. Disables startup with TMP PIN.
    5. Uses a custom recovery message. In this case the message translates to “Effective core slanting, slanting, evil, slack, slack, core, threat, evil, writing evil salary, threatening, unloading, slack, slack”.
  3. It restarts the system in 120 minutes.
  4. Lastly, it registers cscript.exe as the default script host for running scripts and saves the current command-prompt options for the current user.

On a smaller subset of systems, PowerShell was used to install BitLocker and forcibly reboot the system:

Powershell -command install-windowsfeature bitlocker -restart
shutdown -r -t 0 -f

This was performed using a batch file named “copys.bat” or manually using the command prompt. Both “test.bat” and “copys.bat” were written to the c:\windows\ directory (Figure 2).

To initiate the BitLocker encryption, BitLocker’s Drive Encryption command-line tool manage-bde was used to encrypt volumes with a unique recovery password (replaced with xxxxxx… in the example) on each host:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -UsedSpaceOnly -sk C:\ -s

On workstations, this was done in an automated fashion using a script that attempts the command on all drive volumes. For servers, it appears the adversary manually executed a slightly different command which also removed volume shadow copies:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -sk C:\ -s -used -RemoveVolumeShadowCopies

Figure 2 Sample of executed BitLocker commands.

BestCrypt Encryption

Jetico’s BestCrypt (MD5 hash: 8DFEAAF7351F695024ED3604A4985E98) software was only observed on a subset of Windows servers that appeared to be configured as file servers. On each host, a staging directory was created under c:\crypt\ then populated with the BestCrypt executable and drivers. The files were copied from the staging host over SMB (Figure 3).

Figure 3 BestCrypt files copied via SMB.


BestCrypt was executed via an RDP session and configured using the graphical interface. The success rate for this encryption method wasn’t immediately clear. The team identified BestCrypt rescue files on only a few hosts, possibly indicating successful encryption, although files on attached drives were still accessible via our endpoint agent.

In keeping with typical data extortion attacks, a ransom note titled “readme.txt” was left in several directories on a subset of impacted systems (Figure 4). The note simply provides a contact email and demands an unspecified amount from the victim to restore their files.

Figure 4 “readme.txt” ransom note.

Similarities to Known Ransomware Activity

The Tactics, Techniques and Procedures (TTPs) observed in this case generally align with several public observations that identify this threat as DeepBlueMagic, “UNRANSOMWARE” or KalajaTomorr. These include:

How did we find it?

The activity was first identified by MDR for Endpoint using detection content created by eSentire’s Threat Response Unit (TRU).

What did we do?

Our team of 24/7 SOC Cyber Analysts first identified the attack when detection content authored by our Threat Response Unit (TRU) identified unusual movement of encryption tools across several assets. Since tools such as BitLocker or BestCrypt can both be used legitimately to protect data, some analysis was needed to contextualize the signals and determine intent.

The encryption software was copied in a manner matching public mentions of ransomware activity, notably the use of the “c:\crypt\” folder for staging files (see Figure 3).

A critical alert was sent to the customer, along with a list of hosts where the activity was being observed. The incident was escalated to Tier 3 analysts and TRU was brought on to assist.

Working in coordination, team members quickly scoped the intrusion and identified the adversary’s activity across more than 250 workstations and servers. The team blocked the BestCrypt executable across all endpoints, and isolated impacted systems (where customer documentation permitted) from the rest of the network.

The team identified the adversary’s “test.bat” batch file, which was deployed to over 250 systems, then reduced that to a smaller number of systems where the batch file executed successfully. Fortunately, the batch file was configured to delay shutdown by 2 hours while BitLocker encryption was in progress, providing a window for the team to reverse the process. Using Live Response on endpoint agents, team members first executed commands on impacted hosts to abort the shutdown.

To reverse the BitLocker encryption action, team members used the manage-bde –off command to decrypt affected volumes and turn off BitLocker. While the recovery passwords were captured in our endpoint telemetry, it wasn’t required to decrypt the drives, likely given the system reboot had been aborted.

While BitLocker encryption was deployed using a combination of automated scripts and manual actions by the adversary, the BestCrypt software was deployed exclusively to a small subset of Windows servers manually using RDP and encrypted using the BestCrypt GUI utility. Of these assets, we assess only a handful were encrypted successfully.

Finally, the team joined a war-room with the customer to brief them on the scope of the intrusion, including compromised accounts and assets and actions taken by the team.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible. Therefore, we recommend:

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire