Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
eSentire will be a Sponsor at the NetDeligence Cyber Risk Summit in Fort…
eSentire will be a Sponsor at the NetDeligence Cyber Risk Summit in…
eSentire is an exhibitor at RSAC 2023. Visit us at Booth 0535.
Recently, eSentire’s Security Operations Center responded to a ransomware attack in progress. The attack was identified, triaged, and quickly escalated to our Tier 3 SOC team who engaged the Threat Response Unit (TRU) to assist.
Over the course of several hours, SOC and TRU worked to disrupt the attack by blocking the adversary’s tools, containing the impacted systems, and reversing the encryption process.
The cyberattack began with the use of compromised, privileged domain accounts from a compromised system where our endpoint agent wasn’t installed. We assess the adversary had remote access to this system and used it as a beachhead for attacks throughout the network. Due to lack of visibility into this host, we only detected the attack in its later stages once it affected assets where we had telemetry.
Using a combination of remote desktop (RDP), Windows Management Instrumentation (WMI) and PsExec, the adversary’s goal was the following on workstations and servers:
Using compromised privileged accounts, the adversary copied and attempted to execute “test.bat” across over 250 workstations and servers (Figure 1).
The batch file performs the following actions:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE(clears Group Policy settings for BitLocker).
On a smaller subset of systems, PowerShell was used to install BitLocker and forcibly reboot the system:
Powershell -command install-windowsfeature bitlocker -restart
shutdown -r -t 0 -f
This was performed using a batch file named “copys.bat” or manually using the command prompt. Both “test.bat” and “copys.bat” were written to the c:\windows\ directory (Figure 2).
To initiate the BitLocker encryption, BitLocker’s Drive Encryption command-line tool manage-bde was used to encrypt volumes with a unique recovery password (replaced with xxxxxx… in the example) on each host:
manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -UsedSpaceOnly -sk C:\ -s
On workstations, this was done in an automated fashion using a script that attempts the command on all drive volumes. For servers, it appears the adversary manually executed a slightly different command which also removed volume shadow copies:
manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -sk C:\ -s -used -RemoveVolumeShadowCopies
Jetico’s BestCrypt (MD5 hash: 8DFEAAF7351F695024ED3604A4985E98) software was only observed on a subset of Windows servers that appeared to be configured as file servers. On each host, a staging directory was created under c:\crypt\ then populated with the BestCrypt executable and drivers. The files were copied from the staging host over SMB (Figure 3).
BestCrypt was executed via an RDP session and configured using the graphical interface. The success rate for this encryption method wasn’t immediately clear. The team identified BestCrypt rescue files on only a few hosts, possibly indicating successful encryption, although files on attached drives were still accessible via our endpoint agent.
In keeping with typical data extortion attacks, a ransom note titled “readme.txt” was left in several directories on a subset of impacted systems (Figure 4). The note simply provides a contact email and demands an unspecified amount from the victim to restore their files.
The Tactics, Techniques and Procedures (TTPs) observed in this case generally align with several public observations that identify this threat as DeepBlueMagic, “UNRANSOMWARE” or KalajaTomorr. These include:
The activity was first identified by MDR for Endpoint using detection content created by eSentire’s Threat Response Unit (TRU).
Our team of 24/7 SOC Cyber Analysts first identified the attack when detection content authored by our Threat Response Unit (TRU) identified unusual movement of encryption tools across several assets. Since tools such as BitLocker or BestCrypt can both be used legitimately to protect data, some analysis was needed to contextualize the signals and determine intent.
The encryption software was copied in a manner matching public mentions of ransomware activity, notably the use of the “c:\crypt\” folder for staging files (see Figure 3).
A critical alert was sent to the customer, along with a list of hosts where the activity was being observed. The incident was escalated to Tier 3 analysts and TRU was brought on to assist.
Working in coordination, team members quickly scoped the intrusion and identified the adversary’s activity across more than 250 workstations and servers. The team blocked the BestCrypt executable across all endpoints, and isolated impacted systems (where customer documentation permitted) from the rest of the network.
The team identified the adversary’s “test.bat” batch file, which was deployed to over 250 systems, then reduced that to a smaller number of systems where the batch file executed successfully. Fortunately, the batch file was configured to delay shutdown by 2 hours while BitLocker encryption was in progress, providing a window for the team to reverse the process. Using Live Response on endpoint agents, team members first executed commands on impacted hosts to abort the shutdown.
To reverse the BitLocker encryption action, team members used the
manage-bde –off command to decrypt affected volumes and turn off BitLocker. While the recovery passwords were captured in our endpoint telemetry, it wasn’t required to decrypt the drives, likely given the system reboot had been aborted.
While BitLocker encryption was deployed using a combination of automated scripts and manual actions by the adversary, the BestCrypt software was deployed exclusively to a small subset of Windows servers manually using RDP and encrypted using the BestCrypt GUI utility. Of these assets, we assess only a handful were encrypted successfully.
Finally, the team joined a war-room with the customer to brief them on the scope of the intrusion, including compromised accounts and assets and actions taken by the team.
Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible. Therefore, we recommend:
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.