What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Jan 19, 2023
Increased Activity in Google Ads Distributing Information Stealers
THE THREAT On January 18th, 2023, eSentire Threat Intelligence identified multiple reports, both externally and internally, containing information on an ongoing increase in Google advertisements…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Dec 13, 2022
eSentire Named First Managed Detection and Response Partner by Global Insurance Provider Coalition
Waterloo, ON – December 13, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced it has been named the first global MDR partner by Coalition, the world’s first Active Insurance provider designed to prevent digital risk before it strikes. Like Coalition, eSentire is committed to putting their customers’ businesses ahead of disruption by improving their…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Nov 30, 2022

TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)

Disrupting an Active Ransomware Attack Over the Course of Hours

8 minutes read
Speak With A Security Expert Now

Recently, eSentire’s Security Operations Center responded to a ransomware attack in progress. The attack was identified, triaged, and quickly escalated to our Tier 3 SOC team who engaged the Threat Response Unit (TRU) to assist.

Over the course of several hours, SOC and TRU worked to disrupt the attack by blocking the adversary’s tools, containing the impacted systems, and reversing the encryption process.

Overview of the Ransomware Attack

The cyberattack began with the use of compromised, privileged domain accounts from a compromised system where our endpoint agent wasn’t installed. We assess the adversary had remote access to this system and used it as a beachhead for attacks throughout the network. Due to lack of visibility into this host, we only detected the attack in its later stages once it affected assets where we had telemetry.

Using a combination of remote desktop (RDP), Windows Management Instrumentation (WMI) and PsExec, the adversary’s goal was the following on workstations and servers:

  1. Enable and configure Windows BitLocker to disable backup and recovery features.
  2. Use BitLocker to encrypt attached drives using a randomized password for each host.
  3. On file servers, copy Jetico’s BestCrypt Volume Encryption Manager software from the staging host and encrypt attached drives.
  4. Drop a ransom note (“readme.txt”) on the system.
  5. Disable all administrator accounts.

BitLocker Installation, Configuration and Encryption

Using compromised privileged accounts, the adversary copied and attempted to execute “test.bat” across over 250 workstations and servers (Figure 1).

Figure 1 "test.bat" batch file. Comments in green added for clarity.


The batch file performs the following actions:

  1. It deletes the existing registry subkey or entry without prompting for confirmation for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE (clears Group Policy settings for BitLocker).
  2. It modifies the BitLocker policy via several registry changes:
    1. Configures the BitLocker policy to require additional authentication at startup.
    2. Allows BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
    3. Disables backup to AD DS.
    4. Disables startup with TMP PIN.
    5. Uses a custom recovery message. In this case the message translates to “Effective core slanting, slanting, evil, slack, slack, core, threat, evil, writing evil salary, threatening, unloading, slack, slack”.
  3. It restarts the system in 120 minutes.
  4. Lastly, it registers cscript.exe as the default script host for running scripts and saves the current command-prompt options for the current user.

On a smaller subset of systems, PowerShell was used to install BitLocker and forcibly reboot the system:

Powershell -command install-windowsfeature bitlocker -restart
shutdown -r -t 0 -f

This was performed using a batch file named “copys.bat” or manually using the command prompt. Both “test.bat” and “copys.bat” were written to the c:\windows\ directory (Figure 2).

To initiate the BitLocker encryption, BitLocker’s Drive Encryption command-line tool manage-bde was used to encrypt volumes with a unique recovery password (replaced with xxxxxx… in the example) on each host:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -UsedSpaceOnly -sk C:\ -s

On workstations, this was done in an automated fashion using a script that attempts the command on all drive volumes. For servers, it appears the adversary manually executed a slightly different command which also removed volume shadow copies:

manage-bde -on C: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -sk C:\ -s -used -RemoveVolumeShadowCopies

Figure 2 Sample of executed BitLocker commands.

BestCrypt Encryption

Jetico’s BestCrypt (MD5 hash: 8DFEAAF7351F695024ED3604A4985E98) software was only observed on a subset of Windows servers that appeared to be configured as file servers. On each host, a staging directory was created under c:\crypt\ then populated with the BestCrypt executable and drivers. The files were copied from the staging host over SMB (Figure 3).

Figure 3 BestCrypt files copied via SMB.


BestCrypt was executed via an RDP session and configured using the graphical interface. The success rate for this encryption method wasn’t immediately clear. The team identified BestCrypt rescue files on only a few hosts, possibly indicating successful encryption, although files on attached drives were still accessible via our endpoint agent.

In keeping with typical data extortion attacks, a ransom note titled “readme.txt” was left in several directories on a subset of impacted systems (Figure 4). The note simply provides a contact email and demands an unspecified amount from the victim to restore their files.

Figure 4 “readme.txt” ransom note.

Similarities to Known Ransomware Activity

The Tactics, Techniques and Procedures (TTPs) observed in this case generally align with several public observations that identify this threat as DeepBlueMagic, “UNRANSOMWARE” or KalajaTomorr. These include:

How did we find it?

The activity was first identified by MDR for Endpoint using detection content created by eSentire’s Threat Response Unit (TRU).

What did we do?

Our team of 24/7 SOC Cyber Analysts first identified the attack when detection content authored by our Threat Response Unit (TRU) identified unusual movement of encryption tools across several assets. Since tools such as BitLocker or BestCrypt can both be used legitimately to protect data, some analysis was needed to contextualize the signals and determine intent.

The encryption software was copied in a manner matching public mentions of ransomware activity, notably the use of the “c:\crypt\” folder for staging files (see Figure 3).

A critical alert was sent to the customer, along with a list of hosts where the activity was being observed. The incident was escalated to Tier 3 analysts and TRU was brought on to assist.

Working in coordination, team members quickly scoped the intrusion and identified the adversary’s activity across more than 250 workstations and servers. The team blocked the BestCrypt executable across all endpoints, and isolated impacted systems (where customer documentation permitted) from the rest of the network.

The team identified the adversary’s “test.bat” batch file, which was deployed to over 250 systems, then reduced that to a smaller number of systems where the batch file executed successfully. Fortunately, the batch file was configured to delay shutdown by 2 hours while BitLocker encryption was in progress, providing a window for the team to reverse the process. Using Live Response on endpoint agents, team members first executed commands on impacted hosts to abort the shutdown.

To reverse the BitLocker encryption action, team members used the manage-bde –off command to decrypt affected volumes and turn off BitLocker. While the recovery passwords were captured in our endpoint telemetry, it wasn’t required to decrypt the drives, likely given the system reboot had been aborted.

While BitLocker encryption was deployed using a combination of automated scripts and manual actions by the adversary, the BestCrypt software was deployed exclusively to a small subset of Windows servers manually using RDP and encrypted using the BestCrypt GUI utility. Of these assets, we assess only a handful were encrypted successfully.

Finally, the team joined a war-room with the customer to brief them on the scope of the intrusion, including compromised accounts and assets and actions taken by the team.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Ransomware deployment typically occurs in the final stages of attack once a privileged foothold is achieved in the target network. Stopping this from occurring requires a combination of preventative security controls and detection and response capabilities to identify and contain the threat as quickly as possible. Therefore, we recommend:

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.