Security organizations need their employees to think like adversaries — it could be the best form of defense.
As healthcare and election security collided this week, security researchers have been breaking down the Ryuk ransomware strain and its likely execution path. Reactionary response is usually too late when it comes to ransomware, and "pulling the plug" to stop a spread is an unrealistic tactic.
"A lot of these attack vectors are things you should be testing now," said Charles Henderson, global head of X-Force Red at IBM Security, while speaking on a webcast Monday. It's basic security hygiene.
Federal agencies issued an alert for Ryuk and threat group UNC1878 targeting healthcare organizations Oct. 28. Ryuk's dwell time is shrinking, and the group targets about 20 organizations per week, according to IBM.
But Ryuk is a commodity malware, available to anyone.
"It's very easy to point out that there are phishing deficiencies in healthcare organizations. But the truth is that phishing is a pretty effective attack vector across all industries," said Henderson.
After falling off the radar for the better part of 2020, Ryuk's infection strategy evolved. Here are the typical steps leading up to a Ryuk execution:
Initial access
Phishing and spearphishing remain king. The UNC1878 threat group typically relies on gaining access by leveraging and repurposing online marketing platform SendGrid. "Generally, they're going to make it through perimeter security devices, because they're not necessarily nefarious in nature, they're not going to be on spam block lists," said Chris Sperry, manager of X-Force Threat Research at IBM Security, while speaking on the webcast.
The emails, if sent with a Google Doc link for example, can make it past detection mechanisms. "It's very hard to protect against legitimate traffic with legitimate links sent through your premier devices," he said.
Even attachments with a double extension and ending in ".ext" can circumvent filters because they're not actually attached to the messages, said Sperry. "Otherwise, you would think a double extension attachment like that would likely be detected on the inbound ingress to the mail server with any basic security solution applied."
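The double-extension attachment Sperry describes is a check a mail gateway or a post-delivery triage script can run on its own. The following Python is an added example, not code from the article or from IBM; the log of attachment names is constructed, and the list of "executable" extensions is my own assumption about what should never arrive unflagged.

```python
import re

# Final extensions that execute when opened. This list is an assumption for the
# example, not a list from the article; tune it to what your gateway blocks.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "lnk",
}

# Constructed sample of attachment names as a triage script might see them.
SAMPLE_ATTACHMENTS = [
    "Q3_report.pdf",            # benign single extension
    "invoice_10421.pdf.exe",    # classic double extension
    "archive.tar.gz",           # double extension, but not executable
    "Scan_0042.PDF   .scr",     # whitespace padding to hide the real extension
    "setup.exe",                # executable, but only one extension
    "README",                   # no extension at all
]


def extensions(filename):
    """Return the lower-cased extension chain after the base name, e.g.
    'a.pdf.exe' -> ['pdf', 'exe']. Whitespace inside parts is removed so
    padding tricks like 'file.pdf   .scr' still split cleanly."""
    parts = [re.sub(r"\s+", "", p).lower() for p in filename.strip().split(".")]
    return [p for p in parts[1:] if p]


def attachment_findings(filename):
    """List the reasons a filename should be held for review (empty if none)."""
    exts = extensions(filename)
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
        if len(exts) >= 2:
            # e.g. invoice.pdf.exe: the visible 'pdf' is a decoy for the real type
            findings.append("double-extension")
    return findings


def triage_attachments(filenames):
    """Map each flagged filename to its findings; unflagged names are omitted."""
    return {f: attachment_findings(f) for f in filenames if attachment_findings(f)}


if __name__ == "__main__":
    for name, why in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"HOLD {name!r}: {', '.join(why)}")
```

The double-extension test is deliberately applied on top of the plain executable-extension test: a gateway that only looks at the last extension catches `setup.exe` but is exactly what the `.pdf.exe` trick is designed to slip past when the file is delivered by link rather than as a true attachment, which is why the same check belongs wherever downloaded files are first seen.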
As soon as the link is clicked, the BazarLoader or BazarBackdoor will be dumped into a system and phone home. It's the central infiltration tool for UNC1878, and newer than Emotet and Trickbot.
The commodity malware uses EmerDNS, which is decentralized, blockchain-based and rarely monitored, according to Sperry. "I'm not sure how many people are really detecting alternative DNS such as EmerDNS." It also uses alternative domains when communicating with its C2.
To defend against an alternate DNS, companies can use egress filtering to block the port EmerDNS uses. However, when relying on egress filtering, some organizations "confuse deterrence and prevention," said Henderson.
"I think the general logging or blocking of this proprietary protocol is probably the most optimal way," said Sperry.
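Logging is the part of Sperry's advice that most organizations can act on immediately, even before a port block is agreed. The Python below is an added example, not code from the article or from IBM, showing the two checks a defender would run over DNS and firewall logs: lookups for names under EmerDNS root zones, and DNS traffic leaving the network toward anything other than the approved resolvers. The log format, the hosts, the approved resolver addresses and the DNS port list are all constructed for the example; the EmerDNS zone names (.bazar, .coin, .emc, .lib) come from public Emercoin documentation, not from the article.

```python
import re

# EmerDNS root zones, per public Emercoin documentation (not from the article).
EMERDNS_ZONES = {"bazar", "coin", "emc", "lib"}

# Assumption for the example: the only resolvers internal hosts may talk to.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumption for the example: ports we treat as DNS egress (plain and DoT).
DNS_PORTS = {53, 853}

# Constructed log lines in a simple key=value format; 'query' is present only
# on lines produced by a DNS sensor, firewall lines omit it.
SAMPLE_LOG = [
    "2020-10-29T14:02:11Z src=10.0.5.23 dst=10.0.0.53 dport=53 proto=udp query=www.example.com",
    "2020-10-29T14:02:13Z src=10.0.5.23 dst=10.0.0.53 dport=53 proto=udp query=update-host.bazar",
    "2020-10-29T14:02:15Z src=10.0.5.40 dst=198.51.100.7 dport=53 proto=udp query=cdn-node.lib",
    "2020-10-29T14:02:18Z src=10.0.5.40 dst=203.0.113.10 dport=443 proto=tcp",
    "this line is not a log record and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" proto=(?P<proto>\w+)(?: query=(?P<query>\S+))?$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def root_zone(name):
    """'update-host.bazar.' -> 'bazar'; the trailing dot of FQDNs is ignored."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def analyze(lines):
    """Return (src_host, alert_type, detail) tuples in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Check 1: a name under an EmerDNS zone should never resolve on a
        # corporate resolver; even the attempt is worth an alert.
        if rec["query"] and root_zone(rec["query"]) in EMERDNS_ZONES:
            alerts.append((rec["src"], "emerdns-zone-lookup", rec["query"]))
        # Check 2: DNS leaving the network to a resolver we do not operate,
        # the path a client uses to reach alternative-DNS infrastructure.
        if rec["dport"] in DNS_PORTS and rec["dst"] not in APPROVED_RESOLVERS:
            alerts.append((rec["src"], "dns-egress-to-unapproved-resolver", rec["dst"]))
    return alerts


def hosts_to_review(lines):
    """Sorted list of internal hosts with at least one alert."""
    return sorted({src for src, _, _ in analyze(lines)})


if __name__ == "__main__":
    for src, kind, detail in analyze(SAMPLE_LOG):
        print(f"{src}: {kind} ({detail})")
```

The second check is what turns an egress block into something measurable: once port 53/853 is only permitted to the approved resolvers, every hit on `dns-egress-to-unapproved-resolver` is a host that tried to go around the control, which is the distinction between deterrence and prevention Henderson draws.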
Cobalt Strike
Red teams and adversaries alike rely on Cobalt Strike. It allows intruders to map out the environment and to use Mimikatz, LaZagne or Kerbrute to obtain passwords.
The bad actors are "collecting the information that they need to essentially pre-populate a targeting file or a number of targeting files," said Sperry. These batch files help propagate Ryuk using Windows Management Instrumentation (WMI) or PowerShell.
It's "interesting with this group to see a crossover in terms of their tools, they're generally signed by certificate," which is indicative of the operators' intentions, said Sperry. IBM found overlap in code signing certificates between Cobalt Strike Beacon and Ryuk.
Until caught, bad actors can impersonate enough "legitimate company information" to obtain a code signing certificate, which provides them means to initiate the attack.
Where to focus
There is no universal solution for ransomware prevention, and even simulated phishing campaigns for employee awareness and deterrence fall short. Instead, companies should try to measure what percentage of failure they face while factoring in human error.
"The simple fact is, if you're relying on training to save you, eventually you're going to have a major issue," said Henderson. "I don't think many CISOs would claim to have solved the phishing problem just quite yet."
For backups, the DHS's CISA recommends the "3-2-1" rule, which says "three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline."
Even if a company has sufficient backups, ransomware operations have evolved to include data exfiltration, changing how companies respond to an attack.
Reacting to an attack shouldn't be a security organization's first taste of ransomware. Mitigation goes beyond pen testing and threat intelligence testing, and into red team testing. "It's a bit like playing whack a mole … As you hit one, three more will pop up," said Henderson.
Cyberattack simulations better prepare an organization to think like an attacker, otherwise the security organization remains reactionary. "Because most organizations have a high number of unpatched vulnerabilities, they're not going to get to zero vulnerabilities anytime soon," said Henderson. Organizations have to move beyond the "find a flaw, fix a flaw" mindset and think like an adversary, otherwise it becomes "a matter of IT controls rather than security controls."