Prevention, Detection, and Hunting Strategies for Ransomware

Mehmet Ergene
Published in Blu Raven
Nov 8, 2020

The recent spread of Ryuk ransomware in October showed that even big companies had critical gaps in their defenses. What surprised me is that everyone started talking only about detection, as if prevention were not possible at all. In this post, I’ll go through some common steps of these attacks and provide tactical strategies for prevention, detection, and hunting. These strategies are not specific to ransomware; they apply to many other types of attacks.

User opens a malicious attachment and clicks a link

Prevention

If URLs can be extracted from attachments, an email sandbox may prevent the attack by opening the URL, downloading the file, and analysing it. I think the current solutions don’t have this capability yet.

Detection & Hunting

When a user clicks a link in a document or in an email, the application (MS Office/PDF reader) creates a new web browser process that has the URL in its command line. You can hunt for web browser processes that have “http” (case insensitive) in the command line and an MS Office/PDF reader application as the parent. One thing to take into account: if Chrome is used to view PDF files, you won’t see a browser process with the URL in its command line. More details are here.
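The hunt described above, written out as an added example (not code from the original post): a filter over process-creation records that keeps browser launches whose parent is an Office or PDF application and whose command line contains “http”, then pulls the URL out for triage. The event records, parent/browser name lists and hosts are constructed for the example; the last record shows the Chrome/renderer case where no URL is present and nothing is flagged.

```python
import re

# Constructed process-creation events (not real telemetry). The fields mirror
# what EDR/Sysmon process-create records carry: parent image, image, command line.
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "process": "msedge.exe",
     "cmdline": "msedge.exe --single-argument https://drive.google.com/uc?id=EXAMPLE"},
    {"host": "ws01", "parent": "explorer.exe", "process": "msedge.exe",
     "cmdline": "msedge.exe https://intranet.example.invalid/"},
    {"host": "ws02", "parent": "AcroRd32.exe", "process": "chrome.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\chrome.exe" HTTP://EXAMPLE.INVALID/invoice'},
    {"host": "ws03", "parent": "WINWORD.EXE", "process": "msedge.exe",
     "cmdline": "msedge.exe --type=renderer --field-trial-handle=1234"},
]

# Parent applications that render documents and hand links to a browser
# (assumed list; extend it with whatever readers are deployed in your estate).
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def hunt_browser_spawned_by_reader(events):
    """Return browser launches whose parent is a document reader and whose
    command line carries a URL (case-insensitive 'http' check, as in the post)."""
    hits = []
    for ev in events:
        if ev["parent"].lower() not in DOCUMENT_READERS:
            continue
        if ev["process"].lower() not in BROWSERS:
            continue
        if "http" not in ev["cmdline"].lower():
            continue  # e.g. a renderer child with no URL: nothing to pivot on
        hits.append({
            "host": ev["host"],
            "parent": ev["parent"],
            "urls": URL_RE.findall(ev["cmdline"]),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_browser_spawned_by_reader(PROCESS_EVENTS):
        print(hit)
```

The extracted URL is the pivot for the next steps: check it against the proxy logs to see whether a download followed, and against threat intelligence for the domain.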

In template injection attacks, the Office application itself makes an unusual/rare network connection. As an example, MS Word connecting to Google Drive can be suspicious.

Clicking on a link makes a network connection (Google Drive), and a file (.exe, .dll, etc.) is downloaded

Prevention

Web content gateways apply filtering policies to users or to IPs. If the gateway allows access without authentication, the policy is enforced on the source IP; otherwise, the policy is enforced on the authenticated user.

Block .exe, .dll, and other potentially malicious file downloads for all web categories — except the ones required for business purposes (windows update, adobe update, etc.). Apply exceptions where needed (IT personnel, for example).

Block unauthenticated internet access except to specific destinations/web categories. Some applications don’t support proxy authentication, so you need to apply authentication exceptions for their particular destinations.

This is the most crucial part of prevention. Even if a user opens a malicious Word document, you can block the .exe download performed by a process spawned by MS Word: if that process authenticates to the gateway, the user’s content filtering policy is applied to it and the file download is blocked.

In short, create and maintain a strict web content filtering policy in your environment. Analyse business requirements and create several profiles. Then assign profiles to the computers/users based on business requirements.

Detection & Hunting

Investigate blocked web traffic periodically. It can be time-consuming, but if you keep investigating and excluding non-malicious blocked traffic, the time you spend on the investigation will eventually decrease.

Payload (Cobalt Strike) is dropped as a file (.exe, .dll, etc.)

Prevention

Same approach as for the .exe file download above: enforce a comprehensive and strict web content filtering policy.

Detection & Hunting

You can hunt for “file create” events that take place shortly after a network connection by the same process. Example: a .dll file created within one minute after the process makes a network connection.
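The temporal correlation above, as an added example that is not part of the original post: events are sorted by time, the most recent network connection is remembered per (host, process id), and a .dll/.exe creation by the same process within the window is reported together with the connection it followed. The event records are constructed; the window and extension list are parameters so the same logic can be tuned.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed endpoint telemetry (not real logs); one record per event.
EVENTS = [
    {"ts": ts("2020-10-20T09:00:00"), "type": "NetworkConnect", "host": "ws01",
     "pid": 4120, "process": "WINWORD.EXE", "detail": "203.0.113.10:443"},
    {"ts": ts("2020-10-20T09:00:35"), "type": "FileCreate", "host": "ws01",
     "pid": 4120, "process": "WINWORD.EXE",
     "detail": r"C:\Users\alice\AppData\Local\Temp\ld.dll"},
    {"ts": ts("2020-10-20T09:01:10"), "type": "FileCreate", "host": "ws01",
     "pid": 4120, "process": "WINWORD.EXE",
     "detail": r"C:\Users\alice\Documents\~$report.docx"},   # not a binary
    {"ts": ts("2020-10-20T09:10:00"), "type": "NetworkConnect", "host": "ws02",
     "pid": 880, "process": "OneDrive.exe", "detail": "198.51.100.7:443"},
    {"ts": ts("2020-10-20T09:15:00"), "type": "FileCreate", "host": "ws02",
     "pid": 880, "process": "OneDrive.exe",
     "detail": r"C:\Users\bob\OneDrive\tool.exe"},            # outside the window
    {"ts": ts("2020-10-20T09:20:00"), "type": "FileCreate", "host": "ws03",
     "pid": 500, "process": "explorer.exe",
     "detail": r"C:\Users\carol\Downloads\setup.exe"},        # no prior connection
]


def hunt_file_create_after_connection(events, window=timedelta(minutes=1),
                                      extensions=(".dll", ".exe")):
    """Binary file creations that follow a network connection by the same
    (host, pid) within `window`. Returns one record per match."""
    last_connection = {}   # (host, pid) -> most recent NetworkConnect event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "NetworkConnect":
            last_connection[key] = ev
        elif ev["type"] == "FileCreate" and ev["detail"].lower().endswith(extensions):
            conn = last_connection.get(key)
            if conn is not None and ev["ts"] - conn["ts"] <= window:
                hits.append({"host": ev["host"], "process": ev["process"], "pid": ev["pid"],
                             "remote": conn["detail"], "file": ev["detail"],
                             "delta_seconds": (ev["ts"] - conn["ts"]).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in hunt_file_create_after_connection(EVENTS):
        print(hit)
```

Two caveats when running this over real telemetry: process ids are reused, so key on the EDR’s process GUID instead of the pid where one is available, and processes that legitimately download binaries (browsers, updaters, sync clients) will match and need an allowlist built from the first rounds of triage.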

Indirect Execution of the Payload (rundll32 executes Cobalt Strike DLL)

Prevention

N/A

Detection & Hunting

When Cobalt Strike or any other C2 framework binary is run, it makes a network connection. You can hunt for anomalies in process network connections based on connection count, traffic size, duration or destination.

Examples:

  • Explorer.exe or cmd.exe has a connection to an unusual destination. Correlate with network traffic logs or firewall logs to see the duration/size of the traffic, and analyse the IP/URL.
  • A process on a device makes far more network connections than the same process on other devices in the network.
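Both examples above can be turned into a population comparison across devices. The following is an added example (not code from the original post) that works on constructed connection records: it flags a host where a process’s connection count is an outlier against the same process on other hosts (median/MAD, so that one noisy host does not inflate the baseline), and separately lists destinations a process contacts on only one host even though it runs on many. Hostnames, process names and destinations are made up for the example.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed (host, process, destination) records; not real traffic.
CONNECTIONS = (
    [("ws01", "explorer.exe", "10.0.0.5:445")] * 2
    + [("ws02", "explorer.exe", "10.0.0.5:445")] * 3
    + [("ws03", "explorer.exe", "10.0.0.5:445")] * 2
    + [("ws04", "explorer.exe", "10.0.0.5:445")] * 3
    + [("ws05", "explorer.exe", "10.0.0.5:445")] * 2
    + [("ws05", "explorer.exe", "203.0.113.77:443")] * 38   # beacon-like volume
    + [("ws01", "cmd.exe", "10.0.0.9:389")]
    + [("ws02", "cmd.exe", "10.0.0.9:389")]
)


def per_process_host_counts(conns):
    counts = defaultdict(Counter)   # process -> host -> number of connections
    for host, proc, _dst in conns:
        counts[proc.lower()][host] += 1
    return counts


def connection_count_outliers(conns, min_hosts=3, threshold=3.0):
    """Hosts where a process connects far more often than the same process
    elsewhere. Robust scaling: (count - median) / MAD > threshold."""
    hits = []
    for proc, per_host in per_process_host_counts(conns).items():
        if len(per_host) < min_hosts:
            continue   # too few hosts to form a baseline
        values = list(per_host.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0   # avoid division by zero
        for host, count in per_host.items():
            if (count - med) / mad > threshold:
                hits.append({"process": proc, "host": host, "count": count, "baseline": med})
    return hits


def rare_destinations(conns, min_hosts=3):
    """Destinations a process contacts on exactly one host although the
    process is seen connecting from at least `min_hosts` hosts."""
    hosts_by_proc = defaultdict(set)
    hosts_by_proc_dst = defaultdict(set)
    for host, proc, dst in conns:
        hosts_by_proc[proc.lower()].add(host)
        hosts_by_proc_dst[(proc.lower(), dst)].add(host)
    return [{"process": p, "destination": d, "host": next(iter(h))}
            for (p, d), h in hosts_by_proc_dst.items()
            if len(h) == 1 and len(hosts_by_proc[p]) >= min_hosts]


if __name__ == "__main__":
    print(connection_count_outliers(CONNECTIONS))
    print(rare_destinations(CONNECTIONS))
```

A hit from either function is a starting point, not a verdict: take the destination to the firewall or proxy logs to see how long the traffic has been going on and how much data moved, as the post suggests.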

Lateral Movement (via Cobalt Strike)

Prevention

N/A

Detection & Hunting

In ransomware attacks, the targets are DCs, backup servers, or servers that can reach everything (MS SCCM, MS Endpoint Manager, automation servers, etc.). These servers are usually accessed by certain people (SysAdmins) from specific devices. A logon to these servers using an admin account from a device not seen before should be investigated.

Example:

Get the SysAdmins’ workstation names and IPs. Alert on an admin logon to a DC from a device that is not a SysAdmin workstation. If a terminal server is used for administrative tasks, treat it as a DC and alert on suspicious logon activity there as well. The same approach can be applied to admin and/or service accounts whether a DC is involved or not.
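The alert rule above as an added example (not code from the original post): the inventory of tier-0 servers, admin accounts and SysAdmin workstations/IPs is a constructed placeholder for what the CMDB and AD would supply, the terminal server appears in the server list so logons to it are watched like DC logons, and the `all_targets` switch extends the rule to admin and service account logons against any host. The logon records are constructed; an empty `src_host` models events that only carry a source IP.

```python
# Constructed inventory and logon records (not real data); hostnames, accounts
# and IPs are placeholders for what the CMDB / AD would provide.
TIER0_SERVERS = {"DC01", "DC02", "BACKUP01", "SCCM01", "TS-ADMIN01"}  # terminal server treated as a DC
ADMIN_ACCOUNTS = {"da-alice", "da-bob", "svc-backup"}
SYSADMIN_WORKSTATIONS = {"PAW-ALICE", "PAW-BOB"}
SYSADMIN_IPS = {"10.10.5.11", "10.10.5.12"}

LOGON_EVENTS = [
    {"target": "DC01", "account": "da-alice", "src_host": "PAW-ALICE", "src_ip": "10.10.5.11"},
    {"target": "DC01", "account": "da-bob", "src_host": "WS-FIN07", "src_ip": "10.20.3.44"},
    {"target": "DC02", "account": "da-alice", "src_host": "TS-ADMIN01", "src_ip": "10.10.9.5"},
    {"target": "TS-ADMIN01", "account": "da-bob", "src_host": "WS-FIN07", "src_ip": "10.20.3.44"},
    {"target": "FILESRV01", "account": "da-bob", "src_host": "WS-FIN07", "src_ip": "10.20.3.44"},
    {"target": "DC01", "account": "jsmith", "src_host": "WS-HR02", "src_ip": "10.20.7.9"},
    {"target": "BACKUP01", "account": "svc-backup", "src_host": "", "src_ip": "10.20.3.44"},
]


def find_suspicious_admin_logons(events, all_targets=False):
    """Admin-account logons to tier-0 servers (or, with all_targets=True, to
    any host) that did not originate from a known SysAdmin device."""
    alerts = []
    for ev in events:
        if ev["account"].lower() not in ADMIN_ACCOUNTS:
            continue
        if not all_targets and ev["target"].upper() not in TIER0_SERVERS:
            continue
        src_host = ev["src_host"].upper()
        expected = (src_host in SYSADMIN_WORKSTATIONS
                    or src_host in TIER0_SERVERS      # admin hopping via the terminal server
                    or ev["src_ip"] in SYSADMIN_IPS)
        if not expected:
            alerts.append({"target": ev["target"], "account": ev["account"],
                           "source": src_host or ev["src_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_logons(LOGON_EVENTS):
        print(alert)
```

Keeping the allowed-source list in an inventory rather than in the rule is what makes this maintainable: when a SysAdmin gets a new workstation, the inventory changes and the rule does not.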

I skipped some steps like user enumeration, checking domain trusts, etc. as they are quite easy to detect.

Happy hunting!


🚀 Master KQL at https://academy.bluraven.io for Threat Hunting, Detection Engineering, and Incident Response | Threat Researcher | DFIR | SIEM | @Cyb3rMonk