Detecting and Responding to Ransomware Attacks By Using Free Tools
After writing Defeating Ransomware by Using Sysmon and PowerShell, I continued my research on modern ransomware techniques and found new methods that can be applied to almost all kinds of ransomware. In this post, I’m going to explain modern ransomware techniques and how to detect and respond to them using built-in Windows features and free tools. As a bonus, I’m going to use Binalyze AIR, a commercial incident response product, to demonstrate acquiring full forensic evidence from an endpoint during a ransomware event.
Ransomware encryption methods
All modern ransomware uses RSA + AES encryption to encrypt the files. It encrypts the RSA private key and deletes the cleartext RSA private key from memory, making it almost impossible to recover the key required to decrypt the files. The steps for this part are basically as follows:
- The attacker generates their own RSA public-private key pair (A.private_key, A.public_key) and embeds the public key (A.public_key) into the ransomware.
- When the ransomware runs on the victim machine, it generates an RSA public-private key pair for the victim (V.public_key, V.private_key) in memory. Nothing is written to disk.
- The ransomware encrypts V.private_key with A.public_key. Next, it removes the cleartext V.private_key from memory. This way, it becomes almost impossible to recover V.private_key in cleartext, even from memory.
- The ransomware starts encrypting the files using AES keys, and it encrypts each AES key with V.public_key.
To decrypt a file, you have to decrypt its AES key. To decrypt the AES key, you need V.private_key, which is encrypted with A.public_key. So, you have to pay the ransom. You can read more about ransomware encryption methods here.
Ransomware file encryption methods, detection, and response
After generating and encrypting the keys, the ransomware starts encrypting the files. Based on my research, there are several ways to encrypt a file. These are:
- Read the file, create an encrypted version of the file, and replace the original file with the encrypted one.
- Use raw disk access for encryption (I haven’t researched this).
- Open the file, encrypt the contents in place and save the file (no file deletion or creation).
Detection and Response
The first method can be detected and responded to using the approach explained in my previous post.
The second method can be detected using Sysmon EventID 9 (RawAccessRead) and responded to using the same approach.
The last method can’t be detected using Sysmon, as there is no file delete/create event: everything happens in memory. Don’t worry, there is still hope!
Whatever method is used, the ransomware has to open the file to encrypt it. This means that we can use file auditing policies that generate EventID 4656 (a handle to an object was requested)! Do you remember this famous EventID? It's the one you always filter out of your logs… Now it's here to save us!
Let’s see how it works!
I used the same honeyfolder for this demo. I enabled File System auditing, then configured auditing for the honeyfolder as shown below:
Update on audit settings: you can select different permissions to monitor according to your needs (List folder / read data, for example). To be honest, I didn't play with the permissions too much. There is a very good post regarding file system auditing here.
Task Scheduler Configuration
I used a custom event filter to trigger the script, as I didn’t want the task to fire for every file. This reduces the false-positive rate.
If you want to copy/paste the XML query to use it, here it is:
<QueryList>
  <Query Id="0" Path="Security">
    <!-- EventID 4656: a handle to an object was requested. Narrow this selection further (for example on ObjectName) so the task is not triggered for every file. -->
    <Select Path="Security">*[System[(EventID=4656)]]</Select>
  </Query>
</QueryList>
I had to modify my original script to make it work for this scenario. Here is a snippet of the modified part:
Tip: you can exclude some known processes like Word and Excel to reduce false positives. Keep in mind that every exclusion brings its own security risk (e.g. process injection into an excluded process).
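An added example of a responder script for this scenario (this is not the post's own script): it reads recent EventID 4656 events, keeps only those whose ObjectName lies under the honeyfolder, skips an allow-list of known processes as the tip suggests, optionally triggers an acquisition, and stops the requesting process. The honeyfolder path, the excluded process names and the acquisition URL are assumptions.

```powershell
# Added example: respond to 4656 handle requests against the honeyfolder.
param(
    [string]$HoneyFolder = 'C:\HoneyFolder',                  # assumed honeyfolder path
    [string[]]$Exclude   = @('WINWORD', 'EXCEL', 'explorer'), # assumed known-good process names
    [string]$AcquireUrl  = ''                                  # optional acquisition trigger URL (incl. token)
)

$xpath  = '*[System[(EventID=4656)]]'
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 100 -ErrorAction Stop

$handled = @{}
foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only act on handle requests for objects inside the honeyfolder.
    if (-not $data.ObjectName) { continue }
    if (-not $data.ObjectName.StartsWith($HoneyFolder, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    # 4656 stores ProcessId as a hex string such as 0x1a2c.
    $procId = [Convert]::ToInt32($data.ProcessId, 16)
    if ($handled.ContainsKey($procId)) { continue }   # one response per process
    $handled[$procId] = $true

    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }                       # process already exited

    # Allow-list of known processes (see the tip above); logged but not stopped.
    if ($Exclude -contains $proc.ProcessName) {
        Write-Warning "Excluded process $($proc.ProcessName) (PID $procId) touched $($data.ObjectName)"
        continue
    }

    Write-Warning "Honeyfolder access by $($data.ProcessName) (PID $procId): $($data.ObjectName)"
    # Optionally trigger a forensic acquisition before the process is terminated.
    if ($AcquireUrl) { Invoke-WebRequest -Uri $AcquireUrl -UseBasicParsing | Out-Null }
    Stop-Process -Id $procId -Force
}
```

The scheduled task runs this script elevated on the 4656 trigger; reading the Security log and terminating another user's process both require administrative rights.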
Since I already covered process memory dumping in my previous post, I wanted to show a better way to respond to this attack. Emre Tinaztepe contacted me to help with this and gave me the opportunity to use his product B!nalyze AIR, a server-agent based application with which you can trigger forensic acquisitions, analyze forensic evidence, and do other things such as YARA scanning. Alternatively, you can use free/open-source tools like KAPE, FastIR or Skadi for acquisition.
To trigger the forensic acquisition, I just needed to add an API request that tells the B!nalyze AIR Console to trigger the acquisition on the selected endpoint, as below (the console was installed on the local machine just for the demo):
Invoke-WebRequest http://127.0.0.1/api/trigger/quick-local/MSEDGEWIN10?token=<token for the trigger type>
I ran the ransomware and waited for the encryption and acquisition to finish.
The acquisition can be analyzed easily
Update: Deployment in an environment
This solution can be deployed automatically to the endpoints in your environment:
- Create a folder with files in it and place it on a share.
- Create a script that pulls the files into a specified folder, configures the audit settings for the machine and the folder, and creates the scheduled task.
- Deploy the script via GPO.
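An added deployment script that carries out the three steps above (this is not the post's own script): it copies the bait files from a share, enables the File System audit subcategory, adds an audit SACL to the honeyfolder, and registers a scheduled task with an event trigger on Security EventID 4656. The share path, local paths and responder script name are assumptions; run it elevated, since writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example: deploy the honeyfolder, its audit settings and the scheduled task.
$Share       = '\\fileserver\deploy\HoneyFolder'   # assumed share holding the bait files
$HoneyFolder = 'C:\HoneyFolder'                    # assumed local honeyfolder
$Responder   = 'C:\Tools\Respond-Honeyfolder.ps1'  # assumed responder script path

# 1. Pull the bait files into the honeyfolder.
New-Item -ItemType Directory -Path $HoneyFolder -Force | Out-Null
Copy-Item -Path (Join-Path $Share '*') -Destination $HoneyFolder -Recurse -Force

# 2. Enable object access auditing for the file system (this is what produces 4656).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. Audit every read/write/delete handle on the folder and everything beneath it.
$acl  = Get-Acl -Path $HoneyFolder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @('Everyone', 'ReadData,WriteData,AppendData,Delete',
                    'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyFolder -AclObject $acl

# 4. Register a task that fires on Security/4656 and runs the responder as SYSTEM.
$subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4656)]]</Select>
</Query></QueryList>
"@
$trigger = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler |
           New-CimInstance -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Responder`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Honeyfolder-Respond' -Trigger $trigger `
    -Action $action -Principal $principal -Force | Out-Null
```

Assign the script as a computer startup script in the GPO so each endpoint configures itself on boot; the subscription XML can be narrowed to the honeyfolder in the same way as the query shown earlier.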
That’s it! I hope you find this post useful for your active defense and cyber deception journey. In my next post, I’ll dive into threat hunting/detection using proxy logs.