Detecting and Responding to Ransomware Attacks By Using Free Tools

Mehmet Ergene
Jul 26, 2020 · 5 min read

After writing Defeating Ransomware by Using Sysmon and PowerShell, I continued my research on modern ransomware techniques and found new methods that apply to almost all kinds of ransomware. In this post, I’m going to explain modern ransomware techniques and how to detect and respond to them using built-in Windows features and free tools. As a bonus, I’m going to use Binalyze AIR, a commercial incident response product, to demonstrate acquiring full forensic evidence from an endpoint in the event of ransomware.

Ransomware encryption methods

All modern ransomware uses RSA + AES encryption to encrypt the files. It encrypts the RSA private key and deletes the cleartext RSA private key from memory, making it almost impossible to recover the key required for decrypting the files. The steps for this part are basically as follows:

  1. The attacker generates their own RSA public-private key pair (A.private_key, A.public_key) and embeds the public key (A.public_key) into the ransomware.
  2. When the ransomware runs on the victim machine, it generates an RSA public-private key pair for the victim (V.public_key, V.private_key) in memory. Nothing is written to disk.
  3. The ransomware encrypts V.private_key with A.public_key. Next, it removes the cleartext V.private_key from memory. This way, it becomes almost impossible to recover V.private_key in cleartext, even from memory.
  4. The ransomware starts encrypting the files using AES keys, and it encrypts each AES key with V.public_key.

To decrypt a file, you have to decrypt its AES key. To decrypt the AES key, you need V.private_key, which is encrypted with A.public_key and can therefore only be recovered with A.private_key, which never leaves the attacker. So, you have to pay the ransom. You can read more about ransomware encryption methods here.

Ransomware file encryption methods, detection, and response

After generating and encrypting the keys, the ransomware starts encrypting the files. Based on my research, there are several ways to encrypt a file:

  1. Read the file, create an encrypted version of the file, and replace the original file with the encrypted one.
  2. Use raw disk access for encryption (I haven’t researched this).
  3. Open the file, encrypt the contents in place, and save the file (no file deletion or creation).

Detection and Response

The first method can be detected and responded to using the same approach explained in my previous post.

The second method can be detected using Sysmon Event ID 9 (RawAccessRead) and responded to using the same approach.

The last method can’t be detected using Sysmon, as there is no file delete/create event; everything happens in memory. Don’t worry, there is still hope!
Whatever you do, you have to open the file to encrypt it. This means that we can use file system auditing policies, which generate Event ID 4656 (a handle to an object was requested)! Do you remember this famous Event ID? It’s the one you always filter out from your logs… Now it’s here to save us!
Let’s see how it works!

Setup

Audit configuration

I used the same honeyfolder for this demo. I enabled File System auditing (the Object Access audit subcategory). Then I configured auditing for the honeyfolder as shown below:

File System Auditing
Audit setting for honeyfolder

Update on audit settings: you can select different permissions to monitor according to your needs (List folder / read data, for example). To be honest, I didn’t play with the permissions too much. There is a very good post about file system auditing here.

Task Scheduler Configuration

I used a custom event filter to trigger the script, as I didn’t want the task to fire for every file. This reduces the false positive rate.

Task Trigger Configuration

If you want to copy/paste the XML query to use it, here it is:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DAT3.csv']]</Select>
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DAT1.docx']]</Select>
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DAT1.pdf']]</Select>
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DAT2.pptx']]</Select>
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DATA.xlsx']]</Select>
<Select Path="Security">*[System[(EventID=4656)]][EventData[Data='C:\Users\IEUser\Downloads\honeyfolder\DAT.csv']]</Select>
</Query>
</QueryList>

PowerShell Script

I had to modify my original script to make it work for this scenario. Here is a snippet of the modified part:

Tip: you can exclude some known processes like Word or Excel to reduce false positives. Keep in mind that every exclusion brings its own security risk (e.g. process injection into the excluded process).
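As an added example (not the author’s script), here is a complete response handler of the kind the scheduled task would run when the 4656 filter above matches: it reads the newest 4656 event for the honeyfolder, extracts the requesting process, applies the exclusion list from the tip, logs the touch, and then triggers the acquisition and stops the process. The log path, the exclusion list and the AIR trigger URL/token are assumptions and placeholders; it assumes the task runs as SYSTEM.

```powershell
# Added example, not the author's script. Assumed: runs as SYSTEM from the scheduled task;
# $LogFile, $ExcludedProcs and the AIR trigger URL/token are placeholders.
param(
    [string]   $HoneyFolder   = 'C:\Users\IEUser\Downloads\honeyfolder',
    [string[]] $ExcludedProcs = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'),
    [string]   $LogFile       = 'C:\ProgramData\honeyfolder-response.log',
    [string]   $AirTrigger    = 'http://127.0.0.1/api/trigger/quick-local/MSEDGEWIN10?token=<token for the trigger type>'
)

# Turn one 4656 event into a name -> value table of its EventData fields.
function ConvertFrom-AuditEvent($evt) {
    $xml = [xml]$evt.ToXml()
    $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    return $d
}

# Newest handle request (4656) that targeted a file inside the honeyfolder.
# Get-WinEvent returns newest first; the task fires immediately, so 50 events is plenty.
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 50 |
    ForEach-Object { ConvertFrom-AuditEvent $_ } |
    Where-Object { $_['ObjectName'] -like "$HoneyFolder\*" } |
    Select-Object -First 1
if (-not $hit) { return }

$procId   = [int]$hit['ProcessId']      # 4656 stores the PID as hex text, e.g. 0x1a2c
$procName = $hit['ProcessName']         # full image path of the requesting process
$procLeaf = Split-Path -Leaf $procName

# Record every touch locally, excluded processes included, for later review.
"$(Get-Date -Format o) pid=$procId proc=$procName user=$($hit['SubjectUserName']) object=$($hit['ObjectName']) access=$($hit['AccessMask'])" |
    Add-Content -Path $LogFile

# Exclusions mirror the tip above; each one is a place an injected payload could hide.
if ($ExcludedProcs -contains $procLeaf) { return }

# Respond: trigger the forensic acquisition (the author's AIR call), then stop the process.
# Order is a trade-off: stopping first halts encryption sooner, triggering first gives the
# agent a chance to capture the live process; the author's previous post dumped memory first.
try { Invoke-WebRequest -Uri $AirTrigger -UseBasicParsing | Out-Null } catch { }
Stop-Process -Id $procId -Force -ErrorAction SilentlyContinue
```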

Demo Time!

Since I already covered process memory dumping in my previous post, I wanted to show a better way to respond to this attack. Emre Tinaztepe contacted me to help with this and gave me the opportunity to use his product B!nalyze AIR, a server-agent based application with which you can trigger forensic acquisitions, analyze forensic evidence, run YARA rules, and more. Alternatively, you can use free/open-source tools like KAPE, FastIR, or Skadi for acquisition.

To trigger the forensic acquisition, I just needed to add an API request telling the B!nalyze AIR console to start the acquisition on the selected endpoint, as below (the console was installed on the local machine just for demo purposes, which is why the request goes to 127.0.0.1 over plain HTTP; in a real deployment the console would be reached over HTTPS so the trigger token is not sent in the clear):

Invoke-WebRequest http://127.0.0.1/api/trigger/quick-local/MSEDGEWIN10?token=<token for the trigger type>

I ran the ransomware and waited for the encryption and acquisition to finish.

Encryption was started, the task was triggered, and the encryption was finished.
Encryption was finished.
Acquisition was started
The acquisition was finished.

The acquisition can be analyzed easily

Update: Deployment in an environment

This solution can be deployed automatically to the endpoints in your environment:

  1. Create a folder with files in it and place it on a share.
  2. Create a script that pulls the files into a specified folder, configures the audit settings for the machine and the folder, and creates the scheduled task.
  3. Deploy the script via GPO.
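As an added example (not the author’s deployment script), here is an endpoint-side script for step 2 that a GPO (step 3) could run: it copies the honey files from the share, enables the File System audit subcategory, adds a SACL to the folder, builds the same per-file 4656 query as the Task Scheduler section from the files actually deployed, and registers the task. The share path, local folder, response script path and task name are assumptions; it must run elevated.

```powershell
# Added example, not the author's deployment script. Assumed: runs elevated; $SourceShare,
# $HoneyFolder, $ResponseScript and $TaskName are placeholders to adapt to your environment.
param(
    [string] $SourceShare    = '\\fileserver\deploy$\honeyfolder',        # assumed share (step 1)
    [string] $HoneyFolder    = 'C:\Users\IEUser\Downloads\honeyfolder',
    [string] $ResponseScript = 'C:\ProgramData\honeyfolder\Respond.ps1',  # assumed path
    [string] $TaskName       = 'HoneyfolderResponse'
)

# Pull the honey files from the share into the local honeyfolder.
New-Item -ItemType Directory -Force -Path $HoneyFolder | Out-Null
Copy-Item -Path (Join-Path $SourceShare '*') -Destination $HoneyFolder -Recurse -Force

# Machine-wide: enable the Object Access > File System audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Folder: add a SACL so write/delete handle requests by anyone produce 4656.
# Adjust the rights to match the permissions you chose in the audit settings above.
$acl  = Get-Acl -Path $HoneyFolder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyFolder -AclObject $acl

# Build the trigger filter from the deployed files: one <Select> per file, the same
# shape as the XML query in the Task Scheduler section.
$selects = Get-ChildItem -Path $HoneyFolder -File | ForEach-Object {
    "<Select Path=`"Security`">*[System[(EventID=4656)]][EventData[Data='$($_.FullName)']]</Select>"
}
$subscription = "<QueryList><Query Id=`"0`" Path=`"Security`">$($selects -join '')</Query></QueryList>"

# New-ScheduledTaskTrigger cannot create event triggers, so build one from the CIM class.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ResponseScript`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
```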

That’s it! I hope you find this post useful for your active defense and cyber deception journey. In my next post, I’ll dive into threat hunting and detection using proxy logs.

Written by Mehmet Ergene. Cyber Defense Professional. @Cyb3rMonk (Threat Hunting | Active Defense | Cyber Deception | SOC | SIEM)