Ransomware-Centric Collection and Threat Profiling
Conducting a behavioral profile of ransomware attackers will give you a better understanding of who is behind the attacks threatening your organization. Behavioral profiling adds value to defenders who can use it to identify an attacker and negotiators who will know the motivations and beliefs of the human being they are dealing with.
The Evolved Threat Profile
Profiling an adversary is an essential component of threat research that defenders and analysts can use to identify and attribute advanced threats. Traditionally, threat profiles center around attack data alone. However, ransomware has changed the way we defend and approach attacks. To put it mildly, organizations struggle to protect against and mitigate ransomware attacks. Companies and governments that fall to ransomware attacks dominate news and media headlines daily. These attacks affect the private sector and impact governments. This year alone, 36 local governments in the United States have become victims of ransomware attacks. Now, more ransomware attacks are successful than ever. Due to this, you must change your approach and mindset on handling today’s modern attacks.
One of the driving factors behind the success of ransomware attacks is the human interaction in which individual criminals participate in executing the compromise itself, as opposed to relying on malware alone to automate the attack, as seen in the past. Now, ransomware criminals patiently operate and drive the attacks, giving the fluidity to change behaviors and tactics on the fly, which is necessary to defeat automated defenses. Making the situation worse, ransomware attackers often must spend days to weeks in victim networks to breach and stage the environment before stealing data and executing the ransom payload.
Ransomware criminals patiently operate and drive the attacks, changing behaviors and tactics on the fly, which is necessary to defeat automated defenses.
Another reason you need to profile the human behaviors and traits associated with a ransomware adversary is the post-attack phase in which victims interact with their attacker. In the past, it was unheard of to communicate with an adversary after a cyberattack. Yet, today, victims must directly interact with ransomware attackers who demand an open line of communication to discuss the ransom payment and to facilitate the decryption key necessary to regain access to their data. Often, victims must negotiate a second ransom to prevent their stolen data from being published or auctioned off to other criminals. In some cases, ransomware criminals call the victim directly using VoIP phone numbers and modulators to alter their voice. In other situations, ransomware criminals have issued press releases to publicly threaten victims. The point is that you need to better understand the human adversary you are dealing with. To do this, you must begin tracking the attackers’ behavioral traits and human characteristics behind ransomware operations. This evolved threat profile can aid defenders, negotiators, and assist decision-makers within the victim organization when dealing with a ransomware attacker.
What Is a Threat Profile?
Today, there are far too many threat actors for an analyst to keep up with on their own. Even a team of analysts would find themselves challenged with such a task. One way to address this problem is to create profiles that you can use to become familiar with the relevant details surrounding an attacker. If done correctly, the profile you construct will present a digital fingerprint, unique and specific to an adversary. A threat profile should include distinctive characteristics of an attacker, such as their preferences for tools, malware, and other attack elements.
Additionally, when profiling a ransomware attacker, their persona, and any known human characteristics or behaviors that could prove helpful during ransom negotiation should be included. Historically, analysts have not included a behavioral assessment in profiles. This is mainly because it simply did not matter.
Ransomware criminals directly communicate and interact with their victims.
For example, you would not have the means or access to communicate with a nation-state attacker. Yet, as I previously mentioned, unlike any attacker seen to date, ransomware criminals directly communicate and interact with their victims, which is why you need to update how you track and collect intelligence on ransomware adversaries.
Further, even when not approached, many ransomware criminals participate in dark web forums and interact in a brash vocal manner across the criminal community. This includes their personal opinions, political views, and even inside aspects of their ransomware operations. Additionally, operators from many top ransomware gangs are accessible and will respond to requests and questions from media, security researchers, and other criminals. This allows analysts the opportunity to capture a view of the human operators behind attacks and obtain inside information on the ransomware operation.
How Do We Use Threat Profiles?
You can create threat detection profiles to suit your organization’s specific needs. For example, a private sector company will have different needs than a government agency. However, the primary reason to develop and use a profile is to quickly bring analysts, defenders, and decision-makers up to speed on an adversary. The profile should be a roadmap of the attacker’s preferred resources, methods, tactics, and behaviors. It will also help keep defenders familiar with advanced attackers relevant to their vertical or industry and assist ransom negotiators, law enforcement, and intelligence agencies in understanding the person on the other side of the screen whom they are dealing with.
Data Collection for Threat Profiles
Since we are revising the information included in a profile, we also must expand the data sources in which we collect information. Figure 1 displays my ransomware collection model depicting the type of information necessary to gather in preparation for creating a threat intelligence platform profile.
The attack data category should include any information collected around the time of known attacks from the adversary of interest. You should collect data such as hacktools/malware, exploits, infrastructure, phishing email info, targeting, etc., and use that information as the base for your profile. A single event will make it difficult to identify patterns and preferred tactics used by the adversary. When possible, it is always better to use data across several attacks as opposed to a single event. If you find yourself with an insufficient volume of data to make an assessment, expand your window of time from six months to one year, but remember, you want the information to be as current and relevant as possible. I would not recommend using data older than one year for a profile.
Next, I would go through the activity and identify any evidence you can use to attribute to the attacker. Often you will have enough evidence to make an attribution assessment. In some situations, you may not feel there is strong evidence to make an attribution but have some evidence suggesting an attack originates from a specific adversary or region. It’s OK to make an assessment even when it’s low confidence as long as you qualify the attribution with a confidence rating. You should discuss the qualifiers for making confidence assessments within your organization to ensure consistency from one analyst to the next. However, remember to only use well-sourced and attributed data to create your threat profile. If the data is from another actor, you will cause more harm than good by producing misleading information due to poor attribution.
Note: You can find additional information on how to conduct proper attribution and qualify your assessment with confidence bands in the “Adversaries and Attribution” chapter of “The Art of Cyberwarfare” by No Starch Press.
You will also find yourself in situations where you want to profile an adversary but have insufficient attack data. Fortunately, you don’t need to wait for an adversary to target your organization before creating a profile. In this situation, you can use publicly available information, such as published threat research or third-party for-pay threat intelligence reporting. Both provide an insight into an attacker and often include much of the data you need to create a profile. Remember, a threat profile with outsourced information is still better than nothing and can provide value to your analysts.
When I began my career as an analyst, far fewer tools and resources were available than today, making data collection and analysis more time-consuming and cumbersome. Back then, I had to run SQL queries and manually parse through data. I then transferred the relevant data points to spreadsheets. Today, there are many other resources available. Both for-pay and free resources exist, which you can leverage to make collection and analysis more accessible and faster. In my current role, I use Analyst1 to manage my threat data for my investigations and research. You can see my dashboard for the REvil ransomware operation within the Analsyt1 platform in Figure 2.
I use the dashboard to visualize activity volume, targeted industries, MITRE ATT&CK Framework attack patterns, and other useful information. I can use these data points when I create a profile for an adversary. You still need an analyst to analyze the data and profile the attacker, but making the information quickly accessible and easily understood by a human has never been easier.
Next, you will need to collect data surrounding the adversary’s infrastructure. Like most attacks you investigate, you want to cover the basics and identify the infrastructure used to download malware and hack tools in addition to their command and control. In addition to this, it’s important to remember ransomware attackers are unique and often have their own infrastructure used to facilitate their operation for ransom-specific purposes. The following are unique infrastructure components associated with ransomware attacks. Whenever you identify these types of websites, you will want to collect as much information as possible.
Data Leak/Auction Site
This is the primary website the adversary will use to leak victim data intended to pressure the targeted organization into paying the ransom. They will often include details about the victim and a time indicating how long the victim has to pay before their data is either made public or sold to other criminals. Usually, the ransomware gang behind the attack will host this infrastructure on the dark web. However, many adversaries will mirror the site on the traditional internet to make it easier for the general public or the news media to access.
Press Release and Affiliate Rules
The press release and affiliate rules pages are also valuable components of the data leak site. Attackers will use the press release section to make announcements regarding their operation or to communicate with journalists and the general public. Not all ransomware gangs publish the affiliate rules page, but many will include this component. When they do, it will contain valuable information about the requirements and qualifications necessary to work for the ransomware gang. It also has information on how the core gang shares and distributes profit with affiliate hackers for hire who support the operation.
Victim Negotiation Chat Portal
Before 2020, most attackers relied on publicly available email services to facilitate ransom negotiations with their victims. This allowed law enforcement organizations to subpoena email data associated with the account and monitor the attacker’s communications with victims.
Attackers bypass email communication risks by using a chat.
Many attackers have transitioned to using a chat portal hosted on their infrastructure to bypass the risk associated with email communication. This allows victim communication to take place on infrastructure the adversary controls.
To access the chat portal and begin ransom negotiation, the victim must obtain a link to the chat portal and a unique key included in the ransom note. In the ransom note, the victim receives their own unique key necessary to log into the chat portal. Since the key is unique and used to establish the communication session, the attacker can also use it to track each victim across their operation. Sometimes the negotiation/chat portal is not a stand-alone site but instead hosted as a web page of the attacker’s data leak site. Whichever scenario you find, you will want to obtain as much information on the infrastructure as possible.
Figure 3 below displays several examples of ransomware infrastructure, such as data leak, chat/negotiation portals, affiliate rules, and other infrastructure owned and managed by ransomware groups.
Forums and Markets
A unique aspect associated with ransomware adversaries is that the operators and affiliates behind the attacks will participate and communicate on dark web forums and markets. Criminal markets and forums have different functions and purposes. Yet, many of these sites are difficult to find and access. Further, many of them come and go over time or are taken down by law enforcement operations. Still, the information you can obtain by gaining admission to these sites far outweighs the work and time that go into finding and acquiring access to them. Figure 4 displays images of various marketplaces used over the past several years by ransomware gangs:
In some markets, criminals will sell malware, hacktools, botnets, and other malicious resources used in attacks. Access brokers will even sell entry into compromised environments that criminals can purchase and exploit as they see fit without spending time conducting the initial breach.
Often the information on these forums can provide solid insight into an attacker’s operation. For example, ransomware gangs will post affiliate ads to forums to recruit other criminals to support their attacks. These ads will often contain detail of the skills, technologies, and overall attack requirements desired.
In the recruitment ad shown, the attacker wants an adult male skilled in OSINT, VoIP, and spam campaigns involving documents and PDFs (likely used to deliver malware) and is an experienced negotiator. They also want to hire someone who can exploit Pulsar, Citrix, and SolarWinds, has used Trickbot malware and has experience with attacks involving MSPs. This account that posted the recruitment ad was a senior member of the REvil ransomware gang. While the post is dated, later, REvil went on to attack the MSP Kaseya and infected over 1,500 companies. While no one can tell the future, by gaining access to these forums and interacting with criminals to extract information, you can gain insight into an attacker’s operation.
In another example, earlier this summer, I was monitoring a dark web forum and came across an interesting post seen in Figure 6.
You can see the conversation in which an individual was looking for a pentester, exploits, access, and a ransomware builder. When I saw this post, I asked myself, what do you have when you put these elements together? Answer: A ransomware attack.
Eventually, this evolved into a full-scale Ransomware as a Service (RaaS) program. Remember, you don’t always have to interact with criminals to gain insight into upcoming attacks. If you look in the right places and interact with the relevant criminals, you gain intelligence and sometimes identify an attack before it happens. Sometimes, simply gaining access and finding the applicable accounts surrounding ransomware is enough to fulfill intelligence-collection needs.
Open-source intelligence, also known as OSINT, is derived from open-source data. While OSINT may not be your own data, it can provide insight into what other organizations are seeing from the same attacker and should not be overlooked. Open-source resources such as security blogs and social media can give details on an attacker you may not see in your data. For example, security researchers often post on Twitter when discovering new and novel findings. Other times, you can uncover samples of new variants of ransomware submitted to malware repositories and analyze the binary to learn about new features and associated infrastructure. I cover this in greater detail in “The Art of Cyber Warfare” and provide various resources and examples, but the takeaway is that you should not ignore open-source information. It is often simply out there waiting for you to find it and can produce great results when done well.
One area you should certainly pay attention to in the public domain is when ransomware criminals conduct interviews. For reasons I will never understand, ransomware criminals can’t help but talk about themselves. For example, senior members of the Lockbit ransomware gang have conducted several interviews to date. These interviews provide information on the humans behind the criminal organizations conducting ransomware attacks.
Earlier this year, I participated in an interview in which one of the gang members discussed Lockbit Black, their latest ransomware variant. At that time, Lockbit Black was still in beta testing, but the criminal operator provided information and screenshots uncovering new features and content that we would never have known. Later, Lockbit did another interview and discussed it on a dark web forum where they spoke about the area in which they lived and discussed technical details of their internal organization. During interviews, attackers discuss their political beliefs, way of life, and details about their past in addition to internal aspects of their ransomware programs. When put together and analyzed, you can identify the human characteristics of an adversary and incorporate the information into a threat profile.
Creating a Ransomware-Centric Threat Profile
The most common mistake analysts make when creating a threat profile is developing the profile without putting in the work to ensure proper data collection and analysis. The second mistake is not conducting proper attribution. If you have attack data and tactics from another adversary mixed into your data and then use it to create a profile, it will be useless. In addition to attribution, you must adequately review, analyze, and access the adversary you are researching.
Remember, there is no point in writing a threat profile if you skip the profiling phase of the effort. You are not just writing information down. It is your analysis that makes the profile valuable. The data needs to be collected, sourced, and analyzed. Only then should you write a profile. Writing should be easy if you have spent adequate time developing the profile because you will know the adversary and its operation well.
I created the Ransomware-Centric Threat Profile model to help you understand the threat profile development lifecycle. I intend for you to use this as a high-level guide to ensure you have the essential elements necessary to create a detailed profile. The Ransomware-Centric Threat Profile model only includes four top-level sections:
I intentionally kept the top-level components brief for learning purposes; however, don’t confuse this model as a template for your profile. You will want to develop and break out sections to make the most relevant information stand out. Let’s discuss each section next.
The summary should include a description summarizing the threat actor and current operations, highlighting any new or relevant findings that would be significant to your audience. It is also good to include the first and last known dates of activity associated with the attacker. I would recommend that you document the adversary’s motivation in the summary as well. For example, common attack motivations I frequently include are financial, espionage, hacktivism, and sabotage. Whatever the end goal or motivation driving the attack, you will want to qualify that upfront.
I also like to classify the threat upfront when known. While it does not happen often, some actors may fall within more than one category. I typically use threat classification categories, including nation-state, cybercrime, hacktivism, and unknown.
TIP: Don’t confuse actor motivation with threat classification. Years ago, you could consistently map a threat classification based on the attacker’s motivation. If you found the attacker was motivated by financial gain, you would place them into the cybercrime category. That is no longer the case. Today, nation-state actors like North Korea and Iran conduct state-backed operations to perform espionage and financial gain operations. The specific campaign you are tracking may result in financial theft. Still, the operators behind the attack are government or state-backed and use the stolen funds to support other espionage- related attacks conducted by the same threat actor. In a situation like this, you would classify the threat as a nation-state and select financial crime and espionage as their motivations. Further, within the profile, you would detail and explain the operations making it clear why you made the assessment. The same could apply if you came across a ransomware attacker with state-backed associations, like these discussed in Analyst1s Nation State Ransomware research paper.
You will also want to include any known names associated with the actor you are profiling. Often a single actor will be known by several names. This is usually due to security vendors referring to the same attacker by their unique identifier. They do this so they are not using the term a competitor created for the threat actor.
Today, I use Analsyt1 to capture and index much of the information discussed in the summary section.
While this makes sense from a business and marketing perspective, it adds confusion for analysts who must keep up with all the names. Make your fellow analysts’ job easier and document all known names of the adversary you are profiling. I also find it helpful to record the naming organization (i.e., CrowdStrike, Mandiant, Symantec, etc.) mapped to each name for reference.
The identification section is self-explanatory. I use this profile section to include information and details that will help an analyst identify the adversary. When known, I will include the region or country I believe the attacker originates, any government, military, or criminal association, and include or reference the supporting evidence. The identification section is where I document my attribution and confidence assessment. Again, if you need to learn how to conduct attribution or perform a confidence assessment, I wrote an entire chapter in my book, “The Art of Cyberwarfare,” which will teach you the proper way to do both.
In addition to documenting your attribution assessment, you will need to provide the evidence used to make your determination. Sometimes, a lot of information and analysis goes into an attribution assessment. You want to make your profile efficient and easy to understand. If you have a lot of evidence or your analysis is complex and lengthy, document the information elsewhere and provide a brief, high-level summarization instead. Remember, when summarizing, ensure you reference is where other analysts can review the supporting evidence when not included in your profile. Now, if you make a mistake or new conflicting evidence presents itself later, other analysts will be able to understand why you made the attribution. More importantly, peer analysts can review the evidence and make their own conclusion.
While I have discussed including attribution details in the identification section, its purpose is broader than attribution alone. Remember, the identification section aims to help analysts become familiar with the attacker and provides details on anything unique that will help them to recognize the threat, such as the ransom note filename or if there are unique random characters appended to files after encryption. Often these traits are unique to a specific group and can assist in identification.
I mentioned earlier that ransomware attacks are the only attackers where victims have to communicate with an adversary. Over the past several years, I have interacted with several ransomware adversaries. Some, I have felt like I understood and got to know well, while others never really trusted me. Most times, I engage with fake personas to extract information in order to maintain my anonymity.
Ransomware attackers present themselves as a security-based solution.
Once, I even participated in ransom negotiations, and sometimes, after I write a report and the bad guys figure out the fake persona they knew as a peer criminal was me, I engage directly as myself. Despite not liking security researchers, most ransomware attackers understand we are just doing our job unless you are working with law enforcement or trying to dox them. One reason I think they feel is way is because they view themselves similarly.
For example, ransomware attackers present themselves as a security-based support solution. They see their attack as a pretesting exercise to reveal the security flaws in a target’s corporate infrastructure. The ransom they demand is simply a fee for helping the victim secure their environment. This is complete crap, but it is how many ransomware adversaries rationalize their actions.
Due to their approachability, Ransomware attackers give us a unique opportunity to observe and document their behaviors. This section aims to create a behavioral fingerprint based on human (attacker) preferences, opinions, views, and adversary personas. The goal is to collect information on human traits to better understand the adversary. There are two behavioral categories I track, attack and persona-related behaviors.
This category represents attack-related events or details associated with a human decision or preference. Often this category is based on attack elements seen in the staging phase after a human attacker obtains initial access and is present within your network. The attacker may work days to weeks to escalate privileges, gain administrative access, and disable security defenses before executing the ransom payload. During this time, the adversary creates attack elements that demonstrate a preference by the human attacker. This may include filenames and scripts they developed, their preferred tools, resources, and the sequence of attack events.
Remember, in the behavioral section, you only identify attack behaviors related to a human attacker. It’s important not to confuse attacker behavioral traits with attributes from the attack data itself. For example, in the Identification section, I recommended capturing the filename of the ransom note and unique post-encryption details. Those examples are elements derived from the ransomware payload, not a human attacker. However, if there were a pattern in how the adversary names custom scripts they wrote that you found in your environment during an attack, you would want to capture the information in the behavior section of your profile.
For example, once, I found an attacker using the Gogalocker ransomware payload liked to name bat files with three letter names beginning with the letter “X.” In another unrelated ransomware attack, I noticed similarly named bat files in addition to other unique behavioral-related traits almost a year later. Eventually, with additional evidence, I determined that an affiliate hacker had worked for both ransomware programs, and their preference was to use this format to name files. I did not incorporate behavioral traits into my threat profiles at the time, but I remembered the behavior. Nevertheless, if I had not worked on both investigations, it’s unlikely anyone would have linked the affiliate to both attacks, which is why it’s important to incorporate the information into your profile.
In the collection process, you identified accounts on dark web forums and markets in which ransomware criminals participate. Information you collected during that process should be summarized in the behavioral profile. This information can be especially useful for law enforcement and government intelligence agencies. It can also help ransom negotiators better understand the criminal’s beliefs, customs, and personal motivations.
It’s easy to misunderstand what you should depict in a threat profile related to the information you gathered and analyzed in the collection process. Behavioral analysis is a relatively new practice concerning cyberattacks, and you may not understand the benefit or what type of information should go into your assessment.
To clarify, when I use the term personal behaviors, I refer to the behavioral traits specific to the human attacker’s personal beliefs, not traits associated with the attack itself. This includes the adversary’s religious and political beliefs, fear, insecurities, and ethics.
Knowing the adversary’s political beliefs or if they are patriotic can be useful. For example, the Conti ransomware gang’s demise was due to a press release, seen in Figure 9, in which they claimed allegiance to Russia when the conflict against Ukraine began.
Conti must have forgotten that some of the best hacker affiliates who supported their ransomware operation were Ukrainian. Shortly after, a Ukrainian researcher breached and leaked sensitive internal data related to Conti’s operation. This led to a divide between hacker criminals with varying political beliefs. If the leak had not occurred, the FBI could have leveraged this information and played on the strong patriotic roots of both parties.
They could have started threads, posts, and conversations within criminal forums using fake personas to amplify and divide other patriotic criminals. This also would likely have resulted in the operation’s demise.
In another example, as discussed in my “History of REvil” research paper, one of the core members of the Lockbit gang posted about their concerns that the FBI had infiltrated the REvil operation and now had access to their infrastructure, source code, and affiliate program. You can read their commentary in Figure 10, in which Lockbit discusses their concerns and recommends new procedures to identify and mitigate the FBI’s infiltration.
At the time, the FBI or an intelligence agency could have leveraged Lockbit’s concern. For example, they could have used personas to spread propaganda. This would add to the conversation and amplify the criminal’s fear by voicing further concerns, encouraging other criminals to engage in the conversation. The FBI could use this fear to plant a seed that they were closely moving in and leveraging ransomware affiliates who worked for multiple RaaS programs to get to the senior members of these gangs. Regardless of its validity, based on Lockbit’s call to action, this would have added additional time and money to the operation and resulted in greater distrust within the ransomware community. Now, there would need to be code audits of ransomware and hack tools, additional vetting procedures for affiliates, and other procedures that would require time and money for the attackers.
In the “Attack Data” section discussed earlier, you collected all known threat data from related attacks with similar attributes, which you believed to be from the same attacker. Now you need to document the output of your analysis. One method popular with analysts to communicate attack data is breaking the information into phases within the “kill chain” model. This breaks the attack components into stages in which you can detail the entire lifecycle of the attack. Still, the method chosen depends on your organizational requirements and how you will use the information. Is the information for analysts, threat hunters, and incident responders, or do you have a broader audience, such as senior leadership and other stakeholders, who will use the profiles when making security-related decisions during an attack? The answer to questions like these will dictate how you convey the information. The level of experience and knowledge of your analysts who run your defenses and respond to attacks will also play a role.
Regardless of the model or format you choose to use to convey the attack elements, sometimes, I find creating an infographic or visual representation of the malware and resources an adversary uses can be helpful. For example, Figure 11 is an infographic I created to detail the malware resources used by Wizard Spider (named by Crowd Strike) from profiling work I conducted during the Ransom Mafia research I did in 2021:
You still want to provide written information about the relevant data points in this section, but a visualization creates a quick, efficient, and accessible format to convey the information.
Next, you should detail known exploits, attack patterns, phishing email attributes, or any information on the attack vector used by the adversary. You will also provide information about the type of infrastructure used by the attacker, as I discussed in the collection process earlier. The information you found relating to those categories should be included in the Attack Elements section of your profile. Again, I like to work smarter, not harder. I use resources like Analyst1 to provide me with this type of information, automatically collected from attack evidence. I still must validate the output and ensure there is no false positives or inaccuracies, but it is faster than manually extracting and documenting the information on my own. Figures 12 and 13 are examples of attack patterns and CVEs associated with Wizard Spider. For visual purposes, I only include a partial view of the information.
I also find it useful to create a flow chart of the attack chain with commentary describing the sequence of events. Figure 14 is an example of an attack chain I created that is associated with the Ragnar Locker ransomware operation.
This can be especially useful when an active ransomware attacker is engaged on a network you are defending. Again, you may not always have the information, but when you do, and it’s unique, a flow chart can be helpful.
Now that we have covered the collection, analysis, and documenting of threat profiles, let’s discuss a real-world example from 2019 involving a security analyst armed with a threat profile and his experience with one of the worst ransomware attackers to date.
In August 2019, a security analyst who we will call “John” sat quietly at his desk reviewing alerts generated by his organization’s endpoint security solution. John’s responsibilities as a security analyst were to review logs, investigate malicious activity, and escalate as needed. John was a curious analyst, and while not part of his daily responsibilities, he made it a regular practice to look beyond malicious alerts.
John enjoyed looking through events logs for non-malicious but suspicious events seen within his environment. This included irregularly timed logins, failed access attempts, administrative tool use, and instances where someone used resources not typical for their job function. Since many threat actors today use legitimate resources to go undetected during the early stages of an attack, John believed reviewing legitimate activity could be worthwhile.
As John reviewed the day’s events, he noticed one of their corporate systems within their environment generated a base64 encoded PowerShell command. Sometimes legitimate applications or scripts use encoding to obfuscate commands within a computing environment, so the event itself was not malicious but seemed out of place.
To determine if further action was needed, John used a publicly available analytical tool called CyberChef, and successfully decoded the data seen in the activity. The output showed the system ran the PowerShell command to call Microsoft Windows native API functions “VirtualAlloc” and “CreateThread.” Using the resources, PowerShell instructs the system to open a port and “listen” for commands or input sent from the following IP address:
John knew he was on to something. The system in which the command ran had no need to run this query. Still, John needed more evidence to determine the full scope of what he had discovered and collected network activity originating from the same host around the time of the event. He found the external IP address 5.101.0[.]202, seen in the original encoded command, sent additional shell code back to the internal system. Interestingly, once compiled, the downloaded shell code formed a tool used for penetration testing called Cobalt Strike. Today, most ransomware attackers use Cobalt Strike in their attacks but at the time, it was a relatively new tactic.
As a diligent analyst, John frequently reviews threat profiles detailing the top adversaries posing a risk to his organization. Due to this, John recognized that in addition to its use as a legitimate penetration testing tool, organized cybercrime gangs use Cobalt Strike to facilitate ransomware attacks within a victim network. John now had sufficient evidence to support his instinct that something was not quite right with the events seen within his organization’s infrastructure.
He had evidence someone wanted to hide the command and had used base 64 encoding to mask its true purpose. He also had evidence that a corporate host connected to an unknown external IP address and opened a listening port, which it used to download second-stage shell code that, when compiled, was a hacktool seen used in a string of corporate ransomware attacks.
John reported the discovery and referenced the technique, which he remembered from a threat profile about a ransomware attacker known today by the name REvil. At the time of discovery, the attacker was in the environment, stealthy, working to gain further access, disabling security resources, and strategically staging ransomware payloads. The discovery led to a full-scale threat hunting and mitigation exercise lasting around the clock for over a week. In this situation, the good guys won, and the ransomware attack failed.
Now, suppose John had not been familiar with the tactic and had not read the attacker profile indicating the severity of the attack. He may have believed he had identified and mitigated the threat by removing Cobalt Strike and cleaning the infected system. Most day-to-day attacks only involve malware; therefore, John may have felt this was a lone incident mitigated by cleaning up that infected host.
The situation ended well, but often that is not the case.
He would not have known he had a persistent human attacker on his network, and the ransomware adversary would have encrypted and stolen his organization’s data and extorted John’s employer for millions.
This situation ended well, but often that is not the case. Remember, time and action are critical when dealing with an advanced threat. Since a human with a specific objective is behind the threat, they will not go away if you simply block the attempt and move on. Instead, with threat profiles, you know the attacker’s modus operandi. You have insight into their attack playbook and the tools and malware they will likely use in later stages of the operation. More importantly, analysts will be familiar with an attacker’s digital fingerprint to escalate the situation sooner.
Conducting a behavioral profile of ransomware attackers will give you a better understanding of who is behind the attacks threatening your organization. Behavioral profiling adds value to defenders who can use it to identify an attacker and negotiators who will know the motivations and beliefs of the human being they are dealing with. Fortunately, the information is easy to obtain if you have a skilled analyst and are willing to do the legwork to gain access to the forums and markets in which ransomware attackers spend their time. Often, simply by profiling an attacker’s presence and interactions on dark web forums, you can learn about the human characteristics behind the facade of an organized cybercriminal. More importantly, through profiling, I have learned about the technologies and resources an attacker plans to use before the attack occurs on several occasions.
After years of investigating, interacting with, and defending against ransomware-centric adversaries, I found that traditional threat profiles lacked the critical information necessary to deal with ransomware attacks. Today, ransomware attackers live on the dark web, interacting with criminals, security researchers, and the media. Yet, most organizations do not take advantage of the opportunity to understand the adversaries behind these attacks. Organizations will spend hundreds of thousands to millions on security solutions and intelligence they believe will keep them safe from ransomware attacks. Yet, the second you mention an analyst going on the dark web, they shut down the entire idea. Certainly, this change to collection practices and analysis of behavioral traits of ransomware will not level the playing field on its own. However, it is one of many changes necessary to better defend and address these types of attacks.