Monday, 10 August 2020 10:20

Windows ransomware attackers have upped their game in recent months: Sophos


The tactics employed by cyber criminals who deploy Windows ransomware on systems for monetary gain have changed over the last 10 months in order to evade detection by endpoint security that has improved markedly, a researcher from the global security firm Sophos claims.

Principal researcher Andrew Brandt said, in a detailed study titled Ransomware's evasion-centric arms race, that nearly every ransomware attack involved live engagement by the attackers, who first surveilled and took inventory of the intended victim's network before focusing attention on closing down or disabling existing layers of protection.

This is the second in a series of five studies on ransomware published by Sophos; iTWire reported on the first, a detailed study of WastedLocker, last week.

Brandt said that, at the same time as these evasive tactics had grown, the average ransom demanded had also increased, and the gangs had widened their attacks to include data that was exfiltrated from a target's network at an early stage of the attack.

Gangs that stage ransomware attacks on companies exfiltrate data from the victims' website using scripts written in PowerShell, a scripting language created by Microsoft.


They then use this data to put pressure on the victim as it provides them with a double-edged sword: the victim's data is encrypted and not accessible and the threat of data being leaked to world+dog also exists.

After the process of encrypting the victim's files on-site is completed, the ransomware generates a ransom note which shows up on the victim's system, stating the amount of ransom demanded, the deadline for payment and the method of payment, usually through cryptocurrency to a designated wallet.

The gangs release the data in dribs and drabs and, if the victim resists, the entire data dump is leaked on dark Web forums frequented by people who use data from these sites to stage phishing attacks or else steal people's identities. Data that can embarrass people is used in extortion attempts.

Brandt said the theft of data increased the chances that a victim would pay a ransom, even if they had back-ups and could restore their data from those back-ups right away.

"These two factors — the need to evade detection and the need to strengthen the criminal’s hand in ransom negotiations — have been the dominant factors driving the most dramatic behaviour changes, some of which we’ll discuss," he said.

"They also indicate the increasingly strenuous degree of effort it now requires to pull off a successful attack, a positive sign that the work defenders do has measurable effect on the attackers’ workloads."

He said the study had concentrated on some escalations by attackers that had been found to be interesting. "We think these indicate a level of frustration on the part of the ransomware criminals at their inability to terminate or disable these security controls," he said.

Brandt cited the case of the ransomware named Snatch which, in the Western autumn of 2019, had begun rebooting infected computers into Windows Safe Mode before starting to encrypt hard drives.

He pointed out that rebooting into Safe Mode - which is used for troubleshooting as it brings up a Windows system with a minimal set of drivers and programs - could inhibit the operation of endpoint protection, as that form of protection does not normally operate in Safe Mode.

"There are certain situations where a PC needs a specific driver or file to run, even during Safe Mode, in order to do something critical (for example, have a working display)," the Sophos researcher said.

"Snatch unexpectedly took advantage of this intentional feature of Safe Mode. During its infection process, the malware sets the registry keys that need to be there in order to run a particular file in Safe Mode. It plants its payload (the encrypting component), points the registry keys at it, and reboots the machine."
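Defenders can watch for exactly this registry tampering. The following is an added example, not Sophos's code or part of the original article: it runs over a constructed batch of Sysmon-style registry "value set" events and flags entries added under the SafeBoot\Minimal or SafeBoot\Network lists (the standard Safe Mode service and driver allow-lists) by any process other than the service control manager, rating them higher when the registered service image sits outside the Windows directory. The trusted-writer list, the event shape and the sample events are assumptions.

```python
import re

# Constructed sample of registry "value set" telemetry (Sysmon-style); not real host data.
SAMPLE_EVENTS = [
    {"pid": 612, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\(Default)",
     "value": "Driver"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SuperBackupSvc\ImagePath",
     "value": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc\(Default)",
     "value": "Service"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Safe Mode service/driver allow-lists; anything listed here is started in Safe Mode.
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)\\", re.I)
IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
# Assumption: on a healthy host only the service control manager writes SafeBoot entries.
TRUSTED_WRITERS = {"c:\\windows\\system32\\services.exe"}

def find_safeboot_abuse(events):
    """Flag SafeBoot entries written by an untrusted process. Each alert carries the
    service's ImagePath if the same batch sets it, and severity 'high' when that image
    lives outside the Windows directory (a planted payload rather than an OS component)."""
    image_paths = {}
    for ev in events:
        m = IMAGEPATH_RE.search(ev["target"])
        if m:
            image_paths[m.group(1).lower()] = ev["value"]
    alerts = []
    for ev in events:
        m = SAFEBOOT_RE.search(ev["target"])
        if not m or ev["image"].lower() in TRUSTED_WRITERS:
            continue
        entry = m.group(2)
        img = image_paths.get(entry.lower(), "")
        outside = bool(img) and not img.lower().startswith("c:\\windows\\")
        alerts.append({"pid": ev["pid"], "writer": ev["image"], "mode": m.group(1),
                       "entry": entry, "image_path": img,
                       "severity": "high" if outside else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_safeboot_abuse(SAMPLE_EVENTS):
        print(alert)
```

On a live host the same check applies to the state of those keys, not just the events that change them: an entry whose service image is not an OS component deserves a look before the next reboot.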

In another case, that of ransomware known as Robbinhood, attackers were found to have installed an otherwise harmless third-party driver to leverage a flaw in that driver. This driver then provided an entry point for the remainder of the attack.

"The attackers behind Robbinhood loaded a long-disused motherboard driver digitally signed by Gigabyte, the hardware manufacturer. Recent updates to Windows 10 mean that only these kinds of digitally signed drivers can run under normal circumstances," Brandt explained.


"The attackers use the Gigabyte driver, ironically, to turn off this feature in Windows that prevents the installation of hardware drivers that haven’t been cryptographically signed. Gigabyte withdrew the driver several years ago and replaced it with newer software that isn’t vulnerable to the same types of abuse. But the Robbinhood operators found a copy and used it anyway."

Once the Driver Signature Enforcement feature had been disabled, the attackers then uploaded another driver, this time an unsigned component, to the victim's PC.

"The ransomware then used this second driver to load itself at an operational level low enough that, the attackers believed, they were able to make an end-run around endpoint protection tools. Using the cover of this driver, the Robbinhood attackers attempted to either terminate or hobble a large number of files and processes associated with a wide variety of security software."

Brandt said extortion had become a secondary way for ransomware attackers to make money, with the exfiltration of data taking place at early stages of an attack as detailed earlier.

"As novel ransomware tends to appear at a regular pace, we’ve observed that most ransomware creators, who launch a new ransomware family go through a similar set of growth stages over the first six to nine months of operation, slowly escalating the feature set to incorporate a variety of techniques the attackers use to establish their persistence and move undetected within the network. Extortion is just the latest additional behaviour we see from the more mature ransomware families," he noted.

He said an additional feature employed by ransomware known as Lockbit was to not only delete its own executable binaries, but also overwrite the space occupied by those binaries so that they were not recoverable by using data recovery software.

An outstanding evasion technique was found in the case of ransomware known as Ragnar Locker.

Said Brandt: "The malware could not perform its encryption while Intercept X was loaded, so the attackers built a headless Windows image for a VirtualBox hypervisor, and put the VM on every box they wanted to attack.

"It was a devious ploy, since it appeared that any actions taken by the ransomware running inside the guest operating system had been taken by the process running the hypervisor. Since this is a trusted application, endpoint protection didn’t immediately kick in when the attackers executed all their commands from inside the VM guest."

He said the VM in this case was relatively huge, with an installer that was bigger than 122MB; ransomware binaries are usually less than a few MB in size.

"This was a real chunk. The attackers bundled an installer for an old copy of VirtualBox and the guest operating system disk image into an MSI file then tried to download a copy and launch it on every infected endpoint.

"Only when the virtual environment was set up, did the malware begin attempting to prepare its environment and then begin encrypting the hard drive. Initially, it appeared that the trusted VirtualBox process was the origin of the ransomware’s file encrypting behaviour on the host computer, which was confusing for a number of reasons."

Brandt said the discovery of the malware repository used by attackers who deployed the Netwalker ransomware gave the researchers insight into the planning and techniques that these gangs used to carry out an attack.

He said these attackers had in their possession an exhaustive set of tools used to spy, escalate privileges, steal, sniff, or stage brute-force attacks on Windows systems.

"We [research team] also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and anti-virus tools from a computer.

"Once inside the network of their target, the attackers apparently use the SoftPerfect Network Scanner to identify and create target lists of computers with open SMB ports, and subsequently may have used Mimikatz, Mimidogz, or Mimikittenz to obtain credentials.

"The files we recovered also revealed their preferred collection of exploits. Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796), a CVE-2019-1458 local privilege exploit against Windows, the CVE-2017-0213 Windows COM privilege escalation exploit published on the Google Security Github account, and the CVE-2015-1701 'RussianDoll' privilege escalation exploit," Brandt said.

Attacks using the WastedLocker ransomware this year had focused attention on the newcomer, Brandt said.

"The malware has already been implicated in some serious attacks, including against GPS device manufacturer Garmin, who reportedly paid a hefty ransom in order to re-enable business operations. WastedLocker has taken a different approach to the ransomware detection-evasion playbook by performing most of its malicious operations within volatile system memory. The technique is called memory mapped I/O," he said.

"This behaviour has some benefits. With 'traditional' ransomware, the behaviour is observable because a binary executable makes a large number of file reads and writes as it encrypts the victim’s important data. Behavioural detection engines that look for this type of unusual activity would otherwise alert the user and/or halt the operation, limiting the damage. Because WastedLocker reduces the number of detectable reads and writes by a significant percentage, it may fall below the threshold that governs suspicious activity in some behavioural detection rules.

"In addition, WastedLocker takes advantage of an unintended consequence of how Windows manages memory, using a component called the Cache Manager. The Cache Manager is a kernel component that sits between the file system and the Memory Manager. The Memory Manager keeps an eye on memory that has been modified (known as 'dirty pages').

"If a process encrypts the mapped memory, the Memory Manager knows which pages need to be written back to disk. This writing is done by the Cache Manager’s 'Lazy Writer' component; dirty pages are allowed to accumulate for a short time, and are then flushed to disk all at once, reducing the overall number of disk I/O operations."

Brandt said as a secondary unintended consequence of this, the writing of the modified files from their 'dirty pages' back to the filesystem was done in the context of the system (PID 4), rather than the ransomware process, which then further complicated behavioural detection.

"After all, nobody wants to cause a victim’s computer to crash because an anti-malware utility decided that the operating system itself was harming the computer," he said. "This technique also can hamstring less well-qualified behavioural detection."
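The detection lesson in the passage above is that counting file writes by the ransomware process alone misses write-backs the Cache Manager performs in the System (PID 4) context. The following is an added example, not Sophos's code or part of the original article: over a constructed stream of file-activity records it re-attributes each System write-back to the process that most recently mapped that file for writing, so that a mass-modification threshold can be applied to the right process. The record shape ("map_write" and "flush" events), the time window and the sample data are assumptions; which telemetry source can supply such events on a given host is left open.

```python
from collections import defaultdict

# Constructed file-activity telemetry (not real host data; the event source is assumed).
# Record: (timestamp, event, pid, image, path). "map_write" is a process opening a file
# mapping with write access; "flush" is the Cache Manager's later write-back, which the
# article notes is attributed to the System process (PID 4), not to the ransomware.
SAMPLE_EVENTS = [
    (100, "map_write", 5120, r"C:\Users\bob\Downloads\invoice.exe", r"D:\share\q1\plan.docx"),
    (101, "map_write", 5120, r"C:\Users\bob\Downloads\invoice.exe", r"D:\share\q1\budget.xlsx"),
    (102, "map_write", 5120, r"C:\Users\bob\Downloads\invoice.exe", r"D:\share\q1\deck.pptx"),
    (103, "map_write", 2200, r"C:\Program Files\WordProcessor\word.exe", r"C:\Users\bob\notes.docx"),
    (130, "flush", 4, "System", r"D:\share\q1\plan.docx"),
    (130, "flush", 4, "System", r"D:\share\q1\budget.xlsx"),
    (131, "flush", 4, "System", r"D:\share\q1\deck.pptx"),
    (140, "flush", 4, "System", r"C:\Users\bob\notes.docx"),
]

SYSTEM_PID = 4

def attribute_flushes(events, window=60):
    """Re-attribute System (PID 4) write-backs to the process that most recently
    mapped the same file for writing within `window` time units.
    Returns {mapping pid: [flushed paths]}."""
    last_mapper = {}  # path -> (timestamp, pid)
    by_process = defaultdict(list)
    for ts, kind, pid, _image, path in sorted(events):
        if kind == "map_write":
            last_mapper[path] = (ts, pid)
        elif kind == "flush" and pid == SYSTEM_PID:
            mapped = last_mapper.get(path)
            if mapped and ts - mapped[0] <= window:
                by_process[mapped[1]].append(path)
    return dict(by_process)

def mass_modification_suspects(events, threshold=3, window=60):
    """PIDs whose mapped files System flushed at or above `threshold` distinct paths:
    the count a rule keyed only on the writing process's own file writes never sees."""
    return sorted(pid for pid, paths in attribute_flushes(events, window).items()
                  if len(set(paths)) >= threshold)

if __name__ == "__main__":
    print(mass_modification_suspects(SAMPLE_EVENTS))  # [5120]
```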

Brandt had the following advice for security professionals. "If you work in IT security, your organisation is relying on you to close the most obvious loopholes and backdoors into the network," he said. "Basic PC hygiene, including installing all the latest patches, shutting down Remote Desktop entirely (or putting it behind a VPN), and applying multi-factor authentication to services hosting the most sensitive data in the organisation are just some of these fundamental steps you can take to protect yourself and your network today.

"If endpoint protection tools are the metaphorical net below the high wire act, applying patches and shutting down unnecessary holes in the firewall are the daily practice routines that will keep you out of the net when it matters most."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
