Insights from the Report
- This report describes the rapid identification and containment of a Play ransomware intrusion through the coordinated efforts of Trend Micro’s Managed Detection and Response (MDR) team.
- The Play ransomware group used SYSTEMBC, a SOCKS5 proxy malware that can deliver ransomware and other payloads, and GRIXBA, a custom network-scanning tool whose bespoke nature helps it evade signature-based detection.
- During this incident the group was also observed using legitimate tools such as PsExec and Remote Desktop Protocol (RDP), a common "living-off-the-land" tactic that lets threat actors blend in with normal administrative activity and evade security controls.
Background
Ransomware remains one of the most damaging forms of cybercrime. The Play ransomware group, known for its aggressive tactics and the impact of its attacks on organizations, has been active since June 2022.
Earlier this year, Trend Micro’s Managed Detection and Response (MDR) team detected a coordinated intrusion attributed to the Play ransomware group. Using the Trend Micro Vision One platform, the MDR team identified and countered the threat before the actor reached the data-theft and encryption stages, preventing data loss and operational disruption. The case illustrates why layered, continuously monitored defenses matter against an adversary that adapts its tooling.
Event Summary
Trend Micro MDR first became aware of the breach when Vision One Workbench alerts fired after the Apex One Endpoint Protection Platform (EPP) agent detected a command-and-control tool identified as SYSTEMBC. The tool, found in the C:\Users\Public\Music directory of a Windows server, is a proxy malware that implements SOCKS5 and can be used to deliver additional payloads, including ransomware. Although the EPP agent quarantined the backdoor, the threat actor retained access to the endpoint using valid login credentials. The originating host was traced to an IP address within the victim’s VPN subnet.
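To make the SOCKS5 point concrete, the following added example (written for this page; it is not SYSTEMBC's code and not Trend Micro's detection logic) parses the client-to-server side of a reassembled TCP stream according to RFC 1928 and recovers the destination the client asked the proxy to connect to. The function names, the sample byte strings, and the assumption that the client-direction bytes have already been reassembled (for example by Zeek or tcpflow) are mine.

```python
"""Parse the client side of a SOCKS5 session (RFC 1928).

Added example: not SYSTEMBC's code. Input is assumed to be the already
reassembled client-to-server bytes of one TCP flow; server replies are
not needed to recover the requested destination."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(buf, off=0):
    """Client greeting: VER NMETHODS METHODS[]. Returns (methods, next_offset) or None."""
    if len(buf) < off + 2 or buf[off] != SOCKS_VERSION:
        return None
    n = buf[off + 1]
    if n == 0 or len(buf) < off + 2 + n:
        return None
    return list(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_request(buf, off=0):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (dict, next_offset) or None."""
    if len(buf) < off + 4 or buf[off] != SOCKS_VERSION or buf[off + 2] != 0x00:
        return None
    cmd, atyp, p = buf[off + 1], buf[off + 3], off + 4
    if atyp == ATYP_IPV4:
        if len(buf) < p + 4:
            return None
        host, p = str(ipaddress.IPv4Address(bytes(buf[p:p + 4]))), p + 4
    elif atyp == ATYP_DOMAIN:
        if len(buf) < p + 1:
            return None
        n, p = buf[p], p + 1
        if n == 0 or len(buf) < p + n:
            return None
        host, p = buf[p:p + n].decode("ascii", "replace"), p + n
    elif atyp == ATYP_IPV6:
        if len(buf) < p + 16:
            return None
        host, p = str(ipaddress.IPv6Address(bytes(buf[p:p + 16]))), p + 16
    else:
        return None
    if len(buf) < p + 2:
        return None
    port = struct.unpack("!H", buf[p:p + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}, p + 2


def inspect_client_stream(buf):
    """Return {"methods": [...], "request": {...} or None} for a SOCKS5 client stream, or None.

    Only the no-authentication path is handled: if the server picked username/password
    auth (method 0x02), RFC 1929 bytes sit between the greeting and the request and
    parse_request returns None. The greeting alone is still reported so the flow can be
    flagged as SOCKS5 even when the destination cannot be recovered."""
    g = parse_greeting(buf)
    if g is None:
        return None
    methods, off = g
    result = {"methods": methods, "request": None}
    r = parse_request(buf, off)
    if r is not None:
        result["request"] = r[0]
    return result


# Constructed sample: greeting offering "no auth", then CONNECT to example.com:443.
SAMPLE_DOMAIN = (b"\x05\x01\x00"
                 + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443))
# Constructed sample: CONNECT to 10.0.0.5:3389 (an internal RDP target).
SAMPLE_IPV4 = (b"\x05\x01\x00"
               + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 3389))

if __name__ == "__main__":
    print(inspect_client_stream(SAMPLE_DOMAIN))
    print(inspect_client_stream(SAMPLE_IPV4))
```

In practice the interesting signal is a SOCKS5 greeting arriving on an unexpected port from an internal host, followed by CONNECT requests to other internal addresses; the parser above gives you the destination host and port to pivot on rather than just a protocol match.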
The threat actor then transferred the legitimate administrative tool PsExec from their attacking system over the VPN. PsExec, designed to run programs and execute commands on remote systems, was placed in the same directory in which the SYSTEMBC binary had been staged.
The threat actor also enabled RDP on the host by using reg.exe to set the registry value fDenyTSConnections (under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server) to 0, which Vision One recorded as an observed attack technique (OAT). As the command line in the indicator table shows, the key was addressed through a remote host name, so the change was pushed over the network rather than typed in an interactive session on the target.
Another tool, GT_NET.exe, was dropped on the host and executed, performing a series of network reconnaissance tasks to identify reachable hosts on the network. The resulting list of endpoints was written to a file and archived as data.zip. Post-execution malware analysis identified GT_NET.exe as GRIXBA, a custom tool used by the Play ransomware group. Custom tooling is nothing new, but it has consequences for both attackers and defenders:
- Advantages for attackers
  - Stealth and evasion: Custom tools are often tailored to the intrusion or wrapped in obfuscation layers to evade signature-based detection, and they can be adapted quickly once a new defensive signature appears.
  - Modular functionality: Custom tools are frequently modular, so only the functions needed for the compromised environment are deployed, limiting what a defender can learn from any one sample.
- Advantages for defenders
  - Attribution: Identifying a custom tool supports early attribution to a specific threat actor, which in turn tells defenders which tactics, techniques, and procedures to expect next.
  - Behavioral analysis: Because signature-based detection is less effective against custom tools, behavior-based controls such as behavior monitoring (BM) and predictive machine learning (PML) key on what the tool does (scanning, credential access, staging) rather than what it looks like, so a rebuilt or repacked tool still trips the same detections.
The threat actor subsequently attempted to dump the memory of the running LSASS process using Task Manager. This was blocked by the Apex One EPP agent’s Behavior Monitoring (BM) module, which recognized the suspicious process access and intervened before any LSASS memory, and the credential material it holds, could be written to disk.
Chronology of Events
Through continuous monitoring of the victim organization’s environment, the Trend Micro MDR team reconstructed the threat actor’s actions step by step. This visibility allowed the team to execute response measures promptly to contain the threat and to notify the victim organization so it could act immediately. The coordinated response stopped the Play ransomware group before it could carry out its remaining objectives of data collection, exfiltration, and encryption, any of which would have meant a serious data breach and significant operational disruption for the victim.
Countermeasures
The FBI, CISA, and ASD’s ACSC recommend that organizations implement several key countermeasures to limit an adversary’s ability to abuse common system and network discovery techniques. These measures reduce the risk of falling victim to Play ransomware. A summary of the recommendations follows:
- Regularly Update and Patch Systems: Keep all systems and software current with the latest patches and updates. This helps close security loopholes that attackers might leverage.
- Implement Network Segmentation: Divide your network into sections to restrict the propagation of ransomware and other malicious activities. This division can help confine the damage in case of an intrusion.
- Utilize Multi-Factor Authentication (MFA): Enforce MFA for accessing critical systems and sensitive data. MFA boosts security by making it tougher for unauthorized access attempts to succeed.
- Monitor Network Traffic: Continuously monitor network activity for unusual behavior that may signal a breach, and use threat detection tools that surface anomalies in real time so they can be investigated and contained quickly.
- Keep Data Backed up Regularly: Create regular backups of essential data and keep them in a safe, remote location. Make sure the backups are not linked to the primary network to prevent ransomware from encrypting them.
- Utilize Endpoint Protection: Implement strong endpoint protection solutions to identify and stop malicious activities on individual devices. This involves using anti-malware and anti-ransomware tools.
Implementing these measures can greatly lessen the chances of falling victim to Play ransomware and other similar threats. For a detailed guide and recommendations, please see the #STOPRANSOMWARE Play Ransomware guide.
Summary
The successful identification and containment of this Play ransomware intrusion underscores the importance of proactive security measures. Organizations need to remain vigilant and adopt a comprehensive strategy, which can include Managed Detection and Response (MDR) services: Trend Micro MDR provides continuous monitoring and expert analysis around the clock. Layered defenses, combining the tools and practices described in the #STOPRANSOMWARE guide, remain essential to building a robust defense against sophisticated and evolving threats.
For more insights on the Play ransomware group, read Trend Micro’s Ransomware Spotlight article to discover some intriguing facts about the group.
Indicators of Compromise (IoCs)
| Name/Detail | Indicator | Trend Micro Detection/OAT |
|---|---|---|
| SYSTEMBC | File name: Socks32.dll | Backdoor.Win32.COROXY.SMRTI |
| GRIXBA | File name: GT_NET.exe | Trojan.MSIL.GRIXBA.A |
| PsExec | File name: PsExec.exe | OAT: Suspicious File Creation in Uncommon Folder |
| Registry modification | Process command: `"C:\Windows\system32\reg.exe" add "\\<IP ADDRESS>\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f` | OAT: RDP Setting Modification Via Reg.exe |
| LSASS process memory dump | Process file path: C:\Windows\System32\Taskmgr.exe | OAT: Dump LSASS Process Memory via Taskmgr |
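The following added example (mine, not Trend Micro’s OAT logic) turns the three behaviours in the table above into detection rules evaluated over constructed, Sysmon-like event records: execution or file creation in the C:\Users\Public staging folder, RDP being enabled through reg.exe (including the remote-registry form seen in this incident), and Task Manager opening LSASS with read access. The field names, rule names, and sample events are assumptions made for illustration; the reg.exe command line mirrors the one in the table with a placeholder address filled in.

```python
"""Endpoint telemetry rules for the three Play ransomware behaviours in the IoC table.

Added example: not Trend Micro's detection logic. Event records use a simplified,
Sysmon-like shape (process_create, file_create, process_access) assumed for illustration."""
import re

# Constructed sample events; the 10.20.30.x addresses are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\Public\Music\PsExec.exe",
     "cmdline": r"C:\Users\Public\Music\PsExec.exe \\10.20.30.41 -s cmd.exe"},
    {"type": "file_create", "path": r"C:\Users\Public\Music\Socks32.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add "\\10.20.30.40\HKLM\SYSTEM\CurrentControlSet'
                r'\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"type": "process_create", "image": r"C:\Users\Public\Music\GT_NET.exe",
     "cmdline": r"C:\Users\Public\Music\GT_NET.exe"},
    {"type": "process_access", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    # Benign records that must not fire: normal system process, and RDP being disabled.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r' /v fDenyTSConnections /t REG_DWORD /d 1 /f'},
]

# World-writable folder used to stage tooling in this incident; extend with other
# staging paths (ProgramData, Windows\Temp, ...) as your environment warrants.
STAGING_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.I)
# reg.exe add ... Terminal Server ... fDenyTSConnections ... /d 0  (0 = RDP enabled).
RDP_ENABLE = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+.*terminal server.*?fdenytsconnections.*?/d\s+0(?:\s|$)', re.I)
# \\host\HKLM... is reg.exe's remote-registry syntax.
REMOTE_KEY = re.compile(r"\\\\([\w.-]+)\\HKLM", re.I)
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def rule_staging_folder(ev):
    path = ev.get("image") if ev["type"] == "process_create" else ev.get("path")
    if path and STAGING_DIR.search(path):
        return {"rule": "staging_folder", "detail": path}
    return None


def rule_rdp_enabled(ev):
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\reg.exe"):
        return None
    cmd = ev.get("cmdline", "")
    if not RDP_ENABLE.search(cmd):
        return None
    m = REMOTE_KEY.search(cmd)
    return {"rule": "rdp_enabled_via_reg",
            "detail": f"remote target {m.group(1)}" if m else "local registry"}


def rule_lsass_access(ev):
    if ev["type"] != "process_access":
        return None
    if not ev["target_image"].lower().endswith("\\lsass.exe"):
        return None
    # This incident used Task Manager; a broader rule would allowlist known
    # security tooling and flag every other source holding PROCESS_VM_READ.
    if not ev["source_image"].lower().endswith("\\taskmgr.exe"):
        return None
    if not ev["granted_access"] & PROCESS_VM_READ:
        return None
    return {"rule": "lsass_access_taskmgr", "detail": hex(ev["granted_access"])}


RULES = (rule_staging_folder, rule_rdp_enabled, rule_lsass_access)


def evaluate(events):
    """Run every rule over every event; return the hits with the event index attached."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["index"] = i
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(h)
```

The RDP rule deliberately keys on the value written (`/d 0`) rather than on the key name alone, so routine hardening that sets fDenyTSConnections to 1 does not generate noise; the remote-registry detail tells the analyst which host the change was made from, which in this incident pointed back at the VPN subnet.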
