
Ransomware Detection: How to detect Ransomware using Network Detection and Response


Learn what ransomware detection is, the tactics malicious actors use to gain access and move inside your network, and the techniques and tools you need to detect and stop the ransomware threat.

What is ransomware?

The term “ransomware” can refer to two things:

  • The act of using software to cripple an organization’s computer systems, then demanding a payment (ransom) to stop the interference and return things to normal.
  • A specific piece of malware used in the act.

Buoyed by the rise of cryptocurrencies which enable the mostly anonymous payment of ransoms without interference from banks or regulatory authorities, ransomware has become one of the top threats to organizations’ ability to maintain business continuity.

What is ransomware detection?

Ransomware detection is the process of identifying ransomware threats as early as possible. Early detection allows organizations to limit the attack’s scope and mitigate potential damage to systems and data.

Ransomware and exfiltration: two for the price of one.

Since some organizations elect not to pay the ransom and instead just attempt to recover their systems via their disaster recovery/business continuity plans, some ransomware groups have taken up a second form of extortion: Before blocking access to the network and computer systems, they exfiltrate sensitive information from the network and store it. Then, if the organization disregards the ransom, the ransomware group can threaten to publicize the stolen information and attempt to extort a payment from the organization in exchange for the ransomware group’s silence about the incident.

To detect ransomware, it helps to dive deeper into the ways that malicious actors can gain access to organizations’ networks, and how they behave once inside in order to accomplish their goals.

Initial access

Ransomware actors have often used the following tactics to gain access to an organization’s network:

  • Exploiting vulnerabilities in Internet-facing applications
  • Spearphishing and spam messages with malicious attachments or links, including documents with malicious macros
  • Advertisements for popular software or services that actually lead to malicious sites or links
  • Purchasing legitimate credentials from a user on the inside and then using these credentials with exposed Remote Desktop Protocol (RDP) servers, Virtual Desktop Infrastructure (VDI), or Virtual Private Networks (VPNs)
  • Guessing credentials for any of the above services
  • Re-using credentials leaked in a previous breach for any of these services
  • Paying a user on the inside to execute software on one or more devices
  • Purchasing access from an initial access broker who has already done one or more of the above.

Persistence

Like all skilled intruders, ransomware actors look to establish methods of persistence to be able to regain access to the network in case their original access methods are cut off or shut down. One persistence method is to install legitimate remote access software that uses a third-party server to establish a tunnel so that the device doesn’t need to be exposed to incoming connections from the internet to be remotely accessible. Such software includes TeamViewer, AnyDesk, Splashtop, and GoToMyPC, among many other options.

Lateral movement

Once inside the network, the ransomware actor’s primary goal is to deploy the software to as many computers as possible before the organization can detect the ransomware. Some ransomware exhibits worm-like behavior, using exploits to spread laterally from machine to machine, or placing copies of itself in shared folders for users to execute accidentally. Since these behaviors are noisy, ransomware actors have recently adopted a more strategic approach: abusing centralized administration systems.

It’s no surprise that ransomware actors target these systems, since they are the most seamless and efficient way to deploy software widely across an organization at scale. In an assessment conducted and documented by CISA, a red team mimicked these types of takeovers because they offered relatively complete control over the endpoints in the networks it was attacking:

“Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization…To gain access to the [sensitive business systems], the team first gained access to Microsoft System Center Configuration Manager (SCCM) servers, which managed most of the domain’s Windows systems. With access to the SCCM server, the red team utilized their Preferred Lateral Movement Technique to gain access to each admin workstation target.”

Ransomware actors have several options for automating the installation of their ransomware. One is to compromise a user account that has permissions to make changes to Group Policy Objects (GPO) for a Microsoft Active Directory (AD) system. With this privilege, they can edit an existing GPO or create a new one, which will copy an executable file to each endpoint managed by the GPO and then execute it. These changes can be made remotely, or from within a domain controller (DC). Ransomware actors tend to favor RDP sessions to remotely access a DC from an existing compromised workstation.

Ransomware actors can also use any existing configuration management system to deploy software. In the CISA red team assessment, the existing Microsoft SCCM infrastructure allowed the attack simulators to spread laterally within the environment, but any widely deployed management solution, including Microsoft Intune, SolarWinds, Ivanti LANDESK, SaltStack, Tanium, BigFix, and many, many others, can be used to spread ransomware.

The rule of thumb is: if you can use a platform to make changes to your endpoints and/or servers at scale, so can a ransomware actor once they have gained access to it.

How to detect ransomware before it’s too late.

The groups and individuals behind ransomware typically do not have physical access to the sites, devices, and networks that an organization owns, so they have to conduct all of their activities remotely via networks and the Internet. Knowing this, and understanding the network behaviors they exhibit, allows you to instrument your network to look for these behaviors, so you can get early warning signals that something is wrong and detect ransomware before it is too late.

Before diving into the details of what to monitor and how, remember that ransomware actors engage with your network via internet ingress/egress points (“north-south”) but also by taking actions across the network internally (“east-west”). For this reason, any network instrumentation approach should consider tapping both north-south and east-west traffic, with a primary focus on the east-west boundaries that ransomware actors are most likely to cross, such as:

  • Boundaries between the internal network and the demilitarized zones (DMZs) where internet-facing infrastructure is hosted
  • Boundaries between VPN concentrators and the internal network
  • Boundaries surrounding privileged assets such as bastion hosts, DCs and asset configuration management infrastructure
  • Boundaries between users and the data center
  • Boundaries surrounding VDI

Close the case on ransomware

In high stakes ransomware investigations, many security teams are unable to answer key questions and default to worst-case assumptions. With complete visibility from Corelight, teams can avoid costly overreactions. One customer, when confronted with a $10 million ransomware demand, used Corelight to prove the exfiltrated data being held for ransom had no real value while providing legal aircover for refusing to pay the ransom.


Ransomware detection techniques

Ransomware detection often begins with a good Intrusion Detection System (IDS) that observes network traffic and incorporates new and emerging signatures from reputable threat intelligence providers. For example, Corelight sensors use the open source Suricata IDS engine, and can load feeds from any provider of IDS signatures, such as ProofPoint Emerging Threats, the Corelight feed, signatures from CrowdStrike, and others. An IDS can automate the process of looking for known signs of intrusion attempts on Internet-facing applications, callbacks to known malicious command and control infrastructure, and the presence of malware and/or lateral movement within the network.

Security teams should also monitor network traffic for signs that remote access software (see the examples above) has been installed. Evidence appears in DNS queries for domains associated with remote access software, as well as in SSL connections or X.509 certificates involving those domains. If the SOC finds evidence of an installation, it needs to confirm that the use is legitimate and allowed by policy, and that the individual responsible for the system confirms they initiated the installation.
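As an added illustration of the DNS and SSL checks described above (example code, not Corelight's or Zeek's own), the script below scans constructed records in the shape of Zeek dns.log (query field) and ssl.log (server_name field) against a watchlist of remote-access vendor domains and reports, per internal host, which tools were seen so each can be reconciled with policy. The watchlist, hosts and log lines are all constructed for the example.

```python
import csv
import io

# Constructed watchlist: vendor domains for the tools named above. A real
# deployment would maintain this from policy and threat intelligence.
REMOTE_ACCESS_DOMAINS = {
    "teamviewer.com": "TeamViewer",
    "anydesk.com": "AnyDesk",
    "splashtop.com": "Splashtop",
    "gotomypc.com": "GoToMyPC",
}

# Constructed records in the shape of Zeek dns.log and ssl.log, reduced to
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p and query / server_name.
DNS_LOG = """\
1700000000.1\tCabc1\t10.1.2.3\t54321\t10.1.1.53\t53\tupdates.contoso.example
1700000001.2\tCabc2\t10.1.2.3\t54322\t10.1.1.53\t53\trouter1.teamviewer.com
1700000002.3\tCabc3\t10.1.2.9\t54323\t10.1.1.53\t53\tboot.net.anydesk.com
"""
SSL_LOG = """\
1700000003.4\tCdef1\t10.1.2.9\t60001\t203.0.113.7\t443\trelay-1.net.anydesk.com
1700000004.5\tCdef2\t10.1.2.4\t60002\t203.0.113.8\t443\tmail.contoso.example
"""

def match_watchlist(name):
    """Return the tool name if `name` is a watchlisted domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    for domain, tool in REMOTE_ACCESS_DOMAINS.items():
        if name == domain or name.endswith("." + domain):
            return tool
    return None

def find_remote_access(log_text, name_field, source):
    """Scan TSV records; field 2 is the internal host, `name_field` the domain."""
    hits = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        tool = match_watchlist(row[name_field])
        if tool:
            hits.append({"host": row[2], "tool": tool,
                         "name": row[name_field], "source": source})
    return hits

def hosts_by_tool(dns_log=DNS_LOG, ssl_log=SSL_LOG):
    """Per internal host, the set of tools seen, so each can be checked against policy."""
    hits = find_remote_access(dns_log, 6, "dns") + find_remote_access(ssl_log, 6, "ssl")
    summary = {}
    for h in hits:
        summary.setdefault(h["host"], set()).add(h["tool"])
    return summary

if __name__ == "__main__":
    for host, tools in sorted(hosts_by_tool().items()):
        print(f"{host}: {', '.join(sorted(tools))} -> confirm with the system owner")
```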

Since ransomware actors may wish to make changes to GPO, and can do so by making changes to files in the SYSVOL share on any DC, monitoring and logging Server Message Block (SMB) traffic to DCs and looking for writes in the SYSVOL share can be an effective way to document potential changes. Next, analysts should investigate each change to the SYSVOL share and locate the source of the change, and compare the change to the documentation from the change control process to make sure the changes are authorized and planned. Any unplanned changes should be heavily scrutinized as a potential ransomware detection, especially if they distribute executable files or scripts such as PowerShell, VBS, or JavaScript files, all of which can be natively run on Windows systems.

We’ve already established that centralized configuration management systems, like DCs, SCCM and others, will often be targeted by ransomware actors due to their ability to quickly and efficiently distribute ransomware at scale. Therefore, systems with this much power should be contained to specific areas of the network; access to them should be tightly controlled and monitored for any lateral movement or remote administration. All administrators should be required to use strong forms of authentication to access or make changes to these systems. All network traffic to and from these systems should be logged, and organizations should regularly execute proactive threat-hunting exercises in these logs and look for signs of misuse or abuse. Regularly looking at this traffic will help the organization understand and create a baseline that can be used to look for changes in behaviors over time, and which may in turn assist in ransomware detection and prevent incidents.

Ransomware actors use the same methods to move laterally on networks as legitimate administrators do: remote administration protocols such as DCE-RPC, RDP, and SSH. Since there should be a reasonable (read: not so much you can’t investigate it) amount of administrative traffic happening inside of a network, one good strategy is to document remote administrative sessions, then investigate them to make sure the sources and destinations are expected and/or reasonable, and also to spot check with the individuals and application owners to make sure that they were legitimate sessions. This also serves as a good place for threat hunters to regularly hunt for illegitimate sessions.

Some ransomware variants have also attempted to encrypt files on remote file shares that were mapped as drives on a workstation. In this case, there will be evidence in the outbound SMB traffic from the workstation to the file server that indicates a file write and then a rename — and this often includes a ransomware-specific file extension. To look for this, watch SMB traffic for strange filenames or elevated volumes of activity.
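Both SMB checks described above (SYSVOL writes on a DC, and a file write followed by a rename to a ransomware-style extension) are shown here in one added example that is not Corelight's or Zeek's own code. It parses constructed records using a subset of Zeek smb_files.log fields (action, path, name, prev_name); the DC addresses, approved admin host and suspicious extensions are constructed placeholders for what your own inventory and threat intel would supply.

```python
import csv
import io
from collections import defaultdict

# Constructed environment facts: DC addresses, hosts approved to edit GPOs,
# and extensions to treat as suspicious. Real values come from your inventory
# and threat intelligence, not from this example.
DOMAIN_CONTROLLERS = {"10.1.1.10", "10.1.1.11"}
APPROVED_GPO_HOSTS = {"10.1.5.5"}
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted"}

# Constructed records using a subset of Zeek smb_files.log fields:
# ts, uid, id.orig_h, id.resp_h, action, path, name, prev_name ("-" if unset).
SMB_FILES_LOG = """\
1.0\tC1\t10.1.5.5\t10.1.1.10\tSMB::FILE_WRITE\t\\\\dc1\\SYSVOL\tPolicies\\{GUID}\\gpt.ini\t-
2.0\tC2\t10.1.2.3\t10.1.1.10\tSMB::FILE_WRITE\t\\\\dc1\\SYSVOL\tPolicies\\{GUID}\\Machine\\Scripts\\Startup\\run.ps1\t-
3.0\tC3\t10.1.2.7\t10.1.3.20\tSMB::FILE_WRITE\t\\\\fs1\\shared\treport.docx\t-
3.5\tC3\t10.1.2.7\t10.1.3.20\tSMB::FILE_RENAME\t\\\\fs1\\shared\treport.docx.locked\treport.docx
4.0\tC4\t10.1.2.8\t10.1.3.20\tSMB::FILE_RENAME\t\\\\fs1\\shared\tnotes_v2.txt\tnotes.txt
"""
FIELDS = ["ts", "uid", "orig_h", "resp_h", "action", "path", "name", "prev_name"]

def parse(log_text=SMB_FILES_LOG):
    """Turn the TSV records into dicts keyed by the field names above."""
    return [dict(zip(FIELDS, row))
            for row in csv.reader(io.StringIO(log_text), delimiter="\t")]

def sysvol_writes(records):
    """Writes into SYSVOL on a DC from a host not approved for GPO changes:
    each one is a candidate GPO modification to reconcile with change control."""
    return [r for r in records
            if r["resp_h"] in DOMAIN_CONTROLLERS
            and r["action"] == "SMB::FILE_WRITE"
            and "sysvol" in r["path"].lower()
            and r["orig_h"] not in APPROVED_GPO_HOSTS]

def ransomware_renames(records):
    """Renames that add a suspicious extension to a file written earlier in the
    same SMB connection (uid): the write-then-rename pattern described above."""
    written = defaultdict(set)
    hits = []
    for r in records:
        if r["action"] == "SMB::FILE_WRITE":
            written[r["uid"]].add(r["name"])
        elif r["action"] == "SMB::FILE_RENAME":
            ext = "." + r["name"].rsplit(".", 1)[-1].lower()
            if ext in SUSPICIOUS_EXTENSIONS and r["prev_name"] in written[r["uid"]]:
                hits.append(r)
    return hits

if __name__ == "__main__":
    recs = parse()
    for r in sysvol_writes(recs):
        print(f"SYSVOL write from {r['orig_h']} to {r['resp_h']}: {r['name']}")
    for r in ransomware_renames(recs):
        print(f"suspicious rename on {r['resp_h']}: {r['prev_name']} -> {r['name']}")
```

The write from the approved admin host and the ordinary rename of notes.txt are left alone; only the unapproved write of a startup script into SYSVOL and the write-then-rename to .locked are reported.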

Tracking complex and persistent attackers requires going beyond signatures by also using advanced detection techniques such as Machine Learning (ML) and anomaly detection. These tools can also be used to identify the early stages of a ransomware attack, including initial access techniques like phishing and malware downloads that enable the threat actor’s expansion into the organization. Anomalous patterns of authentication, network scanning, and enumeration of common management services are also good matches for advanced analytics such as those found in ML models.

Finally, consider that if a ransomware actor is going to attempt the “double extortion” technique, they will likely be exfiltrating large volumes of data from the environment before detonating the ransomware payload(s). Looking for exfiltration evidence can start with simple models like keeping an eye on top sources of outbound traffic and looking for upticks in outbound data volume from within the network. More complex methods include calculating producer/consumer ratios (PCR) for network flows, which can be used to quickly identify uploads, but can also be used to characterize the regular behavior of network devices and look for things like an inversion of PCR values. An inversion indicates that a device that normally behaves like a consumer is suddenly a producer (or vice versa). If a device that is normally a producer suddenly becomes a consumer, it may be in use to aggregate and stage data inside the environment in preparation for exfiltration. If a device suddenly exhibits abnormal connections to the internet with high producer values, that could be a sign of data exfiltration — and another key piece of evidence that leads to ransomware detection.
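The PCR calculation and the inversion check described above, as an added example that is not Corelight's or Zeek's own code. It computes PCR = (bytes out - bytes in) / (bytes out + bytes in) per internal host from constructed records shaped like Zeek conn.log fields (id.orig_h, id.resp_h, orig_bytes, resp_bytes), compares a baseline window with the window under review, and separately lists hosts that are net uploaders toward the internet; the 10.0.0.0/8 internal-network convention and all addresses and byte counts are constructed.

```python
from collections import defaultdict

def pcr(bytes_out, bytes_in):
    """PCR = (out - in)/(out + in): +1 pure producer (upload), -1 pure consumer (download)."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total

def is_internal(ip):
    return ip.startswith("10.")  # constructed convention: internal net is 10.0.0.0/8

# Constructed conn records (Zeek conn.log fields id.orig_h, id.resp_h,
# orig_bytes, resp_bytes) for a baseline window and the window under review.
BASELINE = [
    ("10.1.2.3", "10.1.3.20", 2_000, 500_000),    # workstation reads from file server
    ("10.1.2.3", "203.0.113.9", 5_000, 300_000),  # ordinary web browsing
    ("10.1.2.4", "10.1.3.20", 1_000, 400_000),
]
CURRENT = [
    ("10.1.2.3", "10.1.3.20", 3_000, 450_000),
    ("10.1.2.3", "203.0.113.50", 600_000_000, 20_000),  # large upload to the internet
    ("10.1.2.4", "10.1.3.20", 1_000, 400_000),
    ("10.1.2.5", "10.1.3.20", 900_000_000, 1_000),      # bulk write onto the file server
]

def host_pcr(conns, external_only=False):
    """PCR per internal host, counting bytes from that host's point of view
    whether it was originator or responder of the connection."""
    out_b, in_b = defaultdict(int), defaultdict(int)
    for orig, resp, ob, rb in conns:
        if external_only and is_internal(orig) == is_internal(resp):
            continue  # keep only internal<->external flows
        if is_internal(orig):
            out_b[orig] += ob
            in_b[orig] += rb
        if is_internal(resp):
            out_b[resp] += rb
            in_b[resp] += ob
    return {h: pcr(out_b[h], in_b[h]) for h in set(out_b) | set(in_b)}

def find_inversions(baseline, current, threshold=0.5):
    """Hosts whose PCR flipped sign past the threshold between the two windows."""
    base, cur = host_pcr(baseline), host_pcr(current)
    flagged = {}
    for h in cur.keys() & base.keys():  # hosts with no baseline are skipped
        before, now = base[h], cur[h]
        if before <= -threshold and now >= threshold:
            flagged[h] = "consumer->producer (possible exfiltration)"
        elif before >= threshold and now <= -threshold:
            flagged[h] = "producer->consumer (possible staging)"
    return flagged

def external_producers(conns, threshold=0.5):
    """Internal hosts that are net uploaders toward the internet in this window."""
    return sorted(h for h, v in host_pcr(conns, external_only=True).items() if v >= threshold)
```

In the constructed data the workstation 10.1.2.3 flips from consumer to producer and the file server 10.1.3.20 flips from producer to consumer (a bulk write from a host with no baseline), which is the staging-then-upload sequence the text describes.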


Corelight’s Open NDR: The clear choice for ransomware detection

Corelight provides a complete range of threat detection capabilities from signature-based detection of network traffic and static files with threat intel to anomalous behavior detection and AI/ML detections for improved SOC efficiency.

Corelight’s Open NDR checks all the boxes for monitoring a network to watch for the behaviors of ransomware actors. It includes a world-class Suricata-based IDS to continuously monitor network traffic and quickly identify and alert on signs of known bad behaviors. Additionally, the Zeek® engine provides continuous logging of all network activity, including identifying protocols and applications in use and logging the details of protocol transactions, plus YARA-based malware identification and Corelight’s C2 collection for detecting malware used for ransomware attacks and in command-and-control channels. This enables continuous monitoring for traffic indicative of remote access software, and for keeping a close eye on administrative traffic such as SSH, RDP, and DCE-RPC. It also identifies VPN traffic down to the protocol and provider, so that security teams can closely monitor the use of VPNs in and out of the network. In addition, Corelight can alert security teams to exfiltration of data to cloud providers. All that rich network evidence and context provides fertile hunting grounds for network security teams tasked with detecting ransomware attempts and other serious security threats.

Corelight’s Open NDR also includes Smart PCAP, which stores packet captures of sessions based on the security team’s desired profile, such as storing a copy of a session if it is associated with a specific protocol or an IDS alert. Corelight’s Open NDR is extensible, as a result of being built on top of Zeek, and can be customized with detection or enrichment packages, such as this package that alerts on filenames and file extensions associated with ransomware actors, this package that alerts on abnormally large outbound file transfers, which might be exfiltration, and this script that calculates PCR values and inserts them into the connection log.

By using Corelight’s Open NDR, your security team will have all the information they need to detect and respond to ransomware threats quickly and efficiently.
