Ransomware is a type of attack in which the attacker uses malware to encrypt a system, its files and/or the network it sits on, preventing you from accessing them. The attacker then demands a ransom in return for restoring access to those systems/files. Ransomware can have an irreversible impact on an organization's operations, critical data, and systems.
Ransomware is a serious security concern for all organizations and the people associated with them. According to statistics from the U.S. Treasury Department, U.S. victims paid $590 million in ransom to ransomware criminals in the first half of 2021 (https://home.treasury.gov/news/press-releases/jy0471). This shows how critical the concerns around ransomware attacks are and confirms that it is a long game played by the attacker groups.
It is commonly assumed that companies which experience a ransomware attack and a material loss would then focus on improving their security posture and take every step required to prevent such incidents from recurring. However, this assumption appears to be incorrect, and observations show the exact opposite. According to a study by RiskRecon (Mastercard), the percentage of critical issues related to unsafe networking increased from 32% (before the ransomware incident) to 48% (after the ransomware incident). These security issues were mainly related to unsafe exposed services such as databases and remote administration.
Although every ransomware attack differs in how it spreads, there are two major variants of ransomware:
- Crypto Ransomware – One of the oldest, best-known, and most damaging variants of ransomware. It encrypts the files/data on the system and withholds access until the ransom is paid. Crypto ransomware mainly encrypts important files, data and documents on the system and does not interfere with basic computer functions.
- Locker Ransomware – In this type, the attacker locks the system completely and displays a lock screen with the ransom demand. It makes all files and applications inaccessible to the user and blocks basic computer functions.
To demonstrate the investigation of an impacted system, we have analyzed the lab "Dunkel Materie" from Tryhackme.com. Here, the investigation was performed on files taken from a system that had been hit by a ransomware attack.
In this scenario, the SOC team observes that one of the systems is communicating with a malicious domain. To investigate further, the incident response team collects the logs of processes run on the system and the network traffic from the system. Both files used in this study were captured with the Process Monitor and Wireshark tools respectively.
First, collect all possible evidence from the impacted system, which may include process logs, network traffic, impacted/encrypted files and the ransom note. The screenshot below shows the sample files for the process logs and the network traffic.
For this scenario, the ProcDOT tool is used to investigate the process logs taken from the impacted system.
Now we investigate the files/processes triggered by the malicious executable. Here, the "explorer.exe" process looks suspicious: it carries the name of a Windows system binary but does not behave or sit where the genuine one would. We therefore note the process IDs and investigate these processes/files further.
On further investigation, we find that the malicious processes noted in the previous step communicated with two external IP addresses. This is likely the communication the SOC team observed. These IPs can be looked up in public sources, and more information about them is gathered in the subsequent steps.
Next, analyze the traffic recorded with Wireshark on the system and look for any communication with the IPs identified. Here, we found that the system communicated with one of the IPs and sent information to the attacker as an encoded string.
We then continue investigating the "explorer.exe" process/file and discover the file path from which the ransomware was initially executed, as shown in the screenshot below.
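The triage described in the steps above (spotting a process that borrows a system binary's name, noting its PID, pulling the external IPs it talked to, recovering the path it ran from, and pivoting to the packet capture) can be scripted against a Process Monitor CSV export. The following is an added example written for this article, not code from the TryHackMe room or from ProcDOT. The CSV rows, process IDs, paths and addresses are constructed for illustration (the IPs are from the RFC 5737 documentation ranges); the `EXPECTED_LOCATIONS` table is an assumption about where genuine copies of those binaries live and should be extended for your own environment.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict

# Constructed Process Monitor CSV export (default column order). These rows are
# made up for this example and are not the lab's real log.
SAMPLE_PROCMON_CSV = r""""Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1203","explorer.exe","1204","Load Image","C:\Windows\explorer.exe","SUCCESS","Image Base: 0x7ff600000000, Image Size: 0x4a8000"
"10:02:12.0012","explorer.exe","1204","TCP Connect","DESKTOP-LAB:49710 -> 203.0.113.9:443","SUCCESS","Length: 0, mss: 1460"
"10:03:01.4411","explorer.exe","5120","Process Start","","SUCCESS","Parent PID: 3388, Command line: C:\Users\alice\AppData\Local\Temp\explorer.exe"
"10:03:01.4420","explorer.exe","5120","Load Image","C:\Users\alice\AppData\Local\Temp\explorer.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x9d000"
"10:03:01.9001","explorer.exe","5120","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ffb10000000, Image Size: 0x1f0000"
"10:03:02.1200","explorer.exe","5120","TCP Connect","DESKTOP-LAB:49801 -> 203.0.113.45:443","SUCCESS","Length: 0, mss: 1460"
"10:03:02.3300","explorer.exe","5120","TCP Send","DESKTOP-LAB:49801 -> 203.0.113.45:443","SUCCESS","Length: 1318, seqnum: 0, connid: 0"
"10:03:05.7700","explorer.exe","5120","TCP Connect","DESKTOP-LAB:49802 -> 198.51.100.23:80","SUCCESS","Length: 0, mss: 1460"
"10:03:06.0000","explorer.exe","5120","CreateFile","C:\Users\alice\Documents\budget.xlsx","SUCCESS","Desired Access: Generic Write"
"10:03:06.0100","svchost.exe","912","Load Image","C:\Windows\System32\svchost.exe","SUCCESS","Image Base: 0x7ff700000000, Image Size: 0x12000"
"""

# Assumed directories where a genuine copy of each image name lives
# (lower-case, no trailing backslash). Anything loaded from elsewhere is flagged.
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}

NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
# Procmon writes network paths as "local:port -> remote:port"; keep the remote side.
REMOTE_ENDPOINT_RE = re.compile(r"->\s*(\S+):(\d+)\s*$")


def triage_procmon(csv_text):
    """Return (suspicious, remote).

    suspicious: {pid: {"name": image name, "path": full path it was loaded from}}
                for processes masquerading as a known system binary.
    remote:     {pid: sorted ["ip:port", ...]} for each suspicious pid's outbound endpoints.
    """
    image_paths = {}                 # pid -> path of the process's own executable
    names = {}                       # pid -> process name as Procmon recorded it
    endpoints = defaultdict(set)     # pid -> remote endpoints seen in network operations

    for row in csv.DictReader(io.StringIO(SAMPLE_PROCMON_CSV if csv_text is None else csv_text)):
        pid = int(row["PID"])
        name = row["Process Name"]
        names[pid] = name
        op, path = row["Operation"], row["Path"]
        # The main module shows up as a Load Image whose basename equals the process name.
        if op == "Load Image" and ntpath.basename(path).lower() == name.lower():
            image_paths.setdefault(pid, path)
        elif op in NETWORK_OPS:
            m = REMOTE_ENDPOINT_RE.search(path)
            if m:
                endpoints[pid].add(f"{m.group(1)}:{m.group(2)}")

    suspicious = {}
    for pid, path in image_paths.items():
        name = names[pid].lower()
        if name in EXPECTED_LOCATIONS and ntpath.dirname(path).lower() not in EXPECTED_LOCATIONS[name]:
            suspicious[pid] = {"name": names[pid], "path": path}

    remote = {pid: sorted(endpoints[pid]) for pid in suspicious if endpoints.get(pid)}
    return suspicious, remote


def wireshark_filter(remote):
    """Build a Wireshark display filter matching every IP the suspicious processes contacted."""
    ips = sorted({ep.rsplit(":", 1)[0] for eps in remote.values() for ep in eps})
    return " || ".join(f"ip.addr == {ip}" for ip in ips)


if __name__ == "__main__":
    found, contacted = triage_procmon(SAMPLE_PROCMON_CSV)
    for pid, info in found.items():
        print(f"PID {pid}: {info['name']} loaded from {info['path']}")
        print("  remote endpoints:", ", ".join(contacted.get(pid, [])))
    print("Wireshark filter:", wireshark_filter(contacted))
```

On the constructed sample, the genuine explorer.exe (PID 1204, loaded from C:\Windows) is ignored even though it made a network connection, while PID 5120 is flagged because its image was loaded from a user's Temp directory; the two endpoints it contacted become the `ip.addr` filter you paste into Wireshark to find the encoded string sent to the attacker. Export from Procmon with address resolution disabled so the Path column carries raw IPs rather than hostnames.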
We could not find any traffic to the second IP in Wireshark, so we looked up the IP with a WHOIS query on virustotal.com. We found that the IP resolved to the domain paymenthacks.com and that it had already been flagged as malicious by security researchers.
We then looked further into the IPs found. In public knowledge bases such as alienvault.com, this IP is listed as malicious and associated with multiple suspicious activities.
Investigating the file hashes associated with that domain, we found that they had been used in the "BlackMatter" ransomware attacks.
Even more information can be gained about the IPs used: who they belong to, their location, the organization behind them, and so on. The screenshot below shows the details retrieved for the IP 220.127.116.11, which can be used for further investigation if required.
We are a passionate group of highly skilled professionals who deliver excellence in next-generation cyber security services and custom-tailored solutions for your enterprise, defining proof of value and measuring it continuously to achieve customer success. We have been providing cybersecurity services since our inception in 2017.
With our unique blend of offerings in Cyber Resilience, Managed SOC, Incident Response and Cloud Security, we provide services tailored to each customer's needs and help them go beyond cyber security to become cyber resilient, helping clients identify, prioritize, emulate and eliminate threats more effectively and at a more advanced level. Eventus has successfully carried out 100+ security testing and consulting projects across different industries and continues to serve clients as their success partner in cybersecurity.