On March 8, 2019, Hilde Merete Aasheim became president and CEO of Norsk Hydro, an aluminum and renewable energy company based in Norway.1 Eleven days later, she woke up to a 4 am call from her security team.
“We are under serious cyberattack. This is not an exercise,” they told her. “You had better come to work.”
Upon her arrival, she learned that 170 Norsk Hydro sites had been hit with a ransomware now known by the name GoGalocker. Ransomware is a type of malware that encrypts a victim’s data in an effort to extort money from them. This attack often begins with an email that releases a payload on the victim’s system. Once the malware activates, it encrypts the user’s data and presents the user with a message demanding payment, usually in Bitcoin, in exchange for the decryption key necessary to regain access to their files.
Hydro’s data had been encrypted with RSA 4096- and AES 256-bit encryption, which made it nearly impossible to decrypt without the key. Additionally, the GoGalocker attackers had left a ransom note documenting their demands: the victim had to pay or permanently lose access to their data. The longer it took Hydro to pay, the ransom note said, the more money it would cost them. The note even pressed the victims to be “thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.”2
Until the mid-2000s, ransomware was primarily associated with low-level cybercrime; the malware requires only a minimal level of technical skill to use effectively and is fairly easy to purchase. Those attackers most commonly used it in an ad hoc manner referred to as spray and pray, sending out ransomware to thousands of recipients (the “spraying”) in the hopes that targets would infect themselves (the “praying”). And despite the number of small-time cyber crooks who use ransomware, most antivirus and endpoint technologies have been able to defeat it. Criminals usually succeed only in situations where the victim system does not have up-to-date security patches or antivirus software.
For example, WannaCry—arguably the most destructive ransomware attack to date—would fail to execute if Kaspersky, ESET, or Symantec antivirus software was up-to-date and running on the victim system. The security software would mitigate the malware on sight, eliminating the threat—which, incidentally, provides a good example of why hardening systems and running endpoint protection or antivirus software is important if you want to keep your system and data safe.
Unfortunately, ransomware is no longer the low-level threat it once was. As noted in the introduction, in May 2021, Colonial Pipeline, which operates the largest gas pipeline across the U.S. East Coast, had to shut down operations due to a major ransomware attack. The attack caused significant gas shortages, leaving Americans without fuel. Gas stations began posting “out of service” signs and closing pumps, causing panic; Americans across the region worried they would not have fuel to drive to work or get food from grocery stores. Additionally, the shortage had the potential to affect emergency services such as police, fire, and medical assistance, which rely on gas-powered transportation.
While the pipeline attack was the most significant, it was not the first ransomware attack to disrupt critical operations. Since 2015, attackers have successfully used the tactic to cripple commercial and government organizations such as medical centers, ports, city transportation systems, city administrative systems, and police departments. Since 2016, a number of advanced ransomware attackers have dominated the threat landscape. In this chapter, we focus on these “big game hunting” attackers, paying close attention to their human-driven aspect. At the time of this writing, there are about a dozen ransomware variants in this category. It is important to understand, however, that there are hundreds, if not thousands, of small-scale ransomware variants used in traditional spam and automated attacks that infect victims every day.
It is clear that, unlike in traditional ransomware attacks, the GoGalocker adversary conducted reconnaissance on the target organization prior to attacking. After the incident, Symantec researchers analyzed the attack and presented their findings at RSA 2020,3 a cybersecurity conference. Their work provides rare insight into the attack.
According to the research, the adversary likely used two vectors: spear-phishing emails, for which the attackers would have had to identify potential individuals and accounts to target, and malware disguised as legitimate software. These two assessments are based on evidence that the attacker left behind. The spear-phishing emails delivered a Microsoft Excel document, which abused the Dynamic Data Exchange (DDE) feature to provide attackers with initial access to the victim system. DDE is a Microsoft protocol designed to exchange data in shared memory between applications. Attackers commonly misuse the protocol to compromise Windows systems.
Researchers also discovered malware on the Norsk systems that had been designed to look like a gambling application. This could have been related to the primary GoGalocker attack and delivered via a spear-phishing email, but it could have also been unrelated to GoGalocker, given that it first appeared 10 days prior to the attack. However, since the attacker was known to spend time in the victim’s environment, security communities couldn’t rule out this particular malware as a potential infection vector.
Following the initial compromise, two encoded PowerShell commands executed on many systems within the Norsk environment. The first PowerShell command made the computer listen on a specific port for additional code to download, while the second command compiled the downloaded code: a hacktool known as Cobalt Strike, which we will discuss shortly. In simpler terms, the victim computer opened itself to network communications from an external source and waited to receive a transmission from the attacker. When it received the transmission, it downloaded the code onto the victim computer. To use the downloaded code, the victim computer compiled the code, a process that makes it able to run. This strategy made the malware fileless and thus difficult to detect.
Of particular note: the PowerShell commands were Base64 encoded, making their actions difficult to identify. As a defender, you should look for encoded PowerShell commands actively running in your environment. Attackers commonly use this tactic, which has little legitimate use in a production environment. Many public and freely available decoders can analyze these commands.
Also of interest is the fact that the GoGalocker attackers’ command-and-control (C&C) infrastructure, which served the additional code to the victim computers, consisted of IP addresses rather than domain names. This is somewhat uncommon, and there isn’t much benefit to doing this, other than that using IP addresses directly removes the DNS resolution step. Perhaps the attacker felt IP use would be a more secure option for C&C services. The code downloads the second-stage malware from the C&C server, which is then compiled in the memory of the victim system.
The malware GoGalocker used was also signed with three separate digital signatures, adding an additional layer of legitimacy. Code signing certificates vouch for a file’s origin and integrity. When the operating system encounters a file carrying a legitimate certificate, it grants the file or application a higher level of trust than it would an unsigned binary. This also provides evidence that the attacker knew their chances of successfully executing the ransomware would be greater with a signed binary, which further shows they planned prior to conducting the operation.
When the security community first reported the GoGalocker attack, it believed that a worm had spread the ransomware onto systems. The discovered phishing emails proved this assumption to be incorrect. The malware actually spread manually, via human interaction between the attacker and the victim environment. This finding was unexpected at the time of discovery, as it was abnormal behavior. For example, two of the most well-known ransomware attacks—NotPetya and WannaCry—spread via a worm that exploited a flaw within the Server Message Block (SMB) protocol. SMB is a legitimate protocol in Windows systems used to share various resources between networked computers. The flaw allowed the infection to spread without the attacker having to interact with the victim environments.
The downside of using an automated mechanism to spread malware is that it can be noisy, enabling a defender to quickly respond. By methodically enumerating and staging the victim’s environment, the GoGalocker attacker was able to stay under the defender’s radar. In some cases, the GoGalocker attacker hid in the environment for up to 10 days prior to executing the ransomware attack.
Like nation-state attackers, the GoGalocker attacker remained unnoticed in part by using legitimate administrative tools already present in the environment. When the tools present could not provide the capability the attacker needed, they turned to publicly available tools rather than custom ones, making them useless for attribution purposes if a defender found them.
For instance, once compiled, the second-stage malware ran Cobalt Strike Beacon Leader, a penetration testing tool that, when used for malicious purposes, provides an attacker with keylogging, file uploads and downloads, proxy services, and a number of credential collection and privilege escalation capabilities. More importantly, it is publicly available and highly customizable.4 Along with Metasploit, the malware used Cobalt Strike to manage a wide range of other public tools. The following is a list of legitimate or dual-use tools used in the attack:
Even though these tools had been created for legitimate purposes, the victim’s system should have flagged some of them, such as Mimikatz. As a defender, you need to be familiar with the primary tools used in your environment and understand what roles should have access to them. Comprehending what various tools do and how they function can help defenders better understand and evaluate activity taking place in their environment. Some tools fall into a category known as dual use (when they provide capabilities leveraged for both legitimate and malicious purposes). You should flag these and look into them when they appear.
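The two defensive points above, decoding encoded PowerShell command lines and flagging dual-use tools that run where they have no business running, can be combined into a single triage pass over process-creation telemetry. The following is an added example written for this chapter, not code from the original text or from any of the investigations it describes. It decodes the Base64/UTF-16LE form that powershell.exe expects for -EncodedCommand (including the abbreviated -e/-ec/-enc spellings that PowerShell accepts), surfaces payloads that fail to decode, and checks dual-use tool launches against a per-tool list of hosts where such use is expected. The hostnames, user names, the sample events and the EXPECTED_HOSTS mapping are all constructed assumptions for this example.

```python
import base64
import binascii
import json
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The second character must be n or c so that switches such as -ExecutionPolicy
# are not mistaken for the encoded-command switch.
ENCODED_FLAG = re.compile(r'(?i)(?:^|\s)[-/]e(?:[nc][a-z]*)?\s+["\']?([A-Za-z0-9+/=]+)')

# Dual-use tools named in the chapter, mapped to the hosts from which their use is
# expected. The hostnames are assumptions for this example; an empty set means the
# tool has no legitimate use anywhere in this environment.
EXPECTED_HOSTS = {
    "psexec.exe": {"ADMIN-JUMP-01"},
    "wmic.exe": {"ADMIN-JUMP-01"},
    "mimikatz.exe": set(),
}


def decode_encoded_command(blob):
    """Return the plaintext of an -EncodedCommand argument, or None when the blob is
    not valid Base64 over UTF-16LE text (a payload that will not decode is still
    worth a look, so the caller reports it rather than ignoring it)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_event(event):
    """Inspect one process-creation record (dict with host, user, image, cmdline)
    and return a list of finding strings; an empty list means nothing notable."""
    findings = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]

    match = ENCODED_FLAG.search(cmdline)
    if image in ("powershell.exe", "pwsh.exe") and match:
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            findings.append("encoded PowerShell with undecodable payload")
        else:
            findings.append("encoded PowerShell: " + decoded.strip())

    if image in EXPECTED_HOSTS and event["host"] not in EXPECTED_HOSTS[image]:
        findings.append(f"dual-use tool {image} on unexpected host {event['host']}")
    return findings


def triage(events):
    """Return {host: [findings]} for every event that produced at least one finding."""
    report = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            report.setdefault(event["host"], []).extend(findings)
    return report


def _ps_encode(script):
    """Used only to build the constructed sample below: powershell.exe expects
    Base64 over the UTF-16LE encoding of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records in a Sysmon/EDR-like shape; not telemetry from any real incident.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-0042", "user": "CORP\\jdoe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -NoProfile -enc " + _ps_encode("Get-Process | Out-File C:\\temp\\p.txt")},
    {"host": "WS-0042", "user": "CORP\\jdoe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "ADMIN-JUMP-01", "user": "CORP\\itadmin", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS-01 ipconfig"},
    {"host": "FS-07", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\psexec.exe",
     "cmdline": "psexec.exe \\\\WS-0042 hostname"},
    {"host": "WS-0101", "user": "CORP\\jdoe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -EncodedCommand not_base64!!"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The second sample event shows why the regular expression insists on an n or c after the leading e: a plain `-e` prefix test would also fire on `-ExecutionPolicy`, which is common in legitimate scheduled tasks. The PsExec launch from the jump host produces no finding, while the same binary run from a file server does, which is the role-based distinction the paragraph above asks defenders to make.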
Another sign that the attackers carefully coordinated the GoGalocker infection is that, after identifying the security software present within the environment, they created batch files containing commands to terminate the systems’ defenses. Batch files are simply files that hold a list of commands that run when the batch file is executed. Basically, they allow an administrator to make a list of commands and run them in a single execution, as opposed to having to type and run each one individually. The attackers then used their privileged access to run the script across many systems concurrently, terminating defenses throughout the environment. Figure 3-1 describes the sequence and purpose of each PowerShell command and batch file present in the attack.
Here is a description of each script:
It’s important to note that the security software wasn’t defeated by a vulnerability or an exploit that the attacker used. Instead, since the attacker had privileged access, they simply turned off the protections. This tactic is not usually seen in attacks. Security software is difficult to defeat by nature of its design, and when it happens, it is usually because attackers identified and exploited a vulnerability. Now that there were no defenses in place, the attacker used PSExec to distribute the GoGalocker payload onto many systems throughout the environment.
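A defender cannot easily stop a privileged account from turning off protections, but the pattern described above, the same security services stopping on many hosts within minutes of each other, is highly visible in service-state telemetry if anyone is looking. The following is an added detection example written for this chapter, not code from the original text or from the Norsk Hydro investigation. It reads constructed service-state log lines, keeps only stop events for a set of endpoint-protection service names (placeholders here; the real names come from your own product’s documentation), and raises one alert whenever such stops are seen on at least min_hosts distinct hosts inside a sliding window of window_seconds. A single host restarting its agent during maintenance does not trip it.

```python
from collections import deque
from datetime import datetime

# Service names that belong to endpoint protection. These are placeholders for the
# example; populate the set from your own security products' documentation.
SECURITY_SERVICES = {"EndpointProtSvc", "AVRealtimeSvc", "EdrSensorSvc"}


def parse_line(line):
    """Parse '<ISO-8601 timestamp> <host> <service> <state>' into a tuple of
    (timestamp, host, service, state); malformed lines yield None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3].lower()


def detect_fleet_wide_stops(lines, min_hosts=5, window_seconds=300):
    """Return a list of (window_start, window_end, sorted_hosts) alerts.

    Only stop events for SECURITY_SERVICES are considered. Events are processed in
    time order through a sliding window; each host counts once per window no matter
    how many of its services stopped. An alert is emitted the moment the distinct-host
    count reaches min_hosts, and the window is then cleared so that one burst of
    activity produces one alert rather than one per additional event."""
    events = sorted(
        e for e in map(parse_line, lines)
        if e is not None and e[2] in SECURITY_SERVICES and e[3] == "stopped"
    )
    alerts = []
    window = deque()
    for ts, host, _service, _state in events:
        window.append((ts, host))
        # Drop events older than the window relative to the newest event.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        hosts = {h for _, h in window}
        if len(hosts) >= min_hosts:
            alerts.append((window[0][0], ts, sorted(hosts)))
            window.clear()
    return alerts


# Constructed sample log: one agent restart during maintenance, an unrelated
# non-security service stopping, a burst of stops across six workstations, and a
# malformed line. Not data from any real incident.
SAMPLE_LOG = """\
2019-03-19T02:00:11Z WS-0003 EndpointProtSvc stopped
2019-03-19T02:00:40Z WS-0003 EndpointProtSvc running
2019-03-19T02:05:00Z WS-0003 PrintSpooler stopped
2019-03-19T03:14:02Z WS-0007 EndpointProtSvc stopped
2019-03-19T03:14:05Z WS-0007 EdrSensorSvc stopped
2019-03-19T03:14:09Z WS-0012 EndpointProtSvc stopped
2019-03-19T03:14:20Z WS-0019 AVRealtimeSvc stopped
2019-03-19T03:14:33Z WS-0023 EndpointProtSvc stopped
2019-03-19T03:14:41Z WS-0031 EndpointProtSvc stopped
2019-03-19T03:15:02Z WS-0040 EndpointProtSvc stopped
2019-03-19T03:30:00Z this line is malformed
""".splitlines()

if __name__ == "__main__":
    for start, end, hosts in detect_fleet_wide_stops(SAMPLE_LOG):
        print(f"{start.isoformat()} .. {end.isoformat()}: security services stopped on {hosts}")
```

The thresholds are deliberately parameters: a small environment might alert at three hosts in ten minutes, while a large one would tune min_hosts against the number of machines a patch window legitimately touches. Whatever the tuning, the signal here is the coordination across hosts, not any single service stop.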
Attackers distributed the ransomware completely with legitimate tools. Here, attackers used both WMIC and PSExec even though they could have used any tool they desired. This is because they had already disabled security controls and applications in the victim’s environment. The fact that they maintained the operational discipline to use tools present in the environment regardless of this shows they had situational awareness and likely had past experience in targeted attacks. PSExec was present only on certain systems that administrators used for day-to-day operations. However, the attacker knew that its use to deploy ransomware was unlikely to alert victims, since the activity was allowed on at least a subset of systems within the environment. Even if its use had been flagged, it would have likely been thought to be legitimate, increasing their chances of success.
Prior to executing the ransomware, the attacker conducted one last step and changed the local administrative password required to log in to the device. This was likely done to prevent the victim from trying to log back in and access their data or interrupt the encryption process. Oddly, the attacker did this only with local accounts; they didn’t change the domain admin passwords, which they could have easily done with the level of access obtained. It’s unclear why they did not do this; it may have simply been an oversight.
By accessing the domain controllers and mitigating target defenses, GoGalocker ransomware successfully executed across thousands of systems throughout the victim’s infrastructure. Figure 3-2 is an image of the ransom note that the malware left.5
Once each file was encrypted, the extension .locked was appended to the filename.
Another interesting aspect is the attacker’s ability to compile malware on the fly for use in the attacks. Here, attackers compiled many of the GoGalocker payloads within 24 hours of their use in targeted attacks. Credentials stolen during the compromise were present in many of the batch files, demonstrating that the attackers interacted directly with the targeted systems.
The attack itself served as a detailed example of the evolution of ransomware attackers. Historically, these attackers lacked sophistication and were not known for conducting targeted and persistent attacks. This is one of few ransomware attackers that have used tactics, techniques, and procedures (TTPs) usually associated with nation-state attacks. While there are several other ransomware attackers known for similarly advanced tactics, few have been investigated and publicly described at the level of detail documented for this attack. This should also act as a warning to other organizations about why it is important to look at the traffic and activity associated with legitimate admin tool use on their networks. If Norsk Hydro had monitored legitimate tool use during the GoGalocker attacks, it would likely have identified the activity prior to the ransomware’s execution.
While the attacker was able to successfully breach and infect Norsk Hydro, it should be noted that the company stood its ground and refused to pay the attacker. Not only that, but Norsk almost immediately went public and told the world what was happening. Sharing this information helped other organizations better understand the threat, but it also defied the attacker and left them with nothing to show for the weeks of work that went into the attack. If more organizations took this approach, it’s likely that targeted ransomware attacks such as this would decline.
Ransomware itself is not that different from what it was in the early 2000s. It’s the tactics that have evolved greatly. More organized attackers figured out that the real way to make money with ransomware was not by targeting individuals but entire organizations. The term big game hunting describes this genre of enterprise-level ransomware attacks. When these evolved ransomware attackers compromise organizations, the victims are faced with tough decisions. Once infected, organizations must decide what to do when their data, or even worse, their customers’ data, is taken from them. This can be challenging, and even when victims pay the ransom, there is no guarantee the attacker will provide the decryption key necessary for data recovery.
To make the transition from smaller and less lucrative attacks, criminals had to change how they went about conducting attacks.
The first ransomware attack to use advanced tactics and techniques, such as those traditionally seen in nation-state operations, occurred in 2016. Organized criminals delivered ransomware across an entire organization in hopes of extorting money, as opposed to foreign governments attacking for the purpose of gathering intelligence. The attackers performed reconnaissance on targets, identifying potentially vulnerable areas they could leverage to gain initial access, and spent time in the environment learning and preparing before executing the ransomware attack.
Prior to 2016, ransomware attacks often used automated mechanisms, such as worms, to infect as many systems as possible. Finding infection opportunities generally involved scanning the victim’s network. This scanning and replicating generated large amounts of traffic on the victim’s network. This drew attention and often allowed potential victims to mitigate the threat prior to the ransomware execution.
Realizing this shortcoming, a group called SamSam conducted manual attacks against potential victims, thus minimizing its footprint on the victim’s network. Security communities believe the group to have been in operation since at least 2015, though this assessment is based on the time when SamSam compiled its first known variant of malware. The group conducted targeted attacks from January 11, 2016, until November 26, 2018, when the U.S. government issued a federal indictment, naming the operators behind the attack.6 According to the indictment, two men, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were responsible for 12 attacks resulting in more than $6 million extorted from victim organizations. Figure 3-3 shows the timeline of SamSam attacks.
Public information on the 12 attacks and the total monetary value that the attackers extorted is solely based on the intel documented in the federal indictment. Take note of the significant drop of SamSam operations in 2017: there were six confirmed ransom attacks against enterprises in 2016 and five in 2018, yet according to the indictment, only one attack took place in 2017. The lack of activity is certainly odd and unexplained. However, Sophos—an antivirus company that conducted in-depth research on SamSam attacks—identified a number of other incidents across the United Kingdom and the Middle East external to those included in the U.S. indictment. Sophos estimates the indictment accounted for only about 50 percent of SamSam’s actual attacks. If correct, this would explain the drop of activity, as the United States would be unlikely to include victims outside of their jurisdiction, though the indictment did include one Canadian victim.
Sophos also found an increase in sophistication based on both operator tactics and the increased defense evasion capabilities built into the malware. This indicates the attacker learned from their successes and failures from one attack to the next, constantly trying to improve their craft. Sophistication, however, was not the only element of the attack that increased: the ransom amount grew over time as the group gained notoriety and made headlines. While not all the details of the investigation have been made public, the group’s downfall likely came from their attacks on U.S. government infrastructure, such as the city of Atlanta. Attacking U.S. government infrastructure would have put them in the crosshairs of not only federal law enforcement but U.S. intelligence agencies, as well. Federal law enforcement and government intelligence agencies have resources not available to cybersecurity companies and researchers. For example, they can legally seize infrastructure, attacker-used social media and email accounts, and other sources of data used in attacks. These resources can provide vast intelligence on the attacker’s operations. Government intelligence agencies usually don’t focus on cybercriminals. However, the attacker drew attention by attacking government and state infrastructure. This started a chain of events leading to the federal indictments.
Certain attributes of the SamSam attacks suggest SamSam was actually the work of a government-driven attacker. For example, according to the federal indictment, the attackers are located in Iran, a country whose government has heavily monitored its citizens’ internet access since 2012 and has restricted access since 2019. With such strict monitoring, it’s unlikely the Iranian government was not aware of the activities. It is plausible that Iran could be behind the attacks. Much like North Korea, Iran could have used the stolen funds to subsidize monetary loss due to sanctions placed against it. This is only a theory, however, and as of this writing, security communities have not identified precise and conclusive evidence in support of it. Moreover, the SamSam activity ceased after the U.S. indictments were released in 2018, prior to the Iranian lockdown. The fact that the activity ceased after the indictments, without any actual arrests, could suggest Iran was unaware of the activity and cracked down on the individuals behind it once it became aware.
Regardless, since September 2018, the public has seen no more SamSam activity. Unfortunately, the 34 months of attacks conducted by SamSam provided a roadmap for smart criminals, who incorporated SamSam’s tactics into their own ransomware attacks. Since then, a number of sophisticated human-driven ransomware attacks have targeted organizations all across the world.
Ryuk, another ransomware variant associated with “big game hunting” attacks, first appeared in a public malware repository in mid-August 2018. Soon security communities began identifying Ryuk in controlled and targeted ransomware attacks, leading the security community to contend that they were the work of a single organized criminal group. The name Ryuk reflects both its use of the .ryk extension—which is appended to encrypted victim files—and the filename RyukReadMe.txt used for the ransom note.
The attackers appear to favor city governments and healthcare organizations. For example, in December 2019, they targeted the city of New Orleans. They have also struck the following governments, among others:7 Collierville in Tennessee; La Porte County, Riviera Beach, Lake City, Georgia Courts, and Henry County in Georgia; and the Lawrenceville police department in Georgia. Medical organizations compromised by Ryuk ransomware include the Saint Francis Healthcare System and Virtual Care Provider Inc., which left 110 healthcare centers without access to patient data. The attackers likely targeted organizations that provide necessary services to the community that would quickly draw attention if not available.
Ryuk ransomware is not the only malware used in these attacks. The group also uses both the Emotet and Trickbot malware, which previously functioned as banking trojans but were repurposed for use in the ransomware attacks. These attacks begin with spear-phishing emails used to deliver malicious documents that infect the victim with Emotet malware. Emotet self-propagates across the victim’s network, looking for open shares to spread and infect as many systems as possible. After establishing access to the victim’s network and acquiring the initial foothold, the attacker uses Emotet to deploy Trickbot malware to select systems that the attacker had previously identified. Trickbot malware has a modular design, so it can load various components to support different capabilities pertinent to the attacker. In attacks involved with Ryuk ransomware, Trickbot’s primary use has been to steal credentials, thus allowing the attacker to gain privileged access.
In several of the early attacks, the adversary remained in the victim’s environment for up to a week prior to deploying the ransomware. During this preliminary time, the attacker identified critical systems and the resources necessary to ensure their success and inflict the most damage. The more of the victim’s data the attacker can encrypt, the higher the likelihood the victim will pay the ransom. For this reason, the attacker invested time and effort to maximize the effect of the attack. Additionally, after the initial infection but before staging the ransomware, the attacker used a number of PowerShell scripts and batch files to execute commands that identified and killed various security services that could prevent the ransomware from successfully executing. Similar to other activities discussed, these scripts require administrative privileges.
Though Trickbot appeared in many of the Ryuk attacks, in some situations, the attacker used Mimikatz to manually collect credentials as opposed to using Trickbot itself. The use of multiple malware variants—including some that are not publicly available as well as hacktools—demonstrates the attacker’s persistence and ability to adapt and change their tactics as necessary to ensure their success. Once the attacker had escalated their privileges, gained administrative access, and staged the environment, the ransom payload executed and encrypted all of the victim’s data.
MegaCortex is not as well known as some of the ransomware variants discussed thus far. Like GoGalocker, it first appeared in January 2019. Like the other ransomware campaigns discussed, the attackers behind MegaCortex invested time and effort to interact with the target environment prior to deploying the ransomware payload, and they have leveraged it in a number of “big game hunting” attacks against targeted enterprises.
An interesting tactic seen in MegaCortex attacks is the use of several commodity malware variants. Emotet and QakBot—both originally developed as banking trojans—provide the initial access and escalate privileges within the victim’s network. Once the attacker has established privileges and identified domain controllers and other critical infrastructure, the attacker distributes MegaCortex throughout the network and encrypts the victim’s data. These attacks are extremely similar to Ryuk and GoGalocker attacks.
EvilCorp is one of the most notorious cybercrime organizations to date. The group has been conducting for-profit cyberattacks since 2014 and is behind some of the most significant and damaging publicly known ransomware attacks.8
Before it used ransomware, EvilCorp made its money stealing from banking consumers. To maximize its success, the group developed malware known as Dridex, which it designed to steal banking credentials from infected users. With the help of spam campaigns, the cybercrime organization distributed malicious office documents to as many potential victims as possible. Once the document was opened, the host system would download the Dridex malware. Although Dridex has many capabilities, in the first several years of its use, its primary purpose was to monitor connections made from the infected system’s web browser and inject fake login pages into banking websites. The victim would browse to their bank’s website and see the login page they expected. The injected page, however, would capture the credentials and transmit them back to EvilCorp infrastructure.
EvilCorp is not your ordinary criminal. The group is comprised of organized individuals who treat their craft as a professional business. And like most businesses, its goal is not only to generate profit but also to steadily grow its annual revenue. Fittingly, EvilCorp’s operations grew over time. As more people lost their savings, the group drew tremendous attention from law enforcement. As a result, its banking malware operations became less and less successful.
The organization had a problem: both law enforcement and the security community had caught up with its operations. Security vendors now detected and mitigated the web-injected updates to banking sites necessary for EvilCorp’s operations within days of their release. This significantly reduced EvilCorp’s window of opportunity to accumulate banking credentials and secure stolen funds.
Faced with a dying operation, EvilCorp made a bold move. The group did what most cybercriminals could not do: it reinvented its entire operation. Nation-states have the resources to burn infrastructure, rewrite malware, and reboot operations, but cybercriminals rarely have the resources or the ability to do the same. Dridex malware no longer had any success injecting fake bank pages into victim browsers, but it still had three valuable benefits: it was extremely prevalent, lying dormant on many thousands of systems in the wild thanks to years of spam campaigns; it could upload and download additional files on infected systems; and it could capture usernames and passwords.
EvilCorp leveraged the access that Dridex provided to launch an all-new attack. However, this attack did not target individual consumers. Instead, it targeted entire organizations with ransomware known as BitPaymer.
In 2017, EvilCorp began using BitPaymer ransomware. Ransom operations took longer to conduct, but their payouts were much higher than those gleaned from consumer banking attacks. Based on available attack data, EvilCorp used BitPaymer to extort hundreds of millions of dollars over several years.9
These campaigns began by compromising the victim organization to gain entry and obtain a foothold. This part of the attack required EvilCorp to spend up to several weeks infiltrating a victim’s network. During this time, the attacker learned about the environment and the high-value systems within it. With the help of Dridex’s credential-stealing component, EvilCorp escalated its privileges and quickly gained access to the domain controllers used to administer and control systems throughout the environment. With account access to domain controllers, the attacker could use various administrative tools present within the environment to disable security services such as antivirus and endpoint protection. Next, they deleted shadow copies, a technology in Windows operating systems used to back up and restore data. Deleting them ensures the victim cannot use the resource to recover their system and data from the ransomware. Finally, using another Windows administrative tool, PSExec, the ransom payload was executed and propagated to systems throughout the environment. At this point, the ransom payload encrypted each system’s data and presented the victim with a ransom note.
Victims targeted with BitPaymer include the City of Edcouch, Texas; an organization associated with supporting the city of Anchorage Alaska; a German engineering company; the Agriculture Ministry of Chile; and many others. EvilCorp extorted hundreds of thousands of dollars per attack using BitPaymer ransomware, making millions over a three-year period.10
On December 5, 2019, the United States released a federal indictment against “17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group.”11 The indictment claims that a Russian man named Maksim Yakubets, based in Moscow, leads EvilCorp. He also uses the online moniker Aqua. Figure 3-4 displays Mr. Yakubets’ FBI wanted poster.12
Additionally, the U.S. government placed sanctions on the named men and organizations documented in the indictment. At the time of this writing, Yakubets and the other core members of the group are still at large.
However, the FBI did apprehend Andrey Ghinkul, a resident of Moldova. Ghinkul is a system administrator who worked to manage and distribute Dridex malware on behalf of EvilCorp. Ghinkul provided many inside details about the group and its operations after being extradited to the United States for sentencing. The indictment provided the identity of the individuals behind EvilCorp; however, Russia protects these men and has been unwilling to cooperate with U.S. law enforcement.
The indictment revealed insight into the group’s business processes. As stated previously, EvilCorp is a professional group that runs its operation as a business with the primary goal of generating revenue. EvilCorp even attempted to franchise, selling access to Dridex malware. The franchisee paid an initial fee of $100,000 and received technical support from EvilCorp. In return, the franchisee shared 50 percent of their revenue (with a minimum of $50,000 a week) with EvilCorp.13
Though the critical members of the group remain at large, the FBI disrupted EvilCorp operations by seizing infrastructure.
Unfortunately, EvilCorp’s disruption was only temporary.
BitPaymer operations continued after the indictment but ceased in June 2020. For the second time in EvilCorp’s criminal career, it had retooled, rebuilt, and started new operations.14 In the latest activity, EvilCorp began using a previously unseen variant of ransomware named WastedLocker. Initial reports at the time speculated that the new operation and change in tactics were a direct result of the U.S. indictment. Regardless of the reason behind the shift, EvilCorp not only created a new ransomware variant but also abandoned Dridex operations. Furthermore, at the time of this writing, security communities have not yet seen Dridex used in conjunction with WastedLocker attacks.
EvilCorp did not use SocGholish to deliver the WastedLocker payload itself. Instead, it used the framework to download Cobalt Strike, which we’ve already discussed several times throughout this chapter. Once in the target environment, EvilCorp continued the practice of using tools already present in the environment. Since these on-network practices were common to both EvilCorp and other ransomware attackers, using them for attribution was difficult. However, the WastedLocker payload itself was entirely different from BitPaymer or any other known variant of ransomware.
While EvilCorp updated both its method of initial delivery and ransomware payload, the organization’s most significant change was its targeting. Previously, EvilCorp targeted medium-sized enterprises such as hospitals, law enforcement agencies, local governments, and IT services organizations. In June 2020, a month after the WastedLocker attacks began, a security vendor identified a massive attack underway. The group had compromised 30 organizations, many of which were well-known, large Fortune 500 companies located in the United States. EvilCorp had begun going after much bigger fish, likely seeking larger ransom payouts. The ransom demands changed from hundreds of thousands to millions of dollars per attack.
Fortunately for the 30 organizations targeted in the early WastedLocker attacks, EvilCorp was in a staging phase when it was intercepted. A security vendor terminated the attack, thus preventing EvilCorp from executing the ransom payload.
Unfortunately, a few weeks later, Garmin, a major multinational technology company, fell victim to EvilCorp. The group compromised Garmin systems and infrastructure and encrypted their data.16 According to media reports, Garmin paid EvilCorp $10 million to regain access to its data.17 If true, Garmin itself may have committed a crime, since the U.S. government placed sanctions on EvilCorp when the indictment was released. The sanctions made it illegal for a U.S.-based institution to do business with or send money to any account controlled or used by the men named in the indictment. These issues highlight the complexities and challenges that organizations face when attacked by advanced cybercriminals such as EvilCorp.
Current intelligence suggests that the ransomware variants and associated attacks covered thus far originate from organized groups. SamSam was the first, and since 2016, several other groups have copied their operational tactics. But you may have noticed that the tactics, behaviors, and post-compromise tools used in these attacks were similar. At the time of the initial research, I noted these similarities and attempted to determine whether there were relationships between both the ransomware variants and the human attackers behind them.
To explain the origin of several of these ransomware variants, let’s consider an attack against a Taiwanese bank in October 2017. In Chapter 2, we discussed a number of financial attacks in which attackers compromised a bank’s local SWIFT messaging system to facilitate fraudulent transactions, resulting in the loss of hundreds of millions of dollars. The Far Eastern International Bank (FEIB) in Taiwan was one of the banks targeted in those attacks. We attributed these attacks to North Korea. However, this attack also introduced a new tactic not seen in the previous nation-state bank attacks. Shortly before attempting to execute fraudulent transactions, the attacker launched a ransomware attack on the bank’s corporate network. This wasn’t really a true ransom attack, though, as the attacker had no intention of extorting money from the victim. Instead, they planned to steal it; their demands for payment served as a distraction. During the confusion, the attacker executed fraudulent bank transactions in an attempt to steal nearly $60 million.18
Later, researchers would identify the ransomware used in the FEIB attack as a variant known as Hermes. Hermes ransomware wasn’t well known at the time, and a number of security vendors incorrectly reported that North Korea had developed it specifically for use in their attacks. This was later proven incorrect, but it led to the public misattribution of later attacks whose malware shared code with the Hermes ransomware. In fact, Hermes ransomware was first available for sale in February 2017, and updated versions were released in August 2017, months prior to its use by North Korea in October 2017.19 A seller with the online moniker Cryptotech had offered Hermes for sale on an online market. Figure 3-5 shows a Cryptotech post from exploit.io selling Hermes ransomware for only $300.
Binary analysis reveals that Ryuk, GoGalocker, and MegaCortex all share source code with Hermes, too. Each variant appears to be an evolution of Hermes in which attackers added features and capabilities to create ransomware that fit their needs. In other words, the base code for each variant was originally authored by the same developer: Cryptotech. Since then, however, each group likely has updated, altered, or added features with their own developer.20
Before we discuss the relationships identified in the ransomware variants, let’s review the timeline of development for each variant, as well as the timeline for the instances in which they first appeared in attacks (Figure 3-6). The timeline is significant, as it shows the relative timeframes in which each variant was released.
Ryuk, GoGalocker, BitPaymer, and MegaCortex all use encryption logic similar to that first seen in Hermes. For instance, all variants attempt to write a file to the Windows directory to validate that they have the privileges necessary to encrypt the filesystem. If it has the appropriate privilege level, the ransomware writes two files: UNIQUE_ID_DO_NOT_REMOVE, containing a hardcoded key, and PUBLIC, containing an RSA public key. Once a file is encrypted, the ransomware writes a validity marker (ml_w_memmove(marker, s_HERMES)) that it checks to determine whether a file has already been encrypted.21
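The two artefacts just described, the key files in the Windows directory and the per-file validity marker, are what a responder looks for when scoping which systems and files an Hermes-family payload has already touched. The following is an added example, not code from the book or from any vendor tool; it assumes the marker is the ASCII string HERMES somewhere in a file’s trailing bytes (the exact offset differs between variants and must be confirmed against a real sample), and every directory and file name in it is constructed.

```python
"""Scope a Hermes-family ransomware incident from file-system artefacts.

Added example, not from the book. Assumption: the validity marker is the
ASCII string HERMES within the last TAIL_BYTES of an encrypted file. The
offset of the marker varies between variants; verify it against a sample.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"HERMES"                # s_HERMES from the decompiled code quoted above
KEY_FILES = ("UNIQUE_ID_DO_NOT_REMOVE", "PUBLIC")   # written to the Windows directory
TAIL_BYTES = 4096                 # assumed search window at the end of each file


def has_marker(path: Path) -> bool:
    """True if the file's trailing bytes contain the validity marker."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return MARKER in fh.read()


def key_files_present(windows_dir: Path) -> dict:
    """Report which of the two key files the ransomware drops exist."""
    return {name: (windows_dir / name).is_file() for name in KEY_FILES}


def scope(root: Path) -> dict:
    """Classify every regular file under root as encrypted, untouched or unreadable."""
    report = {"encrypted": [], "untouched": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                bucket = "encrypted" if has_marker(p) else "untouched"
            except OSError:            # locked, deleted mid-walk, permission denied
                bucket = "unreadable"
            report[bucket].append(str(p.relative_to(root)))
    for names in report.values():
        names.sort()
    return report


def build_fixture(base: Path) -> Path:
    """Create a constructed victim layout for the demonstration (no real malware)."""
    win = base / "Windows"
    win.mkdir(parents=True, exist_ok=True)
    (win / "UNIQUE_ID_DO_NOT_REMOVE").write_bytes(b"\x00" * 32)
    (win / "PUBLIC").write_bytes(b"-----constructed public key-----")
    share = base / "share"
    share.mkdir(exist_ok=True)
    # One "encrypted" file carrying the marker, two files the payload never reached.
    (share / "q3-report.docx").write_bytes(os.urandom(512) + MARKER + os.urandom(256))
    (share / "notes.txt").write_bytes(b"plain notes, never touched\n")
    (share / "README.txt").write_bytes(b"ransom note placeholder\n")
    return base


def demo() -> dict:
    """Build the fixture in a temporary directory and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_fixture(Path(tmp))
        return {"key_files": key_files_present(base / "Windows"),
                "files": scope(base / "share")}


if __name__ == "__main__":
    result = demo()
    print("key files in Windows directory:", result["key_files"])
    for bucket, names in result["files"].items():
        print(f"{bucket}: {names}")
```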
Additionally, the variants use similar whitelists to tell the ransomware which files not to encrypt. The whitelists all include the name AhnLab, a South Korean endpoint protection vendor. It’s odd that AhnLab is included in these lists, since none of the targets seen in the discussed attacks are in South Korea, where the software is primarily sold. It’s likely this name was left over from the Hermes source code.22 Remember that Hermes was previously used in attacks conducted by North Korea, which has a long history of targeting South Korea.
Another interesting similarity exists in the extension appended to files once encrypted. BitPaymer appends the extension .lock to each file; GoGalocker appends .locked. This attribute is admittedly fairly minor, and it could easily be circumstantial. However, along with the other similarities seen in the ransomware code, a pattern emerges, which Table 3-1 shows.
Table 3-1: Ransomware Code Similarities
| Whitelist (files to not encrypt) | X | X | X | X |
| Same or similar encrypted file extension | X | X |
The binary relationships aren’t the only similarities between these ransomware variants. Similar wording appears in the ransom notes of GoGalocker, Ryuk, BitPaymer, and MegaCortex, as demonstrated in Figure 3-7.23
Each ransomware variant has its own note and associated filename. None of the filenames are the same, but similarities exist in the wording, formatting, and decryption validation messaging. Table 3-2 correlates each ransom variant to the respective ransom note similarity.
Table 3-2: Ransom Note Similarities
| Similar “do not” warnings | X | X | X |
| Confirm decryption with two to three files message | X | X | X |
| There is a significant hole/flaw in your security system message | X | X |
Finally, a number of tactics and attacker behaviors appear across attacks involving each of these ransomware families. These links provide stronger evidence of relationships between the groups than code similarities, because they show the human aspect of the attack. The following are tactics that were present in attacks that used the ransomware variants discussed so far. Granted, these have changed over time, and they may not be in use today. This is because attackers change tools and tactics once they are publicly outed, as we’ve previously discussed.
The commands in the batch files deployed in attacks using the WMIC console were all similar, or in some cases identical. Since I could not link these with a publicly available tool or script, I believe the attacker created them. If so, these commands provide stronger evidence than other ties discussed. The use of these batch files indicates that the attackers, at a minimum, shared resources among one another.
In addition to sharing these tactics, the adversaries used the same infrastructure to download the shell code mentioned in the PowerShell scripts detailed in the second step.24 The overlap in infrastructure could simply indicate the use of the same compromised servers, but since the infrastructure hosting the Cobalt Strike payload does not resolve to a hostname (it is accessed by IP address instead), it is less likely to be a compromised server than infrastructure the attacker created. These shared steps and tools are too distinctive to be the work of chance.
A number of these attackers use other malware in their attacks. But while the tools and malware can change and have changed, the actions behind each step have not. The capability of each action, regardless of the tool or malware used, has remained the same. For example, we discussed Ryuk using both Emotet and Trickbot in their attacks. Emotet provided the initial access, at which point the PowerShell scripts executed and downloaded Cobalt Strike. From there, Trickbot obtained credentials, whereas Mimikatz fulfilled this function in other attacks.
Of note, prior to the use of Emotet and Trickbot in Ryuk’s attacks, the attacker used the exact tools and steps just outlined. The use of Emotet and Trickbot was an evolution of the attack. Prior to that, however, the steps, commands, and some infrastructure were the same as what we saw used in attacks involving these ransomware variants.
So far, we’ve discussed enterprise ransomware attacks by organized criminal groups. Another attack model exists: ransomware as a service (RaaS). RaaS allows criminals to take part in large-scale ransomware attacks when they otherwise may not have the means to do so. Just as an email provider hosts the servers, networks, and backend management applications necessary for you to access your email from any device, RaaS providers supply everything an attacker needs to conduct a ransomware attack. The attackers who work for and support the RaaS provider, known as affiliates, are responsible for the parts of the attack requiring human interaction, such as staging the victim environment and distributing the ransom payload. Provider and affiliate then work together to compromise and extort target organizations. This model poses a significant threat to large organizations, more so than the enterprise attacks discussed so far.
Well-known RaaS providers include Maze/Egregor, Ragnar Locker, Lockbit, and REvil, which provide much more than access to the ransomware payload. (Note that REvil bears no relation to the group EvilCorp mentioned earlier in this chapter.) They also provide the infrastructure, payment collection, and money laundering services necessary to obtain and disburse funds collected from ransomware operations. Additionally, the RaaS provider conducts ransom negotiation with the victim and hosts the infrastructure used in victim communications.
Today, ransomware attackers conduct more than just ransomware encryption attacks. New tactics are designed to squeeze money from victims beyond that gained from the ransomware. Before the ransomware encryption phase, the attackers copy sensitive victim data and exfiltrate it to attacker-owned infrastructure. This provides multiple benefits. The attacker can demand money not only for the encryption key needed to restore victim data but also to prevent the victim’s data from being sold or released to the public. The tactic is known as double extortion, since the victim must make two separate ransom payments: one for the encryption key necessary to decrypt their data, and a second to prevent that data from being exposed or sold to other criminals.
Since not all victims pay the ransom, the RaaS providers often use other tactics to “motivate” a victim who may be reluctant. For example, Maze often uses social media to publicly disclose they have breached and stolen victim data to increase the likelihood the compromised organization pays. RaaS providers host their own websites to release small amounts of sensitive victim data. The longer the victim takes to pay, the more data they release. If the victim still does not pay, the attacker sells the remaining data to generate as much profit as possible. On at least one occasion, the attacker behind Ragnar Locker attacks hired a call center in India to contact and pressure the victim into paying the ransom.
RaaS providers appear to be focusing on automating much of their attacks. For example, various ransomware payloads now use self-spreading techniques to automate what once was a time-consuming process.
On Friday, May 7, 2021, I received a message from an employee at Colonial Pipeline claiming the pipeline had come under attack, impacting their internal computer systems. Based on a screenshot of the ransom note they had received, I was able to deduce that the attack had originated from a criminal gang called DarkSide. By Saturday, May 8, news organizations began to report that a major ransomware attack had taken place, resulting in the shutdown of the pipeline and halting fuel distribution across the region.
Due to the attack’s widespread impact on people in the area, the U.S. government became heavily involved in the subsequent investigation.25 Organizations, including federal law enforcement and the Department of Homeland Security, assisted in mitigating the threat. But based on my research, I don’t think the DarkSide gang initially realized the impact the attack would have, nor the response it would bring from the U.S. government. A few days after the attack, the DarkSide gang posted a message to a press section of their data leak site, a website they used to leak stolen victim data, communicate with victims, negotiate ransom demands, and issue press releases. The message stated
We are apolitical, we do not participate in geopolitics, do not need to tie us with defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.26
DarkSide appears to have a close association with REvil, one of the original RaaS providers. We know this because one of DarkSide’s operators posted to a Russian-based malware forum to recruit hackers. The operator claimed several DarkSide members had previously participated in REvil ransomware operations as affiliate hackers, sharing profits for their participation in REvil attacks. Additionally, DarkSide and REvil ransomware share similar ransom notes, such as the same misspelled words. More importantly, both REvil and DarkSide ransomware payloads share code. The claims made, and the fact that REvil source code is not publicly available, suggest that the two gangs are closely affiliated.27 Source code contains sensitive information, and if it were publicly available or fell in the wrong hands, other criminals could alter and use it for their own attacks. Additionally, access to source code would make it much easier to identify and defeat the ransomware, making it useless in attacks, so REvil would only share such a resource with someone they know and trust.
Further, my analysis concluded that the people behind DarkSide are Russian. DarkSide operators spend time on Russian malware forums. They write their posts in Russian, and their ransomware checks its victims’ systems to ensure their default language is not Russian; if it is, the ransomware will not execute. Other researchers and media outlets came to the same conclusion, and many, including myself, wondered if DarkSide had a government affiliation. It would not be the first time Russia contracted with outside hackers for their cyber activities. In Chapter 1, we discussed that the KGB hired Markus Hess, a man located in Hannover, Germany, to hack Lawrence Berkeley National Laboratory in 1986. If the Russian government did have affiliation with DarkSide, neither the gang nor Russia would want the information to become public. If they were not affiliated, the public speculation reported by news organizations globally would also draw unwanted attention. Regardless, the United States was closing in on DarkSide, and they likely knew they were in trouble.
On May 13, 2021, U.S. President Joe Biden issued an executive order to increase cybersecurity requirements and standards for federal government-associated infrastructure. The same day, all of DarkSide’s infrastructure went offline. According to a post on a Russian OSINT Telegram channel by an associate of the DarkSide gang, they had lost access to their infrastructure, as well as to the servers storing stolen victim data.28 Further, the post alleged that, somehow, someone had withdrawn all of DarkSide’s proceeds from ransomware attacks, transferring the funds from DarkSide’s Bitcoin wallets to an unknown wallet address, leaving the criminals empty-handed. While no one took credit for the actions against the gang, it seems probable that the U.S. government was behind the takedown activity.
One of the best defensive measures you can take to protect against these types of attacks is to design, implement, and enforce a principle of least privilege throughout your environment. In short, the principle requires that users and services have only the minimum access and privilege necessary to conduct their respective operations and tasks within their environment. Many of the victims of the attacks discussed used accounts that had access to privileges and resources above what they needed to fulfill their role within the organization. The attacker was able to exploit this and use it to acquire access to resources they should not have been able to attain. A general user should not have administrative access unless there is a valid business need. Additionally, tools and resources should be locked down.
For example, just because current versions of Microsoft Windows come equipped with PowerShell doesn’t mean every user and system should have it available to them. Most users in your environment shouldn’t have access to these legitimate tools, and especially not to administrative tools such as PSExec and WMIC. They should be reserved for administrators who have a valid need for them. When these tools are detected being used by accounts that shouldn’t have access to them, their presence should trigger an investigation to determine if an attack is underway. Unfortunately, most of these resources aren’t commonly identified when used by attackers, because organizations normally don’t monitor or restrict them, given that they are legitimate.
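The staging behaviour described for BitPaymer earlier in the chapter (disabling security services, deleting shadow copies, pushing the payload with PSExec) and the point just made about administrative tools in the hands of accounts that shouldn’t have them can both be expressed as detection logic over process-creation telemetry. The following is an added example, not code from the book or any vendor product; its account allow-list, its event field names and its sample records are all constructed for the demonstration.

```python
"""Flag ransomware-staging behaviour in Windows process-creation events.

Added example, not from the book. The allow-list, field names and sample
records below are assumptions made for the demonstration; map them onto
your own telemetry (Sysmon event 1 or Security event 4688, for instance).
"""
import re
from dataclasses import dataclass

# Accounts permitted to run administrative tools (assumed for the example).
ADMIN_ACCOUNTS = {"CORP\\svc_backup", "CORP\\it.admin"}

# Tools the chapter says should be reserved for administrators.
ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "powershell.exe"}

# Shadow-copy deletion, one of the staging steps described for BitPaymer.
SHADOW_COPY_DELETION = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy)", re.IGNORECASE)

# Stopping antivirus or endpoint-protection services before the payload runs.
SECURITY_SERVICE_STOP = re.compile(
    r"(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|Stop-Service)\s+\S*"
    r"(defend|antivirus|sense|mcafee|symantec)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    user: str           # account that launched the process
    image: str          # full path of the executable
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    command_line: str


def analyse(event: ProcessEvent) -> list[Alert]:
    """Return every rule the event trips; one event can trip several."""
    alerts = []
    exe = event.image.rsplit("\\", 1)[-1].lower()
    cmd = event.command_line
    if exe in ADMIN_TOOLS and event.user not in ADMIN_ACCOUNTS:
        alerts.append(Alert("admin-tool-by-non-admin", event.user, cmd))
    if SHADOW_COPY_DELETION.search(cmd):
        alerts.append(Alert("shadow-copy-deletion", event.user, cmd))
    if SECURITY_SERVICE_STOP.search(cmd):
        alerts.append(Alert("security-service-stop", event.user, cmd))
    return alerts


def triage(events) -> dict:
    """Run analyse() over a batch of events and group the alerts by rule."""
    by_rule: dict[str, list[Alert]] = {}
    for ev in events:
        for alert in analyse(ev):
            by_rule.setdefault(alert.rule, []).append(alert)
    return by_rule


# Constructed sample events: one benign administrative action, followed by a
# staging sequence run from a stolen ordinary user account.
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\it.admin", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic.exe computersystem get name"),
    ProcessEvent("CORP\\j.doe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\stage.ps1"),
    ProcessEvent("CORP\\j.doe", r"C:\Windows\System32\net.exe",
                 "net stop WinDefend"),
    ProcessEvent("CORP\\j.doe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("CORP\\j.doe", r"C:\Tools\PsExec.exe",
                 r"psexec.exe \\FILESRV01 -d C:\temp\payload.exe"),
    ProcessEvent("CORP\\j.doe", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic.exe shadowcopy delete"),
]

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print(f"    {hit.user}: {hit.command_line}")
```

The first record is the same tool run by an allow-listed administrator and produces no alert, which is the distinction the chapter asks defenders to make.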
Restricting email to plaintext and banning HTML-based email can significantly minimize the effectiveness of a compromise due to spear-phishing emails. Restricting email to plaintext will prevent images and HTML graphics from rendering properly, as plaintext-only displays allow just that: text, and only text. This will defeat many attack techniques, as it prevents many HTML-based exploits from functioning. Take the obfuscated URLs that deliver malware, for example. If the email comes through in plaintext, the user has to manually copy and paste the URL into their browser in order to navigate to the malicious infrastructure necessary to further the attack. This prevents a user from simply clicking the URL and infecting themselves.
Also consider limiting the type of attachments allowed in your environment. Restricting the file formats allowed can significantly limit your exposure to malware. For example, most businesses don’t need their users to access .rar, .dll, or .exe files received through email. If the business need doesn’t exist and the risk isn’t warranted, simply don’t allow it. Outside of email restrictions, consider blocking tools and applications that aren’t necessary in the environment. For example, many tools we’ve discussed, such as Mimikatz, do have a legitimate purpose for red-team exercises. However, if you don’t routinely conduct these types of exercises, block the tool from your environment completely. If the need does exist, only make them available to the few users in your environment who need them (following the principle of least privilege). This applies not only to applications but also to services and protocols. One of the ways in which the attackers spread malware is through open RDP ports on systems within the environment. Given this, you should restrict or severely limit these protocols. This may cause additional work for administrators, or an inconvenience to some users, but having an attacker encrypt your entire network will create an even greater inconvenience.
Unfortunately, many organizations struggle to secure user permissions, as well as the various protocols and technologies, such as PowerShell, used within their environment. Historically, organizations have used a trusted security model in which defensive resources trust users, applications, and infrastructure unless deemed malicious. For example, in a trust-based environment, an internal system can communicate with an outside website so long as the site is deemed safe. The problem with trusted security models is that new or unknown threats, like ransomware, have an opportunity to take advantage of this trust before defensive resources can identify them as malicious. Making matters worse, when attackers gain control of a legitimate account and escalate its privileges for malicious purposes, they are initially trusted by default and allowed to conduct their activity mostly unchallenged by security resources. In an environment using a zero-trust model, security resources would be more likely to identify the compromised account as soon as the attacker escalates privileges. By default, it would also not trust the attacker’s infrastructure, making it much harder to deliver malware or exfiltrate victim data. The negative aspect of using a zero-trust model is that it takes more work up-front to set up correctly and requires maintenance to ensure it trusts the appropriate resources necessary to conduct business. Nevertheless, more organizations have adopted a zero-trust security model to protect their environment.
Regardless of the model used, many security tools, applications, and defenses exist today. These tools require additional setup to properly maintain their designated level of security. More importantly, a human needs to monitor these devices, as well as the alerts and warnings they create. If your system flags an attack, especially one pertaining to legitimate tools, and no one looks at it because they assume an authorized tool is being used for legitimate purposes, you won’t discover it until it’s too late. Unfortunately, this is exactly what happened in many of the victim environments discussed in this chapter.
Human-driven ransomware is one of the biggest threats to enterprises that exists today. Attackers quickly learned to adopt and implement tactics once seen only in targeted nation-state attacks. When implemented by a human behind a keyboard who spends longer periods staging a target’s environment, these tactics greatly increase the attacker’s chance of success. State government and healthcare organizations are popular targets and at higher risk, though organizations across many industries have been targeted.
“Big game hunting” has proven to be extremely lucrative, as most targets would rather pay the attacker than deal with the realities of recovering from this type of attack. Unfortunately, paying attackers only encourages them to continue ransom operations. Organizations such as Norsk that stand their ground and refuse to reward attackers by paying the ransom are rare. Nevertheless, both cybersecurity and law enforcement experts agree: you should never pay a ransomware attacker.29 Attackers know that an organization is more likely to pay than not, and they use this to their advantage. But when an organization decides to pay, it’s trusting that a criminal, who just spent days to weeks compromising them, is going to keep their word and provide the encryption key necessary to unlock its data. Attackers will often instead take the money and run, leaving the victim without their data or their money.
At the time of this writing, there are a growing number of ransomware groups emerging who take part in “big game hunting” attacks. Each of these personas uses malware that appears to be unique; however, as demonstrated in this chapter, many have ties to each other that indicate they may not be as unique as once thought. Identifying code overlaps, in addition to attacker behaviors and tactics, is a good way to cluster activity. Regardless of who is behind the attacks we’ve discussed, it’s difficult to believe they do not have some level of affiliation, based on the similarities outlined. However, this doesn’t necessarily mean the attacks are all the work of the same group, although some adversaries, such as GoGalocker and Ryuk, might very well have the same attacker behind the keyboard. Evidence to support this isn’t based on the code similarities—which do exist—but instead correlates with the stronger indicators, the human aspect of these attacks.
An organization is never ready for attacks that cripple all of its IT assets, and often its own data, as well as its customers’. But when it happens, understanding what to do and how to react is critical in minimizing the overall impact of the attack. Preparing for and properly defending against a ransomware attack is even more critical and should be part of an organization’s defenses. We’ve discussed a number of preemptive mitigation strategies and techniques. Use these to identify the activity prior to the deployment of the ransomware itself. For this reason, this chapter has focused on the post-compromise activities, more so than on the ransom execution itself. Identifying a potential attack when signs of compromise first appear during the enumeration and staging phase of the attack can significantly decrease an organization’s chances of falling victim to “big game hunters” looking to make a name, and a buck, off the company’s demise.