Blog

No se ha encontrado ningún artículo.

Intrusiones de Evil Corp: El ransomware WastedLocker detectado por Darktrace

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
Aug 2020
18
Aug 2020

Darktrace has recently observed several targeted intrusions associated with Evil Corp, an advanced cyber-criminal group recently in the headlines after a surge in WastedLocker ransomware cases. The group is believed to have targeted hundreds of organizations in over 40 countries, demanding ransoms of $500,000 to $1m to unlock computer files it seizes. US authorities are now offering a $5m reward for information leading to the arrest of the group’s leaders — understood to be the largest sum of money ever offered for a cyber-criminal.

Thanks to its self-learning nature, Darktrace's AI detected these intrusions without the use of any threat intelligence or static Indicators of Compromise (IoCs). This blog describes the techniques, tools and procedures used in multiple intrusions by Evil Corp – also known as TA505 or SectorJ04.

Key takeaways

  • The threat actor was reusing TTPs as well as infrastructure across multiple intrusions
  • Some infrastructure was only observed in individual intrusions
  • While most WastedLocker reports focus on the ransomware, Darktrace has observed Evil Corp conducting data exfiltration
  • The attacker used various ‘Living off the Land’ techniques for lateral movement
  • Data exfiltration and ransomware activity took place on weekends, likely to reduce response capabilities of IT teams
  • Although clearly an advanced actor, Evil Corp can be detected and stopped before encryption ensues

Evil Corp ransomware attack

Figure 1: The standard attack lifecycle observed in Evil Corp campaigns

Initial intrusion

While Evil Corp is technically sophisticated enough to choose from an array of initial intrusion methods, fake browser updates were the weapon of choice in the observed campaign. These were delivered from legitimate websites and used social engineering to convince users to download these malicious ‘updates’. Evil Corp has actually built a framework around this capability, referred to as SocGholish.

Establishing foothold / Command & Control Traffic

Darktrace detected different C2 domains being contacted after the initial infection. These domains overlap across various victims, showing that the attacker is reusing infrastructure within the same campaign. The C2 communication – comprised of thousands of connections over several days – took place over encrypted channels with valid SSL certificates. No single infected device ever beaconed to more than one C2 domain at a time.

Two example C2 domains are listed below with more details:

techgreeninc[.]com

SSL beacon details:

  • Median beacon period: 3 seconds
  • Range of periods: 1 seconds - 2.58 minutes
  • Data volume sent per connection on average: 921 Bytes

investimentosefinancas[.]com

SSL beacon details:

  • Median beacon period: 1.7 minutes
  • Range of periods: 1 seconds - 6.68 minutes
  • Data volume sent per connection on average: 935 Bytes

Certificate information:

  • Subject: CN=investimentosefinancas.com
  • Issuer: CN=Thawte RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
  • Validation status: OK

Note in particular the median beacon period, which indicates that some C2 channels were much more hands-on, whilst others possibly acted as backup channels in case the main C2 was burned or detected. It’s also interesting to see the low amount of data being transferred to the hands-on C2 domains. The actual data exfiltration took place to yet another C2 destination, intentionally separated from the hands-on intrusion C2s. All observed C2 websites were recently registered with Russian providers and are not responsive (see below).

Figure 2: The unresponsive C2 domain

Registrar: reg.ru

Created: 2020-06-29 (6 weeks ago) | Updated: 2020-07-07 (5 weeks ago)

Figure 3: Some key information relating to the C2 domain

La Plataforma de Cyber AI de Darktrace detectó esta actividad de Mando y Control a través de varios indicadores de comportamiento, incluyendo el balizamiento inusual y el uso inusual de TLS (JA3).

Internal reconnaissance

In some cases, Darktrace witnessed several days of inactivity between establishing C2 and internal reconnaissance. The attackers used Advanced Port Scanner, a common IT tool, in a clear attempt to blend in with regular network activity. Several hundred IPs and dozens of popular ports were scanned at once, with tens of thousands of connections made in a short period of time.

Some key ports scanned were: 21, 22, 23, 80, 135, 139, 389, 443, 445, 1433, 3128, 3306, 3389, 4444, 4899, 5985, 5986, 8080. Darktrace detected this anomalous behavior easily as the infected devices don’t usually scan the network.

Lateral movement

Different methods of lateral movement were observed across intrusions, but also within the same intrusion, with WMI used to move between devices. Darktrace detected this by identifying when WMI usage was unusual or new for a device. An example of the lateral movement is shown below, with Darktrace detecting this as ‘New Activity’.

Figure 4: The model breach event log

PsExec was used where it already existed in the environment and Darktrace also witnessed SMB drive writes to hidden shares to copy malware, e.g.

C$ file=Programdata\[REDACTED]4rgsfdbf[REDACTED]

A malicious Powershell file was downloaded – partly shown in the screenshot below.

Figure 5: The malicious Powershell file

Accomplish mission – Data exfiltration or ransomware deployment

Evil Corp is currently best known for its WastedLocker ransomware. Whilst some of its recent intrusions have seen ransomware deployments, others have been classic cases of data exfiltration. Darktrace has not yet observed a double-threat – a case of exfiltration followed by ransomware.

The data exfiltration took place over HTTP to generic .php endpoints under the attacker’s control.

How Cyber AI Analyst reported on WastedLocker

When the first signs of anomalous activity were picked up by Darktrace’s Enterprise Immune System, Cyber AI Analyst automatically launched a full investigation and quickly provided a full overview of the overall incident. The AI Analyst continued to add more details to the ongoing incident as it evolved. There were a total of six AI Analyst incidents for the week spanning an example Evil Corp intrusion – and two of them directly covered the Evil Corp attack. In stitching together disparate security events and presenting a single narrative, Cyber AI Analyst did all the heavy lifting for human security staff, who could look at just a handful of fully-investigated incidents, instead of having to triage countless individual model breaches.

Figure 6: Cyber AI Analyst’s overview of the incident

Note how AI Analyst covers five phases of the attack lifecycle in a single incident report:

  1. Unusual Repeated Connections – Initial C2
  2. Possible HTTP Command & Control Traffic – Further C2
  3. Possible SSL Command & Control Traffic – Further C2
  4. Scanning of Multiple Devices – Internal reconnaissance with Advanced IP Scanner
  5. SMB Writes of Suspicious Files – Lateral Movement

Evil Corp rising

Every indicator suggests that this was not a case of indiscriminate ransomware, but rather highly sophisticated and targeted attacks by an advanced threat actor. With the ultimate goal of ransoming operations, the attacker moved towards the crown jewels of the organization: file servers and databases.

The organizations involved in the above analysis did not have Darktrace Antigena – Darktrace’s Autonomous Response technology – in active mode, and the threat was therefore allowed to escalate beyond its initial stages. With Antigena in full operation, the activity would have been contained at its early stages with a precise and surgical response which would have stopped the malicious behavior whilst allowing the business to operate as normal.

Despite the targeted and advanced nature of the threat, security teams are perfectly capable of detecting, investigating, and stopping the threat with Cyber AI. Darktrace was able to not only detect WastedLocker ransomware based on a series of anomalies in network traffic, but also stitch together those anomalies and investigate the incident in real time, presenting an actionable summary of the different attack stages without flooding the security team with meaningless alerts.

Learn more about Autonomous Response

Network IoCs:

IoCCommenttechgreeninc[.]comC2 domaininvestimentosefinancas[.]comC2 domain

Selected associated Darktrace model breaches:

  • Compromise / Beaconing Activity To External Rare
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Suspicious Beaconing Behaviour
  • Device / New or Unusual Remote Command Execution
  • Compromise / Beaconing Activity To External Rare
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Slow Beaconing Activity To External Rare
  • Device / New User Agent
  • Unusual Activity / Unusual Internal Connections
  • Device / Suspicious Network Scan Activity
  • Device / Network Scan
  • Device / Network Scan - Low Anomaly Score
  • Device / ICMP Address Scan
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compromise / SSL Beaconing to Rare Destination
  • Anomalous Connection / SMB Enumeration
  • Compliance / SMB Drive Write
  • Anomalous File / Internal / Unusual SMB Script Write

NEWSLETTER

¿Te gusta esto y quieres más?

Stay up to date on the latest industry news and insights.
Puede darse de baja en cualquier momento. Política de privacidad
DENTRO DEL SOC
Darktrace son expertos de talla mundial en inteligencia de amenazas, caza de amenazas y respuesta a incidentes, y proporcionan apoyo al SOC las 24 horas del día a miles de clientes de Darktrace en todo el mundo. Inside the SOC está redactado exclusivamente por estos expertos y ofrece un análisis de los ciberincidentes y las tendencias de las amenazas, basado en la experiencia real sobre el terreno.
AUTOR
SOBRE EL AUTOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

share this article
CASOS DE USO
No se ha encontrado ningún artículo.
PRODUCTOS DESTACADOS
No se ha encontrado ningún artículo.
Cobertura básica
No se ha encontrado ningún artículo.

More in this series

No se ha encontrado ningún artículo.

Blog

No se ha encontrado ningún artículo.

Using AI to Help Humans Function Better During a Cyber Crisis

Stressed cyber security analysts looking at a laptop screen during a cyber incidentDefault blog imageDefault blog image
19
Sep 2023

Within cyber security, crises are a regular occurrence. Whether due to the ever-changing tactics of threat actors or the emergence of new vulnerabilities, security teams find themselves under significant pressure and frequently find themselves in what psychologists term "crisis states."1

A crisis state refers to an internal state marked by confusion and anxiety to such an extent that previously effective coping mechanisms give way to ineffective decision-making and behaviors.2

Given the prevalence of crises in the field of cyber security, practitioners are more prone to consistently making illogical choices due to the intense pressure they experience. They also grapple with a constant influx of rapidly changing information, the need for swift decision-making, and the severe consequences of errors in judgment. They are often asked to assess hundreds of variables and uncertain factors.

The frequency of crisis states is expected to rise as generative AI empowers cyber criminals to accelerate the speed, scale, and sophistication of their attacks.

Why is it so challenging to operate effectively and efficiently during a crisis state? Several factors come into play.

Firstly, individuals are inclined to rely on their instincts, rendering them susceptible to cognitive biases. This makes it increasingly difficult to assimilate new information, process it appropriately, and arrive at logical decisions. Since crises strike unexpectedly and escalate rapidly into new unknowns, responders experience heightened stress, doubt and insecurity when deciding on a course of action.

These cognitive biases manifest in various forms. For instance, confirmation bias prompts people to seek out information that aligns with their pre-existing beliefs, while hindsight bias makes past events seem more predictable in light of present context and information.

Crises also have a profound impact on information processing and decision-making. People tend to simplify new information and often cling to the initial information they receive rather than opting for the most rational decision.

For instance, if an organization has successfully thwarted a ransomware attack in the past, a defender might assume that employing the same countermeasures will suffice for a subsequent attack. However, ransomware tactics are constantly evolving, and a subsequent attack could employ different strategies that evade the previous defenses. In a crisis state, individuals may revert to their prior strategy instead of adapting based on the latest information.

Given there are deeply embedded psychological tendencies and hard-wired decision-making processes leading to a reduction in logic during a crisis, humans need support from technology that does not suffer from the same limitations, particularly in the post-incident phase, where stress levels go into overdrive.

In the era of rapidly evolving novel attacks, security teams require a different approach: AI.

AI can serve as a valuable tool to augment human decision-making, from detection to incident response and mitigation. This is precisely why Darktrace introduced HEAL, which leverages self-learning AI to assist teams in increasing their cyber resilience and managing live incidents, helping to alleviate the cognitive burden they face.

Darktrace HEAL™ learns from your environment, including data points from real incidents and generates simulations to identify the most effective approach for remediation and restoring normal operations. This reduces the overwhelming influx of information and facilitates more effective decision-making during critical moments.

Furthermore, HEAL offers security teams the opportunity to safely simulate realistic attacks within their own environment. Using specific data points from the native environment, simulated incidents prepare security teams for a variety of circumstances which can be reviewed on a regular basis to encourage effective habit forming and reduce cognitive biases from a one-size-fits-all approach. This allows them to anticipate how attacks might unfold and better prepare themselves psychologically for potential real-world incidents.

With the right models and data, AI can significantly mitigate human bias by providing remediation recommendations grounded in evidence and providing proportionate responses based on empirical evidence rather than personal interpretations or instincts. It can act as a guiding light through the chaos of an attack, providing essential support to human security teams.

1 www.cybersecuritydive.com/news/incident-response-impacts-wellbeing/633593

2 blog.bcm-institute.org/crisis-management/making-decision-during-a-crisis

Continue reading
About the author

Blog

Dentro del SOC

Akira Ransomware: How Darktrace Foiled Another Novel Ransomware Attack

Default blog imageDefault blog image
13
Sep 2023

Threats Landscape: New Strains of Ransomware

In the face of a seemingly never-ending production line of novel ransomware strains, security teams across the threat landscape are continuing to see a myriad of new variants and groups targeting their networks. Naturally, new strains and threat groups present unique challenges to organizations. The use of previously unseen tactics, techniques, and procedures (TTPs) means that threat actors can often completely bypass traditional rule and signature-based security solutions, thus rendering an organization’s digital environment vulnerable to attack.

What is Akira Ransomware?

One such example of a novel ransomware family is Akira, which was first observed in the wild in March 2023. Much like many other strains, Akira is known to target corporate networks worldwide, encrypting sensitive files and demanding huge sums of money to retrieve the data and stop it from being posted online [1].

In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection, Darktrace DETECT™ successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. In cases where Darktrace RESPOND™ was enabled in autonomous response mode, these attacks were mitigated the early stages of the attack, thus minimizing any disruption or damage to customer networks.

Initial access and privilege escalation

The Akira ransomware group typically uses spear-phishing campaigns containing malicious downloads or links as their primary initial access vector; however, they have also been known to use Remote Desktop Protocol (RDP) brute-force attacks to access target networks [2].

While Darktrace did observe the early access activities that are detailed below, it is very likely that the actual initial intrusion happened prior to this, through targeted phishing attacks that fell outside of Darktrace’s purview.  The first indicators of compromise (IoCs) that Darktrace observed on customer networks affected by Darktrace were typically unusual RDP sessions, and the use of compromised administrative credentials.

On one Darktrace customer’s network (customer A), Darktrace DETECT identified a highly privileged credential being used for the first time on an internal server on May 21, 2023. Around a week later, this server was observed establishing RDP connections with multiple internal destination devices via port 3389. Further investigation carried out by the customer revealed that this credential had indeed been compromised. On May 30, Darktrace detected another device scanning internal devices and repeatedly failing to authenticate via Kerberos.

As the customer had integrated Darktrace with Microsoft Defender, their security team received additional cyber threat intelligence from Microsoft which, coupled with the anomaly alerts provided by Darktrace, helped to further contextualize these anomalous events. One specific detail gleaned from this integration was that the anomalous scanning activity and failed authentication attempts were carried out using the compromised administrative credentials mentioned earlier.

By integrating Microsoft Defender with Darktrace, customers can efficiently close security gaps across their digital infrastructure. While Darktrace understands customer environments and provides valuable network-level insights, by integrating with Microsoft Defender, customers can further enrich these insights with endpoint-specific information and activity.

In another customer’s network (customer B), Darktrace detected a device, later observed writing a ransom note, receiving an unusual RDP connection from another internal device. The RDP cookie used during this activity was an administrative RDP cookie that appeared to have been compromised. This device was also observed making multiple connections to the domain, api.playanext[.]com, and using the user agent , AnyDesk/7.1.11, indicating the use of the AnyDesk remote desktop service.

Although this external domain does not appear directly related to Akira ransomware, open-source intelligence (OSINT) found associations with multiple malicious files, and it appeared to be associated with the AnyDesk user agent, AnyDesk/6.0.1 [3]. The connections to this endpoint likely represented the malicious use of AnyDesk to remotely control the customer’s device, rather than Akira command-and-control (C2) infrastructure or payloads. Alternatively, it could be indicative of a spoofing attempt in which the threat actor is attempting to masquerade as legitimate remote desktop service to remain undetected by security tools.

Around the same time, Darktrace observed many devices on customer B’s network making anomalous internal RDP connections and authenticating via Kerberos, NTLM, or SMB using the same administrative credential. These devices were later confirmed to be affected by Akira ransomware.

Figure 1 shows how Darktrace detected one of those internal devices failing to login via SMB multiple times with a certain credential (indication of a possible SMB/NTLM brute force), before successfully accessing other internal devices via SMB, NTLM and RDP using the likely compromised administrative credential mentioned earlier.

Figure 1: Model Breach Event Log indicating unusual SMB, NTLM and RDP activity with different credentials detected which led to the Darktrace DETECT model breaches, "Unusual Admin RDP Session” and “Successful Admin Brute-Force Activity”.

Darktrace DETECT models observed for initial access and privilege escalation:

  • Device / Anomalous RDP Followed By Multiple Model Breaches
  • Anomalous Connection / Unusual Admin RDP Session
  • New Admin Credentials on Server
  • Possible SMB/NTLM Brute Force Indicator
  • Unusual Activity / Successful Admin Brute-Force Activity

Internal Reconnaissance and Lateral Movement

The next step Darktrace observed during Akira ransomware attacks across the customer was internal reconnaissance and lateral movement.

In another customer’s environment (customer C), after authenticating via NTLM using a compromised credential, a domain controller was observed accessing a large amount of SMB shares it had never previously accessed. Darktrace DETECT understood that this SMB activity represented a deviation in the device’s expected behavior and recognized that it could be indicative of SMB enumeration. Darktrace observed the device making at least 196 connections to 34 unique internal IPs via port 445. SMB actions read, write, and delete were observed during those connections. This domain controller was also one of many devices on the customer’s network that was received incoming connections from an external endpoint over port 3389 using the RDP protocol, indicating that the devices were likely being remotely controlled from outside the network. While there were no direct OSINT links with this endpoint and Akira ransomware, the domain controller in question was later confirmed to be compromised and played a key role in this phase of the attack.

Moreover, this represents the second IoC that Darktrace observed that had no obvious connection to Akira, likely indicating that Akira actors are establishing entirely new infrastructure to carry out their attacks, or even utilizing newly compromised legitimate infrastructure. As Darktrace DETECT adopts an anomaly-based approach to threat detection, it can recognize suspicious activity indicative of an emerging ransomware attack based on its unusualness, rather than having to rely on previously observed IoCs and lists of ‘known-bads’.

Darktrace further observed a flurry of activity related to lateral movement around this time, primarily via SMB writes of suspicious files to other internal destinations. One particular device on customer C’s network was detected transferring multiple executable (.exe) and script files to other internal devices via SMB.

Darktrace recognized that these transfers represented a deviation from the device’s normal SMB activity and may have indicated threat actors were attempting to compromise additional devices via the transfer of malicious software.

Figure 2: Advanced Search results showing 20 files associated with suspicious SMB write activity, amongst them executable files and dynamic link libraries (DLLs).

Darktrace DETECT models observed for internal reconnaissance and lateral movement:

  • Device / RDP Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Possible Share Enumeration Activity
  • Scanning of Multiple Devices (Cyber AI Analyst Incident)
  • Device / Possible SMB/NTLM Reconnaissance
  • Compliance / Incoming Remote Desktop
  • Compliance / Outgoing NTLM Request from DC
  • Unusual Activity / Internal Data Transfer
  • Security Integration / Lateral Movement and Integration Detection
  • Device / Anomalous SMB Followed By Multiple Model Breaches

Ransomware deployment

In the final phase of Akira ransomware attacks detected on Darktrace customer networks, Darktrace DETECT identified the file extension “.akira” being added after encryption to a variety of files on the affected network shares, as well as a ransom note titled “akira_readme.txt” being dropped on affected devices.

On customer A’s network, after nearly 9,000 login failures and 2,000 internal connection attempts indicative of scanning activity, one device was detected transferring suspicious files over SMB to other internal devices. The device was then observed connecting to another internal device via SMB and continuing suspicious file activity, such as appending files on network shares with the “.akira” extension, and performing suspicious writes to SMB shares on other internal devices.

Darktrace’s autonomous threat investigator, Cyber AI Analyst™, was able to analyze the multiple events related to this encryption activity and collate them into one AI Analyst incident, presenting a detailed and comprehensive summary of the entire incident within 10 minutes of Darktrace’s initial detection. Rather than simply viewing individual breaches as standalone activity, AI Analyst can identify the individual steps of an ongoing attack to provide complete visibility over emerging compromises and their kill chains. Not only does this bolster the network’s defenses, but the autonomous investigations carried out by AI Analyst also help to save the security team’s time and resources in triaging and monitoring ongoing incidents.

Figure 3: Darktrace Cyber AI Analyst incident correlated multiple model breaches together to show Akira ransomware encryption activity.

In addition to analyzing and compiling Darktrace DETECT model breaches, AI Analyst also leveraged the host-level insights provided by Microsoft Defender to enrich its investigation into the encryption event. By using the Security Integration model breaches, AI Analyst can retrieve timestamp and device details from a Defender alert and further investigate any unusual activity surrounding the alert to present a full picture of the suspicious activity.

In customer B’s environment, following the unusual RDP sessions and rare external connections using the AnyDesk user agent, an affected device was later observed writing around 2,000 files named "akira_readme.txt" to multiple internal SMB shares. This represented the malicious actor dropping ransom notes, containing the demands and extortion attempts of the actors.

Figure 4: Model Breach Event Log indicating the ransom note detected on May 12, 2023, which led to the Darktrace DETECT model breach, Anomalous Server Activity / Write to Network Accessible WebRoot.
Figure 5: Packet Capture (PCAP) demonstrating the Akira ransom note captured from the connection details seen in Figure 4.

As a result of this ongoing activity, an Enhanced Monitoring model breach, a high-fidelity DETECT model type that detects activities that are more likely to be indicative of compromise, was escalated to Darktrace’s Security Operations Center (SOC) who, in turn were able to further investigate and triage this ransomware activity. Customers who have subscribed to Darktrace’s Proactive Threat Notification (PTN) service would receive an alert from the SOC team, advising urgent follow up action.

Darktrace DETECT models observed during ransomware deployment:

  • Security Integration / Integration Ransomware Incident
  • Security Integration / High Severity Integration Detection
  • Security Integration / Integration Ransomware Detected
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity (Proactive Threat Notification Alerted by the Darktrace SOC)
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous File / Internal / Unusual SMB Script Write
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous Server Activity /Write to Network Accessible WebRoot
  • Anomalous Server Activity /Write to Network Accessible WebRoot

Darktrace RESPOND

When Darktrace is configured in autonomous response mode, RESPOND is able to follow up successful threat identifications by DETECT with instant autonomous actions that stop malicious actors in their tracks and prevent them from achieving their end goals.

In the examples of Darktrace customers affected by Akira outlined above, only customer A had RESPOND enabled in autonomous response mode during their ransomware attack. The autonomous response capability of Darktrace RESPOND helped the customer to minimize disruption to the business through multiple targeted actions on devices affected by ransomware.

One action carried out by RESPOND was to block all on-going traffic from affected devices. In doing so, Darktrace effectively shuts down communications between devices affected by Akira and the malicious infrastructure used by threat actors, preventing the spread of data on the client network or threat actor payloads.

Another crucial RESPOND action applied on this customer’s network was combat Akira was to “Enforce a Pattern of Life” on affected devices. This action is designed to prevent devices from performing any activity that would constitute a deviation from their expected behavior, while allowing them to continue their ‘usual’ business operations without causing any disruption.

While the initial intrusion of the attack on customer A’s network likely fell outside of the scope of Darktrace’s visibility, Darktrace RESPOND was able to minimize the disruption caused by Akira, containing the ransomware and allowing the customer to further investigate and remediate.

Darktrace RESPOND model breaches:

  • Antigena / Network / External Threat / Antigena Ransomware Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network /Insider Threat /Antigena SMB Enumeration Block

Conclusion

Novel ransomware strains like Akira present a significant challenge to security teams across the globe due to the constant evolution of attack methods and tactics, making it huge a challenge for security teams to stay up to date with the most current threat intelligence.  

Therefore, it is paramount for organizations to adopt a technology designed around an intelligent decision maker able to identify unusual activity that could be indicative of a ransomware attack without depending solely on rules, signatures, or statistic lists of malicious IoCs.

Darktrace DETECT identified Akira ransomware at every stage of the attack’s kill chain on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. When enabled in autonomous response mode, Darktrace RESPOND is able to follow up initial detections with machine-speed preventative actions to stop the spread of ransomware and minimize the damage caused to customer networks.  

There is no silver bullet to defend against novel cyber-attacks, however Darktrace’s anomaly-based approach to threat detection and autonomous response capabilities are uniquely placed to detect and respond to cyber disruption without latency.

Credit to: Manoel Kadja, Cyber Analyst, Nahisha Nobregas, SOC Analyst.

Appendices

IOC - Type - Description/Confidence

202.175.136[.]197 - External destination IP -Incoming RDP Connection

api.playanext[.]com - External hostname - Possible RDP Host

.akira - File Extension - Akira Ransomware Extension

akira_readme.txt - Text File - Akira Ransom Note

AnyDesk/7.1.11 - User Agent -AnyDesk User Agent

MITRE ATT&CK Mapping

Tactic & Technique

DISCOVERY

T1083 - File and Directory Discovery

T1046 - Network Service Scanning

T1135 - Network Share Discovery

RECONNAISSANCE

T1595.002 - Vulnerability Scanning

CREDENTIAL ACCESS, COLLECTION

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

DEFENSE EVASION, LATERAL MOVEMENT

T1550.002 - Pass the Hash

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078 - Valid Accounts

DEFENSE EVASION

T1006 - Direct Volume Access

LATERAL MOVEMENT

T1563.002 - RDP Hijacking

T1021.001 - Remote Desktop Protocol

T1080 - Taint Shared Content

T1021.002 - SMB/Windows Admin Shares

INITIAL ACCESS

T1190 - Exploit Public-Facing Application

T1199 - Trusted Relationship

PERSISTENCE, INITIAL ACCESS

T1133 - External Remote Services

PERSISTENCE

T1505.003 - Web Shell

IMPACT

T1486 - Data Encrypted for Impact

References

[1] https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/

[2] https://www.civilsdaily.com/news/cert-in-warns-against-akira-ransomware/#:~:text=Spread%20Methods%3A%20Akira%20ransomware%20is,Desktop%20connections%20to%20infiltrate%20systems

[3] https://hybrid-analysis.com/sample/0ee9baef94c80647eed30fa463447f000ec1f50a49eecfb71df277a2ca1fe4db?environmentId=100

Continue reading
About the author
Manoel Kadja
Cyber Analyst

Buenas noticias para su negocio.
Malas noticias para los malos.

Inicie su prueba gratuita

Inicie su prueba gratuita

Entrega flexible
Cloud-based deployment.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
¡Ups! Algo salió mal al enviar el formulario.

Obtenga una demostración

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.