Understanding ransomware reinfection: An MDR case study

Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again. The question is what medicine is available to kick this nasty infection for good.

In this post, we’ll break down the idea of ransomware reinfection and share a real-life episode where Malwarebytes Managed Detection and Response (MDR) mitigated a resilient ransomware reinfection from the Royal ransomware gang.

What is ransomware reinfection?

Imagine this scenario: You’ve recently battled a vicious ransomware attack, finally restoring your systems to their normal functionality. You breathe a sigh of relief, secure in the knowledge that your data is safe and operations are running smoothly.

Alas, it’s not the end of the story.

The ransomware you just cleaned up was only the final act of a longer intrusion. In other words, ransomware deployment is rarely the start of the problem; it is usually the result of an unresolved network compromise.

The true culprit is however the threat actor gained access in the first place. Once inside, they steal login credentials, deploy malware, or establish a backdoor, a hidden route back into the network that can be used later. It is the equivalent of leaving a side door unlocked for future visits.

Even after the immediate ransomware attack has been mitigated, those hidden doors may go unnoticed, letting the attackers re-enter the network quietly. This is the essence of ransomware reinfection.

Having clarified the terminology, let’s delve into a real-world instance of a ransomware reinfection in action.

Initial Ransomware Attack – November 23, 2022

Prior to engaging Malwarebytes, the customer experienced a ransomware attack on their AWS environment. They chose not to pay the ransom.

They recovered by rebuilding their systems from backup. A rebuild restores data and services, but it does not by itself remove the attacker's foothold if the initial access vector, stolen credentials, and any persistence are left in place.

Onboarding with Malwarebytes MDR and Detection of Reinfection – December 9, 2022

Following the initial compromise, the customer onboarded with our Managed Detection and Response (MDR) service and Endpoint Detection and Response (EDR) product. As soon as the EDR agent was installed on the endpoints, it began raising ransomware-related detections.

Our MDR analyst spotted file detections linked to the previous ransomware attack, attempted outbound communications to a known Cobalt Strike command-and-control (C2) server, and inbound remote RDP connection attempts. The analyst promptly contacted the customer and recommended that they block the C2 server and the source of the RDP connections, which the customer did right away.

New Threat Emerges – December 11, 2022

Only two days later, a new set of RDP connection attempts from a different remote host was detected. Again, the MDR team advised the customer to block the connection source to prevent further infiltration.

Critical Incident and Response – December 13, 2022

A new wave of local file detections indicated the return of the previously encountered ransomware. A persistence mechanism not seen in the earlier detections was also identified, indicating that the threat had never been fully eradicated. As part of our response, we raised a critical incident with the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a compromised domain controller (DC), and a compromised SQL server.

A Potentially Unwanted Modification (PUM) detection showing the Windows System Restore setting disabled, a change ransomware commonly makes to remove an easy recovery path before encryption.

The customer's C:\Program Files directory showed unexpected files such as 'desktop.ici.royal.w', 'PackageManagement', 'README.TXT', and 'Uninstall Information'.

This new detection, "Ransomware.Royal", indicated that the attackers were either still present in the network or had regained access.
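To make the detection logic behind the December 9, 11 and 13 alerts concrete, here is an added example in Python. It is not Malwarebytes code and uses no customer data: a small rule set runs over constructed Windows Security and Sysmon events in the shape of a SIEM export, flags RDP brute-force sources, connections to a blocklisted C2 address (a hypothetical 203.0.113.45, not an IoC from this case), persistence created after the rebuild date, and additions to privileged groups, then derives the same containment actions the analyst recommended: which addresses to block and which accounts to reset. The event IDs are the standard Windows ones; the field names, the rebuild date and the failure threshold are assumptions about the export.

```python
"""Rule-based triage of exported Windows Security / Sysmon events for the
reinfection signals described above: inbound RDP attempts, outbound traffic
to a known C2 address, persistence created after the rebuild, and accounts
added to privileged groups. All events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime

REBUILD_TIME = datetime(2022, 11, 23)      # assumed: date of the rebuild from backup
KNOWN_C2 = {"203.0.113.45"}                 # hypothetical blocklist entry, not an IoC from the post
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events, shaped like a SIEM export (not real customer data).
SAMPLE_EVENTS = [
    # Five failed RDP logons (4625, logon type 10) from one source, then a success from it
    {"time": "2022-12-09T03:12:01", "host": "WS-04", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"time": "2022-12-09T03:12:04", "host": "WS-04", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"time": "2022-12-09T03:12:07", "host": "WS-04", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "admin"},
    {"time": "2022-12-09T03:12:10", "host": "WS-04", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "backup"},
    {"time": "2022-12-09T03:12:13", "host": "WS-04", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_backup"},
    {"time": "2022-12-09T03:12:20", "host": "WS-04", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_backup"},
    # One failed RDP logon from an admin's home address: noise, stays below the threshold
    {"time": "2022-12-09T08:00:00", "host": "WS-11", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.10", "user": "jdoe"},
    # Sysmon event 3 network connections: one to the blocklisted C2, one benign
    {"time": "2022-12-09T03:15:00", "host": "WS-04", "event_id": 3, "image": "C:\\Windows\\Temp\\update.exe", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"time": "2022-12-09T03:16:00", "host": "WS-04", "event_id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
    # Persistence: a scheduled task (4698) created after the rebuild, a service (7045) installed before it
    {"time": "2022-12-13T01:02:00", "host": "SQL-01", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\SyncCenter\\Sync", "user": "svc_backup"},
    {"time": "2022-11-20T09:00:00", "host": "SQL-01", "event_id": 7045, "service_name": "MSSQLSERVER", "image": "C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe"},
    # 4728: member added to a security-enabled global group, here Domain Admins
    {"time": "2022-12-13T01:05:00", "host": "DC-01", "event_id": 4728, "group": "Domain Admins", "member": "svc_backup", "subject": "administrator"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_brute_force(events, threshold=5):
    """Sources with at least `threshold` failed RDP logons, and whether a logon from that source later succeeded."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src_ip"]].append(_ts(e))
    findings = []
    for ip, times in failures.items():
        if len(times) < threshold:
            continue
        later_success = [e for e in events
                         if e["event_id"] == 4624 and e.get("logon_type") == 10
                         and e.get("src_ip") == ip and _ts(e) > max(times)]
        findings.append({"src_ip": ip, "failures": len(times),
                         "success_after_failures": later_success[0]["user"] if later_success else None})
    return findings


def c2_connections(events, blocklist=KNOWN_C2):
    """Sysmon network connections (event 3) whose destination is on the C2 blocklist."""
    return [{"host": e["host"], "image": e["image"], "dst_ip": e["dst_ip"], "dst_port": e["dst_port"]}
            for e in events if e["event_id"] == 3 and e["dst_ip"] in blocklist]


def new_persistence(events, since=REBUILD_TIME):
    """Scheduled tasks (4698) and services (7045) created after the rebuild; anything older is expected."""
    found = []
    for e in events:
        if _ts(e) <= since:
            continue
        if e["event_id"] == 4698:
            found.append({"host": e["host"], "kind": "scheduled_task", "name": e["task_name"], "by": e["user"]})
        elif e["event_id"] == 7045:
            found.append({"host": e["host"], "kind": "service", "name": e["service_name"], "image": e["image"]})
    return found


def privileged_group_changes(events):
    """Members added to privileged groups (4728 global, 4732 local, 4756 universal)."""
    return [{"host": e["host"], "group": e["group"], "member": e["member"], "by": e["subject"]}
            for e in events if e["event_id"] in (4728, 4732, 4756) and e["group"] in PRIVILEGED_GROUPS]


def triage(events):
    """Run every rule and derive the containment list: addresses to block and accounts to reset."""
    rdp = rdp_brute_force(events)
    c2 = c2_connections(events)
    priv = privileged_group_changes(events)
    block_ips = sorted({f["src_ip"] for f in rdp} | {c["dst_ip"] for c in c2})
    # Reset the account the attacker logged in with, plus both sides of any privileged group change
    reset_accounts = sorted({f["success_after_failures"] for f in rdp if f["success_after_failures"]}
                            | {p["member"] for p in priv} | {p["by"] for p in priv})
    return {"rdp_brute_force": rdp, "c2_connections": c2, "new_persistence": new_persistence(events),
            "privileged_group_changes": priv, "block_ips": block_ips, "reset_accounts": reset_accounts}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The rebuild date is the key input: anything that first appears after it, a scheduled task, a service, a group membership, is by definition not part of the restored baseline and is worth a look, which is exactly how a hunt separates leftover persistence from legitimate administration. The threshold and the "success after failures" check matter in practice: a single failed RDP logon from an admin's home address is noise, while a run of failures followed by a success from the same source means that account's credentials now belong to the attacker and must be reset, not merely watched.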

Our MDR team promptly contacted the customer's security team and set up a Zoom call to walk through the findings. We shared the Indicators of Compromise (IoCs) observed and advised the customer to reset the passwords of the affected domain admin accounts.

In response, the customer carried out an enterprise-wide password reset and blocked the newly identified C2 server. They also decided to rebuild the compromised DC. When domain admin accounts and a DC are known to be compromised, resetting the krbtgt account password (twice, allowing replication in between) is the standard companion step, because a user password change alone does not invalidate Kerberos tickets the attacker has already obtained or forged.

Lessons from the Incident

This episode underscores the persistent threat of ransomware reinfection in today's threat landscape, as well as the critical role that round-the-clock (24x7x365) monitoring by trained analysts, swift response, and close collaboration with the customer play in cyber defense.

Without a similar level of expertise in-house, the reality is that many organizations will suffer reinfections, with potentially catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware attack, and without the MDR service they might never have realized that the intrusion was still ongoing. Fortunately, the combined efforts of Malwarebytes MDR, EDR, and the customer's own team successfully mitigated the threat and secured the customer's environment.

For more information on our EDR and MDR products and services, please visit https://try.malwarebytes.com/mdr-consultation-new/
