MITRE ATT&CK Enriches Ransomware Detection

The Network: A United Kingdom-based Managed Service Provider (MSP) specializing in managed IT, cloud, telecom, and security monitoring services uses EventTracker from Netsurion to provide SOC-as-a-Service (SOCaaS) capabilities to their end clients, and to rapidly detect security incidents within the MSP’s own environment.

The Expectation: EventTracker Security Information and Event Management (SIEM) services, advanced endpoint protection, and behavior analytics deliver added protection for the IT service provider and their clients.

The Catch: Detections of WannaCry ransomware. EventTracker EDR detected Indicators of Compromise (IOCs) that signify a WannaCry infection on the newly integrated host computer. WannaCry ransomware can also be known as CrySis, WanaCry, Wcry, and Wanna Decryptor. Common infection methods of WannaCry ransomware include:

  • Social engineering via phishing emails
  • Malvertising on legitimate websites loaded with infected ads
  • Exploit kits used by adversaries for targeted campaigns on known website and application vulnerabilities

The Find: The EventTracker Security Operations Center (SOC) detected many unknown MD5 hashes that had not been seen previously and where the hash reputation was poor. They correlated the IOC and attack patterns to that of WannaCry. WannaCry is a ransomware crypto worm that targets computers running the Microsoft Windows operating system. It encrypts data and demands ransom payments in Bitcoin cryptocurrency to unlock the files. WannaCry is also referred to as network worm because it includes a "transport" mechanism to rapidly spread itself by scanning vulnerable Microsoft systems. First seen in a global outbreak in 2017, WannaCry continues to lurk in infected computers and disrupt companies of all sizes and industries with its threats.

On seeing so many hashes with bad reputations, the EventTracker SOC analyst followed the standard operation procedure to proactively call and email the MSP within 15 minutes of detection. The EventTracker SOC analyst was quick and responsive in detecting the ransomware and providing enriched threat intelligence from MITRE ATT&CK regarding the threat and known adversary techniques.

Actual Microsoft Windows processes leveraged in carrying out the attack:

  • attrib +h
    • Attempt to hide the Wannacry executable file.
  • icacls . /grant Everyone:F /T /C /Q
    • Granting all user to the folder and sub-folders.
  • wmic shadow copy delete
    • WMIC.exe can be used to delete all volume shadow copies (data backup) on a system.
  • Net  Stop "EventTracker Monitoring Daemon" and C:\Windows\system32\net1  Stop "EventTracker Monitoring Daemon"
    • Attempts to stop the EventTracker Monitoring Daemon service on the host, essentially to inhibit the remedial actions for the detected incidents.

WannaCry Adversary Tactics and Techniques in MITRE ATT&CK:

Tactics in MITRE ATT&CK Technique Name in MITRE ATT&CK Commands/Processes Matching the Tactics and Techniques in MITRE Brief Description ID
Impact Inhibit System Recovery wmic  shadowcopy delete WMIC.exe can be used to delete all volume shadow copies on a system T1490
Defense Evasion File and Directory Permissions Modification attrib +h WannaCry uses attrib +h WannaCry uses to make some of its files hidden T1222
Defense Evasion File and Directory Permissions Modification icacls . /grant Everyone:F /T /C /Q WannaCry uses icacls . /grant Everyone:F /T /C /Q to grant all users full access controls. T1222
Command and Control Multi-hop Proxy TaskData\Tor\taskhsvc.exe Use Tor nodes for command and control traffic T1188
Impact Service Stop C:\Windows\system32\net1  Stop "EventTracker Monitoring Daemon" Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. T1489

The Fix: The EventTracker SOC promptly alerted the MSP about the detections. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The identified WannaCry hashes were then added to EventTracker Threat Center, our treat intelligence repository to assist in rapid detection across all Netsurion customers.

Recommendations to mitigate this WannaCry ransomware include:

  • Adhere to a strict password policy and least privilege policy.
  • Educate users on social engineering and anti-phishing email awareness programs.
  • Implement enhanced email security with email protocols such as Domain-based Message Authentication, Reporting, & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identification Mail (DKIM) policies.
  • Update anti-virus and anti-malware software with current signatures.
  • Closely monitor network share and block the unnecessary shares.
  • Implement frequent backups of all-important files and isolate them from local and open networks. Also keep offline backups of data stored in locations inaccessible from infected computer.
  • Maintain patches from software and application vendors such as Microsoft in the case of WannaCry.
  • Identify which systems and applications are mission critical to your business and day-to-day operations.
  • Implement and practice a digital disaster recovery plan.

The Lesson: Adversaries are actively targeting the trusted relationships of MSPs. Netsurion’s integrated SIEM and Endpoint Detection and Response (EDR) capability was instrumental in detecting and disrupting this ransomware activity. Continuous monitoring from Netsurion ensures 24/7/365 visibility and rapid mitigation. Learn more about how Netsurion protects organizations against advanced cybersecurity threats.

Detected Indicators of Compromise (IoCs):
File Name MD5 Hash
taskdl.exe 4fef5e34143e646dbf9907c4374276f5
taskse.exe 8495400f199ac77853c53b5a3f278f3e
wannacry.exe 84c82835a5d21bbcf75a61706d8ab549
@wanadecryptor@.exe 7bf2b57f2a205768755c07f238fb32cc