
Ransomware Actors Access and Stage Data for Exfiltration

Ransomware attacks continue to evolve, with actors using advanced tactics to access and exfiltrate sensitive data. Understanding their methods is crucial for preventing and mitigating the damage they cause.


1. Data Access: Network Shares – Enumerated and Reviewed

One of the primary targets for ransomware actors is your network shares. To find and exploit them, attackers use various tools, such as:


  • VeilFramework's Invoke-ShareFinder cmdlet: This tool allows attackers to enumerate network shares within a domain. You can explore the tool or test its capabilities by visiting its GitHub repository at Veil-PowerView's Invoke-ShareFinder.

  • SharpShares: Another popular tool among ransomware actors is SharpShares, which queries all hosts in a domain and checks the current user's access to shares. You can find more about SharpShares at SharpShares GitHub.


Example commands from the leaked Conti chat logs illustrate how these tools are used:

1. Invoke-ShareFinder -Domain [domain_name_here].local | Out-File sharfindINFO.txt
2. SharpSharesNG.exe shares

Attackers may also map shares directly using legitimate tools and commands, like:

net use * "\\192.168.168.10\Shares" /persistent:no /user:DOMAIN\username

To detect such share access attempts, two essential event IDs should be enabled:

  • Event ID 5140: A network share object was accessed.

  • Event ID 5145: A network share object was checked to see if the client could be granted access.


These events can be enabled with the following command:

auditpol /set /category:"Object Access" /success:enable

Enabling these events allows you to monitor share access and changes, offering insights into potential data exfiltration activities.
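To turn the two event IDs above into something that alerts, here is an added example in Python (not code from the original post): it runs over a constructed batch of 5140/5145 events, in the shape a log forwarder or SIEM delivers them, and flags an account that touches the default shares of many hosts within a few minutes, which is the server-side footprint of a domain-wide share enumeration such as the Invoke-ShareFinder and SharpShares runs quoted above. Field names follow the real event schema; the hosts, accounts, addresses, window and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample of centrally collected Security events 5140/5145. Field names
# follow the real event schema; computers, accounts and addresses are made up.
def _event(eid, when, computer, user, ip, share, target=None):
    e = {"EventID": eid, "TimeCreated": when.isoformat(timespec="seconds"), "Computer": computer,
         "SubjectUserName": user, "IpAddress": ip, "ShareName": "\\\\*\\" + share}
    if target is not None:                      # only 5145 carries the object name inside the share
        e["RelativeTargetName"] = target
    return e


def build_sample_events():
    t = datetime(2024, 3, 1, 9, 2, 10)
    events = [  # alice and bob: ordinary work on one file server each over a morning
        _event(5140, t, "FS01", "alice", "10.0.5.21", "Finance"),
        _event(5145, t, "FS01", "alice", "10.0.5.21", "Finance", "Q1\\budget.xlsx"),
        _event(5140, t + timedelta(hours=2), "FS01", "alice", "10.0.5.21", "Projects"),
        _event(5140, t + timedelta(hours=3), "FS02", "bob", "10.0.5.30", "Scans"),
    ]
    # svc_backup: the default shares of six hosts touched within 40 seconds, which is
    # what a domain-wide share enumeration looks like from the servers' point of view.
    t = datetime(2024, 3, 1, 2, 11, 0)
    for host in ("DC01", "FS01", "FS02", "SQL01", "WS07", "WS19"):
        for share in ("IPC$", "ADMIN$", "C$"):
            events.append(_event(5140, t, host, "svc_backup", "10.0.5.77", share))
            t += timedelta(seconds=2)
    return events


def detect_share_enumeration(events, window=timedelta(minutes=5), min_hosts=5, min_shares=10):
    """Flag (account, source IP) pairs that reach many distinct shares on many distinct
    hosts inside `window`. Returns one alert per actor describing its densest window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] in (5140, 5145):
            by_actor[(e["SubjectUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), evts in by_actor.items():
        evts.sort(key=lambda e: e["TimeCreated"])          # ISO-8601 sorts lexicographically
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evts]
        best, lo = None, 0
        for hi in range(len(evts)):
            while times[hi] - times[lo] > window:           # slide the window's left edge
                lo += 1
            hosts = {e["Computer"] for e in evts[lo:hi + 1]}
            shares = {(e["Computer"], e["ShareName"]) for e in evts[lo:hi + 1]}
            if len(hosts) >= min_hosts and len(shares) >= min_shares and \
                    (best is None or len(shares) > best["shares"]):
                best = {"user": user, "ip": ip, "start": times[lo], "end": times[hi],
                        "hosts": len(hosts), "shares": len(shares)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_share_enumeration(build_sample_events()):
        print(f"{a['user']}@{a['ip']} reached {a['shares']} shares on {a['hosts']} hosts "
              f"between {a['start']} and {a['end']}")
```

The thresholds are the knobs to tune: backup and vulnerability-scanning accounts legitimately touch many shares, so either allowlist them by (account, source IP) or raise `min_hosts` for them rather than for everyone.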


2. Identifying Network Share Access via the Registry

Network share access can also be traced through various registry keys:

  • Mapped Network Drive Most-Recently Used (MRU) items:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

  • Mapped Network Drives (Network Drive Wizard):
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • Items Typed into Windows Explorer:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • Items Typed into the Windows Run Dialog:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • All Open Shares on a System:
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
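Three of the keys listed above (Map Network Drive MRU, RunMRU and TypedPaths) store their entries as lettered or numbered values whose order only becomes meaningful once the MRUList value (or the url1, url2, ... numbering) is applied. The following is an added example in Python, not code from the original post, that parses a `reg export` of those keys and returns each list most-recent-first, then collects every UNC path the user touched so it can be pivoted against the share-access events. The export text is constructed for the example (hosts and paths are made up); the parser covers REG_SZ values only, which is all these keys hold.

```python
import re

# Key paths as they appear in a `reg export` file (HKCU expanded to HKEY_CURRENT_USER).
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
MAP_NETWORK_DRIVE_MRU = EXPLORER + r"\Map Network Drive MRU"
RUN_MRU = EXPLORER + r"\RunMRU"
TYPED_PATHS = EXPLORER + r"\TypedPaths"

# Constructed export of the three keys for one user; hosts and paths are made up.
# A real export is UTF-16LE with a BOM, so read the file with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU]
"a"="\\\\FS01\\Finance"
"b"="\\\\192.168.168.10\\Shares"
"c"="\\\\DC01\\SYSVOL"
"MRUList"="bca"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="\\\\192.168.168.10\\Shares\\1"
"MRUList"="ba"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="\\\\FS01\\Finance\\Payroll"
"url2"="C:\\Users\\alice\\Desktop"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and double quote with a backslash


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export.
    Other value types (dword:, hex:) are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        quoted = raw.startswith('"') and raw.endswith('"')
        keys[current][name] = _unescape(raw[1:-1]) if quoted else raw
    return keys


def mru_order(values, strip_run_suffix=False):
    """Order an a/b/c-style MRU key by its MRUList value, most recent first.
    RunMRU data carries a trailing "\\1"; strip it to get what the user typed."""
    out = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        if strip_run_suffix and data.endswith("\\1"):
            data = data[:-2]
        out.append(data)
    return out


def typed_paths_order(values):
    """TypedPaths uses url1, url2, ... with url1 the most recent entry."""
    names = sorted((n for n in values if re.fullmatch(r"url\d+", n)), key=lambda n: int(n[3:]))
    return [values[n] for n in names]


def network_locations(text):
    """The user's recent locations from all three keys, most recent first within each key."""
    keys = parse_reg_export(text)
    return {
        "mapped_drives": mru_order(keys.get(MAP_NETWORK_DRIVE_MRU, {})),
        "run_dialog": mru_order(keys.get(RUN_MRU, {}), strip_run_suffix=True),
        "typed_paths": typed_paths_order(keys.get(TYPED_PATHS, {})),
    }


def unc_paths(text):
    """Every UNC path (\\\\host\\share...) across the three keys, deduplicated case-insensitively."""
    seen, out = set(), []
    for entries in network_locations(text).values():
        for p in entries:
            if p.startswith("\\\\") and p.lower() not in seen:
                seen.add(p.lower())
                out.append(p)
    return out
```

On a live system the input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` (one export per key, or the whole Explorer key in one go); on a dead-box image, export the same keys from the loaded NTUSER.DAT hive. MountPoints2 is not covered here because it stores each mapped share as a subkey rather than a value.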

3. Forensic Analysis of File and Folder Access

From a forensic perspective, identifying which files or folders were accessed is crucial. Here are some key artifacts to examine:

Open/Save MRU, Recent Files, Shellbags, LNK Files, Last-Visited MRU, Office Recent Files.


For files or folders that were accessed, refer to my previous blog posts:

To identify deleted files or evidence of file access, explore these links:


4. Registry Artifacts: TypedPaths & TypedURLs


TypedPaths can reveal user activity within the Windows Registry:


TypedURLs are stored in the following registry path:

  • NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

TypedURLs store locations entered into the Internet Explorer/Edge address bar, similar to TypedPaths.


Data Exfiltration


1. Data Exfiltration: Staging and Compression

Before exfiltrating data, ransomware actors typically compress the data into archive files. Common formats include .zip, .7z, and .rar. Adversaries often use tools like 7za.exe or rar.exe to perform these actions. Be alert for these file types in your network, especially .rar files.

Native compression methods that can be leveraged include:

  • Compress-Archive cmdlet

  • tar command

  • Send to > Compressed folder


2. Data Staging

Attackers often prepare data for exfiltration by copying files to a staging directory, typically a temporary folder. Files may be copied, renamed, or bundled into archives. These operations might go unnoticed unless specific alerts are configured.


When reviewing a system for potential data staging, you want to focus on archive creation. Analysis of the MFT and UsnJrnl can prove extremely useful in this endeavor.

Reviewing Sysmon Event ID 11 (File Creation) can be very useful, as you can see the exact size of any archives created.


3. Creation of Multiple Text Files

Adversaries may redirect tool outputs to text files since text files compress well, reducing the size of exfiltrated data significantly. By converting large files into text format, gigabytes of data can be reduced to mere megabytes, making exfiltration easier and less detectable.


Note:

Adversaries (especially in ransomware cases!) often will delete the archives they have exfiltrated. They do not want you to have access to what they stole. In this case, you may need to rely on $UsnJrnl:$J analysis.


You might ask:

If you have the $MFT, why do you need to rely on $UsnJrnl:$J analysis to identify data exfiltration?

The answer is:

1. While the $MFT provides a snapshot of the file system at specific points in time, the $UsnJrnl:$J tracks file system events in greater detail over time.
2. Exfiltration might involve subtle modifications, renaming, or deletion of files. The $MFT might not capture all of these events, while the $UsnJrnl:$J can give you insights into every file operation, which is crucial for detecting sophisticated exfiltration techniques.
Example: If an attacker creates a zip file to bundle exfiltrated data, the $MFT will record the creation of that zip file. However, the $UsnJrnl:$J will log the sequence of events, like file additions to the zip, the exact time of zipping, and any renaming or moving of the file before exfiltration.
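The difference described in the note and answer above, and the archive-creation hunting mentioned under Data Staging, as an added example in Python (not code from the original post): a minimal $UsnJrnl:$J record parser following the documented USN_RECORD_V2 layout, run over a constructed journal in which a temp file in a staging folder is created, filled, renamed to a .rar and deleted 42 minutes later. Grouping records by file reference number and following the rename is what recovers the archive's full name history even though the $MFT entry for it is gone. The file names, timestamps and reference numbers are made up for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of USN_RECORD_V2 (little-endian), per the Windows SDK definition:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The USN_REASON_* flags this example cares about (values from the SDK).
FILE_CREATE, FILE_DELETE, DATA_EXTEND = 0x100, 0x200, 0x2
RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE = 0x1000, 0x2000, 0x80000000
REASON_NAMES = {DATA_EXTEND: "DATA_EXTEND", FILE_CREATE: "FILE_CREATE", FILE_DELETE: "FILE_DELETE",
                RENAME_OLD_NAME: "RENAME_OLD_NAME", RENAME_NEW_NAME: "RENAME_NEW_NAME", CLOSE: "CLOSE"}
ARCHIVE_EXTS = (".zip", ".7z", ".rar")


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_usn_journal(data):
    """Walk a $UsnJrnl:$J buffer and return one dict per USN_RECORD_V2, in on-disk order."""
    records, off = [], 0
    while off + _HDR.size <= len(data):
        f = _HDR.unpack_from(data, off)
        length = f[0]
        if length == 0:                 # zero fill (sparse region or page padding): realign by 8
            off += 8
            continue
        if f[1] != 2:
            raise ValueError(f"unsupported USN record version {f[1]} at offset {off}")
        frn, parent, usn, ts, reason, name_len, name_off = f[3], f[4], f[5], f[6], f[7], f[11], f[12]
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "time": filetime_to_dt(ts), "frn": frn, "parent": parent, "name": name,
                        "reason": reason, "reasons": [n for bit, n in REASON_NAMES.items() if reason & bit]})
        off += length
    return records


def find_deleted_archives(records):
    """Group records by file reference number, follow renames, and return the files that ended
    up with an archive extension and were deleted: what a wiped staging archive looks like."""
    files = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        f = files.setdefault(r["frn"], {"frn": r["frn"], "names": [], "created": None,
                                        "deleted": None, "timeline": []})
        if not f["names"] or (r["reason"] & RENAME_NEW_NAME and r["name"] != f["names"][-1]):
            f["names"].append(r["name"])
        if r["reason"] & FILE_CREATE and f["created"] is None:
            f["created"] = r["time"]
        if r["reason"] & FILE_DELETE:
            f["deleted"] = r["time"]
        f["timeline"].append((r["time"], r["name"], "|".join(r["reasons"])))
    return [f for f in files.values() if f["deleted"] and f["names"][-1].lower().endswith(ARCHIVE_EXTS)]


def _record(usn, when, reason, name, frn, parent=5):
    fname = name.encode("utf-16-le")
    length = (_HDR.size + len(fname) + 7) & ~7          # records are padded to 8-byte alignment
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, dt_to_filetime(when), reason,
                    0, 0, 0x20, len(fname), _HDR.size)
    return hdr + fname + b"\x00" * (length - _HDR.size - len(fname))


def build_sample_journal():
    """Constructed $J contents (not from a real system): a temp file (FRN 77) is created, filled,
    renamed to an archive and deleted 42 minutes later; a document (FRN 78) created in between
    is the unrelated noise a real journal is full of. Usn values equal the record offsets."""
    t0 = datetime(2024, 3, 1, 2, 15, tzinfo=timezone.utc)
    steps = [(0, FILE_CREATE, "tmp_4a1f.tmp", 77), (1, DATA_EXTEND, "tmp_4a1f.tmp", 77),
             (1, DATA_EXTEND | CLOSE, "tmp_4a1f.tmp", 77), (2, RENAME_OLD_NAME, "tmp_4a1f.tmp", 77),
             (2, RENAME_NEW_NAME | CLOSE, "finance_q1.rar", 77),
             (3, FILE_CREATE | DATA_EXTEND | CLOSE, "report.docx", 78),
             (42, FILE_DELETE | CLOSE, "finance_q1.rar", 77)]
    data = b""
    for i, (minutes, reason, name, frn) in enumerate(steps):
        if i == 3:
            data += b"\x00" * 16                          # a zero gap, as left by sparse runs in $J
        data += _record(len(data), t0 + timedelta(minutes=minutes), reason, name, frn)
    return data


if __name__ == "__main__":
    for hit in find_deleted_archives(parse_usn_journal(build_sample_journal())):
        print(f"FRN {hit['frn']}: {' -> '.join(hit['names'])}, created {hit['created']}, deleted {hit['deleted']}")
        for when, name, reasons in hit["timeline"]:
            print(f"  {when:%H:%M:%S}  {name:16}  {reasons}")
```

On a real image the input is the $J data stream carved from the volume (for example with a raw NTFS extractor); the parser deliberately ignores USN_RECORD_V3/V4 so that unexpected formats fail loudly instead of silently producing wrong timelines. Pairing the parent reference number with the $MFT tells you which folder the staging happened in.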

4. WinZip, 7-Zip, and WinRAR Artifacts

Adversaries frequently use popular tools like WinZip, 7-Zip, and WinRAR to compress and archive data. These tools leave traces in the registry, which can be useful for forensic analysis:


  • WinZip Registry Path: NTUSER.DAT\Software\Nico Mak Computing\WinZip\

  • 7-Zip Registry Path: NTUSER.DAT\Software\7-Zip\

  • WinRAR Registry Path: Located in the user's NTUSER.DAT hive, this data can provide valuable information about archives created or manipulated during the incident.


5. Detecting Renamed Executables

Ransomware actors often rename executables (PE files), but they rarely edit the file's VERSIONINFO resource. This metadata includes fields like Description, Product, Company, and OriginalFileName. The OriginalFileName can be particularly useful for threat hunting.


You can identify these executables in Sysmon Event ID 1, Security Event ID 4688/4689, or via your EDR if deployed.
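The OriginalFileName check described above, as an added example in Python that is not code from the original post: it flattens exported Sysmon Event ID 1 records and reports every process whose on-disk file name differs from the OriginalFileName recorded from its VERSIONINFO, with an allowlist for mismatches known to be benign in a given environment. The XML records are constructed for the example (hosts, users and paths are made up, and the OriginalFileName strings are assumed values), and only the fields the check reads are included.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 records in the exported-XML shape, trimmed to the fields this
# check reads. Hosts, users and paths are made up; OriginalFileName values are assumed.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>WS07</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 02:11:03.114</Data><Data Name="Image">C:\Users\Public\svchost.exe</Data><Data Name="OriginalFileName">rclone.exe</Data><Data Name="User">CORP\svc_backup</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>WS07</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 02:11:05.002</Data><Data Name="Image">C:\Windows\System32\svchost.exe</Data><Data Name="OriginalFileName">svchost.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>WS07</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 02:12:40.510</Data><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="OriginalFileName">PowerShell.EXE</Data><Data Name="User">CORP\svc_backup</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>FS01</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 02:20:17.330</Data><Data Name="Image">C:\Temp\update.exe</Data><Data Name="OriginalFileName">7za.exe</Data><Data Name="User">CORP\svc_backup</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>FS01</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 08:01:00.000</Data><Data Name="Image">C:\Program Files\Vendor\tool.exe</Data><Data Name="OriginalFileName">-</Data><Data Name="User">CORP\alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID><Computer>FS01</Computer></System>
<EventData><Data Name="UtcTime">2024-03-01 08:02:11.250</Data><Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="OriginalFileName">Cmd.Exe</Data><Data Name="User">CORP\alice</Data></EventData></Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Flatten exported Sysmon events into dicts keyed by the EventData 'Name' attributes."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        rec["EventID"] = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        events.append(rec)
    return events


def find_renamed_executables(events, allowlist=frozenset()):
    """Return process-creation events whose on-disk file name differs from the VERSIONINFO
    OriginalFileName. The comparison is case-insensitive because Windows file names are;
    `allowlist` holds (on_disk, original) pairs, lower-cased, known to be benign."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        on_disk = PureWindowsPath(e["Image"]).name
        original = e.get("OriginalFileName", "-")
        if original in ("", "-"):           # binary has no VERSIONINFO: nothing to compare against
            continue
        pair = (on_disk.lower(), original.lower())
        if pair[0] == pair[1] or pair in allowlist:
            continue
        hits.append({"computer": e["Computer"], "time": e.get("UtcTime"), "user": e.get("User"),
                     "image": e["Image"], "original": original})
    return hits


if __name__ == "__main__":
    for h in find_renamed_executables(parse_sysmon_events(SAMPLE_XML)):
        print(f"{h['time']} {h['computer']} {h['user']}: {h['image']} is really {h['original']}")
```

Binaries without a VERSIONINFO resource show up as "-" and are skipped here rather than flagged; treat them as a separate, lower-priority hunt (unsigned binaries with no version metadata in user-writable paths) so that the renamed-tool alert stays precise.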


Cloud-Based File Sharing Sites


Adversaries might use cloud services like MEGA, SendSpace, WeTransfer, Google Drive, Dropbox, Box, OneDrive, or cloud-based storage buckets such as AWS, GCP, and Azure. Blocking unauthorized access to these platforms can prevent exfiltration. The "Living Off Trusted Sites" (LOTS) project catalogs sites used for malicious purposes, including data exfiltration and phishing. You can explore the LOTS project.


  1. FTP/SFTP Exfiltration

    Despite FTP being an insecure protocol, it remains a popular choice for data exfiltration. FTP uses ports 20 and 21, while SFTP uses port 22. Tools like WinSCP and FileZilla are often employed by adversaries:


    • FileZilla Log Locations:

      • %APPDATA%\FileZilla\filezilla.xml

      • %APPDATA%\FileZilla\recentservers.xml

      • %APPDATA%\FileZilla\trustedcerts.xml

      • %APPDATA%\FileZilla\sitemanager.xml

      • %APPDATA%\FileZilla\*.sqlite3

    • Example of PowerShell code used for FTP data transfer (the upload fragment as it circulates; $RemoteFile, $Username and $Password are set earlier in the script):

      # Build an FTP request for the remote path held in $RemoteFile
      $FTPRequest = [System.Net.FtpWebRequest]::Create("$RemoteFile")
      $FTPRequest = [System.Net.FtpWebRequest]$FTPRequest
      # Upload (STOR) rather than download, using the supplied credentials
      $FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
      $FTPRequest.Credentials = new-object System.Net.NetworkCredential($Username, $Password)
      # Binary transfer; passive mode means the client opens the data connection outbound,
      # so on the wire this is a control session on 21 followed by a client-initiated high-port connection
      $FTPRequest.UseBinary = $true
      $FTPRequest.UsePassive = $true



2. WinSCP Registry Artifacts

WinSCP, another popular file transfer tool, leaves traces in the registry that may help in detecting exfiltration:

  • Registry Paths:

    • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache

    • HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging

    • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget

    • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget


3. RDP Exfiltration

Exfiltration through Remote Desktop Protocol (RDP) is challenging to detect, as Windows does not log what files are copied out of the network. However, RDP clients can map local drives to remote sessions, creating shares such as \\tsclient\C\. These UNC paths may appear in process creation events or command lines.


Note: RDP bitmap cache parsing is a long shot when it comes to identifying potential exfiltration.


4. Rclone – The Ransomware Actor’s Little Buddy

Rclone, a synchronization tool compatible with over 40 services, is often used by ransomware actors for data exfiltration. Adversaries usually do not rename rclone.exe or rclone.conf, making them easier to detect. You can learn more about Rclone's config file and the list of services it supports in its documentation: https://rclone.org/docs/#config-config-file


5. Power Consumption as a Detection Method

Data exfiltration can be associated with high power consumption. Transferring data requires power for the network interface and the transferring program. Tools like Rclone and MEGAsync might show up in power efficiency reports stored at C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics.

The SRUM database has also proven useful for power consumption analysis, which can help identify suspicious exfiltration activities. You can explore SRUM further in the following posts:


6. MEGAsync IOCs

MEGAsync, another tool often used for exfiltration, leaves behind artifacts that could aid in investigation:

  • Scheduled Task Name: \MEGA\MEGAsync Update Task

  • Config File (encrypted): %LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg

  • Executable: %LOCALAPPDATA%\Mega Limited | %LOCALAPPDATA%\MEGAsync

  • Log Files: %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\

  • Registry Setting: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID of Mega}\Instance\InitPropertyBag\TargetFolderPath


7. LockBit’s StealBit Tool

LockBit ransomware operators have developed a custom exfiltration tool called StealBit, known for its high efficiency and speed. For a deep dive into LockBit’s arsenal and the StealBit tool, check out Cybereason’s threat analysis report.


8. Network-Based Exfiltration Detection

While network logs such as firewall and NetFlow logs can help determine the amount of data exfiltrated, they do not reveal the content. Look for traffic spikes, off-hours activity, or protocol tunneling (e.g., DNS) as indicators of potential exfiltration.
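The three indicators named above (volume spikes, off-hours transfers and DNS tunneling) as detection logic, in an added Python example that is not code from the original post. It runs over constructed NetFlow-style records (start time, internal source, destination, destination port, bytes out; the addresses are from the documentation ranges and the volumes are made up) and compares each host's hourly egress against its own median, lists large single flows outside business hours, and totals bytes sent to port 53 per host. The thresholds and the 07:00-19:00 business window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_flows():
    """Constructed flow records (not real traffic) in a NetFlow/IPFIX-like shape."""
    flows = []

    def add(ts, src, dst, dport, nbytes):
        flows.append({"start": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": dport, "bytes": nbytes})

    # 10.0.5.21: eight working hours of a few MB of HTTPS, then 900 MB at 02:07 the next night.
    for h in range(9, 17):
        add(f"2024-03-01T{h:02d}:15:00", "10.0.5.21", "198.51.100.10", 443, 4_000_000 + h * 10_000)
    add("2024-03-02T02:07:00", "10.0.5.21", "203.0.113.50", 443, 900_000_000)
    # 10.0.5.30: ordinary web traffic plus 20 MB pushed to port 53 within one hour (tunneling shape).
    for h in range(9, 17):
        add(f"2024-03-01T{h:02d}:30:00", "10.0.5.30", "198.51.100.10", 443, 3_500_000)
    for i in range(20):
        add(f"2024-03-01T14:{i * 2:02d}:00", "10.0.5.30", "203.0.113.53", 53, 1_000_000)
    # 10.0.5.40: nothing unusual.
    for h in range(9, 17):
        add(f"2024-03-01T{h:02d}:05:00", "10.0.5.40", "198.51.100.10", 443, 2_000_000)
    return flows


def hourly_egress(flows):
    """Bytes out per (internal host, hour)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["start"].replace(minute=0, second=0, microsecond=0))] += f["bytes"]
    return totals


def find_volume_spikes(flows, factor=10, min_hours=4):
    """Hours in which a host sent at least `factor` times its own median hourly volume.
    A host needs at least `min_hours` observed hours before it has a usable baseline."""
    per_host = defaultdict(dict)
    for (src, hour), nbytes in hourly_egress(flows).items():
        per_host[src][hour] = nbytes
    spikes = []
    for src, hours in per_host.items():
        if len(hours) < min_hours:
            continue
        baseline = median(hours.values())
        spikes.extend({"src": src, "hour": hr, "bytes": b, "baseline": baseline}
                      for hr, b in sorted(hours.items()) if b >= factor * baseline)
    return spikes


def find_off_hours_bulk(flows, min_bytes=100_000_000, day_start=7, day_end=19):
    """Single flows above `min_bytes` that start outside business hours."""
    return [f for f in flows if f["bytes"] >= min_bytes and not (day_start <= f["start"].hour < day_end)]


def find_dns_heavy_hosts(flows, min_bytes=5_000_000):
    """Hosts sending more than `min_bytes` to port 53: far beyond what name resolution needs."""
    dns = defaultdict(int)
    for f in flows:
        if f["dport"] == 53:
            dns[f["src"]] += f["bytes"]
    return {src: b for src, b in dns.items() if b >= min_bytes}


if __name__ == "__main__":
    flows = build_sample_flows()
    for s in find_volume_spikes(flows):
        print(f"spike: {s['src']} sent {s['bytes']:,} B in hour {s['hour']} (baseline {s['baseline']:,.0f} B)")
    for f in find_off_hours_bulk(flows):
        print(f"off-hours bulk: {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']:,} B at {f['start']}")
    for src, b in find_dns_heavy_hosts(flows).items():
        print(f"dns-heavy: {src} sent {b:,} B to port 53")
```

None of these outputs proves what left the network, which is the limitation the paragraph above states; they give you the host, the destination and the hour, which is exactly what is needed to go back to that host's $UsnJrnl:$J, Sysmon and archive-tool artifacts. Per-host baselines matter: a 900 MB hour is routine for a backup server and remarkable for a workstation.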



Though it may be difficult to prove what exact data was exfiltrated, tracking these indicators can provide valuable leads in your investigation.

Be vigilant, keep learning, stay safe.

Akash Patel



