Ransomware Detected & Blocked in Business Services Firm

The Network: A business services firm with over 1,110 consultants across 4 locations that advises end-clients nationwide. Their IT team is supplemented by Netsurion’s Open XDR platform and cybersecurity experts to provide comprehensive threat detection and response.   

The Expectation: Protecting business data and end clients is vital given that cyber criminals who steal personally identifiable information (PII), intellectual property, or financial data jeopardize the reputation and trust given to the long-standing organization. Netsurion’s Open XDR platform and 24×7 SOC combine to predict, prevent, detect, and respond to advanced cyber threats against the company with continuous monitoring and guided remediation. Endpoint security also protects all systems and applications with Intrusion Detection System (IDS) and Vulnerability Management to identify gaps before cyber criminals can exploit them.

The Catch: Netsurion’s Managed XDR detected suspicious process execution on several systems and the built-in Application Control capability prevented several ransomware processes on multiple systems. Further, the SOC also detected network connection attempts to external Command & Control (C&C) servers by several of the business services workstations. Cyber criminals use C&C servers for ransomware campaign management and to receive stolen data. This holistic detection by Netsurion’s SOC analysts enabled the business services organization to avoid data compromise.

Ransomware employs encryption to hold a victim’s information for hostage. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network by targeting databases and file servers, which can then quickly paralyze an entire organization.

The Find: The Netsurion SOC detected a ransomware infection after analyzing the telemetry ingested by Netsurion’s Open XDR platform with its single-pane-of-glass visibility.

Several of the many MITRE ATT&CK® techniques observed included:

The Netsurion team observed Command Line Interface (CLI) executions starting from a domain server spreading across the affected hosts and random.exe file executions loading “lilis.sys” which in turn loads “RTcore64.sys”. This file was an MSI driver with CVE-2019-16098 (privileged escalation exploit vulnerability), the likely reason for the compromise.

The Netsurion SOC team also detected .exe file executions from directory C:\windows\Temp with random alphanumeric named files and Shadow Copy Deletion on the impacted hosts, which is a clear pattern of a ransomware anomaly.

Psexec.exe and f***GPO.exe file executions were also detected on domain server in the compromised account profile path C:\Users\accountname\Desktop\F***GPO.exe and C:\Users\accountname\Desktop\PsExec.exe.

Incident Timeline:

1. At 1:09 a.m. EST, Netsurion Endpoint Security prevented the threats on the managed devices of the business services organization.
2. At 1:15 a.m. EST, the Netsurion SOC quickly detected the backup deletion activities.
3. At 2:00 a.m. EST, the SOC updated the Indicators of Compromise (IoCs) on Netsurion Threat Center, ensuring that all Netsurion customers and partners can benefit from the actionable threat intelligence.
4. At 3:00 a.m. EST, the SOC analysts identified bad MD5 hash values to managed devices for process termination.
5. At 4:02 a.m. EST, Netsurion created a real-time alert to monitor similar activities.
6. At 9:00 a.m. EST, the SOC updated Endpoint Protection policies to “prevent state” for newly-deployed endpoint agents.
7. At 9:03 a.m. EST, Customer blocked the suspicious IP address.
8. At 9:15 a.m. EST, Customer changed the password of the SA account and performed clean-up activities following Netsurion-provided remediation guidelines.
9. Total remediation time: a time to Detect & Respond of less than 24 hours.

The Fix: Guided remediation from the Netsurion SOC included:

• Ensure all devices such as Netsurion Endpoint Security workstations are reporting and active
• Check for Netlogon activities and the presence of any vulnerabilities  
• Apply updates and patches across all systems, especially driver updates
• Harden Microsoft 365 such as:
  • https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide#complete-top-security-tasks
• Restrict downloads of unauthorized applications  
• Limit access to crucial users only (role-based access control)
• Enhance user education regarding phishing emails and application download and installation
• Consider performing a policy assessment per:
  • https://docs.microsoft.com/en-us/windows/security/threat-protection/
    security-compliance-toolkit-10
• Ensure that the hardening of the system is up to date and all systems are patched accordingly

The Netsurion SOC also provided recommendations on the reimaging of the infected servers and workstations. Additional best practices and guided remediation advice were provided regarding security controls as well as cybersecurity awareness and training for users.

The Lesson:  Legacy anti-virus (AV) solutions are often bypassed by financially motivated attackers.  Regular patching with the latest updates should be implemented and validated regularly. Better user access controls and Multi-Factor Authentication (MFA) is highly recommended to protect privileged accounts like those for sys admins. Finally, comprehensive 24/7 monitoring by cybersecurity experts can detect and block threats before data is stolen or the company’s reputation damaged.