A recent ransomware attack has hit a corporate travel agency that provides services to Fortune 500 and other companies, demanding $4 million in Bitcoin as ransom.
Researcher @JAMESWT shared a malware sample used against CWT (formerly Carlson Wagonlit Travel), according to Threatpost. The ransomware was identified as Ragnar Locker, used previously to attack Energias de Portugal (EDP), demanding $11 million in Bitcoin as ransom.
First spotted in December 2019, Ragnar Locker is known for targeting corporate entities, performing reconnaissance on the target network before executing the ransomware. It uses a variety of different techniques, including:
- Attacking Windows Remote Desktop Protocol (RDP) connections to gain a foothold in networks
- Exploiting managed service providers’ remote management software, such as ConnectWise and Kaseya, for network access
- Gaining administrator-level access to domains
- Using native Windows administrative tools like PowerShell and Windows Group Policy Objects (GPO) for lateral movement to Windows clients and servers
The method of using legitimate tools that already exist within a target’s environment to execute attacks is known as Living-off-the-Land. Because these tools are trusted and expected to run, their use helps attackers evade and bypass detection by security software.
Securing Against RDP Ransomware Risks
RDP is one of the most common ways attackers install ransomware on systems, as can be seen in recent attacks on the major Japanese car manufacturer Honda and an Argentinian energy distributor – learn more in RDP Risk: Ransomware Targets Manufacturing and Energy Plants.
At Blumira, we saw an 85% increase in RDP attacks against our honeypots from December 2019 through April 2020, as many organizations quickly shifted to remote-only work during the COVID-19 pandemic.
As noted in that post, Blumira recommends that:
- RDP should never be internet-facing, as it is not a secure method of remote management.
- RDP is generally not secure without configuring Network Level Authentication (NLA) and other similar protections.
- Remote access should flow through a proper virtual private network (VPN) connection protected by two-factor authentication (2FA).
- Limit how many users are granted RDP access and give access only to specific IPs. Follow least privilege principles (see tips on Group Policy Management).
Windows Security Log Resources to Protect Against Ransomware
Many organizations of all sizes run Windows environments, which makes them a ready target for ransomware attacks like Ragnar Locker that leverage built-in tools to move laterally and install malware in their networks.
To help any organization easily increase their visibility into Windows security logs for better threat detection and response, Blumira is offering a free set of pre-configured Windows policy settings available on GitHub.
Sr. Incident Response Engineer Amanda Berlin created Logmira to help organizations quickly import GPO settings into their environment. She has also provided many other Windows how-tos, tutorials and on-demand webinars to help security and IT teams:
- Logmira: Windows Logging Policies for Better Threat Detection
- How to Enable Sysmon for Windows Logging and Security
- Intro to Windows Security Logs – On-Demand Webinar
- Windows Logging Tips for Better Threat Detection – On-Demand Webinar
In one of the articles she’s written, she covers a real-life detection by Blumira’s platform within a customer’s environment: a PowerShell execution policy bypass attempt, a technique attackers use to execute code on systems without administrative access. As mentioned earlier, the threat actors behind the Ragnar Locker ransomware attacks leverage common Windows tools like PowerShell and GPO to move laterally to Windows clients and servers.
In this case, the PowerShell execution policy bypass finding was linked to files from Cobalt Strike, a popular hacking tool typically used in red team operations but also seen in use for malicious purposes. According to Berlin, the part of the application that was used is the one that can execute PowerShell scripts, download files and spawn other payloads.
In Blumira’s platform, we provide playbooks on next steps. In this case, we recommended that the organization remove the device from the network if possible and start internal incident response procedures. We also recommend auditing the device, paying closer attention to PowerShell commands executed by examining any logs around the time of the event. See more in Analysis of a Threat: PowerShell Malicious Activity.
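As an added illustration of the kind of finding described above (example code written for this post, not Blumira’s own detection logic), the following Python check inspects constructed Windows Security Event 4688 process-creation records for PowerShell execution policy bypass flags and decodes any accompanying encoded command so an analyst can see what was run. The hostnames, usernames, command lines and event fields are all made up for the example.

```python
import base64
import re

# Constructed Windows Security Event 4688 (process creation) records, reduced to
# the fields a detection needs. Hostnames, users and command lines are made up.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-0142", "User": "jdoe", "NewProcessName": PS_EXE,
     "CommandLine": r"powershell.exe -NoP -W Hidden -Exec Bypass -File C:\Users\Public\update.ps1"},
    {"Computer": "WS-0142", "User": "jdoe", "NewProcessName": PS_EXE,
     "CommandLine": "powershell.exe -ep bypass -enc RwBlAHQALQBEAGEAdABlAA=="},  # decodes to Get-Date
    {"Computer": "SRV-DC01", "User": "svc_backup", "NewProcessName": PS_EXE,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"Computer": "WS-0077", "User": "asmith", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# powershell.exe accepts abbreviated parameters (-ep, -ex, -exec, -e, -ec), so
# the patterns match the short forms as well as the full names.
EXEC_POLICY_BYPASS = re.compile(r"(?i)-e(p|x(ec(utionpolicy)?)?)\s+(bypass|unrestricted)")
ENCODED_COMMAND = re.compile(r"(?i)-e(c|nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return indicator names for one process-creation event (empty if nothing notable)."""
    if not event["NewProcessName"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    hits = []
    if EXEC_POLICY_BYPASS.search(event["CommandLine"]):
        hits.append("execution_policy_bypass")
    if ENCODED_COMMAND.search(event["CommandLine"]):
        hits.append("encoded_command")
    return hits

def find_findings(events):
    """One finding per bypass event: (computer, user, indicators, decoded script or None)."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if "execution_policy_bypass" in hits:
            m = ENCODED_COMMAND.search(ev["CommandLine"])
            decoded = decode_encoded_command(m.group(3)) if m else None
            findings.append((ev["Computer"], ev["User"], tuple(hits), decoded))
    return findings
```

The legitimate RemoteSigned invocation on SRV-DC01 produces no finding, which is the point of keying on the bypass value rather than on PowerShell use alone.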
Blumira’s cloud SIEM platform provides both automated threat detection and actionable response for organizations of any size. We detect and provide playbooks for a number of findings related to the entire chain of ransomware infection – from indicators of attacker reconnaissance (like scanning) to lateral movement and unauthorized or anomalous access activity, as well as any malware, ransomware and data exfiltration that would indicate a breach in progress.