CyberWire Daily - Going after the most valuable data. [Research Saturday]
Episode Date: September 5, 2020

A look at the realities of ransomware from Sophos, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files. A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019. The research also breaks down the five early warning signs organizations are about to be attacked by ransomware and why ransomware attacks continue to occur. Joining us on this week's Research Saturday to walk us through the research and share their findings are Sophos' Principal Research Scientist Chet Wisniewski and EVP & Chief Product Officer Dan Schiappa.

The media alert and research articles can be found here:
Media Alert: Sophos Reports on the Realities of Ransomware
WastedLocker's techniques point to a familiar heritage
Ransomware's evasion-centric arms race
5 signs you're about to be hit by ransomware
The realities of ransomware: extortion goes social
Ransomware: why it's not just a passing fad
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Part of the reason we're seeing really kind of aggressive attacks and very sophisticated attacks is a variety of things. One is the attackers themselves are just getting more sophisticated. They're using state actor-like techniques to get into an environment, kind of be stealthy, do some recon, find out where the important assets are, and then go after specifically those assets.

We're joined by two guests this week. Dan Schiappa is Executive VP and Chief Product Officer at Sophos. Chet Wisniewski is Principal Research Scientist at Sophos. We're discussing a series of articles they've published covering ransomware.
You know, kind of run-of-the-mill ransomware is really out for breadth of destruction, where the more modern attackers are really just going after the most valuable data.

That's Dan Schiappa.

And one of the things that's helping them, frankly, is the fact that with the COVID pandemic, you know, people jettisoned to work from home and IT organizations have frantically, you know, tried to build environments where they can still get work done. And it wasn't planned. It wasn't, you know, something that they had time to do properly. And there's chinks in the armor. There's gaps in the IT ecosystem. And, you know, bad guys find ways to take advantage of chaos. And so in addition to their kind of newfound skills and state sponsor-like capabilities, they're taking advantage of a different IT ecosystem than we probably had, you know, six, seven months ago.

Yeah. And one of the things you point out, Chester, here in one of your articles is that they were coming up on an anniversary, what you describe as probably the birth of modern ransomware, which happened back in September of 2013.
Oh, it's exactly it. And it's rare to see a run this long, right? We're coming up on seven years where this has sort of been the dominant news story in cybersecurity.

That's Chet Wisniewski.

And I don't know that we've seen, you know, one thing kind of dominate everything for so long. And I guess it kind of dovetails with the original question and Dan's answer as well, which is, you know, they've kind of refined this process and eliminated any simple way of us getting rid of it, right? When everything was about web exploitation, if we could just find a way of getting rid of Flash and Java, right, we could plug this hole. And we did, right? Like, we took a long time, and we had to work together really hard, but we got rid of Flash and Java. And, you know, in this case, they're not just using nation-state level tactics to get in, which is very hard to defend against. There's no silver bullet in this case. In addition to that, they've stopped just being technical. And while some of our papers focused on WastedLocker, which is one of the more sophisticated technical groups, there's a major social component to this as well. And I think most defenders think about these as technical problems and maybe don't spend enough time understanding the social side of how initial entry is being gained and that kind of stuff. And having a comprehensive plan, both technical and social, and how they're going to combat this.

Now, is it correct in my perception that the ransomware folks have really upped their game when it comes to who they're targeting and the amount of money they try to make, or I suppose Bitcoin, that they're trying to make off of individual organizations that they go after?
Yeah, I think it's pretty clear that there's been a bit of a stratification that's gone on in the last 24 to 36 months, right? It's no longer a thousand random ransomware crews, right? The ones we're hearing about day in, day out, the Mazes and Ryuks and WastedLockers and NetWalkers, these brand names that we now hear about so regularly with these multimillion dollar ransoms, is a very small number of people that have an incredible amount of success against very high value targets. There's still a ton of other stuff. I mean, if you go on the BleepingComputer forums, you'll see all kinds of people's desktops being hit with the STOP ransomware, which most people have never heard of. It's mostly because we stopped talking about the $300 ransomware, right? We're all kind of attracted to the shiny object of these $10 million victims. But the most skilled ones, without question, have approached nation-state level skills, whereas the other guys are still out there. They're just not making as much of a splash.
Yeah, and I think as well, what's interesting is even with the more advanced techniques, the state sponsor-like techniques, they're still pretty proficient in how many attacks they could leverage. So it's not like they do one every six months. It's still at a pretty decent pace, and the return is much higher. But yeah, as Chet says, there's still the kind of the everyday kind of run-of-the-mill ransomware out there that's being propagated by ransomware service and other aspects. But we're certainly seeing bigger targets, you know, falling prey to these advanced techniques.

Now, you all did some specific research into WastedLocker, looking at some of the things that it is up to. Can we go through that together? First of all, can you give us a little bit of the background, the history, what you know about where WastedLocker came from?

Well, WastedLocker is a reasonably new group. I think we mostly started hearing about them mid-pandemic, if you will, you know, April-May kind of timeframe. So it's not one that we necessarily have been following back, although there's a relationship that appears in the code. So there's some speculation that this may be sort of version 2.0 or version 3.0 of Dridex and some other scams we have been tracking in previous years. But the name WastedLocker is quite recent. It's only been a few months. And what stood out to us is the incredibly advanced evasion techniques that this group has specifically adopted. We've seen an evolution since around the end of 2019 where different groups have been experimenting with new ways of bypassing anti-ransomware technologies because I think anti-ransomware tools have gotten pretty good at blocking basic ransomware. So we saw some groups playing with safe mode, rebooting into safe mode to bypass some security tools. We've seen abuse of legitimately signed Windows drivers by another group to try to sneak past some protections in Windows. And WastedLocker seems to be kind of going down that technical path of finding new innovative ways of turning systems against themselves or using the built-in Windows functions to get around anti-ransomware technologies. Whereas some of the other groups like Maze have gone the social direction and are going into the, we're going to publish your data and extort you into paying. So there seems to be different groups kind of testing the waters with different approaches to increase their success rate.
Well, let's go through some of the specifics here that you've discovered with WastedLocker. I mean, what are some of the techniques that it uses?

Well, the most sophisticated one that we surfaced in our research was related to abusing the way Windows handles caching of files. A lot of anti-ransomware technology, one of the ways you check whether something might be ransomware is you monitor files being opened on the file system. And if the file gets opened and then it gets closed and the entropy increased dramatically, then it was probably encrypted because that's exactly what encryption is designed to do, make something entirely random. And of course, legitimate files before they're encrypted have structure. They don't have randomness. So if you're using that sort of a test, you would block most ransomware. And so what these guys are doing is tricking Windows into caching the files into memory, and then they're encrypting those files while they're in memory and getting Windows to write them back to the disk encrypted. And of course, nobody's monitoring Windows for that encryption activity. They're monitoring other processes. So it's a way of getting around that type of anti-ransomware monitoring. And it's incredibly clever and shows this level of deep understanding of Windows internals that very few people in the world have.

And what sort of insights does that give you? I mean, does that point to the sophistication of the folks who are creating these things?

Absolutely. I mean, in my eyes, I've not seen that level of understanding of Windows and sort of abusing those kind of internal uses outside of nation states. We've certainly seen that type of activity in previous attacks, you know, like Stuxnet and Duqu and all kinds of different ones in the past that have been attributed to the United States or Israel or Russia or China. And then those techniques go on to be used by malware authors, you know, regular typical criminal malware authors, after they can, you know, kind of steal them or take that idea from somebody who invested millions in developing it. This is kind of the first time we've seen this type of innovation occur in the criminal atmosphere all on its own, right? It wasn't cribbed from another government operation. Like these guys came up with it. And that's certainly atypical.

Yeah, the knowledge of the Windows inner workings is really something beyond just about any kind of run-of-the-mill, even advanced developer. This is real kernel-level stuff, the types of things that legendary people like Mark Russinovich would be educating Microsoft employees on their own product. And of course, he is now one. But it's really that level of understanding that allows them to have these successful attacks.
Now, one of the things you point out in your research is the possible connection to BitPaymer. There were some things in the code that led you in that direction. Can you share some of your findings there?

Yeah, I mean, these things are always guesses, right? I mean, the malware code is not digitally signed by its authors, you know, so it's not always that easy to attribute. And it's one of the reasons we don't try to say attribute, you know, which nation state may be behind it, etc. There's a million different ways you can have false flags. But there's certain characteristics to how the ransomware code itself works, its internals, sort of the methodology with how files are opened and closed and the methods of invoking the encryption and that kind of thing that bear a remarkable similarity to BitPaymer. And it seems beyond coincidence. So it's either one of the BitPaymer authors perhaps was involved in going off into a side project, or maybe it's, as I said earlier, like kind of a version 2.0. That code level analysis is always a guess, but it looks a little too close to be a coincidence.

Now, does the sophistication that you see in WastedLocker, does that run in parallel? Does that track along with these folks targeting larger organizations? In other words, is that sophistication being spent, if you will, on the potential of bigger paybacks?

Yeah, the victims seem to be the very high dollar victims that we've been hearing about in the press. It's alleged that they were the ones behind the attack on Garmin, which allegedly had a $10 million ransom. So these guys are going in super stealth mode, which is what's required to penetrate an enterprise with a sophisticated security team, right? And, you know, some of the other, you know, ransomware as a service, Dan mentioned earlier, for example, like Dharma, you know, they may get $10,000 and $15,000 ransoms, which is, you know, it's a bad day for anybody to get ransomed for any amount of money, especially $10,000 or $15,000. But those crews don't have the stealth technology to be able to breach these big companies where the really high-dollar ransoms are. And that's what we assume that's going on here with WastedLocker is going into that super stealth mode so that they can go after sort of the creme de la creme of victims that can pay those kind of ransoms.

Yeah. And when they go after the high value data, like in the Garmin case, for example, it takes an operation down. The whole business was basically sidelined for a period of time. And so the urgency and the sense that the company really has to resort to paying an exorbitant ransom becomes very real. And that's kind of the whole modus operandi of their strategy. Let's go after and cause the most damage, not by breadth, but by kind of laser-like precision, that's going to impact the business.
Well, in the time that we have left together, I want to switch to one of the practical articles that you published here, and this is titled, The Five Signs You're About to Be Attacked. This categorizes news you can use. Can we go through this together? I mean, what are some of the things that can be indicators that you may have a ransomware problem?

Well, if I had to summarize it, Dave, I mean, I look at this and that we hear these negative outcomes in the news all the time, but we rarely hear the causes because companies don't want to admit necessarily how they were breached. So it's really difficult for us to learn from them. So what we did is we went to our rapid response team folks who help victims when they're mid-ransom, if you will, that are doing the analysis, like where did this begin? And that way we have sort of an anonymous set to hopefully share some advice with people without, you know, making any victims feel bad. And there's consistent things, these five points that Peter Mackenzie, one of our researchers, put together, seem to be something that they always start here, if you will. And more and more often, you know, we hear a lot of talk about living off the land. And if I had to kind of summarize it, it's understanding how and when legitimate tools are being misused in your environment is always an early indicator. It's almost impossible to prevent the initial, initial thing like, you know, the credentials being stolen in a phishing attack that allow them to start trying to log into systems. You can't prevent phishing entirely. So what do you watch for to know that your initial prevention failed? And that's what these tips are really. These are those first tips you would have that something's wrong. And a lot of the time, that's legitimate tools being used either somewhere you wouldn't expect them to be used or being used in a pattern or at a time when they shouldn't be used. And many organizations have, say, a change control window. I know we do this at Sophos where we expect certain maintenance to be done on the network and on our computers at certain times on certain days. And the IT team manages that very carefully. That means we can monitor for all those legitimate tools that our technicians use. If they're being used at any time outside of those windows when it's expected, it's either a rogue staff member or we have a problem. Similarly, you might see something like Nmap that we might use in mapping our own network to see all of our assets and see if there's some undiscovered things laying around. That probably shouldn't be being run from a server in your DMZ. And if you see it on a server in your DMZ, then, well, you, again, either have a very poorly trained IT staff member or you've got a problem, right? So these are the kinds of things I think companies need to get in the habit of because I don't think we're really good at that anomaly detection, but if you are, you can stop these guys.

And that just shows a couple key things. And the best defense against this is really a combination of both leveraging high value technology like AI, but also coupling it with human intelligence. So the combination of those two allow us to have these indicators that something may be going bad by a human looking at it. Nothing has gone bad yet. So technology designed to protect you may not have triggered anything yet. But the human intelligence factor allows us to see these kind of steps building up into something that's highly suspicious. And then the ability to investigate that allows you to intercept these types of activities before they really set foot.

It's also important to remember you're not doomed from moment one when these guys break in. It takes them time to snoop around your network, identify those assets that are going to cripple your business, and then encrypt them. So if you can get these early indicators, you might have days or even a week or more to detect these indicators and still stop them before they can succeed with ransoming you. And that's the advantage of them being human operated is you have time. It's not an automated thing anymore. So by watching carefully, it's not that instant doom that you would get if it was just a bot or a script.
You know, I think you both point to a really important aspect here, which is that human element. And it makes me wonder, you know, from your point of view, the experience that both of you have, how much of the defense against these sorts of things are people with experience, people with the wisdom of years under their belts, being able to just have that feeling like, hey, something's not right here.

Like I said, I think it's a combination of both. You know, the years of experience help us build technology that can do some of this stuff. So, for example, we can detect weird use of PowerShell or unauthorized use of PowerShell or abnormal use of PowerShell. You know, so there's definitely technologies that we can use. We can train models using AI to check behaviors, not necessarily check if something's malicious, but just check a set of behaviors collectively that does seem to be suspicious. But when you do couple that with the human intelligence, those analysts who do know what's going on, when they see a shadow somewhere, they know exactly where to go look. That's really hard to replace with technology. That is that human expertise. And so we do believe that the future of combating these things is a combination of kind of artificial intelligence and human intelligence.

It's defense in depth, but it's done differently, right? Like the machines are great at automating the volume, right? You've got a volume of Windows event IDs coming in, a volume of firewall alerts. That's something humans are not at scale to be able to cope with, and the machines have to help us there. But the machines don't have the accuracy that the humans have, right? So the machines winnow it down. And then even on the human side, you talk about experience, Dave. Obviously, there's a shortage of security people with, insert, you know, number here, five, ten, fifteen years experience, say, analyzing these things. And it's not always necessary to have, you know, a ton of those people with the 10 years experience or even the five years experience. I think you end up with a tiered thing of the machines filter the first layer, you know. In the smaller organizations that may not have a lot of full-time security staff, they can depend, you know, lean on their partners, whether that be managed service providers, whether that be companies like Sophos, to be the backstop for when they're not sure, right? So they can deal with the vast majority of the alerts after the machines have dealt with them. But then for those couple that they're not quite sure about, they can then sort of escalate those to the smaller number of really experienced people that may just be a contractual relationship because you can't afford to have them or you may not be able to find them and hire them.

Yeah, that's a really interesting point. I mean, I wonder how much or how important it is that organizations provide those security teams with the bandwidth, with the time, the resources to be able to dig into these sorts of things. You know, we always hear that the, you know, the teams are overburdened and nobody has all the, you know, time, money or resources that they would like to have. But providing your team with those things, it seems could really pay off when it comes to these sorts of things.

Yeah, I think the part of the bandwidth problem in the past was also, it was too much information and lack of information. And that may sound weird, but if you get a bunch of alerts without the context for how they happened, then you spend a whole bunch of time trying to figure out if they're real or not. And now most more advanced organizations at least now have EDR tools, things like that deployed on most of their infrastructure, which gives you the context to make good decisions much more quickly. If you send me an alert with the information about how that alert bubbled up, a human can decide that's good or bad in a few seconds. But without that context, that human might spend minutes trying to figure out whether that alert is legitimate or not. So I think we're getting better at figuring out how to get the humans to hold hands with the machines. In the past, they were kind of almost adversarial, and I think we're really moving forward, and I think that's where the successful organizations are finding the wins, is providing the right information to the humans and automating the process of that and making sure that the machines aren't in any way assuming they're going to replace the human because they can't. It's making sure the machine is serving the human better.
Our thanks to Dan Schiappa and Chet Wisniewski from Sophos for joining us.

Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.