Tuesday, March 15, 2016

APT Ransomware

Yesterday this article came out from Reuters: http://www.reuters.com/article/us-china-ransomware-idUSKCN0WG2L5.

I thought it would be useful to make a post explaining the situation a little more in-depth.

Myself and several colleges (InGuardians, G-C Partners) have been engaged in related, high-impact incident response engagements over recent months.

We have been working together to correlate the results of several major investigations. At least three high-value corporations were hit by well-known APT actors over the holidays between December 2015 and January 2016. The targets in these attacks include:

  • A Multi-national company from Southern California
  • A Major business solutions provider on the East coast
  • A Multi-national manufacturing business in the Southern US

Initially these recent incidents involved tactics that match previously seen APT style attacks, indicators of compromise, and tools, especially of a specific group. (We matched file hashes, typing patterns, source IPs / hostnames, etc.)

In the past the primary goals of these actors seemed to be collecting information from targets and maintaining access while evading detection. In these new cases however, the attackers attempted to manually deploy crypto ransomware across large swaths of victim computers in addition to the typical APT tools. This is unusual because in the experience of all three information security firms, crypto ransomware is typically installed opportunistically by malicious websites and drive-by downloads, not manually by an intruder. Also this behavior has always been seen related to criminal activities, not intelligence gathering by nation states.

Before these latest intrusions, active attackers mass installing crypto ransomware on major corporation computers had never been seen by any of the three companies performing the investigations. In the most recent occurrence the attacker made use of a much older breach to automatically deploy ransomware furthering changing the methods seen and used.

This is also unusual because it seems to be in contradiction to the motivations that have been seen in the past. Typically, the motivation behind installing crypto ransomware has been that lone actors or crime rings are using basic phishing tactics to extort relatively small amounts money from individuals or corporations.  In contrast, the motivation for APT attacks have traditionally been considered to be nation state directed and focused on stealing valuable information without being detected. The dollar amounts targeted are in the millions.


We have come up with several theories:

  1. After the fallout from the OPM hack, the Chinese government officially backed off from its hacking operations against the US. Numerous individuals who were employed as civilian contractors are now essentially out of work, but still have access to targets and toolsets. These individuals have started employing crypto-ransomware in order to replace lost government income and continue hacking.
  2. This activity is either practice for, or the beginnings of a denial and disruption campaign against US companies. The actors don’t actually care about the money potential but rather are interested in the extensive disruption caused by the attacks. 
  3. The activities and motivations of APT actors haven’t changed, but rogue elements within their groups are employing these tactics and reusing existing infrastructure in order to acquire supplemental income. 

In one case, the attackers used standard APT tools and techniques to attack laterally and gain access to domain controllers, then launch a GPO to push out the ransomware. Thankfully they made a small typo which caused it to fail. In another case they redirected monetary payments but, due to another small mistake, were caught before too much money was lost.

Due to confidentiality requirements with our clients, we can't post too many more details at this time, but will give updates as we can.

Attack Research, InGuardians, and G-C Partners are continuing to investigate the activity as it progresses. If you have seen similar activity and are willing to share details, please contact any of the three companies.

Val Smith



dre said...

My theory is that this is the way that cyber risk works, and will continue to work.

In my cyber common operating model (Cyber COM), adversaries will work against responders (and vice versa -- and even each other) using the game theory system known as the Stag Hunt (or a similar cooperative model). In the four quadrants of the model, e-crime takes spot 1 (as a COP or common operating picture, of which there are 4), ranging from ID theft to cyber extortion including ransomware. Spot 2 is cyber espionage, classically state actors ranging from value-chain subversion to IP theft. Quadrant 3 is reserved for cyber sabotage, ranging from disruption of services (which, as this is the center of the model, also falls directly in line with ransomware as a well e-crime-driven DoS/DDoS) and terminating in destruction. This is why you will see a mix of state, sub-state, and non-state actors converging in the center of the model (especially when they are consistently win the game). The last quadrant of the model is also reserved for mostly sub-state actors and signals with loss-of limb while terminating in loss-of life.

I've been using the model to forecast and explain events such as the one we've seen for over 3 years now. When I can turn the model computational, then we'll start to gain situational understanding with clear courses of action. Please let me know if you are interested, I actually have a framework and know of several platforms to fit the bill.

Memoirs of a College student said...

Is there a name for this APT group yet, or is it a formally declared operation?

rageltman said...

Another option to consider for change in tactics and motivation is that the original actors lost control of their CNC by compromise. This is why I wrote all the SSL shells for msf - red team is often the biggest commsec offender due to time constraint and arrogance.

dre said...

@ Memoirs: Yes, the primary actor behind ransomware is named Goonky aka VirtualDonna aka Sadclowns. Primarily tracked publicly by TrendMicro, RiskIQ, and ProofPoint. There are links to the pseudo-DarkLeech actors.

dre said...

A few secondary actors behind ransomware include the ESXi-targeting group named the Russian Guardians, as well as the JBoss-targeting group behind -- http://blog.talosintel.com/2016/03/samsam-ransomware.html

Both of these utilize lateral movement for expansion of their operations. Goonky leadership was probably arrested and the threat community at leaset partially disbanded -- http://blog.talosintel.com/2016/07/lurk-crimeware-connections.html -- seeing Angler EK delivering an eventuality of CryptXXX and TeslaCrypt all but disappearing completely. However, also quickly being replaced.

Which actor was it who was using GPOs for delivery? I can't find a source.