2020 has witnessed an uptick in ransomware attacks targeting hospitals and healthcare facilities. See, for example, C5 Capital Founder André Pienaar's account of a ransomware attack in the early days of COVID-19 in the U.K. Another high-profile incident occurred in late September when U.S. healthcare services company UHS was struck with Ryuk ransomware, resulting in a weeks long disruption of their networks at multiple locations. In late October, several US federal agencies released a joint advisory via the (CISA) highlighting the "imminent threat" from these ransomware operators and providing recommendations for detecting and mitigating such threats. Just since the advisory's release, news has surfaced that healthcare systems in Oregon, New York, and Vermont have been affected by ransomware. Private sector reporting has attributed these campaigns to the Ryuk ransomware gang, sometimes known as UNC1878 or Wizard Spider, a criminal group that likely operates out of Russia.
A defense-in-depth approach to cybersecurity
Preventing ransomware requires a multi-faceted approach. A defense-in-depth strategy leveraging a combination of email inspection, network detection and response (NDR), endpoint detections solutions, and comprehensive backup and recovery systems represents the best path to combating such ransomware infections. IronDefense is designed to provide a state-of-the-art NDR capability to aid in these efforts. Further reading on IronNet’s research and recommendations on ransomware can be found in a recent blog post by the Threat Research team.
Detecting BazarBackdoor & BazarLoader with IronDefense
One of the common precursors to recent Ryuk attacks has been the presence of a malware family known as BazarBackdoor and BazarLoader. Per CISA’s recent alert:
- [T]hreat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns.
- Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.
- BazarLoader has become one of the most commonly used vectors for ransomware deployment.
Thus, detecting this type of loader malware represents an opportunity to identify and disrupt the infection chain. IronDefense implements several different behavioral analytics that provide opportunities to detect activity specifically associated with Bazar. We outline those analytics here:
Domain Generation Algorithm
Domain Generation Algorithm identifies entities exhibiting patterns of multiple, algorithmically-generated DNS queries, consistent with methods used by malware to rendezvous with command and control infrastructure. The patterns of domains generated depend on some value known to both the malware and the C2 infrastructure, often the current date/time.
BazarLoader uses a blockchain-based, peer-to-peer, decentralized domain name system called EmerDNS for C2, which has become popular amongst malware authors due to its inherent resistance to takedowns or sinkholing by defenders and law enforcement. The resulting C2 domains change regularly, and are strings determined by BazarLoader’s DGA with the “.bazar” top level domain utilized by EmerDNS.
Consistent Beaconing identifies when entities generate activity consistent with repetitive attempts by malware to establish communications with a command and control server. The targeted beaconing behavior may either be periodic or obfuscated with randomization. Beaconing activity may indicate the presence of malware attempting to call home.
After BazarLoader has been successfully delivered, BazarBackdoor is downloaded and decrypted, the malware will periodically call back to the C2. These periodic check-ins allow the attacker to maintain connectivity to the infected system. Bazar also downloads the well-known Cobalt Strike penetration testing suite after a period of time, which will also exhibit similar beaconing behavior.
Suspicious File Download
Suspicious File Download prioritizes downloads based on suspiciousness and anomalousness. It is particularly sensitive to file downloads that have suspicious filenames as well as uncommon HTTP header values. The analytic targets the scenario in which a user clicks a link—either in an email or on a website—and is led to a download that contains executable code. It also targets scenarios in which malware already installed on a user's system reaches out to grab additional resources (e.g., BIN, EXE, DLL, VBS).
The attacks must at some point download the malicious software onto the targeted host, and this initial download presents another opportunity for detection. Executable files that have unusual filenames or are anomalous within the network (like Bazar) are highly likely to be caught by the Suspicious File Download analytic.
Domain Analysis HTTP/TLS
The Domain Analysis analytics alert on suspicious domains that have yet to be seen in the network's environment in the last 30 days. The analytic assesses outgoing communications from an internal host to a new or unusual domain. The communication may be the result of a malware calling back to a domain for instructions or an employee who inadvertently visited a malicious web site. If the domain has not been detected in the past 30 days of traffic, the analytic examines fields within the header, such as the path, referrer, and user agent, for unusual activity.
As the malicious files in question are likely to be downloaded from a domain with a poor or unknown reputation, this provides another potential avenue for proactive detection. IronDefense’s Domain Analysis analytics are designed to key in on unusual or undocumented domains that appear within network traffic, which is common for such malware.
TLS Invalid Certificate Chain
TLS Invalid Certificate Chain validates all available server certificate chains in a flow and generates events for chains that fail the validation process. The analytic is used to quickly identify falsified, invalid, or self-signed TLS certificates. The events include the reason for validation failure, the root certificate issuer, and the root certificate source entity community of interest.
The threat actors leveraging Bazar and Ryuk have also frequently been observed dropping Trickbot modular malware onto victim systems. Trickbot has notably been known to use self-signed, non-valid SSL certificates, which would invariably trigger a TLS Invalid Certificate Chain alert and provide another opportunity for detection.