ALPS blog

Original article by Janus Agcaoili and Earle Earnshaw

As ransomware operators continue to add weapons to their arsenal, the stakes are getting even higher for targeted organizations, which can suffer grave consequences from these attacks. Organizations affected by ransomware attacks typically incur financial losses worth millions, and their sensitive data can become inaccessible or even exposed.

Most of the recent ransomware campaigns have adopted double extortion techniques where threat actors both encrypt a company’s files and leak their data to the public. As for its evolution, we foresaw in our security predictions that ransomware in 2021 would become an even more sinister threat as it becomes more targeted and new families (such as Egregor) emerge. This year, cybercriminals will also continue to abuse legitimate tools to facilitate ransomware attacks.

On their own, these tools are not inherently malicious. Rather, they are intended to help security research or enhance the efficiency of programs. However, like many other technologies, cybercriminals have found a way to exploit them. Eventually, these tools became a typical component of ransomware campaigns and at times, even other cyberattacks. The UK’s National Cyber Security Centre (NCSC) has published a list of such tools in a report.

There are several reasons that the use of legitimate tools for ransomware campaigns is such an attractive option for cybercriminals. For one, since these tools are not malicious per se, they might evade detection. It also does not hurt that most of these tools are open-source and therefore can be accessed and used by the public for free. Finally, the usefulness of the tools’ features — the same ones that security researchers benefit from — makes them advantageous for cybercriminals, thereby turning these platforms into unintended, double-edged swords.

Commonly Abused Legitimate Tools

Table 1. Weaponized legitimate tools


Some of the tools listed in the following figure serve purposes similar to those of other platforms. For example, like Process Hacker, the tools PC Hunter, GMER, and Revo Uninstaller can be exploited to terminate antimalware solutions. Likewise, both Mimikatz and LaZagne can be used for credential dumping.

Figure 1. Examples of ransomware campaigns that abuse legitimate tools for various attack stages


Notably, some campaigns use several tools at the same time, rather than just a single tool at a time, since one tool can enable the other. For example, Mimikatz, which can be abused to steal credentials, can grant access to PsExec functions that require admin privileges. One of the campaigns that employed several tools at the same time is Nefilim, which used AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec, and MegaSync, among other tools.

Figure 2. How weaponized legitimate tools are used in a ransomware campaign


You can read how the individual tools are used in the original article.

Defense Against Disguised Enemies

The presence of weaponized legitimate tools must be detected so that security teams can stop a ransomware campaign dead in its tracks. However, this is easier said than done as these tools might evade detection in several ways. One is through features that can be used to implement evasion techniques, like in the case of Cobalt Strike. Cybercriminals can also alter the code of these tools to tweak parts that trigger antimalware solutions.

Additionally, when spotted from a single entry point (for example, when looking at the endpoint alone), the detections might seem benign by themselves, even when they should raise the alarm — that is, if they were viewed from a broader perspective and with greater context with regard to other layers such as emails, servers, and cloud workloads.

In tracking ransomware campaigns, organizations are better protected if they rely not only on detections of files and hashes but also on monitoring behavior across layers. This is what we did for our recent investigation on the Conti ransomware, which we tracked using Trend Micro Vision One.

Solutions such as Trend Micro Vision One provide increased visibility and correlated detections across layers (endpoints, emails, servers, and cloud workloads), ensuring that no significant incidents go unnoticed. This allows faster response to threats before they can do any real damage to the system.
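The correlation idea described above, reduced to a single telemetry source as an added example (it is not code from the original article or from Trend Micro Vision One): each tool sighting is unremarkable alone, but several attack stages on one host within a short window raise an alert. The image file names, stage labels, window, threshold and sample events are assumptions constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names come from the article; the image file names and stage labels
# are assumptions made for this example.
TOOL_STAGE = {
    "adfind.exe": "discovery",
    "mimikatz.exe": "credential_dumping",
    "lazagne.exe": "credential_dumping",
    "processhacker.exe": "defense_evasion",
    "gmer.exe": "defense_evasion",
    "psexec.exe": "lateral_movement",
    "megasync.exe": "exfiltration",
}

# Constructed process-creation events: (timestamp, host, image name).
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", "ws-01", "PsExec.exe"),  # lone admin use
    ("2021-03-01T22:10:00", "srv-07", "AdFind.exe"),
    ("2021-03-01T22:25:00", "srv-07", "mimikatz.exe"),
    ("2021-03-01T22:40:00", "srv-07", "ProcessHacker.exe"),
    ("2021-03-01T23:05:00", "srv-07", "PsExec.exe"),
    ("2021-03-03T10:00:00", "ws-02", "MEGAsync.exe"),  # lone sync client
]

def correlate(events, window=timedelta(hours=2), min_stages=3):
    """Alert on hosts where tools from min_stages distinct stages run within one window."""
    per_host = defaultdict(list)
    for ts, host, image in events:
        stage = TOOL_STAGE.get(image.lower())
        if stage:  # ignore processes that are not on the watch list
            per_host[host].append((datetime.fromisoformat(ts), stage, image))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()  # chronological order
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            stages = sorted({h[1] for h in in_window})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": start.isoformat(),
                               "stages": stages,
                               "tools": [h[2] for h in in_window]})
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Matching on image names alone misses tools whose code or file name has been altered, so a production rule would also key on behavior and file metadata.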

Indicators of Compromise (IOCs) for the various tools are provided in the original article.