[Detect] Ransomware-like behaviour

One of the most common concerns CISOs raise when Extrahop field staff talk with them is how to detect and respond quickly to the next ransomware attack.

Most organisations have signature-based detection on the perimeter in the form of IDS sensors and sometimes dedicated APT-detection appliances, but when malware authors use an entirely new attack method - such as the EternalBlue SMB exploit used by WannaCry - these defences can be rendered useless until signatures catch up. The nightmare scenario is malware getting onto the network and mass-encrypting or destroying data without the organisation knowing a thing about it until it is too late.

The question often put to Extrahop field teams is: “Surely if you are monitoring network traffic for anomalous behaviour you could find SOMETHING to tell us we are under attack?!?”

The answer to this question is an emphatic yes!

Ransomware is interesting in that, unlike most malicious software, it does not care about staying hidden and stealthily navigating your network; it has to announce that it has done its dirty deed in order to extort money from you.

This means that ransomware is typically very noisy on internal networks, relying on the lack of East-West (internal) monitoring that is commonplace in enterprise networks today. That noise can be detected simply by monitoring traffic between workstations and file servers for a device that suddenly, and out of character, reads and writes a large number of distinct files in a very short period of time.

Reveal(x) surfaces this behaviour with two detectors.

The first is the behavioural detector specific to ransomware. In its detection card, note the line "Client read 900 distinct files and wrote data to 1000 distinct files on this server": that read-then-write burst against one server is the actual behaviour we look for.

The second detector is specific to the SMB/CIFS protocol and works in a similar way, but it records more detail for investigation: it lets us drill into the actual files touched in the incident, which in turn allows quick triage to determine whether this really is ransomware or something less serious such as a backup job, indexer or bulk copy crossing the same thresholds. Image two below shows the kind of output we would expect to see in an actual ransomware attack - note the presence of the ransom note HELP_DECRYPT_MY_FILES.txt alongside the files that were rewritten.
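To make the two steps above concrete, here is an added example of the same idea in plain Python: a sliding-window count of distinct files read and written per (client, server) pair over SMB, followed by a triage pass over the written file names. This is illustrative code written for this page, not Reveal(x) logic or an ExtraHop export; the record format, the 60-second window, the thresholds, the ransom-note name pattern and the sample events are all assumptions constructed here.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileOp:
    """One SMB file operation as a monitoring sensor might record it (assumed format)."""
    ts: float      # seconds since the start of the capture
    client: str    # workstation IP
    server: str    # file server IP
    op: str        # "read" or "write"
    path: str      # UNC-style path on the share


@dataclass
class Alert:
    client: str
    server: str
    window_start: float
    distinct_reads: int
    distinct_writes: int
    read_paths: set = field(default_factory=set)
    written_paths: set = field(default_factory=set)


def make_sample_events():
    """Constructed SMB activity (not real capture data): one ordinary workstation
    and one that behaves like ransomware against the same file server."""
    events = []
    # 10.0.0.5 opens 20 spreadsheets over ten minutes and saves two of them.
    for i in range(20):
        events.append(FileOp(30.0 * i, "10.0.0.5", "10.0.1.20", "read", f"\\\\fs01\\finance\\report{i}.xlsx"))
    events.append(FileOp(305.0, "10.0.0.5", "10.0.1.20", "write", "\\\\fs01\\finance\\report3.xlsx"))
    events.append(FileOp(540.0, "10.0.0.5", "10.0.1.20", "write", "\\\\fs01\\finance\\report9.xlsx"))
    # 10.0.0.77 reads 300 documents and writes 300 ".locked" copies in 30 seconds,
    # then drops a ransom note on the share.
    for i in range(300):
        t = 120.0 + i * 0.1
        src = f"\\\\fs01\\finance\\doc{i}.docx"
        events.append(FileOp(t, "10.0.0.77", "10.0.1.20", "read", src))
        events.append(FileOp(t + 0.05, "10.0.0.77", "10.0.1.20", "write", src + ".locked"))
    events.append(FileOp(151.0, "10.0.0.77", "10.0.1.20", "write", "\\\\fs01\\finance\\HELP_DECRYPT_MY_FILES.txt"))
    return events


def detect_ransomware_like(events, window_seconds=60.0, read_threshold=100, write_threshold=100):
    """Sliding-window count of distinct files read and written per (client, server)
    pair; report the busiest window that crosses both thresholds. Thresholds and
    window size are illustrative assumptions, not product values."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pair[(ev.client, ev.server)].append(ev)
    alerts = []
    for (client, server), evs in by_pair.items():
        counts = {"read": Counter(), "write": Counter()}
        best, start = None, 0
        for ev in evs:
            counts[ev.op][ev.path] += 1
            # Evict operations that fell out of the trailing window.
            while evs[start].ts < ev.ts - window_seconds:
                old = evs[start]
                counts[old.op][old.path] -= 1
                if counts[old.op][old.path] == 0:
                    del counts[old.op][old.path]
                start += 1
            n_read, n_write = len(counts["read"]), len(counts["write"])
            if n_read >= read_threshold and n_write >= write_threshold:
                if best is None or n_read + n_write > best.distinct_reads + best.distinct_writes:
                    best = Alert(client, server, evs[start].ts, n_read, n_write,
                                 set(counts["read"]), set(counts["write"]))
        if best is not None:
            alerts.append(best)
    return alerts


# Assumed heuristic for ransom-note file names; real notes vary widely.
RANSOM_NOTE_RE = re.compile(r"(DECRYPT|RANSOM|RECOVER|RESTORE).*\.(txt|html?)$", re.IGNORECASE)


def triage(alert):
    """The detail a responder wants from the SMB view: note-like file names, and
    writes that look like a file that was read with a new extension appended."""
    notes = sorted(p for p in alert.written_paths if RANSOM_NOTE_RE.search(p.rsplit("\\", 1)[-1]))
    renamed = sorted(p for p in alert.written_paths
                     if p.rsplit(".", 1)[0] in alert.read_paths and p not in alert.read_paths)
    return {"ransom_notes": notes, "renamed_count": len(renamed), "renamed_sample": renamed[:5]}


if __name__ == "__main__":
    for a in detect_ransomware_like(make_sample_events()):
        print(f"{a.client} -> {a.server}: read {a.distinct_reads}, wrote {a.distinct_writes} distinct files")
        print(triage(a))
```

Two practical points the example makes visible. The count step alone fires on any bulk reader/writer (backup agents, search indexers, migrations), so thresholds need per-device baselines and known service accounts need exemptions; it is the triage step, the note-like names and the original-plus-extension rewrites, that separates ransomware from a noisy but benign job. And none of this works without East-West visibility: the sensor has to see SMB traffic on the file server side, not just at the perimeter.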
