Under Ransomware attack — the story of an incident response

Fortgale Incident Response (FIR) is the service delivered by Fortgale to support organisations experiencing a cyber-attack. But what does this mean and why do we consider it so valuable?
To answer this, we first identify the primary objectives in managing and closing a security incident:
- restoration of operational functionality
- eradication of the threat from systems and infrastructure
- investigation: What happened? How? For how long?
- implementation of security solutions to prevent similar cases
The activities of the FIR service enable us to address and respond to these aspects, related not only to Ransomware cases, but also to website compromises and, more generally, cases of unauthorised access to systems/accounts (email, servers, etc.).
In this article we share the account of a real Incident Response activity relating to a Ransomware attack on an infrastructure of approximately 2 000 systems.
Activity Results
In this case the security incident manifested as a series of service disruptions encountered by users attempting to access corporate applications. Initial checks by the technical departments revealed that the disruptions were caused by a Ransomware attack that had encrypted server disks, rendering the servers unusable. Both Windows and Linux servers were impacted.
Our analysis allowed us to trace the cyber-attack to an activity known as “Big Game Hunting” (BGH): a targeted, human-operated Ransomware attack against a large organisation. This type of attack, increasingly common in the international landscape, begins with the compromise of workstations belonging to some company employees through phishing, then evolves into a cyber-attack involving workstations, user accounts and servers.
Lifecycle
The entire attack lifecycle was established to be approximately 6 months: from the initial compromise of workstations to the actual launch of the Ransomware, the criminals had access to critical company systems for that whole period.
The final escalation, by contrast, was concentrated in a much shorter timeframe of approximately 14 days, during which the attacker tampered with the entire Backup flow before launching the encryption of all server disks. This ordering is deliberate: backups are neutralised first so that the victim cannot recover without paying, which is why backup integrity must be verified from an isolated copy before any restore is attempted.
Attribution
The initial attack vector in this type of intrusion is an email carrying malware (a trojan) used to compromise workstations; in the second phase this is replaced by tools that offer more flexibility for offensive operations (Cobalt Strike, PowerShell, WMIC, Mimikatz).
We established a direct connection with the use of the Gootkit trojan during the initial phases; the indicators of compromise relating to the final phase of the attack also appear to be associated with the offensive infrastructure used in past Gootkit campaigns.
Gootkit is a malware particularly active in the Italian context; one of the criminal groups with which this operator collaborates is known as Mummy Spider, a group known for BGH activities.

Tools Used
Some of the tools used by the criminal group to compromise the company’s systems:
- Cobalt Strike
  - Used to compromise the Server systems. Cobalt Strike is a commercial penetration-testing and adversary-emulation framework, abused here to carry out a targeted attack; it also provides the post-exploitation capabilities (lateral movement, command execution, data staging) used in the later phases.
- Mimikatz / DCSync
  - Used to dump credentials for the entire Active Directory environment. DCSync abuses the directory replication rights normally held by domain controllers to pull password hashes directly from a domain controller, so the account that ran it had already obtained replication-level privileges.
- PowerShell / WMIC
  - Used to compromise systems and interact with them remotely.
- Gootkit Malware
  - Used to compromise the company workstations. Trojan-type malware used to compromise the systems and steal the passwords of affected users.
- Netscan
  - The attacker used the executable file “netscan.exe” to perform various Network Scanning activities, placing the executable under the path “C:\Users\Public\…”, a location writable by any user and rarely monitored.
- Tor
  - The criminal group used Tor (“The Onion Router”) to camouflage its illicit activity by routing its traffic through the Tor anonymity network. The Tor service was disguised as a “Google Update” service.
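Two of the artefacts listed above lend themselves to simple hunting checks: a service that calls itself “Google Update” but runs a binary outside the real Google Update directory (or from C:\Users\Public), and a 4662 security event in which an account that is not a domain controller exercises directory replication rights, which is the footprint of DCSync. The following is an added example, not Fortgale’s tooling or anything recovered from the incident; it runs over a handful of constructed event records in a simplified SIEM-export shape, and the field names (`event_id`, `service_name`, `image_path`, `subject_user`, `properties`) are assumptions about that shape. The two replication GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights.

```python
"""Hunting checks for the tradecraft described above (hypothetical example
code). Input records mimic a simplified SIEM export; field names are
assumptions, not a real product schema."""
import re

SERVICE_INSTALLED = 7045   # System log: a new service was installed
OBJECT_OPERATION = 4662    # Security log: an operation was performed on an object

# Extended rights DCSync needs: DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All (well-known AD control-access right GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}

# Assumed legitimate install location of Google Update on a Windows host.
LEGIT_GOOGLE_UPDATE = re.compile(
    r'^"?c:\\program files( \(x86\))?\\google\\update\\', re.I)
# User-writable staging directory used for netscan.exe in the incident.
PUBLIC_DIR = re.compile(r'^"?c:\\users\\public\\', re.I)


def masquerading_service(evt):
    """Flag a 7045 install whose name mimics Google Update but whose binary is
    not in the Google Update directory, or whose binary lives in C:\\Users\\Public."""
    if evt["event_id"] != SERVICE_INSTALLED:
        return None
    name = evt["service_name"].lower()
    path = evt["image_path"]
    if "google" in name and "update" in name and not LEGIT_GOOGLE_UPDATE.match(path):
        return f"service '{evt['service_name']}' mimics Google Update but runs {path}"
    if PUBLIC_DIR.match(path):
        return f"service '{evt['service_name']}' runs from user-writable path {path}"
    return None


def dcsync_attempt(evt, dc_accounts):
    """Flag a 4662 event in which replication rights are exercised by an
    account that is not a domain controller computer account."""
    if evt["event_id"] != OBJECT_OPERATION:
        return None
    if not REPLICATION_RIGHTS & set(evt.get("properties", [])):
        return None
    if evt["subject_user"].lower() in dc_accounts:
        return None
    return f"replication rights exercised by non-DC account {evt['subject_user']}"


def hunt(events, dc_accounts):
    """Run both checks over an event list; returns (host, finding) pairs."""
    dcs = {a.lower() for a in dc_accounts}
    findings = []
    for evt in events:
        for check in (masquerading_service, lambda e: dcsync_attempt(e, dcs)):
            hit = check(evt)
            if hit:
                findings.append((evt["host"], hit))
    return findings


# Constructed sample events for illustration (not data from the incident).
SAMPLE_EVENTS = [
    {"host": "SRV01", "event_id": 7045, "service_name": "Google Update Service",
     "image_path": r'"C:\Users\Public\gupdate.exe"'},
    {"host": "WS17", "event_id": 7045, "service_name": "gupdate",
     "image_path": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"host": "DC01", "event_id": 4662, "subject_user": r"CORP\backupadmin",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"host": "DC01", "event_id": 4662, "subject_user": r"CORP\DC02$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"host": "WS17", "event_id": 7045, "service_name": "NetScan",
     "image_path": r"C:\Users\Public\netscan.exe"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS, [r"CORP\DC01$", r"CORP\DC02$"]):
        print(f"[{host}] {finding}")
```

On real telemetry, maintain an allow-list for non-DC accounts that legitimately hold replication rights (directory synchronisation services are the usual case), and corroborate a service-name hit by checking the binary’s Authenticode signature rather than its path alone. The 4662 check also only fires if auditing of directory service access is enabled on the domain controllers.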

Detection and Response Capabilities
The attack chain observed in this incident demonstrates the value of continuous monitoring and threat detection. Our Managed Detection and Response capabilities integrate specialised activities of Cyber Threat Intelligence and Threat Hunting to identify and respond to such multi-stage intrusions before they reach the encryption phase.
Where to find us
- Reach our social channels Twitter, LinkedIn, and YouTube
- Visit our website fortgale.com