Shining Light on Detecting Darkside
Detecting Patterns of Ransomware with Anvilogic Detection Automation Platform
As Ransomware groups continue to aggressively target organizations and dominate the news cycle, it can be easy to fall prey to the “Detect Ransomware” mindset. Already in 2021, there have been over 20 reported ransomware attacks, not all coming from the same threat group. Even FireEye was monitoring three different threat groups associated with Darkside. Zen Chan discussed the innovation of using Darkside as Ransomware as a Service (RaaS), but also how the tactics, techniques, and procedures (TTP) are similar to what other ransomware groups are doing — which is exploiting native windows features, commodity malware, and off-the-shelf red team tools resulting in millions of people being impacted.
It is essential to understand that these ransomware threats primarily use aged procedures, toolkits, and frameworks to infiltrate and move laterally across networks before causing any impact. Of course, there may be newly released zero-days where your security operations team may not have had the time or the skill set to produce new detections, but every threat that has hit the news has some pattern of detection opportunities that lie outside of these state-of-the-art exploits.
Darkside did not fall outside of this statement as their procedures fall within the common patterns threat actors utilize against organizations. Below is a quick recap of how Darkside unfolded.
Initial Access & Foothold
Trend Micro’s report from May has a well-written analysis on the recent use of Darkside on the US Colonial Pipeline, noting that phishing, remote desktop protocol (RDP) abuse, and exploiting known vulnerabilities are the typical tactics for initial access. Post-initial access:
- Credential theft via LSASS process utilizing Metasploit, Mimikatz
- Credential Access: OS Credential Dumping: LSASS Memory
- Credential theft via unsecured credentials in the registry utilizing Reg
- Credential Access: Unsecured Credentials: Credentials in Registry
- Persistence via the creation of user accounts with elevated privileges
- Persistence: Create Account: Local Account
In a fashion similar to APTs, it has become more common for double extortion campaigns to utilize legitimate tools in order to evade detection. Additionally, the double extortion TTPs allow for detection prior to ransomware being executed. These procedures, along with their respective MITRE ATT&CK mappings, are as follows:
- Lateral Movement/Remote Execution through the use of PSExec, RDP
- Lateral Movement: Remote Services: SMB/Windows Admin Shares
- Lateral Movement: Remote Services: Remote Desktop Protocol
- Execution: System Services: Service Execution
- AD Discovery using tools such as Bloodhound, Adfind
- Stolen data compression and staging utilizing 7-Zip
- Collection: Archive Collected Data: Archive via Utility
- Additional command and control channels utilizing the Powershell
- Execution: Command and Scripting Interpreter: PowerShell
- Downloading Ransomware Binaries via Certutil, Bitsadmin
- Command and Control: Ingress Tool Transfer
- Stolen Data exfiltration with tools like WinSCP, rclone, Putty
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Detecting with Threat Scenarios
All of the TTPs identified above for the Darkside campaigns are aged, and each one has production-ready behavioral detections ready to deploy on Anvilogic. Having these detections in place prior to these kinds of newsworthy events is ideal, but knowing what the pattern that a threat group will utilize is impossible without the use of a time machine or an active member in the threat group itself. Outside of those circumstances, the best way to detect such behaviors is to build up your defenses utilizing basic detection patterns that encompass your entire arsenal of identifiers, not just the ones identified above.
As discussed in “The simplicity of advanced correlation using Anvilogic’s Scenario Creation”, you can easily combine tactics or techniques in Anvilogic’s codeless builder to create a high fidelity patterned detection we call a Threat Scenario.
This basic threat scenario utilizing common tactics and techniques from MITRE ATT&CK will effectively utilize your detection arsenal to identify sequenced patterns of detection triggering within your organization to bubble up your next Darkside-equivalent ransomware campaign.
Armor Up with Anvilogic
Having the right detections within your arsenal is a critical aspect of detecting any threat. Knowing what kind of detection opportunities a security operations center (SOC) should be focusing on amidst the chaos of a normal SOC’s day-to-day is quite a task in itself.
Anvilogic makes this easy with its in-house threat detection team producing new production-ready detections daily and maintaining a detection armory housing detections for over 500 TTPs across various platforms. Each released detection comes pre-enriched with MITRE ATT&CK, kill chain information, and full threat details to help analysts actively understand what and how they are trying to detect a particular TTP. The Anvilogic platform not only streamlines your tactical initiatives by having viable detections in place, it also gives teams the ability to detect patterns in threats such as the Darkside campaign with a no-code builder. The platform also provides support and guides strategic initiatives with proprietary maturity scoring capabilities and automated recommendations that help analysts focus their efforts on what matters most within their environments.
About the Authors
Kevin Gonzalez is currently the Director of Security at Anvilogic where he is responsible for the threat detection lifecycle and corporate security.
Prior to Anvilogic, Kevin led cyber security operations, engineering, and architectural practices at Lennar Corporation and Cubic Corporation while consulting for several organizations to help build security analytic programs and architect security solutions.
Kevin is from Miami, Florida. He holds a master’s degree from Florida International University in Management Information Systems along with several cybersecurity certifications.
Eric Hines is currently a Threat Detection Engineer at Anvilogic where he is responsible for threat detection analysis and intelligence.
Prior to Anvilogic, Eric was an Information Security Analyst with a diverse background in various cyber operations for the U.S. Navy.
Eric currently resides in Chattanooga, Tennessee. He holds a Bachelor’s degree from the University of Maryland Global Campus in Computer Network Infrastructure and Cyber Security along with several cybersecurity certifications.