📚 Keep your friends close; keep ransomware closer

(engines:bitpaymer OR engines:maze OR engines:Ryuk OR engines:gandcrab OR engines:clop OR engines:revil OR engines:sodibiniki OR engines:matrix) type:email

Trickbot is a malware family frequently used to deliver ransomware. By searching for recent samples delivered by email (engines:trickbot fs:2020-09-01+ type:email) we can quickly find an interesting sample implementing an exploit and pretending to be a well known financial institution. We can quickly expand all the domains, URLs and IP addresses embedded into this file into our investigation graph, getting a broader overview of the campaign:


Expanding different nodes uncovers new IOCs to feed our defenses and unfolds this campaign, showing domain names that were used to bait victims into opening the malicious word document attached to the phishing email.


This kind of phishing attacks where legitimate logos, domains and brand images are used to bait victims into executing malware can hurt a company's reputation, not to speak of being used against the company itself. The sooner we detect a campaign the faster we can perform actions to shut it down. VirusTotal’s Livehunt checks any submitted file against a search criteria written in Yara.

For example, to check for embedded domains in emails detected as phishing, we could use:

import "vt"
rule brandmon_google {
    strings:
        $domain1 = "accounts.google.com"
        $domain2 = "mail.google.com"
        $domain6 = "drive.google.com"
    condition:
        for any engine, signature in vt.metadata.signatures : (
            signature contains "phishing" and vt.metadata.file_type == vt.FileType.EMAIL and (any of them)
        )
}

Exploits used in ransomware attacks

Exploits are commonly used for installing malware or for escalating privileges into your system.

According to this report, the four CVEs that are most frequently used for performing ransomware attacks this year are:

• CVE-2019-19781 → Revil/Sodinokibi, Ragnarok, DopplePaymer, Maze, CLOP y Nephilim.
• CVE-2019-11510 → Revil/Sodinokibi y Black Kingdom
• CVE-2012-0158 → EDA2 y RASOM
• CVE-2018-8453 → Revil/Sodinokibi

We can add to the list a couple of recent remarkable exploits: zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796). We observed several ransomware lookups in VirusTotal tagged with this last vulnerability during the last months:




We could use the following query to get more detailed information about what CVEs were used in ransomware attacks during 2020:

engines:ransom tag:exploit fs:2020-01-01+ tag:CVE-2020*

We can once again filter by malware families. For instance, the previous query is mostly GandCrab malware, which can be easily checked using the query: (engines:ransom and not engines:gandcrab) tag:exploit fs:2020-01-01+ tag:CVE-2020).

Now, we are ready to create a Livehunt rule to find new files tagged with one of the exploits frequently used by ransomware. 

This will result in an immediate notification, allowing us tracking any new IOCs we can use to protect our system.

More importantly, this is very valuable information we can use on a regular basis to manage our patching policy, prioritizing patches based on fresh data of how different exploits are being used in real attacks.

Tracking fresh campaigns

Now, we want to make sure that we monitor any new ransomware campaign in order to understand how it evolves and what new artefacts and techniques they use.

As an example, we can start with a recent DFIR Report investigation revealing Ryuk exploiting zerologon. There are many ways to track campaigns, however VT Graph is a great choice to get together all the discovered observables and extend our knowledge in a visual way. Here are some tips that could help you during this process:

• Start by adding all the known observables to a new VT Graph.
• Expand domains, URLs and IPs to unfold relations and obtain new observables.
• In order to keep our list of observables up to date, we can translate common Yara rules into Livehunt rules to catch new files, injecting Livehunts results directly into the graph.
• Additionally, we can use Retrohunt rules to look for similar samples in our collection.

We start the investigation dropping one of the files included in the publication in a new graph, showing domains, urls and ip addresses embedded in the file, ITW URLs hosting the file and network observables contacted by this sample when executed. This file is detected as “bazar” malware, used to install Ryuk. We dropped all this information in our graph:



Additionally to keep pivoting using our graph and indicators, we can also translate the Yara rules from the DFIR report into Livehunt rules.




We can integrate Livehunt results into our graph in just two clicks. Just click on the target icon at the right in the VTGrap interface, select the rule desired and choose "Load results". This will add all the new observables that match our rules to the current graph. We can expand these new nodes aggregated to unveil new observables and create relationships.



All these new IOCs are fresh observables that are clearly related to this campaign. All this continuous flow of fresh indicators will help us improve our security mechanisms to stop Ryuk from passing through our defenses.


Summarizing, the knowledge of what attackers are using is the first necessary step for us to minimize our exposure to different campaigns. It wouldn't be right to put all the different ransomware attacks under the same umbrella, as they became highly specialized and protecting from different actors is not exactly the same. The techniques described in this post are a good starting point for automatically minimizing our exposure to more spread ransomware campaigns, however they can be applied both for generic and targeted attacks.

Stay safe and happy hunting!