Ransomware is becoming more common than ever. Corporations both large and small, are increasingly finding themselves the targets of advanced ransomware campaigns. Unfortunately, most security teams haven’t had enough experience with ransomware in corporate environments to stop infections before they run rampant. This post explores some of the challenges security teams may face when trying to use SIEM correlation rules to identify the behavior and activities associated with a ransomware infection.

Zooming out for Greater Visibility

The recent popularity of this attack method with hacking groups has become the catalyst for several blog posts from members of the security community that dissect specific ransomware binaries and report their findings. Unfortunately, these binaries change frequently, and a single binary only provides a single piece of the large and complex ransomware puzzle. With this in mind, the threat research team here at Exabeam took a different approach to ransomware investigation, they dissected 86 strains of ransomware, looking for commonality in the goals and behaviors of the entire threat category.

By documenting the behavior shared by all 86 strains, we were able to assemble the “Ransomware Kill Chain”. This kill chain organizes the lifecycle of all ransomware infections into phases, and then reviews the activities taken by ransomware at each stage. Armed with this information, security teams should be better equipped battle ransomware in their environments.

The Six Stages of the Ransomware Kill Chain

These six stages were ubiquitous across all the strains we tested, and consistent in the face of permutations or improvements to any specific strain.

Distribution campaign – attackers use techniques like social engineering and weaponized websites to trick or force users to download a dropper which kicks off the infection.

– attackers use techniques like social engineering and weaponized websites to trick or force users to download a dropper which kicks off the infection. Malicious code infection – the dropper downloads an executable which installs the ransomware itself.

– the dropper downloads an executable which installs the ransomware itself. Malicious payload staging – the ransomware sets up, embeds itself in a system, and establishes persistency to exist beyond a reboot.

– the ransomware sets up, embeds itself in a system, and establishes persistency to exist beyond a reboot. Scanning – the ransomware searches for content to encrypt, both on the local computer and the network accessible resources.

– the ransomware searches for content to encrypt, both on the local computer and the network accessible resources. Encryption – the discovered les are encrypted.

– the discovered les are encrypted. Payday – a ransom note is generated, shown to the victim, and the hacker waits to collect on the ransom.

The Observable Behavior of Ransomware

For each stage in the ransomware kill chain, there are activities which leave tell-tales in data logs, however tying them back to the ransomware itself can be tricky. It is difficult to create correlation rules within a SIEM that are capable of identifying the early warning signals of ransomware because SIEMs typically lack the context necessary to properly identify and tie the anomalies together. The context needed to piece together the ransomware story from these log artifacts comes from user behavior analysis.

For example, here is a detectable ransomware activity from Scanning phase:

A process in a temporary location, or a known process but in a new location, reads or deletes a large number of files.

Without an understanding of how the affected user usually behaves, it is hard to create a meaningful detection logic that won’t produce false positives. For example, a static threshold on reading or deleting files would not be able to take into account a user’s role, what department they belong to, or what they normally do in their day-to-day activities.

Here are some contextual questions that can be answered with behavioral modeling and would greatly help with detection and accuracy:

What is a normal amount of files for this user or their peers to read/delete/modify?

Is this process normally run by this user or their peers?

Is it the normal location for this process executable?

Is it accessing network resources it usually does not?

User and Entity Behavior Analysis (UEBA) solutions automatically garner this missing context by analyzing existing SIEM data or directly ingesting logs via syslog and then subjecting them to the tenants of data science. Machine learning and behavioral modeling reveal what normal and abnormal mean for affected users and entities. This level of detail makes finding abnormal behavior such as that associated with ransomware quick and painless.

Want to Learn More About Ransomware Behavior?

To learn more about ransomware activity, download the full Ransomware Threat Research Report. Reading this research report will help you understand:

The business models used by ransomware networks

The ransomware kill chain

How to detect and disrupt ransomware in corporate environments.

Additionally, this report also contains a security analyst ransomware cheat sheet, which summarizes all of the commonly observed activities of ransomware by stage and log artifact location.