On December 5th 2016 a large organization approached Cyberbit to investigate a ransomware attack. This organization is one of the world’s leading logistics and transportation companies, employing over 30,000 people. The attack had evaded all endpoint security solution over 24 hours prior to contacting Cyberbit, and begun encrypting employee workstation hard drives.
The organization contacted Cyberbit for its ability to detect and investigate unknown malware attacks. Cyberbit EDR (Endpoint Detection and Response) detected the ransomware within seconds. The attack was analyzed and found to be a new and aggressive strain of the well-known Locky ransomware. Minutes after detecting the malware Cyberbit EDR provided a detailed graph view of the attack story, and a recommended remediation plan.
Infiltration and Encryption
The infiltration vector was an Excel macro attached to an email. Once the user opened the attachment and ran the macro, the malware installed, and started downloading the ransomware payload.
As seen in the time stamp – the attackers packaged the malware on that same morning. As a result, the file was new and unknown.
The malware downloaded and ran DLLs to map the entire hard drive. Next, it encrypted each file on the drive and added the following ransom message to be displayed when opening any file:
Detecting the ransomware
The customer initially wanted to know whether Cyberbit EDR could have detected the ransomware that bypassed their current endpoint security solution.
Cyberbit EDR uses a hybrid detection engine which employs behavioral analysis to predict, at very high levels of probability, whether an observed behavior is malicious. The engine is continuously optimized and taught new behaviors by means of machine learning.
Cyberbit executed the unknown ransomware on a workstation that ran the Cyberbit EDR solution. The ransomware was identified in seconds, as seen in the screen shot below, flagging it with the most severe risk score of 100, critical.
Exposing the detailed attack storyline (Cyberbit EDR Screen Shots)
Once it detected the attack, Cyberbit EDR provided a behavioral graph of the initial infection process triggered by the Excel macro. The behavioral graph display enables tier-one (entry level) analysts, with minimal experience, to rapidly understand the incident without having to invest in time consuming research.
After the initial infection process, Excel.exe created multiple network communications, and launched Winword.exe to establish additional network connections with multiple IPs and download a malicious payload called “lodka1”.
- lodka1 is de-obfuscated to create spe in the directory AppData\Local\temp.
- exe executes this 32bit DLL by using the command: “rundll32.exe <path name>, plan”.
- spe connects to the IP 184.108.40.206 (ports:49338-49341) and downloads the encryption key.
- It then enumerates on all relevant folders and after enumeration finishes encrypts files. Encrypted files can be identified by the random code name with .osiris suffix
It is worth noting that “plan” is not a function in the DLL export table nor is it a string in its code.
Finally, the ransomware started modifying files on the infected machine’s drive. This abnormal behavior was identified, tracked and again flagged by Cyberbit’s EDR platform:
During our research we found that the malware maps all files that are shared with the infected workstation across the network and proceeds to encrypting them as well in order to increase damage across the organization.
So how did this attack evade detection?
The attack was a variant of Locky, a known ransomware attack. In order to evade security, the attackers re-packaged the email attachment and payload, creating new variants that would seem legal when tested by conventional security systems. Malware actors frequently use this tactic to evade security solutions that use signatures or indicators of compromise (IOCs) to detect attacks.
This organization used an endpoint security solution provided by one of the leading security vendors. The solution was activated throughout the breach, however, because of the unique and targeted nature of the attack it failed to detect it, allowing it to spread undetected inside the organization for over 24 hours.
40% of endpoint protection solutions failed to detect this attack
When we started the investigation, we tested which other solutions would have detected this attack at that moment and ran the malware through the VirusTotal service. Out of 55 detection engines featured on VirusTotal, 22 failed to detect the ransomware. Unfortunately, this included advanced, “signature-less” and “behavioral” platforms as seen in the following VirusTotal reports:
Green: this tool analyzed the file as clean
Grey: no reply from this tool
This attack was a variant of a known ransomware type. However, known malware frequently evades endpoint protection solutions. Attackers repackage their malware as often as every minute, deeming each new version a “zero day”, invisible to conventional security platforms.
Advanced endpoint detection platforms were created to address this problem and provide signature-less detection by alternative means like behavioral analysis and machine learning. Nevertheless we have seen that nearly 50% of endpoint protection platforms failed to detect this malware.
The ability to detect and investigate unknown malware depends on the quality of the endpoint detection sensor, the detection algorithms, proper use of machine learning and big-data platforms, and the tool’s user experience. We advise organizations considering to add or replace their endpoint protection platform to thoroughly test their candidate vendors on live malware to understand their true capabilities.
Tal Morgenstern is Head of R&D, Endpoint Detection and Response Team at Cyberbit.