Malware, Ransomware

An inside look at how ransomware groups go stealth

The FBI’s Cyber Division leads the nation’s efforts to investigate and prosecute internet crimes. (FBI)

Most organizations know the basic blocking and tackling needed to protect themselves from ransomware: regularly back up data offsite, have a dedicated incident response plan in place, and stay up to date on the latest malware signatures and indicators of compromise.

But law enforcement agencies and cybersecurity experts warn that ransomware groups are working harder than ever to leverage tools and techniques that hide their presence from threat detection engines, cover their tracks from investigators and generally make it harder for companies to spot or respond to intrusions until it’s too late.

Supervisory Special Agent Jonathan Holmes, who works in the FBI’s Cyber Division and Major Crimes Unit, said that “ransomware investigations are often very difficult to investigate,” pointing to a range of tools and techniques that make it harder to track an attacker’s IT infrastructure.

“They’re relying on email providers that don’t keep logs, that can’t provide law enforcement with basic information about the accounts the subjects are using. So, it makes our ability to investigate those cases very, very difficult,” he said this week at an event hosted by the Cybersecurity and Infrastructure Security Agency.

Leaving no breadcrumbs

Another way ransomware actors work to cover their tracks: deleting fresh malware samples and other digital traces on their way out the door.

Malware obfuscation is not unique to ransomware actors. But Keegan Keplinger, a research and reporting lead at eSentire, told SC Media last week that this is a common tactic among ransomware groups that is designed to make it harder for an organization to detect an ongoing attack or sift through the digital wreckage afterwards for evidence and leads. Each fresh malware sample collected by threat intelligence firms or investigators provides new information about how and when it’s deployed that can be used to prevent future attacks.

“With [big attacks] there’s some things that we don’t automatically detect and there’s some things that we do. So, when you have a sample, you can take it and look at it and try to roll out more detection and make sure you have better coverage, just in case there’s different visibility in different environments, different scope of different security products,” Keplinger said. “Just because you’re catching one part of a ransomware attack in one case doesn’t mean you’re going to catch it in every case. So being able to broaden that kind of rule set that you have for detection [is helpful].”

While examining a newer strain of ransomware called “Egregor,” researchers at AppGate found evidence of multiple ways the actors behind the attack made it harder for incident responders or law enforcement to analyze the malicious code or set up new detection rules.

“The sample we analyzed has many anti-analysis techniques in place, such as code obfuscation and packed payloads,” the company noted. “Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided.”

Holmes pointed to other tools, like third-party anonymizing technologies, that can further muddy the waters.

“Oftentimes these ransomware actors are utilizing the Tor network to communicate with one another and often to communicate with victims…that creates problems for law enforcement to identify that infrastructure that the bad guys are using,” he said. “These individuals are also relying on virtual currency like Bitcoin to receive payments from their victims, and Bitcoin can be very challenging to investigate." That's especially true when these individuals are tumbling Bitcoin or relying on virtual currency exchanges, which are either not law enforcement friendly, and which function outside the normal banking system.”

Attack back strategies

Holmes might be understating law enforcement capabilities on this front. While Tor and virtual currencies have provided real problems for law enforcement in the past, there is growing evidence that this may no longer be the case. In 2017 the Department of Justice moved to dismiss a child pornography case in part to avoid having to publicly disclose in court an exploit they used to track the IP address of the suspect who was allegedly accessing child pornography through a Tor browser.

Meanwhile, criminal indictments by DOJ and global tax enforcement investigations by the IRS have increasingly touted the use of software from companies like Chainalysis and other digital forensics companies who have demonstrated the ability to pierce the veil on anonymity promised by many virtual currencies.

“I don’t want to necessarily name any of them specifically, but we do have the tools in place today that we didn’t have in place even six months to a year ago to take what was an anonymous form of payment and moving funds and really make it so it’s not anonymous anymore,” said Ryan Korner, a special agent at the IRS Los Angeles office last year.

Marcus Fowler, director of strategic threat at the cybersecurity firm Darktrace, told SC Media that such tactics and tools often indicate that the ransomware group is “a fairly professional shop that’s doing this across the board in other places and doesn’t want to get fingerprinted and therefore identifiable early on” in an attack.

By design, most successful ransomware attacks end with the highly noticeable act of locking up systems and demanding payment. Because of that, long-term access and maximum stealth is not always a top priority in the same way it is for groups with more espionage-minded goals. That being said, Fowler said cyber criminal groups can also use the same techniques to run a false flag operation, masquerading as a straightforward ransomware attack while hiding evidence of other motives.

“How much should I care about hiding my hand when I’m going to encrypt everything and it’s going to be blinking red lights and people running around pulling out things?” said Fowler, who also spent 15 years at the CIA including a stint as an operational department chief working on counterterrorism and cyber issues.

“But if I’m hiding, it means I have tradecraft that is very precious," he said. "I’m probably one of the Apex predators when it comes to ransomware, or I’ve done something else in that environment that I don’t want them to know about.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.