Ransomware Use Case with EDR

Ata Erdemir
7 min read · Feb 3, 2023


There is a cliché that says “the only constant is change”. Even conventional warfare has changed in our century: new and destructive technologies have begun to dominate the battlefield, the best known being combat drones. Meanwhile, war no longer continues only in the physical world. Cyberwarfare has a growing effect on nations, and cyber attacks become more dangerous day by day. There are plenty of different adversaries with different motivations: some groups follow global activism movements, others follow political events. The most dangerous ones are state-sponsored groups and those with a financial motivation.

State-sponsored and financially motivated groups are both more aggressive and use more complicated attack methods. For this reason, these two types of groups deserve the most attention. In this article, we will focus on groups with a financial motivation, whose most common attack is ransomware.

According to statistics of 2021 (Kochovski, 2022):

  • 37 percent of all businesses and organizations were hit by ransomware.
  • Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
  • Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
  • Only 57 percent of businesses are successful in recovering their data using a backup.
  • Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.

Figure 1: Ransomware Statistics by the Numbers (source: Cloudwards).

A Brief Information About Ransomware

Ransomware is one of the most important threats to companies nowadays. It is malicious software that encrypts important files on local and network storage and demands a ransom to decrypt them. Once the ransomware starts running, it scans local and network storage looking for files to encrypt. It targets files it deems important to your business or to individuals, including backup files that could help recover information. Typical targets are system files and business-related files such as xlsx, docs, pdf, pptx, sql, ai, etc.
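The scan-and-encrypt behaviour just described is also what a behavioural EDR engine looks for: one process rewriting many business documents with ciphertext-like content inside a short time window (the conclusion of this article notes that S1 is expected to act once encryption exceeds a certain number of files). The following is an added example, not SentinelOne's code or the author's: a small Python detector run over constructed file-rename events. The extension list, the thresholds, the window size, the process names and the sample events are all assumptions made for the illustration.

```python
"""Behavioural detection of ransomware-like file activity.

Added illustration (not SentinelOne code): scores a stream of file-rename
events per process, the way an EDR behavioural engine might, and raises an
alert when one process rewrites more than a threshold number of business
documents with high-entropy content inside a sliding window.
All event data below is constructed.
"""
import hashlib
import math
import os
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Document types the article names as ransomware targets (assumed list).
TARGET_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".pptx", ".sql", ".ai"}
RENAME_THRESHOLD = 5       # rewrites of target files per process per window (assumed)
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext approaches 8.0, plain text is ~4-5
WINDOW_SECONDS = 60.0      # sliding window length (assumed)


@dataclass
class FileEvent:
    timestamp: float   # seconds
    process: str       # image name of the writing process
    old_path: str
    new_path: str
    content: bytes     # sample of the bytes written to new_path


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_target_rewrite(ev: FileEvent) -> bool:
    """True when a business document is renamed to a different extension."""
    old_ext = os.path.splitext(ev.old_path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    return old_ext in TARGET_EXTENSIONS and new_ext != old_ext


def detect_ransomware_behaviour(events, window_seconds=WINDOW_SECONDS):
    """Return {process: alert} for every process exceeding both thresholds."""
    per_process = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        if is_target_rewrite(ev):
            per_process[ev.process].append(ev)

    alerts = {}
    for proc, evs in per_process.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            # drop rewrites that fell out of the sliding window
            while ev.timestamp - window[0].timestamp > window_seconds:
                window.popleft()
            if len(window) < RENAME_THRESHOLD:
                continue
            mean_entropy = sum(shannon_entropy(e.content) for e in window) / len(window)
            if mean_entropy >= ENTROPY_THRESHOLD:
                alerts[proc] = {
                    "technique": "T1486 Data Encrypted for Impact",  # MITRE ATT&CK
                    "count": len(window),
                    "mean_entropy": round(mean_entropy, 2),
                    "first_seen": window[0].timestamp,
                    "sample": f"{window[0].old_path} -> {window[0].new_path}",
                }
    return alerts


def constructed_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample events: the dropper from the scenario rewriting six HR
# documents to meaningless names, plus two benign renames that must not trigger.
SAMPLE_EVENTS = [
    FileEvent(1000.0 + i * 0.5, "Credit_card_statement,pdf.exe",
              f"C:\\Users\\hr\\Documents\\payroll_{i}.docx",
              f"C:\\Users\\hr\\Documents\\{hashlib.sha256(str(i).encode()).hexdigest()[:8]}.locked",
              constructed_ciphertext(str(i).encode()))
    for i in range(6)
] + [
    FileEvent(1001.0, "WINWORD.EXE", r"C:\Users\hr\Documents\memo.docx",
              r"C:\Users\hr\Documents\memo.docx", b"Quarterly HR memo. " * 200),
    FileEvent(1002.0, "explorer.exe", r"C:\Users\hr\Documents\report.pdf",
              r"C:\Users\hr\Documents\report.pdf.bak", b"%PDF-1.4 report text " * 200),
]

if __name__ == "__main__":
    for proc, alert in detect_ransomware_behaviour(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {alert}")
```

Run it directly and only the dropper process is reported; the WINWORD.EXE save (same extension) and the single explorer.exe backup rename stay below the threshold. Combining a count over a time window with an entropy check is what keeps a user renaming one file, or an archiver compressing a folder, from looking like encryption at scale.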

The types of ransomware, by encryption scheme:

  • Symmetric Encryption (Rare).
  • Client-side Asymmetric Encryption.
  • Server-side Asymmetric Encryption.
  • Hybrid Encryption.

Ransomware Hunting with Sentinelone EDR

Sentinelone (written S1 from here on) is one of the best EDRs and dominates the market. I would like to test the other EDRs as well; I'm working on it. However, I can only get Sentinelone's demo for now. Thus, I will show you all how S1 EDR takes action against ransomware.

In our case, we assume a person in the HR department receives an e-mail about a “Credit Card Statement”. He/she is a normal user, curious about last month's credit card statement, and the e-mail includes “Credit_card_statement,pdf.exe”. He/she downloads the file without any suspicion and opens it with a double click. Then he/she realizes that all the files have been renamed with meaningless names and their extensions have been changed.

He/she immediately informs the IT helpdesk or, if a little aware of security topics, the IT security team. This is our milestone; now it is time for action!

As an analyst, IR team member or security engineer, you log into the management console and start the investigation. On the dashboard you see a red circle, which means S1 has detected a potentially unwanted application (PUA) or an anomaly with its Pre-Execution engine, as shown below:

Figure 2: Suspicious Event Notification on Sentinelone

Now we are able to see some details about the incident notification triggered by S1. If the ransomware were known malware, S1 would directly kill the process and stop the attack automatically. However, in our case this is a customized, enhanced and not yet known ransomware. The good thing here is that S1 informed us about the incident; however, it did not prevent the attack. Some information is given to us for better analysis:

  • Endpoint Name
  • File Path
  • Command Line Arguments
  • Signer Identity
  • Classification
  • Originating Process
  • Initiated By
  • Engines
  • Detection Type

In addition, it tells us whether the action was mitigated or not. One of the best things here is that it maps the attack to MITRE ATT&CK. In the meantime, the ransomware has encrypted all the files on the host.

Figure 3: Encrypted files.

As seen in figure 3 above, the ransomware encrypted all the files on the victim host. However, the S1 agent is still working on the host and has already stored system snapshots on the agent itself. Now we can respond to the incident and recover the victim machine with S1.

As a first step, we need to go to the related incident and click “Mitigation Actions”.

Figure 4: Mitigation Actions

Investigation

As an analyst, details and visibility are vital when reviewing the relevant alarm; they make the analysis more convenient and effective. For this, the details of the relevant alarm are narrated as a “Storyline” rather than a list, and they can also be viewed as a plot.

Figure 5: Storyline Feature
Figure 6: Storyline list view

Response

When you click it, you will see the menu shown below.

Figure 7: Mitigation Actions menu

There are 4 options for responding to an incident.

  • Kill: Stops all processes related to the threat.
  • Quarantine: Encrypts and moves the threat and its executables.
  • Remediate: Deletes all files and system changes created by the threat.
  • Rollback: Restores files and configurations that the threat changed.

I would like to mention a feature here that might be useful for some companies, but while configuring that policy you need to be careful about the consequences of the action. You may wonder why I'm saying this. Here is why:

Figure 8: Protection Mode Policy

This is the “best practice” you can see in figure 6. However, if you have a tightened company policy, you can change the settings shown in figure 8.

For Protection Mode:

  • Malicious Threat: Protect
  • Suspicious Threat: Protect
  • Protection Level: Rollback

In this case, S1 will kill all suspicious and malicious attempts and roll back the related host.

This is not recommended as best practice, because it can cause unwanted actions on the server and client side.

After clicking the “Apply” button, background processes are started. The expected action here is that the S1 agent kills the process, quarantines the file, remediates all changes and configurations and rolls back the host. These actions will take less than 10–15 min.

Figure 9: Action Activities.
Figure 10: Action Activities part 2

As you can see from figures 9 and 10, S1 takes the related actions to prevent any unwanted malicious activity. When the agent has finished the task, all files will be returned to their normal version. Please see figure 10.

Figure 11: Successful remediate and rollback process.

The EDR successfully killed, quarantined, remediated and rolled back the host. You can see the details shown below:

Figure 12: Rollback Process

Conclusion

As a result, S1 EDR successfully responded to the ransomware and recovered the host. Although it did not directly kill the related .exe at first, S1 suspected a harmful situation in its static analysis and reported it to the SOC team or the responsible contact. As expected behaviour, once encryption exceeds a certain number of files, it is expected to detect it as a threat, take immediate action and cut it off.

In the example trial, a customized exe is used; it does not perform any real hacking, because it targets specific file paths. In order for Sentinelone's agents to take the relevant actions, the agent keeps data on the host to preserve the host's status as a snapshot and restore it after the incident. Some of the important points I checked here, namely the performance elements I expect from an EDR during an attack, are as follows:

  • Detection time
  • Provided detailed information
  • Did it proactively detect and block the attack, or did the opposite happen?
  • Response capabilities
  • Speed of taking action
  • Post Incident Response process

In general, it seems to have met all the criteria properly.

References
