As everyone knows, there is currently a resurgence of attacks with ransomware all over the world. Cyber criminals have not made a truce despite the Covid-19 pandemic, and some do not seem to have taken any time off during the current summer.
From an intelligence and cyber point of view, it is very interesting to note that in the past, the months of July-August were either very busy like in 2003 with MSBlast, or, on the contrary, rather quiet: when cybercriminals were taking advantage of the sandy beaches instead of the TCP/UDP port beaches, especially in certain well identified places…
In a country that we will not mention, there is a large infrastructure protected and monitored by TEHTRIS remotely from its SOC in France, which has been targeted with the well-known weapon called SODINOKIBI. We will share some elements about it in this article.
Usually, this is what all those who have understood the issues related to workstation protection fear. We will use here the example of the infrastructure monitored by TEHTRIS, without naming the target country, or the offensive methods used, so as not to disturb the ongoing investigation.
When the unknown binary in question is launched on thousands of machines, the TEHTRIS EDR agents present in the operating systems (agents that integrate a capability to suspend the execution via a kernel driver) report the information to their EDR manager.
If we translate the language of our robots for humans, it gives this: “I am the XXX EDR agent, and SYSTEM wishes to launch such software that I do not know, in such a context, and my policy requires me to ask for authorization from my EDR manager.”
The latter immediately looks in his learning machine database, which corresponds to the total activity known and learned on the infrastructure since the first seconds of installation.
This playbook exists since 2014 at TEHTRIS: it associates the TEHTRIS EDR agent with our CTI (Cyber Threat Intelligence). It is very efficient and is completely integrated to our EDR and constantly presence in our practices.
This playbook works efficiently when it is correctly configured: in the presence of an unknown binary, TEHTRIS robots would have all the rights to carry out live analyses automatically, which humans would not have time to do. This is especially useful in cases where an attack would take place at night, on weekends, etc. Cyber war never stops and TEHTRIS robots enforce policies planned and decided by humans ahead of deployment phases.
These robots on their own send the binary either to offline TEHTRIS-hosted antivirus software, offline TEHTRIS sandboxes, or our artificial intelligence engine, which is the result of our research in Deep Learning mode. The latter is the first French tool to have been accepted on Google VirusTotal.
In our example, the part that contributes to this automation in SOAR mode, at the heart of the TEHTRIS XDR Platform, receives the results in a very short time from the sensors requested from the CTI side. Without hesitation, the diagnosis indicates that the unknown binary is identified as unknown ransomware with 100% certainty.
The managers and experts in charge of this large infrastructure were wise to trust the winning triplet: the TEHTRIS XDR Platform equipped with its SOAR + the TEHTRIS EDR agents + the TEHTRIS CTI analysis capacity. Indeed, they have set up a predictive and resilient authorization to neutralize the slightest ransomware live, without human intervention. Speaking in cyber language in the James Bond style, this would be comparable to the famous “license to kill.”
TEHTRIS EDR neutralized automatically by itself a completely unknown load of ransomware, a variant of SODINOKIBI which had been able to bypass the other defensive measures in place (local antivirus).
In the press, we often read that a company has been partially destroyed from these kinds of threats: stations, servers, etc. For months now, TEHTRIS maintains a 100% resilience score for its clients who follow a strict defensive protocol, including facing unknown threats.
The solutions exist, but you have to be able to find them, which remains quite complicated in a market where science is unfortunately not always the thinking model.
We believe that there are currently four categories of infrastructures and protection. Here is a guide to measure the category you are in, and to choose where you want to position yourself:
1) Without EDR agents based only on traditional protection such as antivirus, next-gen antivirus: the probability of being destroyed is higher than 95% in the case of an unknown sabotage-type attack.
2) With EDR agents but mainly focused on the user experience, with a user-friendly interface and/or very oriented towards forensics, analyses, post-attacks and investigations: the probability of being destroyed is higher than 90% in the event of an unknown sabotage-type attack, because they are recent technologies of automatic neutralization, or not even at all.
3) With effective EDR agents, those capable of neutralizing unknown attacks live but sometimes poorly configured, not sufficiently autonomous or needing to be connected to an external SOAR, which makes the effectiveness more complex: the probability of being destroyed is greater than 60% in the event of an unknown sabotage-type attack, depending on the case.
4) With efficient and autonomous EDR agents, those capable of protecting companies alone in integrated SOAR mode: the probability of being destroyed varies between xx% and 20% in the event of an unknown sabotage-type attack, depending on the products and associated settings.
This last category is simple: these are EDRs attached to an XDR Platform, with SOAR, CTI, a vocation to make hyperautomation, and above all, a perfect configuration which indicates what must be eliminated, when and how (the famous necessary integration). Experts and international cutting-edge CISOs have switched to these technologies in recent years.
On the TEHTRIS side, we hold a complex score of maximum efficiency, placing us at the forefront of the best technical solutions at the operational and global level, far from laboratory analysis with 3 exploits and 2 APT tests, but directly in touch with cyber crime and digital spies.
TEHTRIS EDR is obviously part of this 4th category, since we were among the first agents in the world with these capabilities. Our early adopters believe that we created this category 6 years ago.
Our customers compare the disruptive technology of our EDR to what automation brings to Industry 4.0 with its intelligent sensors, capable of acting without human intervention.
When TEHTRIS EDR is deployed and configured to neutralize cyber sabotage, it can counter a major attack, even at night, and continue to protect the infrastructure with complete autonomy.
In the particular case presented in this article, we recall that SODINOKIBI is a ransomware that threatens the security of thousands of companies and we believe that a campaign of attacks is most certainly underway around the world.
TEHTRIS experts have therefore carried out reverse engineering on the binary, and we wish to share with the greatest number of people an interesting IoC base, so that experts can feed their sensors and tools.
Do not hesitate to contact us if you have any particular defensive questions, or to go through our network of expert partners, able to fight efficiently against new threats with our technologies.
After breaking into the victim company’s information system, the attacker raises his privileges and spreads the ransomware by creating remotely scheduled task (thanks to the mechanisms offered by Microsoft in a Windows environnment).
Powershell command deleting Microsoft Snapshots (VSS):
Command: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Decoded command: Get-WmiObject Win32_Shadowcopy
Planned task named: \sys
Names of services stopped during malware execution:
Network IoC contained in the configuration file of the SODINOKIBI ransomware and which can be used as a CnC (mechanism deactivated in the strains analyzed)