Minimizing the Network Spread of Cryptolocker

March 8th, 2016 by Menachem Perlman

LightCyber Helps Identify Cryptolocker

What Magna Saw – How to Stop Ransomware Before Damage is Done:

One of the most feared threats security professionals face today is a rampant attack of ransomware that locks up file shares and the majority of clients. The recent attack on a Hollywood, CA hospital not only made worldwide headlines but sent shockwaves through the security community. It’s also provided proof to cybercriminals that this was a good business and effective endeavor.

Ideally, a threat such as Cryptolocker would be prevented with endpoint security. We all wish that prevention is 100% effective, but everyone recognizes it is not. Catching Cryptolocker and its many variants at the endpoint is a particularly tough issue, but vendors are hard at work to improve their ability to deal with this threat. Today there is a good likelihood that ransomware will slip onto an endpoint. The bigger issue is how to stop ransomware from spreading and causing even greater damage.

Cryptolocker starts inflicting damage quickly, so detection must be accurate. Initial damage may be unavoidable, but the secondary, and far more damaging, spread can be minimized or averted. Once a company’s machine is infected, it’s almost inevitable that files on the local machine are encrypted without knowledge by the user. The next steps can give a defender a far better chance to avert greater disaster.

BAD Research

The LightCyber Research team analyzed the behavior of hundreds of Cryptolocker variants, and through machine learning, was able to determine the network behavior of Cryptolocker and various ransomware variants as they spread across the network. This network behavior was then built into a new Attack Detector that looks for certain operational behaviors on a network. It is now added to Magna’s Behavioral Attack Detection (BAD) platform and operational at customer sites. Shortly after its release, we saw what we believe to be the first ever network detection and quick remediation and containment of a machine infected with a Cryptolocker variant as it was attempting to encrypt network file shares. This is the step in the process when a Cryptolocker variant (or malware) is the most vulnerable and cannot be “hidden,” as the use of the network cannot be avoided if a highly lucrative ransom campaign is planned.

BAD to the Rescue (Detection and Investigation)

Ransomware Connectivity Rate Chart

Screenshot showing the Alert created by Magna when a host is detected making anomalous read and write operations, similar to the network behavior of Cryptolocker variants.
Click here to view larger image

Ransomware Excessive Credentials Usage Chart

Screenshot showing the Alert created by Magna when a user account is detected logging into 8x more hosts than the learned baseline.
Click here to view larger image

Ransomware Read Cycles Chart

Screenshot showing the Alert created by Magna when a host is detected make an increased amount of LDAP connections to other servers.
Click here to view larger image

This first successful thwarting of Cryptolocker was inside a large service provider. Upon detection of the unique network behavior involved in attempted to encrypt network file shares, Magna triggered an Alert named “Many Read/Write Cycles” that included investigative information on the affected user, file shares accessed and file names accessed. Upon investigation via the Magna Dashboard, the security analyst discovered that the suspicious host and user account was detected accessing almost 8,000 files on nine destinations. The security analyst also noticed another behavioral anomaly, that the account was seen logging into more than 160 hosts, an 8-x increase from the learned baseline. Even more suspicious, the Analyst noticed a 4-x increase in the number of LDAP requests to other servers and workstations on the network. The security analyst also used the Magna Dashboard to look up the Endpoint Profile that triggered the alert, including processes and executables on the system. Finally, the analyst looked at the information about the user, including the email address and phone number that was stored in Active Directory.

BAD and Remediation

Using the investigative data in the Magna Analyst Dashboard described above, the security analyst was able to confidently determine the exact host and user that was unknowingly responsible. The analyst then reached out to the user via the phone number and email address listed in the Magna dashboard. Unable to directly reach the user, the analyst made a decision to use Magna’s One-Click Remediation to temporarily disable the user account and take the machine off the network. The analyst then escalated the alert to the rest of his security team. It turns out this was the right decision, because a few hours later investigation of the affected host found the effects of Cryptolocker, and hundreds of encrypted files. Luckily the malware was only able to successfully encrypt a few files on the network file shares, so the security analyst turned what could have been a disaster into a minor incident with quick cleanup.

This is another clear example how integrated behavioral profiling of network, endpoint, user data combined with threat intelligence information allowed the security analyst to quickly make a decision and limit the damage and stop ransomware from spreading.


Leave a Reply

Your email address will not be published. Required fields are marked *