In August 2023, the Sophos X-Ops Incident Response team was engaged to help an organization in Australia infected with Money Message ransomware. This ransomware, known for its stealth, does not append any file extension to the encrypted files, making it harder for victims to identify encrypted files simply by looking for such an extension.
In this post, we look at the incident attack flow, illustrating how threat actors deploy the Money Message ransomware and what measures can counter attacker efforts at various points along the MITRE ATT&CK chain.
Make a note of it
As part of its routine, the ransomware drops a ransom note named "money_message.log" directly into the root directory of the C: drive.
The ransom note on the target's system read as follows:
Your files was encrypted by "Money message" profitable group and can't be accessed anymore.
If you pay ransom, you will get a decryptor to decrypt them. Don't try to decrypt files yourself – in that case they will be damaged and unrecoverable.
For further negotiations open this <redacted>.onion/<redacted>
using tor browser https://www.torproject.org/download/
In case you refuse to pay, we will post the files we stole from your internal network, in our blog:
Encrypted files can't be decrypted without our decryption software.
Attack Flow Details
Our investigation indicates that the attacker gained initial access via the target's VPN, which was using single-factor authentication. This is an example of MITRE's T1078 – Valid Accounts technique.
Implementing multifactor authentication (MFA) for VPN connections is essential to strengthen security and thwart unauthorized access. Additionally, continuous monitoring of VPN logs and user activity should be in place to promptly detect suspicious login attempts or anomalies. Upgrading to a more robust and layered authentication approach, such as MFA, is critical to bolster the first line of defense against threat actors seeking to exploit single-factor authentication and gain unauthorized VPN access.
The threat actor deployed a GPO policy to disable Windows Defender real-time protection. This is an example of MITRE's T1562.001: Impair Defenses: Disable or Modify Tools sub-technique.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender] DisableAntiSpyware: [REG_DWORD_LE] 1
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-time Protection] DisableRealtimeMonitoring: [REG_DWORD_LE] 1
The first line of defense available to organizations is to use a security agent that has strong tamper protection. In terms of monitoring for this activity, these are detection-ready event sources. While it is possible that a system administrator would disable these protections (at least temporarily) during troubleshooting, given the risk of this activity it is something that should be investigated promptly if a corresponding support ticket is not found.
The threat actor used PsExec to run a batch script intended to enable the RDP port, then used Remote Desktop Protocol (RDP) to move across the network. This is an example of MITRE's T1021.001: Remote Services: Remote Desktop Protocol sub-technique. RDP is a common finding in cases handled by Incident Response, as shown by our findings from IR cases handled during the first half of 2023.
Figure 1: RDP abuse detections in IR cases for the first half of 2023
The batch script contents are as follows:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
netsh advfirewall firewall add rule name="Open Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Securing RDP access can be difficult for many companies, but it is a project worthy of investment. The first item to check off the list is to restrict, by role, which accounts can access other systems using RDP. The vast majority of users do not need this access. Secondly, adopting a centralized jump server, which only admins can access with MFA, and blocking other system-to-system RDP at the network level is a strong preventative control. Lastly, a detection should be in place to promptly review anomalous RDP connections and deconflict them with approved system administration activity.
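Both the Defender policy values and the RDP-enabling script above are registry and command-line changes that a defender can watch for directly. The following is an added example (not code from the Sophos write-up): it flags the three registry values named above and the firewall commands from the batch script, using a constructed, simplified "key, value, data" line format that you would map onto your own registry-audit or GPO-diff source.

```python
import re

# Added example (not Sophos code): watch for the registry changes used in this
# intrusion. Input is a constructed "key<TAB>value<TAB>data" line per change,
# e.g. flattened from Security event 4657 or a GPO diff; adapt parse_line().
WATCHLIST = [  # (key suffix, value name, data, description, ATT&CK ID from the post)
    (r"policies\microsoft\windows defender", "disableantispyware", "1",
     "Windows Defender disabled by policy", "T1562.001"),
    (r"windows defender\real-time protection", "disablerealtimemonitoring", "1",
     "Defender real-time monitoring disabled", "T1562.001"),
    (r"control\terminal server", "fdenytsconnections", "0",
     "RDP connections enabled", "T1021.001"),
]

# Command lines that open TCP/3389 in the host firewall, as in the batch script
RDP_FIREWALL_CMD = re.compile(
    r"(localport=3389\b.*action=allow|action=allow.*localport=3389\b"
    r"|Enable-NetFirewallRule\s+-DisplayGroup\s+'Remote Desktop')", re.IGNORECASE)

def parse_line(line):
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    key, value, data = (p.strip() for p in parts)
    return key.lower(), value.lower(), data

def audit_registry_changes(lines):
    """Return (line_no, description, attack_id) for each watchlisted change."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        key, value, data = rec
        for suffix, vname, bad, desc, tid in WATCHLIST:
            if key.endswith(suffix) and value == vname and data == bad:
                findings.append((n, desc, tid))
    return findings

def opens_rdp_firewall(cmdline):
    """True if a process command line adds an allow rule for RDP (TCP/3389)."""
    return RDP_FIREWALL_CMD.search(cmdline) is not None

SAMPLE_CHANGES = [  # constructed sample, one line per changed value
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\tDisableAntiSpyware\t1",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
    "\tDisableRealtimeMonitoring\t1",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\tfDenyTSConnections\t0",
    "HKLM\\SOFTWARE\\Contoso\\App\tInstallDate\t20230801",  # benign change
]
```

Any hit should be deconflicted against a change ticket, as the text above recommends, rather than treated as confirmed malicious on its own.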
The threat actor, using secretsdump.py (part of the Impacket toolkit), retrieved the SAM registry hive. This is an example of one method of executing MITRE's T1003.002: OS Credential Dumping: Security Account Manager sub-technique.
C:\WINDOWS\system32\svchost.exe -k localService -p -s RemoteRegistry
It is essential for organizations to prioritize the safeguarding of sensitive credentials. Implementing strong access controls, using robust endpoint detection and response solutions, and monitoring for suspicious activity related to SAM hive access are essential steps. Any unauthorized attempt to access or manipulate this critical system component should be promptly investigated, as it may indicate a breach or malicious activity that could compromise sensitive credentials.
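The svchost line above is the RemoteRegistry service starting on the victim, which a remote hive dump needs. One way to monitor for that is to correlate the service start with the network logon that immediately precedes it. This is an added example, not code from the Sophos write-up; the event records, the field names and the jump-server allow-list are constructed assumptions to be mapped onto your own SIEM schema.

```python
from datetime import datetime

# Added example (not Sophos code). A secretsdump-style remote SAM hive grab
# usually appears as a network logon (event 4624, type 3) followed within
# seconds by the RemoteRegistry service starting (event 7036) on the same host.
# Event records are constructed dicts; map your SIEM's field names onto them.
JUMP_HOSTS = {"10.0.0.5"}  # hypothetical allow-list of admin jump servers

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_remote_registry_after_logon(events, allowlist=JUMP_HOSTS, window_s=120):
    """Pair each RemoteRegistry start with a preceding network logon on the same
    host from a source outside the allow-list. Returns (host, user, src_ip, secs)."""
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    hits = []
    for svc in events:
        if svc["id"] != 7036 or svc["service"] != "RemoteRegistry":
            continue
        if svc["state"] != "running":
            continue
        for lg in logons:
            delta = (_ts(svc["ts"]) - _ts(lg["ts"])).total_seconds()
            if (lg["host"] == svc["host"] and 0 <= delta <= window_s
                    and lg["src_ip"] not in allowlist):
                hits.append((svc["host"], lg["user"], lg["src_ip"], int(delta)))
    return hits

SAMPLE_EVENTS = [  # constructed
    {"ts": "2023-08-10 02:14:03", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.8.77"},
    {"ts": "2023-08-10 02:14:09", "host": "FS01", "id": 7036,
     "service": "RemoteRegistry", "state": "running"},
    {"ts": "2023-08-10 09:00:00", "host": "FS02", "id": 4624, "logon_type": 3,
     "user": "admin1", "src_ip": "10.0.0.5"},
    {"ts": "2023-08-10 09:00:20", "host": "FS02", "id": 7036,
     "service": "RemoteRegistry", "state": "running"},
]

if __name__ == "__main__":
    for hit in find_remote_registry_after_logon(SAMPLE_EVENTS):
        print("RemoteRegistry started %ds after network logon by %s from %s on %s"
              % (hit[3], hit[1], hit[2], hit[0]))
```

The FS02 pair is suppressed only because its source is on the allow-list; keep that list short and reviewed, since an attacker on a jump host would be suppressed too.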
A confirmed compromised account was used to access sensitive folders such as Finance, Payroll, SalesReport and HR on the file server. MITRE lists 37 sub- and sub-sub-techniques under TA0009: Collection.
Often, by the time a threat actor is staging data, it is too late to have a good security outcome. A good approach to preventing data theft is to adopt least-privilege access, which means ensuring only the necessary people have access, followed by granular controls on exporting, sharing, or transferring the data. DLP solutions, while they have a history of being difficult to implement and maintain, are worth evaluating for high-risk data.
The threat actor used MEGAsync to exfiltrate the data. This is an example of MITRE's T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage.
UserAssist entry: 87 Value name: C:\Users\<redacted>\AppData\Local\Temp\6\MEGAsyncSetup32.exe Count: 1
User "<redacted>" registered Task Scheduler task "MEGA\MEGAsync Update Task S-1-5-21-<redacted>"
Organizations should focus on strengthening data loss prevention measures and network monitoring. Implementing robust outbound traffic analysis and content inspection can help identify and block suspicious data transfers. Furthermore, closely monitoring MEGAsync activity and detecting any unusual or unauthorized data transfers can be critical in mitigating data breaches. Rapidly investigate and respond to any indication of unauthorized exfiltration to prevent potential data compromise and minimize the impact on data confidentiality.
The threat actor used two ransomware binaries, one for the Windows environment and one for the Linux environment. The Windows version is named windows.exe, and is detected as Troj/Ransom-GWD by Sophos. This is an example of MITRE's T1486: Data Encrypted for Impact.
- The Money Message encryptor is written in C++ and includes an embedded JSON configuration file which contains key details such as which folders to exclude from encryption, which extension to append, which services and processes to terminate, and domain login names and passwords likely used to encrypt other devices.
- The encryptor uses the ChaCha quarter round algorithm and ECDH encryption
- The ransomware creates the C:\money_message.log ransom note when complete
- On endpoints protected with Sophos, the following detection is triggered:
Malware detected: 'Troj/Ransom-GWD' at 'C:\Users\<redacted>\AppData\Local\Temp\6\windows.exe'
The Linux variant is named 'esxi'. Upon execution it will delete all the virtual hard disks. This is an example of MITRE's T1561: Disk Wipe.
Commands executed on the ESXi host:
cd /tmp/
chmod 777 esxi
dir
ls
./esxi
As mentioned earlier, at this late stage in the attack, having full coverage on all systems with a properly configured XDR solution is vital to protect organizations from ransomware. In the case of Sophos, it is essential for customers to have their CryptoGuard policy activated, which is something Support can guide customers on.
The Money Message attackers' path to exfiltration conforms to a fairly typical MITRE ATT&CK chain, as we have shown above. Though this particular attacker tries to muddy the waters for defenders, good defense – particularly in the early stages – can provide an effective toolkit against bad outcomes.