Incident Analysis

An 81-page report details how ransomware has evolved, along with recommendations on how to deter attacks and disrupt its business model.The Ransomware Task Force (RTF) this week published a report detailing recommendations to fight back against the operators and infrastructure that drive ransomware, which its team of experts describes as a “serious national security threat” and “public health and safety concern.”More than 60 people from software companies, security vendors, government agencies, nonprofits, and academic institutions teamed up with the Institute for Security and Technology (IST) to create the RTF, which launched last December. Participants include Microsoft, McAfee, Rapid7, Amazon, Cisco, the Cyber Threat Alliance, the Global Cyber Alliance, US Department of Justice, Europol, and the UK’s National Crime Agency, among many others.

In their 81-page report, “A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force,” experts share proposed guidance to deter ransomware attacks, disrupt its business model, help organizations prepare, and better respond to the global threat.
While other threats, such as business email compromise, also cause tremendous losses for businesses each year, RTF is focusing on ransomware because of its massive impact.
“One of the concerns we have is the scope and scale of ransomware,” says Megan Stifel, executive director for the Americas at the Global Cyber Alliance and co-chair of the RTF. “It’s holding parts of the ecosystem and the economy at risk, particularly aspects of critical infrastructure, that can give rise to a range of cascading consequences that in some cases individually, or certainly collectively, can create a significant national security problem.”
RTF’s framework arrives as ransomware attackers continue to evolve their strategies. Ransomware targeted the healthcare industry during a global pandemic and has shut down schools, hospitals, police stations, city governments, and US military facilities, its report points out.
“The professionalism of the affiliates, and focusing on their ability to attack organizations, is probably the biggest challenge,” says Raj Samani, fellow and chief scientist at McAfee, of fighting ransomware. “This has supported the big-game hunting strategy and ultimately the ability to get into organizations and disrupt operations or steal data, [which] has given threat actors the ability to demand a lot more than ever before.”
The framework outlines 48 actions government and industry leaders can take to disrupt the ransomware business model and mitigate the impact of attacks. While there have been many reports on the growing ransomware threat and widespread recommendations on how to fight it, many organizations struggle to adopt them. The idea behind this framework is to create a more comprehensive, all-hands-on-deck approach to dismantling the ransomware threat.
Some of the RTF’s recommendations are listed as higher priority, though it advises viewing them together as a whole. At the top of its list is the suggestion for a coordinated, law enforcement effort to prioritize ransomware through a strategy that includes the use of “a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals,” the RTF says in the framework.
“The first priority really does need to be this public pronouncement that ransomware is a serious national security threat, and that governments will work together with the private sector and other stakeholders in reducing its impact through a range of actions, including this idea of enhanced information sharing to support intelligence and enforcement,” says Stifel.
There is room for improvement in how this is done, she adds. 
“The ability for the government to ingest information around ransomware needs to improve, but also the ability for industry to share information around ransomware is in significant need of enhancement,” Stifel says.
The RTF’s second recommendation suggests the US launch an “intelligence-driven anti-ransomware campaign, coordinated by the White House.” This must include an Interagency Working Group led by the National Security Council, an internal US government joint ransomware task force, and a private, industry-led informal Ransomware Threat Focus Hub.
Its third prioritized recommendation suggests governments create a cyber response and recovery fund to support ransomware response and other security efforts, mandate victims report ransom payments, and require them to consider alternatives before paying ransom.
Payments were a tricky subject to navigate in the creation of the framework, and Stifel notes the RTF couldn’t come to a consensus on whether to prohibit payments. Participants agreed that while paying ransom is detrimental in many ways, there are challenges in barring payments altogether. Doing so “would really put victims in a very hard spot,” Stifel adds.
The framework also suggests closer regulation of the cryptocurrency sector and states governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading to comply with existing laws, such as Know Your Customer, Anti-Money Laundering, and Combatting Financing of Terrorism.
Ransomware is a rapidly evolving threat, and criminals continue to hone their skills and tactics to successfully extort businesses. McAfee’s Samani will elaborate more on this topic and how these changes have influenced the distribution of ransomware in an upcoming RSA Conference session entitled “Ransomware: New Recipe For An Old Dish.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full BioRecommended Reading:More Insights

Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure.Nonprofit research organization MITRE has released the latest version of its ATT&CK framework, adding support for threat information affecting Apple’s MacOS and various flavors of Linux, while also allowing more data sources and relationships. The release is one of two updates to the popular framework due out this year, with another planned for October. The two most major changes are better support for both the MacOS and Linux platforms and the adoption of more flexible ways of specifying the necessary data to describe each threat technique. The release includes 16 new groups, 67 new pieces of software, and updates to 36 other groups and 51 software entries, according to MITRE.

The goal is to make the framework more functional, based on specific feedback from its community of users, says Adam Pennington, ATT&CK lead at MITRE.
“People look at ATT&CK as a way to map out and plan their defenses,” he says. “We are seeing it used as a way for people to either start from a specific area — such as an adversary that they are worried about or some subset of an attack, and take a look at what their stance is in relation to each of those behaviors — or perhaps as a way to plan out behavioral analytics.”
In a blog published Thursday, the research organization stated that the update is designed to better connect offensive techniques with potential defensive actions. The intent is to tag every technique in the ATT&CK framework with “defensive-focused fields [and] properties as a way to help defenders detect and respond to attacks.
The company had described the improvements in its road map for 2021, published in March. The organization stated there would be no major structural adjustments; instead, MITRE plans to make improvements across the framework. 
“Our chief focus will be on enhancing and enriching content across the ATT&CK platforms and technical domains,” MITRE stated in its road map. “We’ll be making incremental updates to core concepts, such as Software and Groups, and working towards a more structured contributions process, while maintaining a biannual release tempo, scheduled for April and October.”
A major initiative in the latest version is to allow better data to be collected on specific threat descriptions included in the ATT&CK framework. The idea is to tell defenders specifically what data they need to collect to best detect attackers and determine which techniques they are using. MITRE reviewed all the different data sources and components and remapped them where necessary.
“The material that people see today is not going to undergo another drastic change. We are just going to be adding more context behind it,” Pennington says. “It’s about getting a better idea of — with their various collection mechanisms, SIEMs, sensors, whatever — what do they need to be looking for to understand an adversary’s behavior.”
The ATT&CK framework now also includes more MacOS- and Linux-specific threats and mappings, he says. 
“We spend a lot of time on Windows, as do adversaries,” Pennington says. “For Linux, we hear a lot going on with containers, but we don’t see a ton of detail in what is going on. The same with Mac. We hear from people there is a lot of activity going on, and we are beginning to incorporate that into ATT&CK.”
MITRE has also brought together the threats, techniques, and data sources for cloud platforms into consolidated groups, such as the infrastructure-as-a-service (IaaS) platform as part of the broader Cloud Service Providers category. In addition, software-as-a-service (SaaS) offerings Office 365 and Google Workspace are not included, so defenders can map adversary behaviors.
The company continues to make modifications based on feedback. In October, the company will release more support for mobile threats and defenses, as well as update the approach to threats that affect industrial control systems.
In the future, ATT&CK will also incorporate container technologies. MITRE has already released a draft ATT&CK for Containers matrix and will be incorporating feedback for a future release, the organization says.
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full BioRecommended Reading:More Insights

The stealthy backdoor is likely being used by Chinese APTs, researchers said.

A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.
The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.
The attack began with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder – a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
The use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.
“The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis, published Friday.
A Quiet Espionage Malware
The RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.
Once executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.
The malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it: “This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,” researchers explained.
After that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS – with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.
Then, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which is awaits further instructions.
The C2 commands are myriad:

List running processes
Open process
Get free space in logical drives
Files enumeration
Delete file
Move file
Create process with a hidden window
Open file for simultaneous operations
Write to file
Close handle
Open file and write directly to disk
Look for the “Kr*^j4” string
Create pipe, copy data from it and AES encrypt
Write data to file, append with “n”
Write data to file, append with “exitn”

PortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.
“The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,” researchers explained.
Chinese APTs in the Cyberattack Mix – Probably
Cybereason’s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. However, the researchers said they could make some educated guesses.
“There are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,” according to the report.
For instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.
“Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,” according to the analysis. “When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.”
That said, the PortDoor malware doesn’t share significant code similarities with previously known malware used by those groups – leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.
“Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!