According to Bleeping Computer, a new ransomware called LooCipher has been found in the wild. https://www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/ In usual fashion, it is impacting users through spam. Unsuspecting users are opening the phishing email, clicking on the link, giving the file authorization to use macros, and ultimately getting the malicious file installed.
In 2011, Lockheed Martin is credited with the idea of a cyber security kill-chain. The cyber security kill-chain, as designed, organizes threats into categories as well as security controls that can be deployed in those categories to mitigate those risks. If we apply the kill-chain to the Loocipher ransomware, we see the following:
- The phishing email, in the delivery category, should have been caught by commercial email protection tools.
- The dropper file (Info_BSV_2019.docm), in the delivery category, should have been caught by malware tools as well as other AV tools. Note, the end user in this case had to allow the macros to run. User awareness is still essential to defending against these types of attacks!
- Once the macros have been enabled, the malware reaches out to a TOR server to download another file (http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe) In this case, this should have been detected in the command and control as well as the delivery category. These categories usually are defended by threat intel tools, malware tools, and host based tools.
- Finally, a new file (c2056.ini) will be created and the file encryption process begins. This file creation and subsequent encryption should be caught in the actions and exfiltration category and protected by tools such as threat intel, process anomaly detection, firewalls, and malware tools.
What’s was not accounted for in the cyber kill-chain was the advance of machine learning and AI. Applying these tools to the data at each category of the kill-chain improves our ability to catch the anomalous behavior at each category, as well as improving the mitigation at each category by correlating the detections.
Starlight is committed to utilizing our Unified Security Analytics Platform to detect, alert, and respond to these types of behaviors. Our pervasive data collection, coupled with advanced data handling and machine learning, gives us multiple areas where we can detect these types of attacks across the cyber kill-chain. If the attack is missed in one stage of the kill chain, we will catch it in another stage. Once detected, we have the ability to take automated action against those anomalous behaviors. Applying our technology to the Loocipher ransomware, we would potentially detect and mitigate it in the following ways:
- Our phishing detection would evaluate the malicious URL and mitigate its risk
- The dropper file referenced above would have been evaluated by our malware tool and mitigated.
- Had the dropper file passed the malware test, the server sensor would have caught the behavior change (i.e. new process spawn with a new connection to the TOR server).
- If the dropper file passed the malware and server sensor assessment, the call to the TOR server could have been mitigated at the network level. The Starlight platform would have signaled the network firewalls to implement a block to the target server.
- The new file download (http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe) could have been caught and mitigated at the server sensor or malware assessment.
- Finally, the encryption process would be detected by the server sensor and mitigation techniques applied to prevent/stop the process from continuing.
Ransomware is a huge industry. Backups are essential but so is defense-in-depth. If you are not protecting your environment at the various stages of the kill-chain, you should consider doing so. If you are struggling to implement these concepts because you have too many tools that don’t interoperate, give us a call. We can help!
