Checklist for Detecting Ransomware Precursors

Attackers usually deploy ransomware at the end of an operation—after they’ve performed privilege escalation, lateral movement and data exfiltration. Ransomware is almost never in an environment until encryption begins, so engineering detection for ransomware itself is not sufficient. To proactively test for and detect ransomware, organizations must instead look for ransomware precursors.

This checklist is designed to help organizations detect the precursors of a typical ransomware deployment and provides a starting point for hunting these threats.

Ransomware Precursors Checklist 

Instrument to detect command execution 

• Use Sysmon or an endpoint detection and response tool that captures the full path to the command, the executing user and command-line arguments.

Examine commonly used directories 

• Look for executables running from the following directories (and subdirectories):
  • C:\ProgramData (Note: Some legitimate Defender binaries run from this directory)
  • C:\Users\Public

Look for common reconnaissance commands such as:

• Nltest.exe
• AdFind.exe
• DSquery.exe
• Whoami.exe
  • This is often used in logon scripts but less-commonly with the /priv switch favorite by threat actors
• Taxlist.exe
  • Most system admins do not run this with the /s switch to interrogate a remote system.

DOWNLOAD:  Ransomware Prep Toolkit

Detect lateral movement by looking for: 

• Bitsadmin.exe
• PsExec.exe
• Psexesvc.exe
• Randomly named executables or PowerShell.exe installed as a service 
  • Check Event ID 7045 in the System event log
• Wmic.exe
  • Look for "process call create" or any use of the /node switch in command-line arguments.
• Scheduled tasks with unexpected executable parameters 
  • Check TaskScheduler\Operational event logs for Event ID 106, then examine the task XML file on the file system.

READ: Ransomware: Prevention and Response Tactics 

Detect data exfiltration:

• Use east-west NetFlow and/or firewall logs to hunt IP addresses known to be Tor exit nodes
  • Some cyber threat intelligence enrichment will usually be required to identify these IP addresses.
• Use DNS logs to hunt for never-before-seen domains.
• These are commonly used in command and control but may also be used for data   exfiltration.
• Search DNS logs for: 
  • mega.nz
  • mega.io
  • Other Mega domains being resolved 
• Extend the search to other file synchronization tools.
• Examine process telemetry for any use of rclone.exe
• Search process history for any use of date exfiltration binaries such as: 
  • pscp.exe
  • FileZilla.exe
• Search installed software and process telemetry for unauthorized file synchronization programs.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.