Left of Boom: Developing Ransomware Early Warning Systems

In March of 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established the Ransomware Vulnerability Warning Pilot (RVWP) program in an effort to warn critical infrastructure operators of vulnerabilities known to be exploited by ransomware threat actors.

‍

“As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks,” CISA states.

‍

“Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.”

‍

In a similar manner, the United Kingdom’s security and intelligence services have developed the Early Warning program, which is administered by the National Cyber Security Centre (NCSC - part of GCHQ) to warn organizations of early-stage ransomware attacks before they become serious security incidents.

‍

“The experts have built a unique system using the intelligence community’s access to several information feeds unavailable to anyone else — alongside public, commercial and closed-source inputs — that has almost certainly prevented a significant number of ransomware attacks,” The Record reported.  

‍

Takeaway: Early detection of attacks can mean the difference between an attempted ransomware attack versus a full-blown incident response and recovery process that can take weeks to months to complete and cost an organization tens of millions of dollars in losses.

‍

There are many players in the Ransomware Economy, from the RaaS platform providers who provide the ransomware attack tooling, to the affiliates who select targets and carry out the attacks, to the money launderers who obfuscate the money trail when victims pay a ransom.

‍

Halcyon researchers recently identified another major player in the Ransomware Economy: Command-and-Control Providers (C2P) who lease the attack infrastructure to threat actors, in a report titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps) (PDF).

‍

While these C2P entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors.

‍

In this report, Halcyon demonstrates a unique method for identifying C2P entities that can potentially be used to forecast the precursors of ransomware campaigns and other attacks significantly “left of boom.”

‍

Halcyon used an unlikely pivot point – namely RDP hostnames within the metadata of an affiliate’s attack infrastructure – to detect imminent ransomware and nation-state sponsored attacks as the infrastructure is being stood up, providing notice weeks to months before the attack is launched.

‍

Halcyon researchers successfully used this technique to identify a C2P called Cloudzy that provided attack infrastructure to APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; to a sanctioned Israeli spyware vendor whose tools are known to target civilians; and to several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.

‍

Halcyon began with a large set of previously published and undisclosed ransomware attack network IOCs. Using Internet scanning data from Censys and Shodan, we noticed what seemed to be a group of RDP hostnames recurring frequently within the “Subject Common Name” field of X.509 certificates.

‍

These SSL certificates were most frequently used to secure RDP connections on the default TCP port, 3389. By default, Windows sets the “Subject Common Name” field to match the server’s hostname when first issuing SSL certificates for RDP.

‍

Halcyon linked RDP hostnames to ransomware incidents by connecting the SSL certificates where the hostnames appeared to associated IP addresses which matched the known TTPs of ransomware groups we track.

‍

Halcyon noted that several of these RDP hostnames were also called out as indicators of compromise (IOCs) in ransomware incidents by several different security researchers. This served to confirm our initial findings that these RDP hostnames were associated with malicious infrastructure used in ransomware campaigns.

‍

Halcyon then determined that the IP addresses associated with the SSL certificates containing these hostnames were also connected to one another based upon their distribution over multiple Internet Service Providers (ISPs).

‍

Halcyon did not expect to find the same hostnames repeated so often across so many different providers. The fact that they did suggest to us that someone had used an imaging process to quickly copy and then widely deploy servers across them.

‍

Halcyon examined the broader IP space associated with the SSL certificates containing those RDP hostnames, conducting PDNS analysis within a 90-day window of the RDP hostnames first appearing. We did this to limit the likelihood of any IP-based crossover.

‍

What Halcyon discovered was a staggering array of attack infrastructure which we, and others in the security community, recognized and associated with a wide range of threat actors. Included were government-sponsored APT groups, criminal syndicates, and a commercial spyware vendor.

‍

Halcyon researchers pioneered a new technique that can enable defenders to spot malicious hostnames proactively to identify potential threats as the attack infrastructure is being set up. Hopefully these and other efforts to provide better visibility into immanent threats can help protect organizations from catastrophic attacks earlier in the initial attack sequence.

‍

While we will never be able to stop ransomware attacks, we can stop them from being successful by making actionable intelligence available that can be used to end an attack earlier.

‍

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.