It’s Not Safe To Pay SafePay

Subject: It’s Not Safe To Pay SafePay

Tactics: TA0009 Collection, TA0005 Defense Evasion, TA0007 Discovery, TA0040 Impact, TA0004 Privilege Escalation

Technique: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control, T1560.001 Archive Collected Data: Archive via Utility, T1486 Data Encrypted for Impact, T1562.001 Impair Defenses: Disable or Modify Tools, T1040 Network Sniffing

Procedure:

The threat actor initiated the attack by disabling Windows Defender’s real-time protection and automatic file submission. They then proceeded to discover network shares using a PowerShell script. Sensitive data was collected and archived using WinRAR. Subsequently, they employed a UAC bypass technique involving COM objects to gain elevated privileges. Finally, the SafePay ransomware was deployed to encrypt files on the target system.

Vulnerability: EAV0002 When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.

Engagement Opportunity:

The attacker’s reliance on common tools and readily detectable techniques presents multiple engagement opportunities. Decoy network shares with fake but enticing data can be deployed to lure the attacker and gather intelligence on their tools and techniques. A honeypot RDP server can be set up to capture their activity and analyze their behavior. Additionally, the use of PowerShell for discovery can trigger alerts and initiate automated responses, potentially leading to the isolation of the attacker or redirection to a deceptive environment.
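One way to act on the engagement opportunity above is a correlation rule that scores a host on the stages of this chain (Defender real-time protection disabled, PowerShell share enumeration, WinRAR execution) and treats any access to a planted decoy share as high fidelity on its own. This is an added illustration, not code from the Huntress report; the normalised event format, the decoy share name "Finance_Archive" and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy share name planted by the defender (assumption, not from the report).
DECOY_SHARES = {"Finance_Archive"}
TAMPER_RE = re.compile(r"Set-MpPreference.*-(DisableRealtimeMonitoring|SubmitSamplesConsent)", re.I)
DISCOVERY_RE = re.compile(r"Win32_Share|Get-SmbShare|ShareFinder|net\s+view", re.I)
RAR_RE = re.compile(r"\\(win)?rar\.exe$", re.I)

# Event IDs used: Defender 5001 (real-time protection disabled), PowerShell 4104 (script
# block logging), Sysmon 1 (process creation), Security 5140 (network share object accessed).
STAGES = [  # (stage name, predicate over one normalised event dict)
    ("defender_tamper", lambda e: (e["source"], e["id"]) == ("Defender", 5001)
        or ((e["source"], e["id"]) == ("PowerShell", 4104) and bool(TAMPER_RE.search(e.get("msg", ""))))),
    ("share_discovery", lambda e: (e["source"], e["id"]) == ("PowerShell", 4104)
        and bool(DISCOVERY_RE.search(e.get("msg", "")))),
    ("archive_tool", lambda e: (e["source"], e["id"]) == ("Sysmon", 1)
        and bool(RAR_RE.search(e.get("image", "")))),
    ("decoy_share_access", lambda e: (e["source"], e["id"]) == ("Security", 5140)
        and e.get("share", "").rsplit("\\", 1)[-1] in DECOY_SHARES),
]

def correlate(events, window=3600):
    """Per host: stages seen (first-seen order), a score, and whether the chain is critical."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["t"]):
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        first_seen = {}
        for e in evs:
            for name, pred in STAGES:
                if name not in first_seen and pred(e):
                    first_seen[name] = e["t"]
        hits = sorted(first_seen, key=first_seen.get)
        spread = max(first_seen.values()) - min(first_seen.values()) if hits else 0
        # Decoy access is high fidelity alone; otherwise require tamper + discovery inside the window.
        critical = "decoy_share_access" in hits or (
            spread <= window and {"defender_tamper", "share_discovery"} <= set(hits))
        findings[host] = {"stages": hits, "score": len(hits), "critical": critical}
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the incident
    {"host": "WS-07", "t": 100, "source": "Defender", "id": 5001},
    {"host": "WS-07", "t": 130, "source": "PowerShell", "id": 4104, "msg": ". .\\ShareFinder.ps1; Get-WmiObject Win32_Share -ComputerName $srv"},
    {"host": "WS-07", "t": 160, "source": "Sysmon", "id": 1, "image": "C:\\Program Files\\WinRAR\\Rar.exe"},
    {"host": "WS-07", "t": 190, "source": "Security", "id": 5140, "share": "\\\\*\\Finance_Archive"},
    {"host": "WS-12", "t": 500, "source": "PowerShell", "id": 4104, "msg": "Get-SmbShare | Format-Table"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags WS-07 with all four stages as critical, while WS-12 (a lone share listing) only scores 1.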

Threat Actor: SafePay Ransomware Group

Threat Objective:

Data Exfiltration and Financial Gain through Ransomware Deployment

Deception Opportunity:

Given the attacker’s objective of data exfiltration and ransomware deployment, a multi-layered deception strategy can be effective. Decoy documents with embedded beacons can be placed in network shares to track the attacker’s activity and gather information about their exfiltration methods. A fake financial database can be created to divert their attention from real sensitive data. Furthermore, a honeypot system mimicking critical infrastructure can be deployed to engage the attacker and analyze their ransomware deployment techniques.

Sensor Data Placement: Kernel-Mode

Observable Level: Ephemeral Values

Scoring Rationale:

The attack chain involves observables at various levels. Ephemeral values like specific file names are easily changed by the attacker. The use of PowerShell and the ransomware itself are core to the adversary’s tools. Observables like WinRAR usage and Defender events are linked to pre-existing tools. GUI interactions and specific UAC bypass techniques fall under “Core to Some Implementations.” Finally, the reliance on privilege escalation mechanisms is fundamental to that technique.

Link to Report: https://www.huntress.com/blog/its-not-safe-to-pay-safepay

Additional Comments:

Analyzing the entire attack chain provides a more comprehensive understanding of the attacker’s behavior and motivations. This allows for the development of a more robust and multi-layered deception strategy, increasing the chances of successful engagement and disruption of their operations. Continuous monitoring and analysis of the attacker’s TTPs are crucial for adapting the deception environment and maximizing its effectiveness.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# SafePay Ransomware Attack Graph

[1]: Defense Evasion - Impair Defenses: Disable or Modify Tools - Disable Windows Defender settings via GUI (Core to Some Implementations of (Sub-)Technique) [1]
[2]: Discovery - Network Share Discovery - Utilize PowerShell script to map network shares (Core to Adversary-Brought Tool) [1]
[3]: Collection - Archive Collected Data - Use WinRAR to archive sensitive data (Core to Pre-Existing Tool) [1]
[4]: Privilege Escalation - Abuse Elevation Control Mechanism - Employ UAC bypass technique using COM objects (Core to Sub-Technique or Technique) [1]
[5]: Impact - Data Encrypted for Impact - Deploy SafePay ransomware to encrypt files (Core to Adversary-Brought Tool) [1]

1 --> 2 (Lack of System Monitoring) [1]
2 --> 3 (Lack of User Awareness) [1]
3 --> 4 (Lack of Privilege Management) [1]
4 --> 5 (Lack of Endpoint Security) [1]
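A parser for the MSG node and edge format above, added here as an example (not part of the original page or the Huntress report): it reads the graph into node and edge structures, handles the nested parentheses in observable levels such as "(Sub-)Technique", and checks that the edges form one linear chain over defined nodes before returning the attack order. The sample input is the page's own graph, copied verbatim.

```python
import re
# The page's own MSG lines, embedded here as the sample input (citation markers kept).
MSG_TEXT = """[1]: Defense Evasion - Impair Defenses: Disable or Modify Tools - Disable Windows Defender settings via GUI (Core to Some Implementations of (Sub-)Technique) [1]
[2]: Discovery - Network Share Discovery - Utilize PowerShell script to map network shares (Core to Adversary-Brought Tool) [1]
[3]: Collection - Archive Collected Data - Use WinRAR to archive sensitive data (Core to Pre-Existing Tool) [1]
[4]: Privilege Escalation - Abuse Elevation Control Mechanism - Employ UAC bypass technique using COM objects (Core to Sub-Technique or Technique) [1]
[5]: Impact - Data Encrypted for Impact - Deploy SafePay ransomware to encrypt files (Core to Adversary-Brought Tool) [1]
1 --> 2 (Lack of System Monitoring) [1]
2 --> 3 (Lack of User Awareness) [1]
3 --> 4 (Lack of Privilege Management) [1]
4 --> 5 (Lack of Endpoint Security) [1]"""
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*\((.*)\)\s*(?:\[\d+\])?\s*$")
NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.*?)\s*(?:\[\d+\])?\s*$")

def split_observable(body):
    """Split 'procedure (level)' at the '(' balancing the final ')'; rsplit breaks on '(Sub-)'."""
    depth = 0
    for i in range(len(body) - 1, -1, -1):
        depth += 1 if body[i] == ")" else -1 if body[i] == "(" else 0
        if depth == 0:
            return body[:i].rstrip(), body[i + 1:-1]
    raise ValueError("no balanced observable level in: " + body)

def parse_msg(text):  # -> ({node_id: {tactic, technique, procedure, level}}, [(src, dst, vuln)])
    nodes, edges = {}, []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if m := EDGE_RE.match(line):
            edges.append((int(m[1]), int(m[2]), m[3]))
        elif m := NODE_RE.match(line):
            head, level = split_observable(m[2])
            tactic, technique, procedure = (s.strip() for s in head.split(" - ", 2))
            nodes[int(m[1])] = {"tactic": tactic, "technique": technique, "procedure": procedure, "level": level}
        else:
            raise ValueError("unparseable MSG line: " + line)
    return nodes, edges

def chain_order(nodes, edges):
    """Check the graph is one linear path over defined nodes; return ids in attack order."""
    nxt, indeg = {}, dict.fromkeys(nodes, 0)
    for src, dst, _ in edges:
        if src not in nodes or dst not in nodes or src in nxt or indeg[dst]:
            raise ValueError(f"edge {src} --> {dst}: undefined node or branching/merging path")
        nxt[src], indeg[dst] = dst, 1
    starts = [n for n in nodes if not indeg[n]]
    order, cur = [], starts[0] if len(starts) == 1 else None
    while cur is not None:  # degrees <= 1 and a unique start rule out revisiting a node
        order.append(cur); cur = nxt.get(cur)
    if len(order) != len(nodes):
        raise ValueError("graph is not a single chain covering every node")
    return order
```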


# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# SafePay Ransomware Pseudocode

function Defense_Evasion_Impair_Defenses(defender_settings):
    # Manually disable Windows Defender settings through GUI interaction [1]
    return weakened_security_posture

function Discovery_Network_Share_Discovery(weakened_security_posture):
    # Execute PowerShell script "ShareFinder.ps1" to identify accessible network shares [1]
    return target_shares

function Collection_Archive_Collected_Data(target_shares):
    # Utilize WinRAR to archive data from identified network shares [1]
    return archived_data

function Privilege_Escalation_Abuse_Elevation_Control_Mechanism(archived_data):
    # Employ UAC bypass technique via COM objects to gain elevated privileges [1]
    return elevated_privileges

function Impact_Data_Encrypted_for_Impact(elevated_privileges):
    # Deploy and execute SafePay ransomware to encrypt files on target system [1]
    return encrypted_system
