
Datashield's Resource Library


Detecting and Preventing UNC1878

Recently, the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert warning that the healthcare industry was being targeted by hackers.

UNC1878 is the designation given to the Russian cybercriminal actor responsible for large-scale ransomware attacks targeting healthcare facilities across the US.

These attacks have many moving pieces, from initial compromise to the actual ransomware encryption. Those earlier phases are where we get the opportunity to catch the infection and isolate it before the attacker ever gets the chance to encrypt.

Ransomware, overall, is difficult to detect once it reaches the deployment phase, and even harder to isolate and stop, because deployment across a network is often rapid. Fortunately, for the ransomware to succeed, the attackers have to use many noticeable tactics to shape the environment into the most favourable target before deployment.

Steps                  UNC1878

Initial Access         Phishing
Malware Execution      BUER Loader / PowerShell / WMIC / Cobalt Strike BEACON
Persistence            Scheduled Tasks
Discovery              Bloodhound / Cobalt Strike
Lateral Movement       Sharphound / Cobalt Strike / Command Line
Privilege Escalation   Cobalt Strike / SystemBC
Evasion                GMER
Command & Control      Cobalt Strike
Final Deployment       Ryuk

Initial compromise can come from many avenues, but phishing remains the most common and most effective way for attackers to gain access to a network. In recent Ryuk infections, spear-phishing was observed as the way the attackers gained access to their targeted systems. This can be both detected and prevented through properly configured mail solutions, best practices, and employee awareness training.

Once initial access is gained, Ryuk ransomware has been observed being delivered by many different loaders: BazarLoader, Emotet, Trickbot and, most recently, Buer. Buer first checks whether a debugger is attached, then checks language and localization settings to work out where it is geographically. To deploy, Buer runs a PowerShell command that bypasses the execution policy so that it does not trigger any warnings, then runs further PowerShell commands to get itself added to Windows Defender’s exclusion list. The loader then phones home, which gives us a chance to catch the initial C2 traffic. Buer is nice enough to drop its files into C:\ProgramData\directory-, where the directory name varies with each deployment.
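The three host-side behaviours just described (an execution-policy bypass, a Defender exclusion being added, and execution out of a fresh C:\ProgramData subdirectory) are each detectable from process-creation telemetry. The following is an added example, not Datashield's code or any detection content from the alert; the event records are constructed for illustration, the host names, paths and directory name "xk3ad" are invented, and the field names are modelled loosely on Sysmon process-creation events rather than taken from any specific product.

```python
import re
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class ProcessEvent:
    ts: str
    host: str
    image: str           # executable that started
    command_line: str
    parent_image: str    # executable that started it


# Constructed sample events (not real telemetry). Host WS-042 shows the loader
# sequence from the article; WS-017 shows ordinary administrative activity.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("2020-10-28T14:01:05Z", "WS-042",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\xk3ad\run.ps1",
                 r"C:\ProgramData\xk3ad\loader.exe"),
    ProcessEvent("2020-10-28T14:01:07Z", "WS-042",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData\xk3ad"',
                 r"C:\ProgramData\xk3ad\loader.exe"),
    ProcessEvent("2020-10-28T14:03:11Z", "WS-017",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent("2020-10-28T14:05:40Z", "WS-017",
                 r"C:\Program Files\Vendor\agent.exe",
                 r'"C:\Program Files\Vendor\agent.exe" /service',
                 r"C:\Windows\System32\services.exe"),
]

# Command-line rules. "-ep" is PowerShell's accepted short form of -ExecutionPolicy.
RULES = {
    "ps_execution_policy_bypass": re.compile(r"(?i)(?:-|/)(?:ExecutionPolicy|ep)\s+bypass"),
    "defender_exclusion_added": re.compile(r"(?i)Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)"),
}
# An .exe sitting directly in a single subdirectory of C:\ProgramData, as Buer's drop location does.
PROGRAMDATA_EXEC = re.compile(r"(?i)^C:\\ProgramData\\[^\\]+\\[^\\]+\.exe$")


def evaluate(events: List[ProcessEvent]) -> List[Dict]:
    """Return one finding per event that trips at least one rule, with the rule names."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev.command_line)]
        if PROGRAMDATA_EXEC.match(ev.image) or PROGRAMDATA_EXEC.match(ev.parent_image):
            hits.append("exec_from_programdata_subdir")
        if hits:
            findings.append({"ts": ev.ts, "host": ev.host, "rules": hits})
    return findings


def hosts_with_chain(findings: List[Dict],
                     required=("ps_execution_policy_bypass", "defender_exclusion_added")) -> List[str]:
    """Hosts on which every rule in `required` fired: the loader's whole pre-C2 sequence,
    which is a far stronger signal than any single hit (admins do use -ep bypass)."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).update(f["rules"])
    return sorted(h for h, rules in by_host.items() if set(required) <= rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f["ts"], f["host"], ", ".join(f["rules"]))
    print("hosts showing the full loader sequence:", hosts_with_chain(found))
```

The point of hosts_with_chain is that the individual rules are noisy on their own; correlating them per host in a short window is what separates the loader from an administrator's script.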

The infection will then want to establish persistence, which is usually done with a scheduled task on the infected host. This is hard to detect, given that scheduled tasks are normal procedure and there is generally no reliable way to differentiate malicious scheduled tasks from ordinary Windows tasks.

Next, discovery, lateral movement, and privilege escalation become the focus as the malware gets into a good position to deploy the ransomware and cripple the target. This traversal and enumeration of hosts within a network is noisy, and it is one of the best phases we have for detection. Tools like Cobalt Strike and Bloodhound (Sharphound) are often used for this process and are normally never found on a network outside of penetration-testing devices. Behaviour-based anomalies such as share enumeration, AD enumeration, and system enumeration are all indicators that network discovery is taking place. Cobalt Strike BEACON has been observed running multiple exploitation tools via PowerShell for network reconnaissance in associated network intrusions, such as AllChecks, FileFinder, EternalBlue, Kerberoast, mimikittenz, Sharefinder, UserHunter, etc.
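Share enumeration is the most tractable of the discovery signals named above, because a single source reaching the IPC$ or admin shares of many hosts in a few minutes looks nothing like routine file-share use. The following is an added example of that detection, not Datashield's code or tooling; the records are constructed (fields modelled on Windows Security Event ID 5145, which is logged per share access and carries the source address, account and share name), and the IP addresses, account and host names are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed share-access events: (timestamp, source IP, account, target host, share).
# Fields follow Windows Security Event ID 5145; the values are invented.
SAMPLE_5145 = [
    # One workstation touching six different hosts' IPC$ inside 20 seconds: the enumeration pattern
    ("2020-10-28T14:10:00Z", "10.1.5.23", "CORP\\jdoe", "SRV-01", r"\\*\IPC$"),
    ("2020-10-28T14:10:03Z", "10.1.5.23", "CORP\\jdoe", "SRV-02", r"\\*\IPC$"),
    ("2020-10-28T14:10:06Z", "10.1.5.23", "CORP\\jdoe", "SRV-03", r"\\*\IPC$"),
    ("2020-10-28T14:10:09Z", "10.1.5.23", "CORP\\jdoe", "SRV-04", r"\\*\IPC$"),
    ("2020-10-28T14:10:12Z", "10.1.5.23", "CORP\\jdoe", "SRV-05", r"\\*\IPC$"),
    ("2020-10-28T14:10:15Z", "10.1.5.23", "CORP\\jdoe", "SRV-06", r"\\*\IPC$"),
    # A backup server hitting the same file share every five minutes: normal
    ("2020-10-28T14:00:00Z", "10.1.9.8", "CORP\\svc-backup", "FS-01", r"\\*\Backups"),
    ("2020-10-28T14:05:00Z", "10.1.9.8", "CORP\\svc-backup", "FS-01", r"\\*\Backups"),
    ("2020-10-28T14:10:00Z", "10.1.9.8", "CORP\\svc-backup", "FS-01", r"\\*\Backups"),
    ("2020-10-28T14:15:00Z", "10.1.9.8", "CORP\\svc-backup", "FS-01", r"\\*\Backups"),
    # An admin opening two servers' C$ half an hour apart: below the threshold
    ("2020-10-28T14:02:00Z", "10.1.5.40", "CORP\\admin1", "SRV-01", r"\\*\C$"),
    ("2020-10-28T14:31:00Z", "10.1.5.40", "CORP\\admin1", "SRV-02", r"\\*\C$"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_share_enumeration(events, window=timedelta(minutes=5), min_hosts=5):
    """Flag every source IP that reached at least `min_hosts` distinct hosts' shares within
    one sliding `window`. Returns {source_ip: {"first": ts, "hosts": [...], "accounts": [...]}}
    describing the widest window seen. `min_hosts` is the tuning knob: set it above what
    backup, monitoring and admin tooling legitimately do in the environment."""
    by_src = defaultdict(list)
    for ts, src, account, host, share in events:
        by_src[src].append((parse_ts(ts), host, share, account))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until it is within `window` of the newest event
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            hosts = {r[1] for r in in_window}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(src, {}).get("hosts", [])):
                alerts[src] = {
                    "first": rows[start][0].isoformat(),
                    "hosts": sorted(hosts),
                    "accounts": sorted({r[3] for r in in_window}),
                }
    return alerts


if __name__ == "__main__":
    for src, a in detect_share_enumeration(SAMPLE_5145).items():
        print(f"{src} reached {len(a['hosts'])} hosts from {a['first']} as {a['accounts']}")
```

The same sliding-window count works for AD enumeration if the input is swapped for LDAP query logs keyed by source, which is why the window and threshold are parameters rather than constants.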

From the attacker’s perspective, all this reconnaissance has hopefully led them to credentials and privilege escalation by this point, so that they can move through the network laterally. Every system will be unique, but this is where internal controls, regular Active Directory GPO and permission audits, and hardened credentials will slow the attackers down, providing more opportunities for detection.

With the network enumerated and access gained to the targeted systems, the attackers will try to disable anything on those systems that might disrupt their ransomware deployment. Visibility into critical processes being disabled is vital for detection during the evasion phase. For UNC1878, GMER has been observed as the most commonly used tool for attempting to disable endpoint detection and response (EDR) applications. GMER was originally a rootkit-detection tool; it gives the attacker visibility into drivers, libraries, registry entries, and file functions.

Finally, the attackers attempt to deploy the ransomware across the network. The ransomware itself is best detected and remediated by endpoint solutions, because those are the systems that actually have visibility into this phase of the attack. Process injection, process hollowing, and process doppelganging are all common methods malware authors use to evade detection and execute the ransomware code in memory. When investigating these methods, consistent Windows API calls such as VirtualAllocEx, VirtualAllocExNuma and CreateRemoteThread are seen, used to prepare the relevant memory and achieve code execution. Detecting these calls can be one of the final indications of ransomware we get before the machine is encrypted. This is also a central point of deployment across a wide variety of malware droppers commonly used in Ryuk infections, since it is a preferred and very common technique among sophisticated actors. After infection, the actual .ryuk files may become visible to endpoint solutions, and then it is a race against time to isolate the machine and figure out how much more of the network is compromised.
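Individually, the API calls named above are used by legitimate software all the time; what an endpoint detection keys on is the ordered cross-process chain (allocate in another process, write into it, start a thread there) completing within a short time. The following is an added example of that correlation logic, not Datashield's code or any vendor's detection; the API-call trace is constructed in the shape an EDR hook might emit, the PIDs, paths and directory name are invented, and WriteProcessMemory is included as the usual middle step of the chain even though the article lists only the allocation and thread-creation calls.

```python
ALLOC_APIS = {"VirtualAllocEx", "VirtualAllocExNuma"}
# Stages of the classic remote-injection chain, in the order they must occur.
STAGES = ("alloc", "WriteProcessMemory", "CreateRemoteThread")

# Constructed API-call trace: (timestamp_seconds, caller_pid, caller_image, api, target_pid).
# Not real telemetry; the values are invented.
SAMPLE_TRACE = [
    (100.0, 4120, r"C:\ProgramData\xk3ad\loader.exe", "OpenProcess",        988),
    (100.1, 4120, r"C:\ProgramData\xk3ad\loader.exe", "VirtualAllocExNuma", 988),
    (100.2, 4120, r"C:\ProgramData\xk3ad\loader.exe", "WriteProcessMemory", 988),
    (100.3, 4120, r"C:\ProgramData\xk3ad\loader.exe", "CreateRemoteThread", 988),
    # A process allocating in its own address space: not cross-process, ignored
    (101.0, 2200, r"C:\Program Files\Vendor\agent.exe", "VirtualAllocEx", 2200),
    # Two cross-process calls 48 s apart with no write between them: incomplete chain, no alert
    (102.0, 3300, r"C:\Windows\System32\svchost.exe", "VirtualAllocEx",     3310),
    (150.0, 3300, r"C:\Windows\System32\svchost.exe", "CreateRemoteThread", 3310),
]


def detect_remote_injection(trace, window=5.0):
    """Raise one alert per (caller, target) pair that completes the alloc -> write -> thread
    chain, in order, within `window` seconds of its first allocation. Calls a process makes
    on itself are ignored, since allocating in your own address space is normal."""
    progress = {}   # (caller_pid, target_pid) -> (stage_index, first_ts, apis_seen)
    alerts = []
    for ts, pid, image, api, target in sorted(trace):
        if target == pid:
            continue
        key = (pid, target)
        stage, first, seen = progress.get(key, (0, None, []))
        if first is not None and ts - first > window:
            stage, first, seen = 0, None, []          # chain went stale, start over
        expected = STAGES[stage]
        matched = (api in ALLOC_APIS) if expected == "alloc" else (api == expected)
        if not matched:
            continue
        stage, seen = stage + 1, seen + [api]
        first = ts if first is None else first
        if stage == len(STAGES):
            alerts.append({"ts": ts, "caller_pid": pid, "caller_image": image,
                           "target_pid": target, "apis": seen})
            progress.pop(key, None)
        else:
            progress[key] = (stage, first, seen)
    return alerts


if __name__ == "__main__":
    for a in detect_remote_injection(SAMPLE_TRACE):
        print(f"{a['caller_image']} (pid {a['caller_pid']}) -> pid {a['target_pid']}: "
              f"{' -> '.join(a['apis'])} at t={a['ts']}")
```

Keying the state on the (caller, target) pair is what keeps this precise: an allocation into one process and a thread created in another never combine into an alert, and the window prevents a stale allocation from pairing with an unrelated thread creation much later.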

At this point, IOCs like domains and IPs are easy for attackers to change, so while they are still worth detecting and investigating, behaviour-based detections do not have the same expiration date. Some of the tactics discussed above, especially in the internal discovery phase, are clear indicators that something is amiss in the network. It is important to have multiple detections across multiple phases of the attack because of constant visibility challenges: email monitoring for the initial infection phase, network monitoring for the discovery and lateral movement phases, and endpoint monitoring for the actual deployment of the ransomware.

In conclusion, UNC1878 deploys ransomware in a highly sophisticated way, but many of the infection tactics it uses are well documented and can be mitigated by proper security measures and defense in depth.

If your organization is looking for guidance on UNC1878 or any other foreign threat protection and detection, Datashield is offering a free consultation with one of our security engineers.


Evelyn Brown
Brown is a Threat Content Developer with Datashield, an ADT Company.
