
Question regarding ransomware


Lockbits


Hello guys,

We have a case where a server is working normally but one shared resource was encrypted by ransomware. We think it was another computer that was infected, because the server doesn't have encrypted local data. In order to detect which computer was the culprit, we deleted all the network and local user permissions on this shared resource and copied some files. As the data remained intact, we started adding network users one by one in order to see which was the culprit, and so far so good. Our surprise was when we added the local administrator user to the shared resource: the content was encrypted again.

I looked at ESET Log Collector and I can't find anything malicious in this server.

Can you help me?

Thanks.

ESVC_CHL-APP1P_20201109092218.zip efsw_logs.zip
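The one-account-at-a-time approach described in the post works, but the file server can attribute the writes directly. The script below is an added example, not from this thread or from ESET: run on the file server in an elevated PowerShell session, it lists the share permissions, shows which client computers and accounts currently have sessions and open files on the share, lists recently modified files together with their NTFS owner (a file rewritten or recreated by an encrypting process is owned by the account that created it), and switches on share and file-system auditing so that the next write is logged with the client IP address and account (Security log Event IDs 5140 and 4663). The share name and lookback window are placeholders.

```powershell
# Added example (not from this thread): attribute writes on an SMB share to a client and account.
# Run on the file server as an administrator. Share name and lookback window are placeholders.
param(
    [string]$ShareName = 'SharedData',   # placeholder: name of the affected share
    [int]$LookbackMinutes = 60
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Share-level permissions: who still has Change/Full access after the clean-up.
Write-Host "== Share permissions on \\$env:COMPUTERNAME\$ShareName =="
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Live view: connected clients/accounts and the files they hold open under the share.
Write-Host "== Active SMB sessions =="
Get-SmbSession |
    Format-Table ClientComputerName, ClientUserName, NumOpens, SecondsIdle -AutoSize

Write-Host "== Files currently open under $($share.Path) =="
Get-SmbOpenFile |
    Where-Object { $_.Path -like "$($share.Path)*" } |
    Format-Table ClientComputerName, ClientUserName, ShareRelativePath -AutoSize

# 3. Recently changed files and their NTFS owner. A file that was rewritten or recreated
#    by the encrypting process is owned by the account that created it.
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
Write-Host "== Files modified since $since =="
Get-ChildItem -LiteralPath $share.Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 4. Enable auditing so the next write is recorded with client IP and account:
#    5140 = network share object accessed ("File Share" subcategory),
#    4663 = object access on the file system ("File System" subcategory).
auditpol /set /subcategory:"File Share"  /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$acl  = Get-Acl -LiteralPath $share.Path
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $share.Path -AclObject $acl

# 5. Once auditing has been running, summarise 5140 share accesses by client IP and account.
#    Event data is read from the event XML by field name, so no positional indexes are assumed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ShareName'] -like "*\$ShareName") {
            [pscustomobject]@{ Client = $data['IpAddress']; User = $data['SubjectUserName'] }
        }
    } |
    Group-Object Client, User |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

On a domain member the local `auditpol` settings can be overridden by Group Policy, so check the effective policy with `auditpol /get /category:"Object Access"` afterwards; and once the writing client is identified, isolate it from the network before restoring permissions on the share.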


48 minutes ago, Lockbits said:

Our surprise was when we added the local administrator user to the shared resource the content was encrypted again.

Of note:

Quote

Ransomware spreads by leveraging the user’s privileges to infect files that are within scope. If the user only has standard user rights, the only files visible are the ones they may have local or via a network share.

While the scope of this may be large, it can be much worse if the user actually has administrator privileges. Then, potentially every file visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection. This assumes however that the ransomware can execute as a standard user.

The fact of the matter is that most ransomware requires administrator privileges just to launch. Macro-based ransomware is one notable exception in addition to ransomware that leverages vulnerabilities like WannaCry.

https://www.beyondtrust.com/blog/entry/ransomware-5-prevention-strategies

On the shared resource, ensure UAC is set to max. level. Ransomware might be using a "living off the land" hidden admin elevation technique.

Edited by itman
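The "max. level" UAC recommendation corresponds to a handful of registry values under the local security policy key. The script below is an added example, not from this thread or from the poster: it reads those values on a Windows client or server, reports any that differ from the "Always notify" position, and with `-Fix` sets them. It goes one step beyond the slider by also checking that standard users are automatically denied elevation (`ConsentPromptBehaviorUser = 0`), which is a separate policy not controlled by the slider.

```powershell
# Added example (not from this thread): check, and optionally enforce, the UAC registry
# values behind the "Always notify" slider position. Run in an elevated session.
param([switch]$Fix)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values for the top slider position, plus denying elevation to standard users entirely.
$expected = [ordered]@{
    EnableLUA                  = 1   # UAC enabled at all (0 turns it off completely)
    ConsentPromptBehaviorAdmin = 2   # "Always notify": prompt admins even for Windows binaries
    PromptOnSecureDesktop      = 1   # show the prompt on the secure desktop
    ConsentPromptBehaviorUser  = 0   # standard users: automatically deny elevation requests
}

$current = Get-ItemProperty -Path $key
$report  = foreach ($name in $expected.Keys) {
    $actual = $current.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual
        OK       = ($null -ne $actual) -and ($actual -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize | Out-Host

$drift = @($report | Where-Object { -not $_.OK } | Select-Object -ExpandProperty Setting)
if ($drift.Count -eq 0) {
    Write-Host 'UAC is at the maximum setting.'
} elseif ($Fix) {
    foreach ($name in $drift) {
        Set-ItemProperty -Path $key -Name $name -Value $expected[$name] -Type DWord
    }
    Write-Host "Updated: $($drift -join ', '). A reboot is needed for EnableLUA changes to apply."
} else {
    Write-Warning "UAC is not at the maximum setting for: $($drift -join ', '). Re-run with -Fix to enforce."
}
```

In a domain these values are normally pushed by Group Policy ("User Account Control" settings under Security Options), so treat the script as a drift check and put the enforcement in the GPO rather than on individual machines.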

So how could this ransomware run from a standard user account?

Quote

How to run a program that requires admin privileges under standard user?

Earlier we described how to disable a UAC prompt for the certain app using RunAsInvoker parameter. However, this method is not flexible enough. You can also use RunAs with the saved administrator password using the /SAVECRED option (not safe as well). Let’s consider an easier way to force any program to run without administrator privileges (without entering the admin password) and with UAC enabled (Level 4, 3 or 2 of the UAC slider).

http://woshub.com/run-program-without-admin-password-and-bypass-uac-prompt/

BTW - this technique also bypasses UAC max. setting.

Edited by itman


Were you unable to locate the machine where the ransomware was run?

I'd also recommend installing the following critical patches that are missing:
- CVE-2019-1181, CVE-2019-1182, codename "DejaBlue"  (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181)
- CVE-2020-1350, codename "SIGRed"  (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350)
- CVE-2020-1472, codename "Zerologon"  (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472)

Also consider enabling detection of potentially unsafe applications (see https://support.eset.com/kb6795/) as well as password protection and SSL filtering.


15 minutes ago, Marcos said:

CVE-2019-1181, CVE-2019-1182, codename "DejaBlue"  (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181)

Most important, this definitely needs to be patched:

Quote

In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same bug. The vulnerable code exists in both the RDP client and server, making it possible to exploit in either direction.

https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

Edited by itman

Hello guys,

Thank you for the help. The customer is updating to the latest version of EEA and EEI and moving their computers to ECA in order to have maximum visibility. They also know that they need to install the updates ASAP.

