Introduction
There are a LOT of different ransomware families. With the constant flood of new types, variants, rebranding, and updates, it’s hard to know where best to focus, but Stroz Friedberg Incident Response Services has aligned on the volume of cases as one factor for tracking ransomware families. Currently, the ransomware heavyweights are primarily the Ransomware-as-a-Service (RaaS) families such as REvil, Maze, and Netwalker. However, we recently worked several cases involving Defray ransomware, which doesn’t get as much time in the spotlight.
So, why should you care about Defray ransomware? One word… Sophistication.
Based on what we know right now, Defray (sometimes also referred to as “RansomExx”) is not sold or used by multiple actors like the aforementioned RaaS families. The Defray ransomware actor uses tools and techniques that allow for faster time-to-deployment of encryption across an environment, often giving victims only hours before their entire network is encrypted. The threat actor’s toolkit and Defray itself provide very limited surface area for detection by traditional defenses — such as anti-virus — and cover their tracks through a number of anti-forensic techniques.
All Incidents Start with an Entry Point
In recent cases, we have observed the Defray actor favoring phishing as the technique of choice for gaining initial access to a victim environment. The malicious emails we have reviewed include an attached encrypted ZIP archive with the associated password in the body of the email. The encrypted archive contains a malicious Microsoft Office document, which downloads the next stage of malware.
Figure 1: Simple email body coming from legitimate, compromised email accounts.
Encrypted ZIP archives are an effective way to bypass AV detection engines embedded in mail gateways, since the contents can’t be inspected. However, attackers don’t implement this technique very often. While it is effective at bypassing mail gateway AV detection, we suspect the extra time and effort required to decrypt the ZIP archive makes it less likely that the intended victims will follow through with opening the malicious document.
Figure 2: Malicious Office documents still need to convince the user to “enable content” for malicious macros to execute.
When the malicious Office document is opened, it automatically downloads IcedID. While often eclipsed by Emotet and Trickbot in terms of news coverage, IcedID is sophisticated malware that’s also typically referred to as a “Banking Trojan” and seen as an initial entry point in ransomware cases. IcedID’s most distinguishing feature is its use of steganography, which it can use to hide its primary payload, modules, and configuration inside of pictures.
Figure 3: This picture could contain malware.
The primary IcedID payload is downloaded over HTTP from a URL that ends with “.cab” (common for IcedID). In this particular campaign, the response contained the IcedID DLL, which was saved to the infected user’s temporary directory (%TEMP%) and then executed by the Office document using `regsvr32.exe /s`. Shortly after execution, IcedID retrieves its configuration file (hidden in an image file with steganography, of course) and establishes persistence using Windows Scheduled Tasks.
While we did trace back all recent Defray incidents to an IcedID infection and a similar phishing document, we currently don’t believe that the phishing emails were actually sent by the Defray actor. Several sources have tracked this campaign to a specific threat group identified in open-source intelligence as TA551 or Shathak (especially if you’re a fan of H. P. Lovecraft). TA551 has been very successful in delivering payloads across multiple campaigns, which have included IcedID, Ursnif, and Valak. It’s possible the Defray actor is working with TA551, either buying access to specific victims or renting out TA551’s services.
Bring a Gun to a Knife Fight
After gaining access, the Defray actor wastes no time in scoping out the victims’ environment. There are a few tools and techniques that we have observed to be core to the Defray actor’s toolkit:
Cobalt Strike – While IcedID serves as the initial foothold, the Defray actor quickly pivots to Cobalt Strike as their post-exploitation framework of choice. This is hardly unique as it is difficult to find a more stable and effective platform for launching an attack. During the reconnaissance stage, the attacker remains stealthy – using PowerShell and WMI to spread to specific machines without anything written to registry or disk. In rare cases, we have observed the use of WMI Persistence, which is still an uncommon tactic despite being a built-in feature of Cobalt Strike. During the actual ransomware deployment phase, all bets are off, as the encrypted Cobalt Strike payload is written to disk.
LaZagne – LaZagne is our actor’s preferred tool for obtaining credentials. LaZagne has all the features people know and love from Mimikatz, but also includes searches for other easy-to-obtain credentials from web browsers, chat programs, database clients, code repositories, and password managers, all in one convenient package.
BloodHound – Like the other tools here, BloodHound is another tool built for penetration testing but commonly used for evil. The collector portion, SharpHound, is very effective at enumerating a victim network, collecting systems, users, groups, and permissions inside a domain. The output of SharpHound is written to disk, but the Defray actor uses a switch that encrypts the output with a randomly generated password. When the collected data is fed into BloodHound, it provides the attacker with a detailed map of the network and a path to the fastest way to obtain Domain Administrator credentials.
Technique: Search Order Hijacking – All of the above tools were executed using Search Order Hijacking. Search Order Hijacking is still very commonly used by attackers to help prevent detection of malicious payloads by anti-virus software. In our recent cases, the Defray actor used Rainmeter, a popular, open-source desktop customization tool, to perform the side-loading. When Rainmeter.exe was executed, it would load a maliciously modified version of “rainmeter.dll,” which decrypts and loads the actual payload from a third file named “options.dat.”
Figure 4: Rainmeter hijacking means one of three things.
In other cases, the Defray actor used LogMeIn and Google Updater for loading their payloads.
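As an added illustration (not code from Stroz Friedberg or from any of the cases above), the following Python check runs over constructed Sysmon Event ID 7 (Image Load) records and flags the side-loading pattern just described: a DLL that is unsigned, or not validly signed, loaded from the same user-writable directory as the executable that loaded it, with the Rainmeter.exe/rainmeter.dll same-name case rated highest. The Sysmon field names are real; the paths, signature values and the PROTECTED_ROOTS list are assumptions for the example.

```python
import ntpath

# Constructed Sysmon Event ID 7 (Image Load) records. Field names follow the
# Sysmon schema; the paths and signature values are invented for this example.
SAMPLE_LOADS = [
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Rainmeter\Rainmeter.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\Rainmeter\Rainmeter.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Rainmeter\Rainmeter.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Rainmeter\Rainmeter.exe",
     "ImageLoaded": r"C:\Program Files\Rainmeter\Rainmeter.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\jdoe\Downloads\tool\helper.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\tool\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Locations that need admin rights to write to; a DLL dropped next to an
# executable there is far less likely than one in a user profile (assumption).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _dir(path):
    return ntpath.dirname(path).lower() + "\\"

def _stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def sideload_severity(ev):
    """None, "medium" or "high" for one Image Load record.
    medium: an unsigned (or not validly signed) DLL loaded from the same
            user-writable directory as the executable loading it.
    high:   the same, and the DLL carries the executable's own name
            (the Rainmeter.exe -> rainmeter.dll pattern)."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if _dir(exe) != _dir(dll):
        return None                      # not co-located with its host
    if _dir(dll).startswith(PROTECTED_ROOTS):
        return None                      # default install location
    if ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid":
        return None                      # validly signed, lower concern
    return "high" if _stem(exe) == _stem(dll) else "medium"

def find_sideloads(events):
    """(severity, host executable, loaded DLL) for every suspicious load."""
    return [(sev, ev["Image"], ev["ImageLoaded"])
            for ev in events for sev in [sideload_severity(ev)] if sev]
```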
Defray, Itself
When it comes time to deploy the ransomware payload, the Defray actor pushes their Cobalt Strike side-loaded payload to all machines and executes it using WMI. Once loaded, Cobalt Strike downloads the Defray ransomware, injects the payload into a new process using Process Hollowing, and executes it. At no point is the ransomware written to disk – everything happens in memory, thanks to Cobalt Strike. The ransomware is packed and protected with Themida, an extremely sophisticated, commercial software protection tool. Themida doesn’t just encrypt or compress a payload; it breaks an executable into individual blocks of code which it decrypts and executes at runtime, making it extremely challenging to analyze. While this makes it difficult to see what happens inside the executable (such as the specifics of the encryption process), we can observe how it interacts with the operating system. And this is when Defray turns it up to 11. Upon execution, Defray:
- Clears the System, Security, Application, and Setup logs
- Disables the Security Event logs
- Disables the System Restore (“SR”) Scheduled Tasks
- Wipes unallocated space for each drive using “cipher /w”
- Truncates the USN Journal using “fsutil” for each drive
- Disables Automatic Startup Repair
- Disables Windows Error Recovery
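As an added example (not code from the write-up or from the Defray cases), the following Python detection correlates the steps listed above across constructed process-creation records (Sysmon Event ID 1 or Windows 4688 with command-line auditing). The write-up names only the `cipher /w` and `fsutil` commands; the wevtutil, schtasks and bcdedit forms used in the rules are assumptions about how the other effects are typically produced, and the host names, timestamps and command lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules for the post-execution steps listed above. The write-up names only the
# cipher /w and fsutil forms; the wevtutil, schtasks and bcdedit commands are
# assumed here as the usual way the other effects are produced.
RULES = [
    ("clear event log", re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("wipe free space", re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I)),
    ("delete USN journal", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("disable SR task", re.compile(r"\bschtasks(\.exe)?\b.*systemrestore\\sr\b.*\s/disable\b", re.I)),
    ("disable error recovery", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("disable startup repair", re.compile(r"\bbcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Constructed process-creation records (Sysmon Event ID 1 / Windows 4688 with
# command-line auditing); hosts, timestamps and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2020-09-01T02:10:05", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "ts": "2020-09-01T02:10:20", "cmdline": "cipher.exe /w:C:\\"},
    {"host": "WS01", "ts": "2020-09-01T02:11:02", "cmdline": "fsutil usn deletejournal /D C:"},
    {"host": "WS01", "ts": "2020-09-01T02:11:30",
     "cmdline": 'schtasks /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /Disable'},
    {"host": "WS01", "ts": "2020-09-01T02:11:31", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS02", "ts": "2020-09-01T09:00:00", "cmdline": "cipher.exe /e D:\\finance"},  # EFS, benign
    {"host": "FS02", "ts": "2020-09-03T14:00:00", "cmdline": "fsutil usn deletejournal /N D:"},  # lone admin
]

def classify(cmdline):
    """Names of the anti-forensic steps matched by one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def flag_hosts(events, window=timedelta(minutes=15), threshold=3):
    """Hosts where at least `threshold` distinct steps fire within `window`.
    One step alone is routine admin work; several within minutes is the
    combination described above and should page the responder."""
    by_host = defaultdict(list)
    for ev in events:
        for name in classify(ev["cmdline"]):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            steps = {name for t, name in hits[i:] if t - t0 <= window}
            if len(steps) >= threshold:
                flagged[host] = sorted(steps)
                break
    return flagged
```

Because Defray performs these steps on every encrypted host, the same correlation across many hosts in a short window is also a strong signal of deployment in progress.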
While the intention of many of these actions is to prevent recovery, reading over this list you can’t help but notice the amount of anti-forensics that Defray brings to bear. It’s not uncommon to see event logs cleared by ransomware actors, most notably by BitPaymer, but the extent of anti-forensics by Defray is impressive. Because these steps are performed on each encrypted system, investigating Defray ransomware cases is incredibly difficult, especially in less mature IT environments with limited security programs and controls, such as the lack of EDR or SIEM/log aggregation.
Early Bird (Typically) Gets the Worm
As mentioned earlier, Defray clears the hurdles of internal reconnaissance and privilege escalation in record time compared with what we see from other ransomware. Based on other ransomware cases we have investigated, the average time between initial compromise and ransomware deployment – referred to as the “incubation period” – is somewhere between 3 and 6 weeks. In contrast, the longest observed incubation period for a Defray case so far was only three days, and the shortest was less than 12 hours. So how does the Defray actor move so quickly?
- We have yet to observe any attempt by the Defray actor to discover or access backups. It appears that their goal is primarily to hit fast and bet on the victim not having reliable backups which is, unfortunately for the victims, still a fairly common scenario.
- Defray doesn’t have a shame website and isn’t making claims of data exfiltration. For other RaaS families, a significant amount of time and effort goes into identifying data sensitive enough to warrant payment. Once again, the Defray actor is betting on payment being forced based on the lack of backups.
- The Defray actor is extremely familiar with the tools in their toolkit and appears to have a comprehensive understanding of the Cobalt Strike framework. We suspect there’s some quality automation occurring behind the scenes.
While we are aware of some Defray incidents where the victim had reliable backups and therefore didn’t pay the ransom, the speed and volume appear to be sufficient for the Defray actor’s target financial goals.
What’s next for Defray
We still expect the RaaS families to continue dominating the scenes for a while, but it’s unlikely that Defray will be going away anytime soon. It will be interesting to see if Defray continues on its current fast-hitting, no-exfiltration trend, or if we’ll see new tooling and automation around data discovery and exfiltration in exchange for some speed sacrifice.
In the meantime, we highly recommend companies create regular backups (and test them periodically to ensure they’re good) and employ a high-quality EDR solution to guard against ransomware like Defray as well as the growing trend of potent, fileless malware.
ATT&CK Mapping
- Initial Access
  - T1566 – Phishing
- Execution
  - T1059.001 – Command and Scripting Interpreter: PowerShell
  - T1047 – Windows Management Instrumentation
- Persistence
  - T1546.003 – Event Triggered Execution: Windows Management Instrumentation Event Subscription
- Defense Evasion
  - T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
- Credential Access
  - T1003.001 – OS Credential Dumping: LSASS Memory
- Lateral Movement
  - T1021.002 – Remote Services: SMB/Windows Admin Shares
  - T1021.006 – Remote Services: Windows Remote Management
- Command and Control
  - T1071.001 – Application Layer Protocol: Web Protocols
- Impact
  - T1486 – Data Encrypted for Impact
Author: Daniel Spicer