6 Steps Threat Profilers Can Follow to Uncover Ransomware (and Other Nefarious Activity)
Ransomware attacks have dominated headlines in recent years, as attackers take aim at an increasing variety of targets, from school districts to critical infrastructure networks. Ransomware accounted for 25% of all breaches in 2022, according to the Verizon Data Breach Investigations Report, and in early 2022, CISA reported that it had observed incidents of ransomware in 14 of the 16 critical infrastructure sectors.
The ability for both commercial and federal organizations to detect this kind of nefarious activity on hosts before bad actors take action has become paramount. But being able to proactively suss out evidence of ransomware or any other potential criminal activity is about more than just finding something that seems suspicious – it’s being able to determine with reasonable confidence that what’s been found is actually nefarious. And that’s where threat profiling comes into play. Effective threat profiling requires arriving at answers that are both critically understood and actionable. Because even though activity may look unusual, it doesn’t necessarily mean that a crime will take place.
That’s why profiling potential threats must be based upon concrete observations that are backed by accurate data.
Our Threat Profiling Expedition into Russian Ransomware
Here at Censys, we recently embarked on a threat profiling expedition of our own using the Censys Search tool, powered by our leading internet data set. Access to this data, which provides a comprehensive view of the internet and is continuously refreshed, enabled us to not only identify suspicious activity, but to conclude with reasonable confidence that it was in fact nefarious.
As a result of our threat profiling, we were able to determine that multiple hosts in the U.S. not only demonstrated evidence of Russian ransomware, but were intended for criminal activity. In a relatively short period of time, we arrived at significant findings that we could back up with observable data.
From this profiling expedition and others like it, we’ve identified patterns – or plays, if you will – that threat profilers looking for any type of nefarious activity can run on a tool like Censys Search. We’ve compiled these plays into our new Threat Profiler’s Playbook: 6 Steps to Uncovering Ransomware (and Other Nefarious Activity), which you can download for free here.
Let’s talk about the first three plays.
1. Choosing the Right Search Filter
Where do you want to begin proactively looking for threats to profile? That’s the first question you’ll need to address when jumping into an internet data set. In our ransomware expedition, we knew that we wanted to begin with location – specifically, Russia. However, you may want to narrow down your search by other attributes like operating system, host DNS, or software. The Censys Search tool allows you to filter by a variety of attributes, shown below.
[Figure: Censys Search filter attributes, including Host Operating System and Host Autonomous System]
By searching [location.country=`russia`] on search.censys.io, we saw that there were over 4.7 million hosts located in the country.
2. Following Unusual Host Attributes
Searching through 4.7 million hosts to identify evidence of suspicious activity would be like trying to find a needle in a haystack. That’s why we next used the “Reports” function in Censys Search to examine a second layer of host attributes. In our case, we felt that running a report based on specific software types that we knew could be used for nefarious purposes when in the wrong hands – the pentest tool Metasploit, specifically – would help get us closer to the presence of potential threats. We found that 10 of the 4.7 million hosts contained Metasploit.
Metasploit in and of itself is by no means a smoking gun. It’s essentially the software version of a lock picking kit, and its presence doesn’t necessarily mean a lock has been picked. But identifying Metasploit on these 10 hosts gave the research team a place to pivot: with a seemingly growing number of threat actors using open source penetration testing tools like Metasploit, hosts running it were worth investigating further.
We continued looking at the data of these hosts, specifically their TLS and Protocols data, and discovered that two of the hosts also contained a Deimos C2 tool. Deimos C2 is a command and control tool, which pen testers use to make their jobs easier by allowing them to automate commands to hosts they’ve compromised. Presence of C2 tools could indicate that a host is, or could be, controlling other hosts, or that the host itself is controlled by a “command” host.
We took this as a sign to keep digging.
3. Going Back in Time with Historical Perspectives
Learning about a host’s current attributes is one thing, but being able to look back at how that host evolved over time can unlock new insights that change the direction of an investigation. Historical data views can allow threat profilers to make connections that would have previously gone unnoticed.
Using our data, we were able to fingerprint the Deimos C2 tool with JARM and pivot to a host in Ohio (“Host D”) with Deimos C2. Leveraging Censys’ history function, we wound back the clock to uncover pss.exe on the host, which is associated with the Karma Ransomware group.
After leveraging Censys’ historical data to locate ransomware executables on Ohio “Host D,” Censys revisited the original Russian “Host A” for other indicators of nefarious activity. Because the data that’s accessible on Censys Search goes back about two years, we were able to take a look back in time at our prime suspect: “Host A.”
A historical view is worth keeping in mind as you conduct your own search, particularly if you’ve uncovered a suspicious host and hit a wall with its current data, want to observe the host as it was at the time of an incident, or want to see how its posture changed over time in order to uncover anomalies or attempts to hide indicators of nefarious activity.
In our case, without pulling the historical view of “Host A” we would have never arrived at our ultimate discovery of ransomware.
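The three plays above form one hunting workflow: narrow by an attribute, run a report on a second attribute and pivot, then fingerprint and wind the clock back. The following is an added example, not Censys code or part of the original post, that models that workflow offline over a handful of constructed host records. The record fields (country, software, jarm, history), the IPs, the dates and the JARM value are all constructed for illustration; the post does not give the Deimos C2 fingerprint, so a labelled placeholder stands in for it. In practice the same steps are run against Censys Search or its API rather than a local list.

```python
"""Offline model of the three threat-profiling plays described above.

Constructed sample records stand in for Censys host data. Field names here
are this example's own, not the Censys schema.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Snapshot:
    observed: str            # ISO date of the scan (constructed)
    software: list[str]      # product names seen on the host's services
    jarm: str | None = None  # TLS JARM fingerprint, if a TLS service was seen


@dataclass
class Host:
    ip: str
    country: str
    history: list[Snapshot]  # oldest first; the last entry is the current view

    @property
    def current(self) -> Snapshot:
        return self.history[-1]


# Constructed placeholder. Real JARM fingerprints are 62 hex characters; the
# post does not reproduce the Deimos C2 value, so none is used here.
DEIMOS_JARM = "constructed-jarm-fingerprint-for-deimos-c2"

# Constructed sample data: three hosts in Russia ("Host A" is the first) and
# two in the U.S., one of which ("Host D") carried pss.exe in an older scan.
HOSTS = [
    Host("192.0.2.10", "Russia", [
        Snapshot("2021-06-01", ["nginx"]),
        Snapshot("2022-03-01", ["Metasploit", "Deimos C2"], DEIMOS_JARM),
    ]),
    Host("192.0.2.11", "Russia", [Snapshot("2022-03-01", ["Metasploit"])]),
    Host("192.0.2.12", "Russia", [Snapshot("2022-03-01", ["OpenSSH"])]),
    Host("198.51.100.7", "United States", [
        Snapshot("2021-09-15", ["pss.exe", "Deimos C2"], DEIMOS_JARM),
        Snapshot("2022-03-01", ["Deimos C2"], DEIMOS_JARM),
    ]),
    Host("198.51.100.8", "United States", [Snapshot("2022-03-01", ["Apache httpd"])]),
]


def play1_filter(hosts: Iterable[Host], country: str) -> list[Host]:
    """Play 1: narrow the data set by a single attribute (here, location)."""
    return [h for h in hosts if h.country.lower() == country.lower()]


def play2_report(hosts: Iterable[Host]) -> Counter:
    """Play 2: the 'Reports' view: how many hosts present each software product."""
    return Counter(product for h in hosts for product in h.current.software)


def play2_pivot(hosts: Iterable[Host], product: str) -> list[Host]:
    """Play 2: keep only the hosts where the interesting product is present."""
    return [h for h in hosts if product in h.current.software]


def play3_jarm_pivot(hosts: Iterable[Host], fingerprint: str) -> list[Host]:
    """Play 3: fingerprint the tool by JARM, then find every host presenting it,
    regardless of the original country filter."""
    return [h for h in hosts if h.current.jarm == fingerprint]


def first_seen(host: Host, indicator: str) -> str | None:
    """Play 3: wind the clock back and return the earliest scan in which an
    indicator appeared, even if the current view no longer shows it."""
    for snap in host.history:
        if indicator in snap.software:
            return snap.observed
    return None


def profile(hosts: list[Host], country: str, product: str,
            fingerprint: str, indicator: str) -> dict:
    """Run the three plays in sequence and return the evidence trail."""
    in_country = play1_filter(hosts, country)
    with_tool = play2_pivot(in_country, product)
    shared_jarm = play3_jarm_pivot(hosts, fingerprint)
    return {
        "hosts_in_country": len(in_country),
        "report": dict(play2_report(in_country)),
        "hosts_with_product": [h.ip for h in with_tool],
        "hosts_sharing_jarm": [h.ip for h in shared_jarm],
        "indicator_first_seen": {h.ip: first_seen(h, indicator) for h in shared_jarm},
    }


if __name__ == "__main__":
    for key, value in profile(HOSTS, "Russia", "Metasploit", DEIMOS_JARM, "pss.exe").items():
        print(f"{key}: {value}")
```

The point the model makes is the one the post makes: the current view of "Host D" shows only the C2 tool, and the ransomware executable surfaces only because `first_seen` walks the older snapshots. Each play also shrinks the candidate set before the next, which is what keeps a 4.7-million-host starting point tractable.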
To learn about all six steps and how we collected even more evidence of Russian ransomware, check out The Threat Profiler’s Playbook.