Title: Analyzing the Money Message Ransomware Attack: A Comprehensive Report
Introduction:
In August 2023, the Sophos X-Ops Incident Response team was called upon to assist an organization in Australia that had fallen victim to the Money Message ransomware. This ransomware is notable for its stealthy behaviour: it does not append a file extension to the data it encrypts, so victims cannot identify affected files by name alone. In this article, we walk through the attack flow, showing how the threat actors deployed the Money Message ransomware, and discuss countermeasures against each stage of the MITRE ATT&CK chain.
Attack Flow Details:
Initial Access:
The threat actor initially gains access to the victim's network through a VPN that uses single-factor authentication. To prevent unauthorized access, organizations should require multifactor authentication (MFA) for VPN connections and continuously monitor VPN logs for suspicious login attempts or anomalies.
Defense Evasion:
The threat actor uses a Group Policy Object (GPO) to disable Windows Defender's real-time protection. Organizations can strengthen their defense against this technique by deploying security agents with robust tamper protection and by monitoring for any activity that disables or reconfigures security tools.
Lateral Movement:
The attacker uses PsExec and Remote Desktop Protocol (RDP) to move laterally across the network. Securing RDP access is crucial: organizations should restrict RDP to the accounts that need it, route administrative access through a centralized jump server protected by MFA, and promptly investigate any anomalous RDP connections.
Credential Access:
The threat actor uses secretsdump.py to retrieve the SAM registry hive, which stores local account password hashes. Organizations must prioritize safeguarding credentials by enforcing strong access controls, deploying robust endpoint detection and response (EDR) solutions, and monitoring for unauthorized attempts to read, save, or copy the SAM hive and other credential stores.
Collection:
The compromised account is used to access sensitive folders such as Finance, Payroll, SalesReport, and HR. Enforcing least-privilege access, applying granular controls on data export, and evaluating Data Loss Prevention (DLP) solutions can help prevent data theft.
Exfiltration:
The threat actor uses MEGAsync to exfiltrate the collected data. Organizations should strengthen data loss prevention measures, analyse outbound traffic for large or unusual transfers, and monitor for MEGAsync execution and connections to MEGA services so that suspicious transfers can be detected and blocked.
Impact:
The Money Message ransomware encrypts data in both Windows and Linux environments; the Windows version is detected by Sophos as Troj/Ransom-GWD. Organizations should ensure that every system is covered by a properly configured Extended Detection and Response (XDR) solution and that CryptoGuard policies are enabled to block ransomware encryption behaviour.
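The monitoring recommendations above (Defender real-time protection disabled, PsExec execution, SAM hive access, MEGAsync and MEGA traffic) can be expressed as simple triage rules. The following script is an added example, not part of the Sophos report: it runs those rules over constructed sample events in an assumed "source|key=value" format and groups the hits by attack stage.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the Sophos report), in an assumed flat
# "source|key=value|key=value" form such as a SIEM normaliser might emit.
SAMPLE_LOGS = [
    "defender|event_id=5001|msg=Real-time protection is disabled",
    "registry|path=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring|value=1",
    "process|image=C:\\Tools\\PsExec.exe|cmdline=psexec \\\\FS01 -s cmd",
    "process|image=C:\\Windows\\System32\\reg.exe|cmdline=reg save HKLM\\SAM C:\\Temp\\sam.hiv",
    "process|image=C:\\Users\\a\\AppData\\Local\\MEGAsync\\MEGAsync.exe|cmdline=MEGAsync.exe",
    "proxy|dst=g.api.mega.co.nz|bytes_out=734003200",
    "process|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe",
]

MEGA_HOST = re.compile(r"(^|\.)mega\.(co\.)?nz$")          # MEGA service domains
SAM_DUMP = re.compile(r"secretsdump|\bsave\s+HKLM\\SAM\b", re.I)  # SAM hive access

def parse(line):
    """Split 'source|k=v|k=v' into (source, {k: v}); values may contain spaces."""
    source, _, rest = line.partition("|")
    return source, dict(kv.split("=", 1) for kv in rest.split("|"))

def image_name(fields):
    """Lower-cased file name of the process image, without its directory."""
    return fields.get("image", "").rsplit("\\", 1)[-1].lower()

# One predicate per stage of the attack chain described in the article.
# Defender event 5001 is "Real-time protection is disabled".
RULES = [
    ("Defense Evasion", lambda s, f: s == "defender" and f.get("event_id") == "5001"),
    ("Defense Evasion", lambda s, f: s == "registry"
        and f.get("path", "").endswith("DisableRealtimeMonitoring") and f.get("value") == "1"),
    ("Lateral Movement", lambda s, f: s == "process"
        and image_name(f) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}),
    ("Credential Access", lambda s, f: s == "process" and bool(SAM_DUMP.search(f.get("cmdline", "")))),
    ("Exfiltration", lambda s, f: s == "process" and image_name(f) == "megasync.exe"),
    ("Exfiltration", lambda s, f: s == "proxy" and bool(MEGA_HOST.search(f.get("dst", "")))
        and int(f.get("bytes_out", 0)) > 100 * 1024 * 1024),   # assumed 100 MiB threshold
]

def triage(lines):
    """Return {stage: [matching log lines]} for every line that trips a rule."""
    hits = defaultdict(list)
    for line in lines:
        source, fields = parse(line)
        for stage, matches in RULES:
            if matches(source, fields):
                hits[stage].append(line)
    return dict(hits)

if __name__ == "__main__":
    for stage, lines in triage(SAMPLE_LOGS).items():
        print(f"[{stage}] {len(lines)} event(s)")
        for line in lines:
            print("   ", line)
```

In a real deployment the rules would be fed by Defender operational, Sysmon or EDR process-creation, registry and proxy telemetry rather than the hard-coded sample list.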
Conclusion:
The Money Message ransomware attack follows a typical MITRE ATT&CK chain. Effective defensive measures at each stage, such as MFA for VPN connections, robust tamper protection, secured RDP access, strong credential access controls, and vigilant data loss prevention, can significantly reduce the impact of such attacks.
Key Points:
1. Money Message ransomware utilizes stealthy techniques, making it challenging for victims to identify encrypted files.
2. Implementing multifactor authentication for VPN connections is crucial to enhance security.
3. Robust tamper protection and continuous monitoring of security tool activity are necessary to counter defense evasion techniques.
4. Securing RDP access through role-based restrictions and a centralized jump server with MFA is crucial.
5. Safeguarding sensitive credentials, implementing least-privilege access, and evaluating DLP solutions are vital to prevent data theft.
6. Enhancing data loss prevention measures and closely monitoring data transfer activities can mitigate exfiltration attempts.
7. Full coverage with a properly configured XDR solution and CryptoGuard policies are essential to protect against ransomware attacks.