Section 1 - Crypto - But the Bad Kind

JoJo's Hospital got hit by a ransomware attack just recently; I am tasked with investigating how this happened. The threat actor is a ransomware crew calling itself LockByte; they left a ransom note in the system, in which they gave the Hospital 72 hours to respond to their demand of 2M USD lest they leak all the personal information stolen during the attack. Furthermore, they contacted patients, denouncing the Hospital's cybersecurity stance and demanding a ransom of 10K USD within the next 72 hours; the attackers claim to have information such as Social Security Numbers, health info and health history, and residency addresses. To put it mildly, it's a serious case. The ransomware's encrypted files had the file extension .encrypted.

To get an idea of the scope of the problem, I used these KQL queries:

FileCreationEvents
| where filename endswith ".encrypted"
| count

FileCreationEvents
| where filename endswith ".encrypted"
| summarize count() by hostname

FileCreationEvents
| where filename endswith ".encrypted"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname

In brief, there are 321 distinct employees in JoJo's hospital, each with their own device. Summarizing count by hostnames shows that every single employee--from the CEO to the housekeeping staff--had 20 files encrypted by the ransomware each, for a total of 6420 files encrypted across the hospital network. All files were encrypted at the same time: 2024-06-17 at 14:49:30. The attackers must've left a ransom note some time before, during or after the attack.

FileCreationEvents
| where timestamp between (datetime(2024-06-17 14:40:00.0000) .. datetime(2024-06-17 14:59:30.0000))
| where filename !endswith ".encrypted"

Among the results, I find the ransom note and evidence of data that likely was exfiltrated. This file only exists on the hostname AMFB-MACHINE, username andavis, which belongs to Senior IT Adminitrator Anthony Davis. It's probable that he was "patient zero" in this case; I decide to look what commands were being executed on the day of the ransomware attack.

ProcessEvents
| where hostname == "AMFB-MACHINE"
| where timestamp between (datetime(2024-06-17) .. datetime(2024-06-18))
| where process_commandline !contains "SystemApps"
or process_commandline !contains "WindowsApps"

Note the executables and files:

1. lockbyte_ransomer.exe, which was renamed and copied to the hospital's SharePoint as spread_ransomware.exe
2. patient_data_exporter.exe, which was run to extract current and old, archieved patient data from jojos-hospital-server into discrete .zip files.
3. patient_data_1.zip, patient_data_2.zip and patient_data_3.zip, the mentioned discrete .zip files, which were uploaded via cURL to the attacker-controlled server secure-health-access.com.

The attackers took the precaution of erasing the evidence, but at least patient_data_1.zip remained on Anthony Davis' computer even after the del command was executed. (See [1])

And, obviously, these files came from outside the hospital network.

OutboundNetworkEvents
| where url has_any ("patient_data_exporter.exe", "lockbyte_ransomer.exe", "spread_ransomware.exe")

The same domain pops up again: secure-health-access.com. To investigate it further, I did a lookup against the PassiveDns table.

OutboundNetworkEvents
| where url has_any ("patient_data_exporter.exe", "lockbyte_ransomer.exe", "spread_ransomware.exe")
| project domain = tostring(parse_url(url).Host)
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip

OutboundNetworkEvents
| where url has_any ("patient_data_exporter.exe", "lockbyte_ransomer.exe", "spread_ransomware.exe")
| project domain = tostring(parse_url(url).Host)
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain

There are two attacker-controlled domains: emr-help-net and secure-health-access.com, both of which are associated with the IP addresses 203.0.113.1 and 203.0.113.2. It's a good idea to see if these IP addresses are recorded in any of the hospital network's logs; the query...

search "203.0.113.1" or "203.0.113.2"
| sort by $table, timestamp asc

...shows that these IPs were seen in the tables PassiveDns, AuthenticationEvents and InboundNetworkEvents. First, I'll check InboundNetworkEvents for evidence of reconnaissance.

As seen here, the attackers start with search queries, hoping to find information on the hospital's internals, including weak points in its security stance. However, on 2024-05-20 at 11:47:55 in the morning, they've managed to access sensitive internal folders, such as patients, patient data, health records, the patient database, and so on. 27 days later, starting on 2024-06-17 at 13:12:46 in the afternoon, the attackers start actually exporting the data, including backups, using internal mechanisms.

Note that the exfiltration seen in Anthony Davis' computer started on 2024-06-17 at 14:23:25 in the afternoon, roughly an hour and ten minutes after they started using the patient_data_exporter.exe to gather data for exfiltration.

Moving on to the AuthenticationEvents table:

Anthony Davis' account andavis had its credentials compromised, it was used to log in to the hospital network, and used to steal data and spread the ransomware across the hospital network. It might've also been used during the reconnaissance process to begin with. Now, how were his account credentials compromised to begin with?

Section 2 - Sharks in the Hospital Water

According to fellow investigators, Anthony Davis' credentials were sold on the dark web; it's very likely that LockByte purchased and used them in this manner. A few weeks back, a hospital employee reported seeing a suspicious sponsored search result for the popular chicken restaurant Raising Cane's, which has a location across the street from JoJo's Hospital and is thus very popular among employees. The sponsored result has the url www.rasinkanes.com; the official Raising Cane's webpage is www.raisingcanes.com. This merits further investigation.

OutboundNetworkEvents
| where url has "raisinkanes.com"

This query shows 26 results from 24 distinct employee IP addresses. The url to rasinkanes.com redirects to either of two domains: totally-legit-domain.com or nothing-to-see-here.net Pivoting with a lookup against the Employees table shows us the affected users:

OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct src_ip
| lookup Employees on $left.src_ip == $right.ip_addr
| distinct role, name
| sort by role desc

Crucially, among the people who navigated to this suspicious domain was Senior IT Administrator Anthony Davis.

Investigating the domain with PassiveDns reveals nothing, to my surprise. Hoping to uncover more of the attacker's infrastructure, such as other malicious domains, I pivot:

OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct tostring(parse_url(url).["Query Parameters"].["redirect"])

This confirms the urls redirect to one of two domains. I can use this to check if there are any other malicious domains that redirect to these besides raisinkanes.com, like this:

let redirectDomains =
OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct tostring(parse_url(url).["Query Parameters"].["redirect"]);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) !in (redirectDomains)
| where tostring(parse_url(url).['Query Parameters']) has_any (redirectDomains)
| project ['bad domain'] = tostring(parse_url(url).Host)
| distinct ['bad domain']

Once again, doing a lookup against PassiveDns returns nothing about these domains. Let's go back to checking what, exactly, happens when the users were redirected:

let redirectDomains =
OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct tostring(parse_url(url).["Query Parameters"].["redirect"]);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (redirectDomains)

The users are then directed to download some files. Most worriesome is that at one point a file named advanced-ip-scanner.exe is downloaded, a day after the afflicted users download (and likely open) the malicious files. The IP address that downloaded said executable belongs to Senior IT Administrator Anthony Davis. Using a similar query, we can check exactly what distinct files were downloaded:

let redirectDomains =
OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct tostring(parse_url(url).["Query Parameters"].["redirect"]);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (redirectDomains)
| distinct tostring(parse_path(
    tostring(parse_url(url).Path)
    ).Filename)

It's likely that these documents (Raisin_Kane_Promo_Offer.docx and Raisin_Kane_Free_Meal_Voucher.pdf) dropped something once the affected users opened them.

let redirectDomains =
OutboundNetworkEvents
| where url has "raisinkanes.com"
| distinct tostring(parse_url(url).["Query Parameters"].["redirect"]);
let bad_files =
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (redirectDomains)
| distinct tostring(parse_path(
    tostring(parse_url(url).Path)
    ).Filename);
let affected_hosts =
FileCreationEvents
| where filename in (bad_files)
| distinct hostname;
ProcessEvents
| where hostname in (affected_hosts)
| serialize
| extend drop = next(process_commandline)
| where process_commandline has_any (bad_files)
| distinct timestamp, process_commandline, drop

Indeed, once the documents are opened they drop cobaltstrike.exe on the system. And also, on May 16th, "Anthony Davis" executes advanced-ip-scanner.exe.

CobaltStrike is a tool with legitimate uses for red team operations (in a very simplified manner: good guys hacking their own companies to find vulnerabilities before the bad guys do.)

Since this is a paid tool, most uses by adversaries are cracked copies. There exists an open source alternative called Sliver, which will likely become more popular as it grows refined over time.

Another CobaltStrike alternative that has grown in popularity is Brute Ratel, which is also paid proprietary software.

Since Anthony Davis is the Senior IT Administrator and evidently the most interesting target for both ransomware groups, I'll focus on his system.

ProcessEvents
| where username == "andavis"
and timestamp >= datetime(2024-05-14 12:05:44.0000)
and process_commandline !contains "WindowsApps"
and process_commandline !contains "SystemApps"

So it is. After Anthony Davis opens the malicious .docx file, it drops and executes cobaltstrike.exe, connecting to IP address 93.238.22.123 at port 50050. The attacker, now possessing hands-on-keyboard access, runs discovery commands to scope out the system.

• systeminfo: Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards). [Microsoft Learn]
• ipconfig /all: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. [Microsoft Learn]
• netstat -an: [The -a flag] Displays all active TCP connections and the TCP and UDP ports on which the computer is listening. [The -n flag] [d]isplays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names. [Microsoft Learn]
• net user: [...] displays a list of all user accounts for the local computer. [Microsoft Learn]
• net localgroup administrators: Used without additional parameters, **net localgroup <**GroupName> displays a list of users or global groups in a local group. [Microsoft Learn] In this case, it shows all administrator accounts in this device.
• net view: Used without parameters, net view displays a list of computers in your current domain. [Microsoft Learn] In the hospital's case, this likely means all computers on the network.

The attackers then execute advanced-ip-scanner.exe with the /silent switch. Advanced IP Scanner is a legitimate tool which shows all network devices, gives you access to shared folders, provides remote control of computers (via RDP and Radmin), and can even remotely switch computers off. The documentation is here. In this case, the attackers are probably just relying on its LAN-scanning capabilities.

The attackers then proceed to download, compress and exfiltrate the hospital's network diagrams, credential backups (which were saved as a plain text file) off its server, and other important network info (with one command in particular crudely obfuscated by reversing the string.)

While this is the end of the threat actor that stole and sold Anthony Davis' credentials and hospital network information, there are some previously-undiscovered commands run on May 20th, likely LockByte at this point (as May 20th is when the first reconnaissance queries and other suspicious activity beginsm before the ransomware attack itself): besides the usual set of discovery commands, they also use:

• net group "Domain Users": Adds, displays, or modifies global groups in domains. [...] [The <GroupName> parameter] [s]pecifies the name of the group to add, expand, or delete. Specify a group name to view a list of users in a group only. [Microsoft Learn]

And also execute a pair of encoded commands with -Nop -ExecutionPolicy Bypass, which will run said command without alerting or prompting the user in any way. The encoded commands are in base64 and turn out to be the same command, run twice:

1. Invoke-WmiMethod -ComputerName $Server -Class CCM_SoftwareUpdatesManager -Name InstallUpdates - ArgumentList (, $PendingUpdateList) -Namespace root[&ccm&]clientsdk | Out-Null

This seems to be checking what updates are (or aren't) installed in the system, perhaps to look if there are any unpatched vulnerabilities to exploit. The attackers also check network adapter configuration and perform a nslookup against Google. For completion's sake, the table above contains the commands they used to spread the ransomware and exfiltrate patient data, as seen on [2].

And with this, we come to a close: before the ransomware attack, a second threat group succesfully compromised Senior IT Administrator Anthony Davis' devices via a phishing campaign targeting JoJo's Hospital employees, impersonating a local business frequented by hospital employees. This group later sold the hospital's network information and credentials to LockByte, whom used this information to stage a ransomware attack; notably, a case of double-extortion: "pay so your information is decrypted AND the stolen data is not sold/leaked."