SAN FRANCISCO–Like many other forms of intrusion, ransomware attacks are constantly evolving, as defenders get better at detecting and preventing them and attackers are forced to respond and change their techniques. In an effort to stay ahead of defenders, many ransomware groups have begun employing DNS tunneling for communications and data exfiltration in recent years, a technique that can be difficult to detect.
DNS tunneling is not a new technique by any means, and has been used by various forms of malware since the early 2000s at least. The basic idea is simple, but elegant. Rather than using HTTP for C2 communications or data exfiltration, the attacker uses the DNS protocol. There are a few ways to do this, and detecting the technique typically requires defenders to dig through logs and look for anomalous queries or other indicators. It’s attractive for attackers because it’s relatively simple to do and won’t be detected by many security tools. Ransomware actors have adopted it in a big way, often using a feature in the Cobalt Strike framework to send payloads and communications through DNS responses.
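As an added example (not code from the article or from Cisco Umbrella), this is the kind of log-triage heuristic a defender can run over resolver query logs to surface the anomalous queries described above; the log line format, the sample entries and the thresholds are assumptions to tune against real data.

```python
# Added example (not from the article or Cisco Umbrella): heuristic DNS-tunnel
# triage over resolver query logs. Log format and thresholds are assumptions.
import math
from collections import Counter, defaultdict

# Constructed sample log, "<client> <qtype> <qname>" per line. c2-example.net
# mimics a tunnel: long high-entropy labels (data out), mostly TXT lookups (data in).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA www.example.com
10.0.0.9 TXT 3a9f1c7e4b2d8605e6c4a208f1b3d597.c2-example.net
10.0.0.9 A e6c4a208f1b3d5973a9f1c7e4b2d8605.c2-example.net
10.0.0.9 TXT b4e8c2a6d0f391755d1b7f9a3e02c846.c2-example.net
10.0.0.9 TXT 5d1b7f9a3e02c846b4e8c2a6d0f39175.c2-example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: hostnames score ~2-3, hex/base32 data near 4+."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname: str) -> str:
    """Crude registered-domain guess (last two labels); no public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_log(log: str, min_queries=3, min_entropy=3.5, min_label=30):
    """Return {base_domain: [reasons]} for domains showing tunnel traits."""
    stats = defaultdict(lambda: {"n": 0, "bulky": 0, "ent": 0.0, "label": 0})
    for line in log.splitlines():
        _client, qtype, qname = line.split()
        base = base_domain(qname)
        sub = qname[: -len(base) - 1] if qname.endswith("." + base) else ""
        s = stats[base]
        s["n"] += 1
        s["bulky"] += qtype in ("TXT", "NULL")  # record types with room for data
        s["ent"] += shannon_entropy(sub)
        s["label"] = max(s["label"], *(len(p) for p in sub.split(".")))
    flagged = {}
    for base, s in stats.items():
        if s["n"] < min_queries:  # too few queries to judge
            continue
        reasons = [text for hit, text in (
            (s["ent"] / s["n"] >= min_entropy, "high-entropy subdomains"),
            (s["label"] >= min_label, "very long subdomain label"),
            (s["bulky"] / s["n"] > 0.5, "mostly TXT/NULL queries")) if hit]
        if len(reasons) >= 2:  # require two signals to limit false positives
            flagged[base] = reasons
    return flagged
```

Requiring two independent signals per base domain keeps ordinary CDN and mail hostnames out of the alert queue; the query volume and record-type ratio per client are the next fields to add when real logs are available.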
“DNS tunneling is very common in ransomware attacks now,” said Artsiom Holub, a senior research analyst at Cisco Umbrella, during a talk at the RSA Conference here Thursday.
“Ransomware has evolved greatly since we first identified it years ago. Today it’s very complicated and includes multiple stages and cybercrime groups focused on initial access, creating loaders, building profiles of affected networks, and deploying the ransomware. Disrupting the flow of this kill chain can stop it or detect it early, and if you know more, you can do more.”
Ransomware infections, which began as mostly a nuisance in the early days, can now pose an existential threat to organizations, depending on the depth of the intrusion and the victim’s resources. Add in the potential for data theft and extortion, which many ransomware groups now employ, and any ransomware intrusion can quickly turn into a serious issue. Ransomware attackers also have sped up the timelines of their attacks in the last few months, sometimes going from initial network access to ransomware deployment in a matter of hours. Finding early indicators of an intrusion can make the difference between a small compromise and a massive, network-wide one.
“Considering the trends observed through the analysis of ransomware attack timelines, X-Force maintains that ransomware attacks will continue to increase in speed and efficiency throughout 2022,” said John Dwyer, head of research with IBM Security X-Force, last week. “X-Force recommends organizations properly invest in protection, detection, and response efforts to effectively combat the increasing speed of the attack lifecycle.”
Because Cobalt Strike has become so popular with ransomware actors, looking for indicators of its presence can be a good starting point. Holub said that in the last few years, the vast majority of the ransomware incidents he’s seen have used Cobalt Strike in some way.
“Malicious actors are lazy too sometimes, and they don’t want to create a new set of tools for each attack, so they reuse off-the-shelf tools,” he said.
“Domain and the DNS system is also being used as a covert channel for exfiltration, communications, and beaconing, and if you can’t detect this, your risks are significantly higher. DNS is ancient, but it’s what the Internet is built on and it’s not going away anytime soon.”