Stopping C2 communications in human-operated ransomware through network protection

Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they’re even started.

For example, one of the most impactful cyberattack trends today is human-operated ransomware attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of ransomware-as-a-service. After the hands-on-keyboard transition, remote C2s are commonly used to control post-exploitation frameworks to initiate reconnaissance, elevate privileges, and move laterally within the network to achieve data exfiltration and mass file encryption.

A human-operated ransomware attack example highlighting C2 usage. The attacker begins with the initial access stage, followed by execution, the initial C2 connection, persistence, a beaconing C2 connection, a post-exploitation C2 connection that continues throughout the attack, leading to lateral movement, and the final impact stage.
Figure 1. Example of C2 usage across the stages of a human-operated ransomware attack

Ransomware has evolved from a pre-programmed commodity threat to a complex threat that’s human-driven, adaptive, and focused on a larger scale. These days, ransomware attacks go beyond encryption and usually involve significant data theft as well to maximize the potential harm to the target, therefore increasing their chances of receiving a higher payout. Attackers engage in double extortion, demanding victims either pay the ransom or stolen confidential information is leaked and encrypted data remains inaccessible. As such, successful ransomware attacks can have lasting, damaging impacts on targets.

As ransomware attacks continue to target various entities, including businesses, governments, critical infrastructure, educational institutions, and healthcare facilities, organizations much be prepared to defend networks against human-operated attacks and other sophisticated threats. Microsoft Defender for Endpoint’s updated network protection enables organizations to protect against these C2-based attacks by blocking any outbound traffic attempting to connect to malicious C2 servers, even if attackers manage to gain initial access to a device. Additionally, network protection is continuously informed by our integrated threat intelligence to identify active C2 infrastructure and uses machine learning models to quickly assess information on domains and IPs.

This blog details how the new C2 blocking capability in Microsoft Defender for Endpoint’s network protection works. We show examples of how network protection functions with other technologies in Microsoft Defender for Endpoint to deliver comprehensive protection against C2-based attacks. Lastly, we discuss how our threat research and use of advanced machine learning models inform network protection to intelligently block ransomware and C2-based attacks before widespread impact.

Network protection detecting C2 activity in various attacks

The following cases of human-operated ransomware attacks from our threat data and investigations show how the new C2 blocking capability in network protection stop attacks and, in some cases, could have prevented attacks much earlier.

Disrupting the ransomware attack chain

In early October 2022, we observed an attack leveraging the Raspberry Robin worm as the initial access vector. Upon launch by the user, the attack attempted to connect to the domain tddshht[.]com via HTTP using msiexec.exe to download a TrueBot payload. As part of these attacks, TrueBot is typically downloaded to a user’s local application data directory where Windows Management Instrumentation (WMI) is used to run the TrueBot DLL using rundll32. In this case, network protection was enabled in the environment and blocked the C2 communication from msiexec.exe to tddshht[.]com, which prevented TrueBot from being downloaded and launched, disrupting the attack.

In similar attacks on organizations originating from Raspberry Robin, we’ve seen TrueBot lead to Cobalt Strike for post-exploitation human-operated ransomware attacks. After launching TrueBot, we observed various follow-on actions, such as reconnaissance, persistence via scheduled tasks, and ransomware deployment.

Raspberry Robin malware launches the Windows Installer service and msiexec.exe sends C2 communications of HTTP, which is blocked by network protection, preventing the attack from progressing. The attack was disrupted before the C2 connected to the domain tddshht[.]com, when TrueBot would be downloaded and launched, followed by dropping a Cobalt Strike beacon that transfers to hands-on-keyboard attack and a Cobalt Strike C2 connection, leading to follow-on activities and ransomware deployment.
Figure 2. Raspberry Robin incident disrupted by network protection  

Stopping ransomware activity before it could wreak havoc

In another ransomware-related case from March 2022, Microsoft researchers discovered a LockBit ransomware attack that was successfully detected and blocked. LockBit is an encryptor payload leveraged by many different operators who specialize in the post-exploitation phase of the attack as part ransomware as a service. In this case, there were multiple security products in different segments of the environment, and we didn’t have visibility of the initial access vector. As the attackers moved laterally within the network, we observed the operator using the Cobalt Strike framework for the post-exploitation stages of the attack, using Remote Desktop Protocol (RDP) with Rclone for data exfiltration, and LockBit at the final encryption stage. The encryption attempt followed the exfiltration stage by just two hours.

Throughout the attack, Microsoft Defender for Endpoint proactively displayed repeated alerts for the targeted customer that an active hands-on-keyboard attacker was active on their network, as well as repeated Cobalt Strike activity alerts and suspicious behaviors. Microsoft Defender Antivirus’s behavior detections repeatedly alerted and blocked Cobalt Strike in addition to fully blocking the attack’s LockBit encryptor payload, preventing impact on the subset of the network that had onboarded to Microsoft Defender for Endpoint.

Prior to this attack, network protection had already flagged the Cobalt Strike C2 domain sikescomposites[.]com as malicious. Had network protection C2 protection been enabled across the organization, then the Cobalt Strike C2 server would have been automatically blocked – further disrupting this attack earlier in the attack chain and potentially preventing or delaying the data exfiltration impact of the attack.

The network protection intelligence on the C2 was sourced two weeks before the attack in February 2022 through expert intelligence from Microsoft Threat Intelligence Center (MSTIC) and also incriminated via Cobalt Strike configuration extraction monitoring. Microsoft Defender for Endpoint could have disrupted this LockBit attack much earlier had network protection been enabled. Moreover, even if the attacker used a different or new payload, network protection would have blocked the attack if it used the same C2 infrastructure. The diagram below illustrates the timeline of events in this ransomware incident.

Two weeks before the attack, Microsoft's threat intelligence research sent intelligence on the C2 domain to network protection. Between Days 1 and 3, the attacker started hands-on-keyboard activity, repeated alerts displayed in Defender for Endpoint and the domain C2 connection was repeatedly observed and flagged by network protection. On Day 4, the attacker performed data exfiltration, Microsoft Defender Antivirus blocked the attacker's encryption payload, and the attacker successfully encrypted one device after restoring LockBit from quarantine.
Figure 3. LockBit ransomware incident timeline

End-to-end protection against C2-based attacks

The range of protection capabilities in Microsoft Defender for Endpoint ensure our customers are provided with synchronous protection, integrated remediation, and actionable alerts against these C2-based attacks. The combination of technologies and features within Defender for Endpoint assures customers that their assets are adequately protected.

Network protection blocks any outbound traffic when an application attempts to connect to known malicious C2 and informs customers of the block.

The Microsoft 365 Defender portal's alerts page displaying two examples of blocked C2 activity via network protection.
Figure 4. Example of blocked C2 activity in the Microsoft 365 Defender portal

Network protection then sends this intelligence to Microsoft Defender Antivirus, which remediates the process against known malware that attempted the C2 connection. Customers are then notified of these actions on the Defender for Endpoint portal, where they can see the attack chain, follow remediation steps, or do further investigation.

Diagram displaying how network protection blocks C2 connections using reputation lookup, sending connection metadata to signature matching to remediate the process via Microsoft Defender Antivirus, ultimately allowing Microsoft Defender for Endpoint to generate alerts using its detection logic.
Figure 5. Alerts for investigation in the Microsoft Defender for Endpoint portal are generated through a combination of technologies to protect against C2-based attacks

Network protection uses a dynamic reputation database that stores information on IPs, domains, and URLs gathered from a wide range of sources including threat research, detonation, adversary tracking, memory scanning, and active C2 web scanning. These activities lead to identifying C2 servers operated by human-operated ransomware actors and botnet actors and discovering compromised IPs and domains associated with known nation-state actors.

Network protection is aided by machine learning models that incriminate IP addresses used for C2 by inspecting network traffic telemetry. These models are trained on an extensive data set and use a diverse feature set, including DNS records, prevalence, location, and associations with compromised files or domains. Our threat experts’ knowledge further helps refine these models, which are re-trained and redeployed daily to adapt to the ever-changing threat landscape.

Training data, including good and malicious C2 IP addresses, is used to train machine learning models in addition to using extracted feature sets to predict new C2 IPs. This information is sent to Microsoft Defender for Endpoint to block malicious connections, perform remediation, and generate alerts.
Figure 6. Machine learning pipeline to generate new intelligence to protect customers from C2-based attacks

Preventing C2-based attacks

Attackers often rely heavily on leveraging C2 communications to start and progress attacks, including human-operated ransomware attacks. C2 infrastructure enables attackers to control infected devices, perform malicious activities, and quickly adapt to their target environment in the pursuit of organizations’ valuable data and assets.

Breaking this link to C2 infrastructure disrupts attacks—either by stopping it completely or delaying its progression, allowing more time for the SOC to investigate and mitigate the intrusion. Microsoft Defender for Endpoint’s network protection capability identifies and blocks connections to C2 infrastructure used in human-operated ransomware attacks, leveraging techniques like machine learning and intelligent indicators of compromise (IOC) identification.

Microsoft customers can use the new C2 blocking capability to prevent malicious C2 IP and domain access by enabling network protection. Network protection examines network metadata to match them to threat-related patterns and determines the true nature of C2 connections. Enhanced by continuously fine-tuned machine learning models and constant threat intelligence updates, Microsoft Defender for Endpoint can take appropriate actions to block malicious C2 connections and stop malware from launching or propagating. Customers can also refer to our Tech community blog post for guidance on validating functionality and more information on C2 detection and remediation.

In addition to enabling network protection C2 blocking, it’s recommended to follow the general best practices to defend your network against human-operated ransomware attacks.