Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Keep your friends close; keep ransomware closer
#1
Bug 
Quote:
[Image: VTBLOG-LOGO.jpg]

“How to avoid being a ransomware victim?” is one of the main questions every single company and organization asks themselves every day. Unfortunately there is no silver bullet against that, but there are several good practices we can follow to minimize our exposure.

We can start by enumerating what are the main vectors that attackers use to get into victims: phishing, brute forcing and the use of exploits. Let's use this information to understand what exactly are attackers doing from a technical point of view, but more importantly, to monitor how their campaigns evolve. And here we want to highlight the importance of continuously tracking malicious activity in order to feed our systems accordingly: attackers evolve their methods and the IOCs used constantly change. We need the whole movie, not just a static picture.

This post describes different examples of techniques we can use to monitor ransomware campaigns, with a special focus on the infection vectors previously mentioned in order to minimize the risk of becoming a victim.

For more details, you can check our recorded anti-ransomware webinar in English and Spanish.
 Ransomware in phishing attacksPhishing is the most common technique used to distribute ransomware. We want to be able to discover how it is being used in new ransomware campaigns and to obtain the infrastructure behind the attack, gathering valuable IOCs and TTPs to feed our defenses.

We can start looking for emails involved in phishing campaigns uploaded this year to VirusTotal:
 
Quote:engines:ransom type:email fs:2020-01-01+

We get a list of generic ransomware email files. We can specify a certain malware family we are interested in. For instance, the following query returns emails related to some of the most common campaigns: 
 
Quote:(engines : bitpaymer OR engines : maze OR engines : Ryuk OR engines : gandcrab OR engines : clop OR engines : revil OR engines : sodibiniki OR engines  : matrix) type : email

Trickbot is a malware family frequently used to distribute ransomware. By searching for recent samples delivered by email (engines:trickbot fs:2020-09-01+ type:email) we can quickly find an interesting sample implementing an exploit and pretending to be a well known financial institution. We can quickly expand all the domains, URLs and IP addresses embedded into this file into our investigation graph, getting a broader overview of the campaign:

 
[Image: LE1CkweYY98v9aJcP3QHHihEOw7DdUaHQLbk2rqW...6NawUMdXeQ]

Expanding different nodes uncovers new IOCs to feed our defenses and unfolds this campaign, showing domain names that were used to bait victims into opening the malicious word document attached to the phishing email.
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>