Overcoming the Chaos, Concern and Fear of Ransomware with Seceon aiXDR


Santanu (Shaan) Bagchi | June 11, 2021 | Tags: aiXDR | Use Cases

Demanding a ransom in exchange for something valuable, seized by force, is an age-old vice that found its digital parallel several years ago. Cyber criminals have resorted to extortion, preying on individuals and organizations (enterprises, businesses, institutions) by encrypting files on personal computers, workstations, tablets and mobile devices. To salvage the situation, the helpless user is coerced into paying a ransom in return for the recovery key. While the ransom can vary from a couple of hundred dollars to thousands, depending on the perceived value of the data and the asset, there is also a high probability that parts of the data (personal, confidential or business related) will be sold on the dark web if the demand is not met by the stipulated deadline.

Welcome to the dark world of old and new ransomware: WannaCry, Ryuk, Petya and Maze through to Darkside, REvil and Epsilon Red. While attack techniques and tactics vary, the perpetrators are mostly elusive, as in any complicated crime scenario, and cyber sleuths have negligible success at reversing the situation. That leaves us with only a few options:

a.) Self-awareness to avoid any trap
b.) Software-based early detection
c.) Rapid response to minimize damage or eliminate the threat

Almost all ransomware attacks originate from an email phishing campaign or a drive-by download (accessing a blacklisted or hijacked site). Seceon aiXDR quickly swings into action, correlating logs from the email server with endpoint activities, identifying access to blacklisted sites (using gathered Threat Intelligence) and applying behavioral patterns to find traces of unusual or suspicious processes spawned on the endpoint. The picture below depicts the attack stages that are commonly seen.

RANSOMWARE ATTACK STAGES

1. Socially engineered phishing email with link to malicious website
2. User attempts to open link, triggering drive-by download of malware
3. Command line loads PowerShell script straight into memory
4. PowerShell establishes C&C communication and downloads additional script for encryption
5. Downloaded script encrypts files selectively
6. User is presented with payment instructions required to decrypt data

Let us consider the attack scenario that unfolded at Colonial Pipeline, with business servers being critically impacted by Darkside ransomware. Does aiXDR, the XDR solution from Seceon, stand up to the challenges posed by Darkside's tactical maneuvers? Here is what we've learned about Darkside's modus operandi:

1. It scours information from the victim's computer: OS type, version, username, hostname, disks, language, etc. Any computer with an Eastern European or Russian language setting was left unaffected.

2. It selectively chooses which files to encrypt, based on directories, file names and extensions. This is intended to save time and keep the system in working condition so that contact information related to the ransom payment can be conveyed. Seceon aiXDR monitors file access; recursive access to directories in particular is treated as suspicious activity, a Threat Indicator is generated and the number of instances (recursive activity) is counted. Seceon aiXDR's FIM capabilities also come in handy here.
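One way to implement the recursive-access indicator described above, as an added example that is not Seceon's code: it slides a time window over per-process file-access events and fires when a single process touches at least four distinct directories within ten seconds. The event format, the thresholds and the sample paths are assumptions constructed for the example.

```python
"""Added example (not Seceon's code): detect a process that sweeps through many
directories in a short time, the 'recursive access' pattern a file-encrypting
payload produces, and report the peak number of directories per process."""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample events: (timestamp_seconds, process, path, action).
# powershell.exe rewrites files across the user's tree within seconds;
# backup.exe and winword.exe touch only one or two directories.
EVENTS = [
    (0, "winword.exe", "/home/alice/docs/report.docx", "read"),
    (1, "powershell.exe", "/home/alice/docs/report.docx", "write"),
    (1, "powershell.exe", "/home/alice/docs/budget.xlsx", "write"),
    (2, "powershell.exe", "/home/alice/docs/q3/plan.pptx", "write"),
    (2, "powershell.exe", "/home/alice/pictures/2020/cat.jpg", "write"),
    (3, "powershell.exe", "/home/alice/pictures/2021/dog.jpg", "write"),
    (3, "powershell.exe", "/home/alice/music/song.mp3", "write"),
    (40, "backup.exe", "/home/alice/docs/report.docx", "read"),
    (41, "backup.exe", "/home/alice/pictures/2020/cat.jpg", "read"),
]


def detect_recursive_access(events, window=10, min_dirs=4):
    """For each process, find the largest number of distinct directories it
    accessed inside any `window`-second span. The indicator fires when that
    peak reaches `min_dirs` (both thresholds are assumed tuning values).
    Returns {process: {"peak_dirs": int, "indicator": bool}}."""
    by_proc = defaultdict(list)
    for ts, proc, path, _action in events:
        by_proc[proc].append((ts, str(PurePosixPath(path).parent)))

    results = {}
    for proc, accesses in by_proc.items():
        accesses.sort()  # order by timestamp so the window can slide
        peak, start = 0, 0
        for end, (ts, _) in enumerate(accesses):
            # Drop events that fell out of the window ending at `ts`.
            while accesses[start][0] < ts - window:
                start += 1
            distinct = len({d for _, d in accesses[start:end + 1]})
            peak = max(peak, distinct)
        results[proc] = {"peak_dirs": peak, "indicator": peak >= min_dirs}
    return results


if __name__ == "__main__":
    for proc, verdict in detect_recursive_access(EVENTS).items():
        print(proc, verdict)
```

In a real deployment the same logic would run over endpoint file-access telemetry rather than a constructed list, with the thresholds tuned against normal backup and indexing activity to keep false positives down.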
