Detections That Can Help You Identify Ransomware


One of the benefits of being part of a global, research-driven incident response firm like X-Force Incident Response (IR) is that the team can step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Applying that access and knowledge to the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs).


In particular, the X-Force IR team has identified several actions ransomware operators take that are common to almost all ransomware attacks and that are relatively easy to detect with the search queries and detection mechanisms X-Force IR has developed. This blog reviews several opportunities security teams have to detect most ransomware adversaries using only the default WELs. Because those logs are collected without any additional auditing configuration, many ransomware victims already have the data they need to detect ransomware operators; they simply need to know where to look. One caveat: the default logs are small and roll over quickly, so the evidence is only useful if it is reviewed or forwarded before it is overwritten. That is where X-Force IR can help.


Because many ransomware affiliates interact, cross-pollinate and operate on behalf of different ransomware groups, we do not attribute the following activities to any particular group; they are common across multiple ransomware groups. The Sodinokibi/REvil, Avaddon and DarkSide ransomware groups shut down between May and July, but the affiliates that conducted attacks on their behalf have shifted to other groups such as LockBit and newly emerging ransomware operations.


X-Force Threat Intelligence has tracked several malicious actors that have acted as affiliates of multiple groups. For example, ITG08 — also known as FIN6 — has probably acted as an affiliate for Ryuk, LockerGoga and MegaCortex attacks. In addition, ITG14, which shares campaign overlap with FIN7, has been an affiliate of Sodinoki ..
