Detection Content: Ransom X Behavior

July 02, 2020 · 2 min read

Another ransomware family appeared this spring and is actively used in targeted attacks against enterprises and government agencies. In mid-May, cybercriminals attacked the network of the Texas Department of Transportation, but the unauthorized access was discovered, and as a result only part of the systems was encrypted. This attack used a new ransomware, Ransom X, which stands out among its “relatives”. Ransom X is human-operated ransomware that opens a console after execution and displays status information to the adversaries while it runs. It terminates 289 processes related to remote access tools, MSP and security software, databases, and mail servers. It also runs a series of commands to clear Windows event logs, delete NTFS journals, disable System Restore, disable the Windows Recovery Environment, delete Windows backup catalogs, and wipe free space on local drives. In addition, this ransomware strain does not encrypt several very specific folders, and researchers believe the cybercriminals store in those folders the tools they use to infect other systems in the organization. It is currently unknown whether the criminals steal data before encrypting files, or even use the encryption to hide other malicious activity.

Ransom X ransomware can be detected using Ariel Millahuel's community threat hunting rule available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/DQYxkD57TgJH/UXoGBXMBSh4W_EKGDMO0/?p=1


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Execution, Persistence, Privilege Escalation

Techniques: Scheduled Task (T1053)
