Rule of the Week: VHD Ransomware Detection

This week the Rule of the Week title deservedly goes to the exclusive Sigma rule developed by Osman Demir, which enables detection of VHD ransomware: https://tdm.socprime.com/tdm/info/jxteY8ELY6Yd/BwSPn3MBPeJ4_8xcn22h/?p=1

The first attacks using this ransomware strain began in March 2020, and only recently have researchers linked them to the Lazarus APT. The attribution was supported by the discovery, in some of these attacks, of the MATA cross-platform framework, which is used exclusively by this notorious North Korean threat actor; rules for detecting the framework were published earlier this week.

In some attacks, the adversaries used a spreading utility that propagated the ransomware inside the network. The utility is built after detailed reconnaissance and the collection of administrative credentials and IP addresses, which are then leveraged to brute-force the SMB service on every discovered machine.

The Lazarus group is probably the only state-sponsored threat actor that also engages in financially motivated cybercrime. In recent attacks, the group exploited a vulnerable VPN gateway, obtained administrative privileges, deployed a backdoor on the compromised system, and was able to take over the Active Directory server. Interestingly, prior to the start of the VHD ransomware attacks, Lazarus APT was seen using TrickBot malware to gain access to victims' networks.


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio


EDR: Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.