Smaug Ransomware Detector (Sysmon Behavior)

September 11, 2020 · 2 min read

Today we would like to draw your attention to a relatively recent threat and to content for its detection. Smaug Ransomware-as-a-Service appeared on researchers' radars at the end of April 2020. Its operators recruit affiliates exclusively on Russian-language Dark Web forums and offer use of their platform for a fairly large initial payment plus 20% of subsequent profits. To attract seasoned hackers, the malware authors have suggested on some forums that the down payment can be waived for cybercriminals who can prove their past successes.

As you might guess, the project survived and found its followers, despite the simplicity of the malware and the fact that affiliates must themselves take care of additional means of hiding the malicious code. Affiliates who use Smaug ransomware have access to a dashboard where they can track their campaigns and create payloads to attack both organizations and individuals. Smaug is written in Golang, and researchers have discovered samples targeting both Windows and Linux systems that use an RSA public key during the encryption process. It can run completely offline, with no network connection required, and its authors encourage insider attacks on systems that would otherwise not be so vulnerable to ransomware.

Lee Archinal, a participant in the Threat Bounty program, published an exclusive threat hunting rule that detects the characteristic behavior of Smaug ransomware: https://tdm.socprime.com/tdm/info/mgOahtIfjNtc/dGS4d3QBQAH5UgbB3bJU/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK: 

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
