Smaug Ransomware Detector (Sysmon Behavior)

Today we would like to draw your attention to a relatively recent threat and the content available for its detection. Smaug Ransomware-as-a-Service appeared on researchers' radars at the end of April 2020. Its operators look for affiliates exclusively on Russian-language Dark Web forums and offer use of their platform for a fairly large initial payment plus 20% of further profit. To attract seasoned hackers, the malware authors have suggested on some forums that the down payment can be waived if cybercriminals can prove their past successes.

As you might guess, the project survived and found its followers, despite the simplicity of the malware and the fact that affiliates must take care of additional means of hiding the malicious code themselves. Affiliates who use Smaug ransomware have access to a dashboard where they can track their campaigns and create payloads to attack both organizations and individuals. Smaug is written in Golang, and researchers discovered samples targeting both Windows and Linux systems and using an RSA public key during the encryption process. It can run completely offline with no requirement for a network connection, and its authors encourage insider attacks on systems that would otherwise not be so vulnerable to ransomware.

Lee Archinal, a participant in the Threat Bounty program, published an exclusive threat hunting rule that detects the characteristics of Smaug ransomware: https://tdm.socprime.com/tdm/info/mgOahtIfjNtc/dGS4d3QBQAH5UgbB3bJU/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.