You may have seen the tweet from Proficio’s Threat Intelligence team regarding recent increases in ransomware, specifically the ransomware strain Troldesh (aka Shade).
TOR appears to be Shade’s primary command and control channel and TOR pages are also utilized as decryptor pages. Shade can download additional modules through TOR that can be used to mine cryptocurrency as well as generate ad-fraud traffic.
Some ways to identify the presence of Shade ransomware or signs of a potential Shade ransomware attack in your environment include:
- The presence of attempted TOR traffic in an environment where TOR traffic is not allowed or unexpected.
- TOR activity from internal hosts in your environment will trigger a Proficio AAR use case. The traffic identified may not be TOR or tied to this ransomware, but that will be determined during the analyst investigation.
- Clients with supported web proxy products or URL filters can also generally rely on them as a way to pick up non user-driven activity towards such URLs. Investigations also will be performed on any potential exploit kit activities found.
- The presence of csrss.exe in “C:\ProgramData\services\” and “C:\ProgramData\Windows\”
- EDR platforms should block or quarantine Shade upon the detection of malicious executables. If the logs are sent to Proficio, this will trigger an AAR alert that will be review by Proficio analysts. Their investigations will determine if the executable is malicious and if it is tied to a specific threat.
- Files with “crypted000007” file extensions
- If the EDR platform detects this, the infection likely has already been successful. Similarly to the csrss.exe, if logs are sent to Proficio, it will trigger an AAR that will be investigated by our analysts who will determine the validity of the threat.
- Presence of crypto-mining activity and traffic
- Such activity will typically be picked up by most EDR platforms. Clients using such EDR products are covered in terms of detections in this area. Customers with IDPS and web proxy products can also generally rely on such products for the detection of traffic and activity related to crypto-mining. If these logs are sent to Proficio, we will investigate these incidents and escalate as required.
Some ways to mitigate and reduce the possibility of a successful Shade ransomware attack include:
- Blocking emails with malicious ZIP or PDF file attachments. This will typically require an email gateway product with that functionality and detection capability.
- If your email gateway product generates logs containing relevant information, and these logs are sent to Proficio, an incident will be created. Details provided by your email gateway will allow us to investigate and escalate, as needed, phishing emails tied to specific malware campaigns.
- Blocking malicious file downloads. This will typically depend on the detection capabilities of the security device performing such blocks.
- For example, web filters can block access to webpages or downloads from webservers that are deemed malicious or against policy based on their classification of the web access. These devices can interrupt exploit kit activity based on the investigations that have been handled by the SOC. This can also be done at the individual endpoint level via EDR or HIDPS solutions. However, the detection capabilities of the devices, and if they can distinguish between malicious and non-malicious downloads, will determine the effectiveness of the blocks.
- Block all TOR traffic originating from internal hosts towards external IP addresses. Most NGFW products should be capable of identifying potential TOR traffic.
- If you subscribe to Active Defense, and this is a known address within our TIP, the IP will be blocked automatically. You can also submit a request to our SOC for a block be put in place for any suspicious IP address that has been alerted on.
- An alternative approach is to block access to known TOR nodes in advance. This can be done through signatures, a list-based approach or both. Our MSS team is able to assist with these on a per request basis.
- Patch CVE-2018-15982 and CVE-2018-8174 as both vulnerabilities are typically exploited by exploit kits. Proficio will work closely with clients that have subscribed to our VLM service to identify if such vulnerabilities are present within their environment.
Should you have additional queries, please feel free to reach out to your Client Success Manager or Security Advisors for more information regarding how Proficio can help you stay protected from ransomware attacks.