As cybercriminals continue to use ransomware as a means for profit such as Cryptolocker and Cryptowall, organizations must develop detection capabilities around this threat. SIEM technology combined with threat intelligence can be effectively used to detect ransomware. We recommend you ask your MSSP or SIEM Administrator to create the following use cases:
Antivirus Repeat Infection
Leverage the SIEM to track systems that have had antivirus finds within the last twenty-four hours with a list. If any of those systems have any additional antivirus finds after a half an hour of the initial signs of infection, this could indicate the antivirus installed on the client is not a fully remediating infection. Because cybercriminals have recently used ransomware as one of the primary means of system compromise, these repeat infections will sometimes be cases dealing with ransomware that is not being fully remediated by your client antivirus.
Antivirus Detection Outbreak
Leverage the SIEM to track the findings identified by your antivirus data sources. If the same type of threat is identified on multiple systems, say five within the same hour, then multiple hosts have been exposed to the same type of malicious code. If the threat detected turns out to be related to ransomware, you may have a phishing campaign or massive drive-by attack that may have attempted to install ransomware on several systems.
Tor IP Reputation Traffic
Leverage the SIEM to track outbound connections from your user subnets to IP addresses associated with Tor. You can usually identify IP addresses associated with Tor by importing threat intelligence into your SIEM. Although not all ransomware uses Tor, recent ransomware such as Cryptowall has used Tor for command and control. Tracking Tor could identify command and control of certain types of ransomware and identify suspicious user browsing habits.
Outbound IP Watchlist
Although a simple use case, making a destination IP watchlist in a SIEM and engaging outbound traffic to the IP addresses on the watchlist can be effective with the right indicators. This is especially true with recent well-known ransomware IP indicators of compromise. If your organization has a dedicated threat intelligence resource, browsing sources of threat intelligence for IP indicators that have recently been circulated within the cybersecurity community and importing them into your SIEM watchlist for correlation can identify potential ransomware command and control. It should be noted these IP addresses should be tested before being placed on a watchlist. These IP addresses could host legitimate web activity on additional domains that could cause false positives.
IDS/IPS Triggers
Aggressive IDS/IPS products will create signatures around ransomware command and control activity. Creating a watchlist to look for these signatures, or setting a “name contains ‘ransom’ or ‘crypto’ “ in the SIEM field tracking the signature name, and when the signature is categorized as related to a malware/botnet type of signature, may indicate ransomware command and control.
In addition to monitoring the above use cases, we recommend you take all the standard precautions against email malware and, of course, backup your data!
