Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-05-12
  • Author: Bhavin Patel, Splunk
  • ID: 507edc74-13d5-4339-878e-b9114ded1f35

Narrative

This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.

Detections

Name Technique Type
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping TTP
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer TTP
CMLUA Or CMSTPLUA UAC Bypass System Binary Proxy Execution, CMSTP TTP
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer TTP
Cobalt Strike Named Pipes Process Injection TTP
Delete ShadowCopy With PowerShell Inhibit System Recovery TTP
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect RClone Command-Line Usage Automated Exfiltration TTP
Detect RClone Command-Line Usage Automated Exfiltration TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Detect Renamed RClone Automated Exfiltration Hunting
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer TTP
Windows CertUtil URLCache Download Ingress Tool Transfer TTP
Windows CertUtil VerifyCtl Download Ingress Tool Transfer TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP

Reference

source | version: 1