Blog

Ransomware

Difendersi dal ransomware: uno scenario di minaccia dal vivo

Difendersi dal ransomware: uno scenario di minaccia dal vivoDefault blog imageDefault blog image
08
May 2017
08
May 2017

In 2016 alone, cyber-criminals launched 638 million ransomware attacks. That’s 20 ransomware attempts every second.

The cyber security industry has tried to stem the tide by stopping ransomware at the network border, which can help detect some known ransomware threats. The problem is that ransomware is constantly evolving and mutating, with new strains popping up every day.

At Darktrace, our technology detects ransomware without prior knowledge, a vital capability since no matter how strong the network border is, these types of threats inevitably find a way inside.

Let’s take a look at how Darktrace’s unsupervised machine learning detected and responded to a real ransomware attack at a large financial services organization. As with most ransomware, it all started with a phishing email.

  • Darktrace first noticed anomalous behavior when an employee checked his personal webmail on a corporate laptop. The device started making HTTP requests to a rare external domain:Thu Nov 17, 20:20:22 192.168.103.106 connected to webmail.northrock.bm [80]
  • The employee opened what he believed to be a Word document, but was actually a malicious .zip file containing a ransomware payload. The device then connected to a second rare external domain. It was not until the next day that OSINT vendors identified the domain as malicious:Thu Nov 17, 20:20:55 192.168.103.106 connected to www.inhabitantap[.]top [80]
  • Darktrace then observed the device downloading a suspicious .exe file from the anomalous domain:File Transfer (EXE) — FileTransfer::Exe file found with filetype (application/x-dosexec) [80] SHA1: 7099508c86c3b40268a4039afa5aabafb6f36d90
  • At this point, the ransomware executable had already bypassed multiple perimeter security protocols on the device. The ransomware then began to search for available SMB shares. Unlike the encryption of data on individual devices, SMB encryption jeopardizes data across the entire corporate network. Darktrace highlighted this activity as a major deviation from normal:20:26:01
 |
    1 SMB Move Success — share= rename_to=[REDACTED].thor file=[REDACTED].xls [445]
    An unusual time for this activity
 |
    20:26:01
 |
    1 SMB Read Success — share= file=[REDACTED].xls [445]
 |
    An unusual time for this activity
  • Nine seconds after the start of the SMB encryption activities, Darktrace raised an alert signifying that the anomaly required further investigation. As the behavior persisted over the next 24 seconds, Darktrace continually revised its understanding of the deviation as it progressed into a serious threat.
  • At this point, Darktrace’s Enterprise Immune System determined that the threat required an immediate response, but the security team had gone home for the weekend and wasn’t on site to manually remediate the situation. The Enterprise Immune System stepped in and automatically interrupted all attempts to write encrypted files to network file shares. In so doing, Darktrace neutralized the threat 33 seconds after the malicious activity began.
  • SMB write successes are observed as the device encrypts files on the network share (shown in gray). The green spikes represent the ‘significance’ of the activity as understood by Darktrace. This pattern of SMB activity represented a major deviation from the device’s normal behavior.

At every stage of the attack, the Enterprise Immune System continuously monitored the situation and raised alerts of increasing severity. Despite the speed with which the attack unfolded, and despite multiple endpoint solutions failing to identify the executable, the Enterprise Immune System identified the device’s behavior as highly anomalous, and in a matter of seconds, it destroyed the threat.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which details how external attackers changed data on a biometric scanner and attempted to take control of an industrial power station.

Like this and want more?

Receive the latest blog in your inbox
Grazie! Il vostro invio è stato ricevuto!
Oops! Qualcosa è andato storto durante l'invio del modulo.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
VP of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

USE CASES
Nessun articolo trovato.
PRODUCT SPOTLIGHT
Nessun articolo trovato.
COre coverage
Nessun articolo trovato.
This Article
Difendersi dal ransomware: uno scenario di minaccia dal vivo
Share
Twitter logoLinkedIn logo

Related Articles

Nessun articolo trovato.

Buone notizie per la vostra azienda.
Cattive notizie per i cattivi.

Iniziare la prova gratuita

Iniziare la prova gratuita

Consegna flessibile
È possibile installarlo virtualmente o con l'hardware.
Installazione rapida
Solo 1 ora per la configurazione e ancora meno per una prova di sicurezza delle e-mail.
Scegliete il vostro viaggio
Provate l'intelligenza artificiale dell'autoapprendimento ovunque ne abbiate bisogno, anche nel cloud, in rete o via e-mail.
Nessun impegno
Accesso completo al visualizzatore di minacce di Darktrace e a tre rapporti sulle minacce personalizzati, senza obbligo di acquisto.
Grazie! Il vostro invio è stato ricevuto!
Oops! Qualcosa è andato storto durante l'invio del modulo.

Richiedi una demo

Consegna flessibile
È possibile installarlo virtualmente o con l'hardware.
Installazione rapida
Solo 1 ora per la configurazione e ancora meno per una prova di sicurezza delle e-mail.
Scegliete il vostro viaggio
Provate l'intelligenza artificiale dell'autoapprendimento ovunque ne abbiate bisogno, anche nel cloud, in rete o via e-mail.
Nessun impegno
Accesso completo al visualizzatore di minacce di Darktrace e a tre rapporti sulle minacce personalizzati, senza obbligo di acquisto.
Grazie! Il vostro invio è stato ricevuto!
Oops! Qualcosa è andato storto durante l'invio del modulo.