Blog

Ransomware

Defending against ransomware: a live threat scenario

Defending against ransomware: a live threat scenarioDefault blog imageDefault blog image
08
May 2017
08
May 2017

In 2016 alone, cyber-criminals launched 638 million ransomware attacks. That’s 20 ransomware attempts every second.

The cyber security industry has tried to stem the tide by stopping ransomware at the network border, which can help detect some known ransomware threats. The problem is that ransomware is constantly evolving and mutating, with new strains popping up every day.

At Darktrace, our technology detects ransomware without prior knowledge, a vital capability since no matter how strong the network border is, these types of threats inevitably find a way inside.

Let’s take a look at how Darktrace’s unsupervised machine learning detected and responded to a real ransomware attack at a large financial services organization. As with most ransomware, it all started with a phishing email.

  1. Darktrace first noticed anomalous behavior when an employee checked his personal webmail on a corporate laptop. The device started making HTTP requests to a rare external domain: Thu Nov 17, 20:20:22 192.168.103.106 connected to webmail.northrock.bm [80]
  2. The employee opened what he believed to be a Word document, but was actually a malicious .zip file containing a ransomware payload. The device then connected to a second rare external domain. It was not until the next day that OSINT vendors identified the domain as malicious: Thu Nov 17, 20:20:55 192.168.103.106 connected to www.inhabitantap[.]top [80]
  3. Darktrace then observed the device downloading a suspicious .exe file from the anomalous domain: File Transfer (EXE) — FileTransfer::Exe file found with filetype (application/x-dosexec) [80] SHA1: 7099508c86c3b40268a4039afa5aabafb6f36d90
  4. At this point, the ransomware executable had already bypassed multiple perimeter security protocols on the device. The ransomware then began to search for available SMB shares. Unlike the encryption of data on individual devices, SMB encryption jeopardizes data across the entire corporate network. Darktrace highlighted this activity as a major deviation from normal: 20:26:01
 |
    1 SMB Move Success — share= rename_to=[REDACTED].thor file=[REDACTED].xls [445]
    An unusual time for this activity
 |
    20:26:01
 |
    1 SMB Read Success — share= file=[REDACTED].xls [445]
 |
    An unusual time for this activity
  5. Nine seconds after the start of the SMB encryption activities, Darktrace raised an alert signifying that the anomaly required further investigation. As the behavior persisted over the next 24 seconds, Darktrace continually revised its understanding of the deviation as it progressed into a serious threat.
  1. At this point, Darktrace’s Enterprise Immune System determined that the threat required an immediate response, but the security team had gone home for the weekend and wasn’t on site to manually remediate the situation. The Enterprise Immune System stepped in and automatically interrupted all attempts to write encrypted files to network file shares. In so doing, Darktrace neutralized the threat 33 seconds after the malicious activity began.
  1. SMB write successes are observed as the device encrypts files on the network share (shown in gray). The green spikes represent the ‘significance’ of the activity as understood by Darktrace. This pattern of SMB activity represented a major deviation from the device’s normal behavior.

At every stage of the attack, the Enterprise Immune System continuously monitored the situation and raised alerts of increasing severity. Despite the speed with which the attack unfolded, and despite multiple endpoint solutions failing to identify the executable, the Enterprise Immune System identified the device’s behavior as highly anomalous, and in a matter of seconds, it destroyed the threat.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which details how external attackers changed data on a biometric scanner and attempted to take control of an industrial power station.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
Director of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.