Operationalize Ransomware Detections Quickly and Easily with Splunk

In 2019 multiple cities, hospitals and educational institutions in the U.S. were crippled by ransomware, including Baltimore, Atlanta, New York City, Regis University in Denver and Monroe University in New York. In the last 12 months, the infosec community has seen ransomware operators seriously up their game (see Ryuk ransomware).

According to a report from Emsisoft, 113 state and municipal governments and agencies, 764 healthcare providers, and 1,233 individual educational environments were affected by ransomware in 2019. While this certainly inconvenienced each organization, the impact on healthcare providers had real consequences, often with life-or-death implications. Doctors lost access to vital information as patients' records became unavailable, and surgical procedures were either postponed or moved to other hospitals.

For some organizations, paying the ransom was more cost-effective than restoring from backups (if restoration from backups was even possible). Some question whether paying the requested ransom is even legal, and we're seeing legislation being introduced to specifically prohibit ransomware payments.

Further complicating the landscape is the increasingly nefarious nature of the most recent strains detected. It's no longer just about encrypting files. Ransomware operators have added a spoliation phase that destroys the Volume Shadow Copies on which Windows System Restore and "Previous Versions" recovery depend, making restoration a much larger endeavor. If that's not enough, sensitive files are also being exfiltrated and publicly released if the ransom is not paid quickly.

You might be thinking “yeah, yeah, we know – ransomware is bad, but how can you help me stop it?” Great news: at Splunk we don’t leave you to figure it out on your own. We provide customers with hundreds of use cases to support their missions, including ransomware detection.

Let's look at some of the ways we can detect ransomware infections in Splunk before a ransom note lands on a user's screen.

The Security Information and Event Management (SIEM) platform is the heart and brain of any Security Operations Center (SOC). If you're using Splunk Enterprise Security (ES) as your SIEM platform, you also have access to the ES Content Updates.

“The Splunk ES Content Update (ESCU) app delivers pre-packaged Security Content. ESCU provides regular Security Content updates to help security practitioners address ongoing time-sensitive threats, attack methods, and other security issues.”

There are 35 ransomware use cases provided with the ES Content Updates. In the interest of brevity, we'll highlight one: Deleting Shadow Copies. The newer ransomware strains go to great lengths to ensure Windows victims have little choice when faced with a ransom demand. As part of the spoliation phase of the attack, the ransomware runs the built-in Windows utility vssadmin.exe to delete Volume Shadow Copies so they can't be used to recover files. Because this happens before or alongside encryption, detecting it quickly provides an opportunity to interrupt the ransomware kill chain, saving your data from being held hostage or leaked.

A snapshot of the app below provides a description of the use case, including the "Explain it to me like I'm 5" format. It also shows where this detection fits in the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain, as well as which data models it uses and which event sources you need to detect this activity. Note that endpoint process-creation events (process name, full command line and parent process) are required for this detection; without them the search has nothing to match. (Need a good Windows endpoint event collection facility? Check out Microsoft's Sysmon; it's free!)
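To make the detection logic in the two paragraphs above concrete, here is an added example (not the ESCU search itself and not Splunk's code) that runs the same idea over constructed Sysmon Event ID 1 (process creation) records. The sample events, host and user names are made up for illustration. It matches the vssadmin "delete shadows" command the post describes, and goes slightly beyond it by also covering two equivalent shadow-copy-wiping commands that ransomware families commonly use: "wmic shadowcopy delete" and "vssadmin resize shadowstorage" (shrinking the shadow storage evicts existing copies). Each hit carries the parent process so an analyst can tell a backup agent's "vssadmin list shadows" from a dropper spawning a delete.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 records reduced to the fields the detection
# needs. Sample data for this example only, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-db01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "srv-file01", "user": "CORP\\backupsvc",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},          # benign: enumerates only
    {"host": "ws-017", "user": "CORP\\asmith",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "VSSADMIN.EXE Delete Shadows /For=C: /Oldest"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# (rule name, process-name pattern, command-line pattern). Matching is
# case-insensitive because Windows is, and operators vary casing to dodge
# naive string matches.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"^vssadmin(\.exe)?$", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"^wmic(\.exe)?$", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"^vssadmin(\.exe)?$", re.I), re.compile(r"\bresize\s+shadowstorage\b", re.I)),
]


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    parent_image: str
    command_line: str
    technique: str = "T1490"  # ATT&CK: Inhibit System Recovery


def image_basename(image: str) -> str:
    """Return the file name portion of a Windows image path."""
    return image.rsplit("\\", 1)[-1]


def detect_shadow_copy_deletion(events):
    """Return one Finding per event whose process name and command line
    match a shadow-copy-wiping rule. Enumeration-only commands such as
    'vssadmin list shadows' do not match."""
    findings = []
    for ev in events:
        name = image_basename(ev["image"])
        for rule, proc_re, cmd_re in SHADOW_DELETE_RULES:
            if proc_re.search(name) and cmd_re.search(ev["command_line"]):
                findings.append(Finding(rule, ev["host"], ev["user"],
                                        ev["parent_image"], ev["command_line"]))
                break  # one finding per event even if several rules match
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.host} {f.user} "
              f"parent={image_basename(f.parent_image)} cmd={f.command_line!r}")
```

In Splunk the same logic would be expressed as a search over the Endpoint.Processes data model filtering on process_name and the full process command line, which is roughly how the ESCU correlation search is built (read the actual search from the app rather than this stand-in). The parent-process field is what lets you triage quickly: a scheduled backup job deleting old shadows from a known agent is expected; vssadmin spawned by an executable in a user's Temp directory is not.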

You have the app and the content, now how do you operationalize it? The button labeled "Configure" automatically builds the correlation search that enables this detection in Enterprise Security. It's as close to an easy button as we get in security operations.

Now you have detections in place – awesome! If you want to take it a step further and leverage automation to block/contain/remediate, see our blog post on leveraging Splunk Phantom to do so, "Playbook: Detect, Block, Contain, and Remediate Ransomware."  

If you’re not using Splunk Enterprise Security today, take a guided tour and get a free sandbox instance to test drive. If you are using ES today, download and install the ES Content Update app and stay on top of the latest threats.

Before IR (incident response) turns into DR (disaster recovery), or much worse, a ransom payment, leverage the power of Splunk to detect and respond quickly to ransomware threats.

Posted by Michael Polisky