There have recently been several high-profile ransomware campaigns utilizing Maze and Snake malware. From critical medical supply companies, to large logistics firms, many businesses of all sizes have fallen victim to this cybercrime wave.
When an organization falls victim to a ransomware attack, it is only the final stage in an otherwise lengthy compromise process on the adversary’s part. The public often only sees the outcome that makes the news headlines without realizing the adversary usually spends considerable resources initially compromising the victim, performing reconnaissance, stealing credentials and evading network defenses.
Based on Cisco Talos Incident Response engagements, a Maze ransomware incident timeline might look like this:
Day 0 - 6: Initial compromise, Cobalt Strike artifacts are deployed, and internal administrative accounts are compromised.
Day 7 - 13: Additional active reconnaissance, data is typically stolen and uploaded to adversaries infrastructure.
Day 14 - 21: Utilizing stolen credentials, Psexec or WMIC is executed on the victim’s domain controllers. Maze ransomware spreads, taking down the network, creating havoc for the company to deal with.
Recovery: Talos Incident Response is deployed on site.
While there’s no set amount of time it takes from initial compromise to actual ransomware attack, there is some good news — victims have opportunities to detect and respond to these attacks. Every action listed generates noise in the form of a log or an alert that defenders can detect and respond to. For larger enterprises, that can be a lot of noise — so it’s important to tune your defenses to focus on those critical threats to your enterprise.
Complicating all of these things are current events with the COVID-19 pandemic. Companies are dealing with increased remote workforces and infrastructure strain, and all the security complications that come with it. Unfortunately, the adversaries who utilize the Maze or Snake ransomware families haven’t let up. It’s important for enterprises to have endpoint antivirus deployed throughout their enterprise. For AMP for Endpoints customers, the following IOC’s are of importance:
For TrickBot and it’s variants:
W32.TrickBot.ioc
For Cobalt Strike SMB Beacons
W32.AnomalousNamedPipeUsage
W32.PossibleNamedPipeImpersonation.ioc
For PowerShell Exploitation: W32.PowershellPostExploitationLoaderLaunch.ioc
For Mimikatz and credential access triggers:
W32.MimikatzDumpCredentials.ioc
W32.PowersploitModuleDownload.ioc
W32.InvokeMethodExploitationFrameworks.ioc
System Process Protection (SD.Block.SPP)
Ransomware Indicators:
W32.PossibleRansomwareShadowCopyDeletion.ioc
W32.BCDEditDisableRecovery.ioc
For Ryuk Ransomware:
W32.MAP.Ransomware.rewrite
W32.RyukRansomware.ioc
W32.RyukARPTableScan.ioc
For Maze Ransomware: W32.MazeRansomware.ioc
Cisco Talos Incident Response is also offering a discounted price through July 25 to address the increased need for security planning and responding to unknowns during the COVID-19 pandemic.