Investigating Ransomware Infections with QRadar
Ransomware is the nightmare of most of system administrators and security officers. It’s an emerging threat and the trend unfortunately is upward: more and more companies are being hit by ransomware, from small shops to large corporations.
In a previous post we discussed on how to use your QRadar to detect ongoing ransomware infections. In this post we will be discussing how to investigate ransomware attacks using your SIEM.
You may be wondering, “why bothering if it’s too late?”. It is extremely important to understand the vectors exploited and the timeline of the attack so we can avoid future infections and even stop current ransomware attacks.
Here’s a list of items to check using your QRadar:
- Anti Virus logs: That seems the most obvious thing to check. We can try to identify if the antivirus detected the threat and which was the first computer affected (the “entry point”). We can also check if the users infected had turned their antivirus off or if the ransomware was not even detected by the antivirus (a potential zero-day).
- Network Traffic: The majority of the ransomware strains communicate to a Command & Control server for two main reasons: synchronize the malware data, and in some cases, exfiltrate sensitive data. You can use your QRadar to find if your machines are connecting to a new external IP. For example, if you had all your HR laptops infected, and in the same period you observe all the laptops connecting to a new specific IP, that’s most likely the command and control server. You can blacklist this IP in your firewalls and create custom rules on QRadar to alert in case new machines trying to connect to this IP.
- Windows Logs: The windows logs can provide a lot of useful information
- Network Connection Logs: You can try to identify the command and control server by the windows network logs. Those logs can also indicate an anomalous number of connections in a port. For example, the latest ransomware threats were exploiting a vulnerability in the SMB protocol, so if you see an unusual number of connections on port 139 or 445, that may indicate a ransomware proliferating into your network. If that’s the case, you can disable the vulnerable service or block the connections on the windows firewall.
- File Modification Logs: As discussed in this previous post an ongoing ransomware infection generates a lot of “file update” logs. If you detect an anomalous number of file update logs, that may indicate a ransomware threat.
- USB Logs: Most of the ransomware attacks spread through emails and webpages, but they can also be delivered through infected USB sticks. If you know the approximate time of the infection, you can check for USB logs, looking for inserted devices. If the source is a USB stick, contact the user and make sure other people do not do the same.
- Email Logs: Most of the ransomware strains use an email phishing campaign as entry point in a company. Check your email logs (example: Microsoft Exchange logs) for suspicious attachments sent to internal users. If you find the first person infected, you can find the sender and prevent other people of receiving similar emails and getting infected.
- HTTP Logs: Ransomware can also be distributed through malicious websites. If you have your HTTP proxy logs, check for unusual downloads or unusual websites. If you find the source of the ransomware it is easy to block the access and avoid that other users get infected.
Having a proper incident investigation will help you to reduce the impact of an ongoing ransomware attack and may help you to prevent future attacks.
How do you investigate your ransomware attacks? Share with us in the comments.
Detecting ransomware with QRadar using behavioral analysis
Ransomware is one of the top trending concerns in any business; hundreds of business are seeing their data being encrypted even with the latest security solutions. As most of anti-virus solutions are signature based, they are not fully capable of detecting the latest ransomware strains. In this post we will be discussing how to configure QRadar to detect ransomware threats in real time by observing events’ behaviour.
Ransomware may seem a complex attack, but most of them are actually quite simple: The malware encrypts files and then shows a ransom message to the user. The objective of the attacker is to encrypt the files as fast as possible to maximize the impact (if the encryption is slow the user may notice and stop the attack before all the files gets encrypted), and that’s how we can detect the threat.
In a simple language, the encryption process consists in: open a file, read a file, write the encrypted file, close the file. If you are monitoring your servers with QRadar, every time a file is updated an event is generated. So if you detect a high volume of “file update” events in a short period of time, it may be a sign of a ransomware infection.
Based on that, to implement an effective ransomware monitoring capability on QRadar all you need to do is:
- Ensure file audit is enabled on your windows servers: You need to be able to see events such as “File open”, “File Update” and “File Delete”. Before creating any rule, search for those event names to make sure you are getting them. Please note that this can considerably increase your EPS rate, so if you have a large environment and you’re enabling file-access audit consider enabling it in stages and observing your EPS rate.
- Create an offense rule that detect multiple file updates: A good threshold is 500 file updates in a minute. If you see more than 500 file updates in less than a minute, that’s an indication that there is an automated process updating your files (which may be a sign of ransomware).
If you have any mitigation system (such as IBM BigFix or McAfee EPO), you can even trigger a mitigation action to stop the ransomware. For example with QRadar you can send a “process kill” request to IBM BigFix, which will quickly login into the machine and kill the ransomware process.
It is important to note that QRadar is detecting ransomware through system behaviour. This puts QRadar in advantage if compared to regular signature-based anti-virus solutions, since we will be capable of detecting “zero-day” ransomware, which anti-virus solutions may not have signature for it.
This post is based on a very interesting video series called “QRadar Stopping Ransomware” by Jose Bravo. If you want to see step-by-step of how to configure your SIEM to stop ransomware, you should check out his youtube channel.