Lab 4 - Ransomware Injection

Review the LogRhythm Security Analytics book: chapter 4.

Overview

Security Use Case: Ransomware Injection

Description: Malware installed covertly on a victim's computer in order to demand a ransom payment for the data it locks. The malware encrypts all data of interest, and the data is only made available (decrypted) once the ransom is paid.

Security Type: User, Network or Endpoint

Threat Actors: Insiders, Commodity Malware Groups, Organized Crime

Goals: Quick Return - Financial Gain

Task: Locate any logs that may be considered suspicious through the use of LogRhythm's Web Console Dashboards and Analyzer Grid.

Hint: Ransomware encrypts files by rapidly accessing the readable version of a file, writing an encrypted copy of it, and deleting the readable version. You can easily spot ransomware by looking at file integrity monitoring (FIM) data.

  • Data to look out for might include an increase in certain Log Source Types, abnormal Common Events popping up, and new user origins showing up. Be sure to look out for certain applications or process activity that may seem out of the norm.
  • Move the incident through the Threat Lifecycle Management process and document your findings as you go.
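The FIM pattern the hint describes, as an added example that is not part of the lab or of LogRhythm's own tooling: a small Python detector run over constructed FIM events (the key=value line layout, host names, process names and paths are all assumed) that flags any process which, within one time window, repeatedly deletes a file after creating a same-named copy with an appended extension.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample FIM events (assumed "key=value" layout, not LogRhythm's native format).
# updater.exe deletes three documents after writing ".locked" copies; the others are normal noise.
SAMPLE_FIM_LOGS = r"""
2024-05-01T09:00:01 host=ws01 proc=winword.exe action=modify path=C:\Users\a\q1.docx
2024-05-01T09:00:05 host=ws01 proc=updater.exe action=create path=C:\Users\a\q1.docx.locked
2024-05-01T09:00:05 host=ws01 proc=updater.exe action=delete path=C:\Users\a\q1.docx
2024-05-01T09:00:07 host=ws01 proc=updater.exe action=create path=C:\Users\a\q2.xlsx.locked
2024-05-01T09:00:07 host=ws01 proc=updater.exe action=delete path=C:\Users\a\q2.xlsx
2024-05-01T09:00:09 host=ws01 proc=explorer.exe action=create path=C:\Users\a\notes.txt.bak
2024-05-01T09:00:09 host=ws01 proc=explorer.exe action=delete path=C:\Users\a\notes.txt
2024-05-01T09:00:10 host=ws01 proc=updater.exe action=create path=C:\Users\a\q3.pdf.locked
2024-05-01T09:00:10 host=ws01 proc=updater.exe action=delete path=C:\Users\a\q3.pdf
"""

def parse_line(line):
    """Split one FIM line into a dict; paths in the sample contain no spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def has_burst(timestamps, window_seconds, min_count):
    """True if at least min_count timestamps fall inside any span of window_seconds."""
    timestamps = sorted(timestamps)
    start = 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= min_count:
            return True
    return False

def find_ransomware_bursts(log_text, window_seconds=60, min_pairs=3):
    """Return {(host, proc): pair_count} for processes that, within one window, delete
    a file and create a same-named file with an extra extension at least min_pairs times."""
    by_actor = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_actor[(ev["host"], ev["proc"])].append(ev)
    hits = {}
    for actor, events in by_actor.items():
        created = {e["path"] for e in events if e["action"] == "create"}
        # Pair each delete with a create of "<original path>.<new extension>"
        pair_times = [e["ts"] for e in events if e["action"] == "delete"
                      and any(c.startswith(e["path"] + ".") for c in created)]
        if len(pair_times) >= min_pairs and has_burst(pair_times, window_seconds, min_pairs):
            hits[actor] = len(pair_times)
    return hits
```

A single delete-plus-backup by explorer.exe stays below the threshold, which is the kind of benign FIM noise a rate check is meant to ignore.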


There is a generic technique for using the LogRhythm Web Console for threat hunting. You need to familiarize yourself with the log data in your environment by looking at the Web Console dashboards, alarms, and reports, and by running searches. This helps you discover things that should not be occurring in your environment: the abnormal and usually rare. Some of the best tools in the Web Console for discovering threats are:

  • The time range filter
  • Alarms
  • Top Classification
  • Top Common Events
  • Top Log Source Type widgets

Once you have discovered a threat, you need to decide whether you actually need to do something about it. This is known as qualifying the threat. Then you can investigate the threat using pivots, drilldowns, searches, reports, and cases. Next we neutralize the threat; we stop the problem from getting worse. Lastly, we recover. We determine how we will prevent this and similar types of things from happening again.