Big companies are not immune to Ransomware!

  1. The phishing email, in the delivery category, should have been caught by commercial email protection tools.
  2. The malware files (kepstl32.dll, memes.tmp, and maze.dll), in the delivery category, should have been caught by malware tools as well as other AV tools. Note that the end user in this case had to allow the macros to run. User awareness is still essential to defending against these types of attacks!
  3. Once the macros have been enabled, the malware reaches out to a file server and downloads additional malware. This should have been detected in the command and control as well as the delivery category. These categories are usually defended by threat intel tools, malware tools, and host-based tools.
  4. New files get created and the file encryption process begins. This file creation and subsequent encryption should be caught in the actions and exfiltration category and protected by tools such as threat intel, process anomaly detection, firewalls and malware tools.
  1. Our phishing detection would evaluate the malicious URL and mitigate its risk.
  2. RDP connections would be evaluated, alerted, and automatically mitigated when anomalous logins occur.
  3. The malware files referenced above would have been evaluated by our malware tool and mitigated.
  4. Had those files passed the malware test, the server sensor would have caught the behavior change (i.e. new process spawned with a new connection to the internet file server).
  5. If the dropper file passed the malware and server sensor assessment, the call to the internet file server could have been mitigated at the network level. The Stellar Cyber platform would have signaled the network firewalls to implement a block to the target server.
  6. The new file downloads could have been caught and mitigated at the server sensor or malware assessment.
  7. The encryption process would be detected by the server sensor and mitigation techniques applied to prevent/stop the process from continuing.
  8. Finally, the exfiltration process would be detected by the network layer, the host sensor, and the threat intel.
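As an added example (not code from the original post or from Stellar Cyber), the kind of host-sensor logic that would surface the behaviors described above: a child of a macro-enabled Office process opening an outbound connection (the dropper calling the file server), and a single process performing a burst of file create/rename operations (the encryption phase). The event schema, process names, address and thresholds are all constructed for this example.

```python
from collections import defaultdict, deque

# Assumed: process images that host macros; the event schema below is invented.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def detect(events, file_op_threshold=50, window_s=60.0):
    """Scan time-ordered endpoint events, return (alert, pid, detail) tuples.

    office_child_outbound: a child of an Office process opens a network
    connection (macro-launched dropper fetching more malware).
    mass_file_write: one process performs >= file_op_threshold file
    create/rename operations inside a window_s-second sliding window.
    """
    procs = {}                         # pid -> (image, parent pid)
    file_ops = defaultdict(deque)      # pid -> recent file-op timestamps
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = (ev["image"].lower(), ev["ppid"])
        elif ev["type"] == "network_connect":
            image, ppid = procs.get(ev["pid"], ("<unknown>", None))
            parent_image = procs.get(ppid, ("<unknown>", None))[0]
            if parent_image in OFFICE_APPS:
                alerts.append(("office_child_outbound", ev["pid"],
                               f"{parent_image} -> {image} -> {ev['dst']}"))
        elif ev["type"] in ("file_create", "file_rename"):
            recent = file_ops[ev["pid"]]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window_s:   # slide the window
                recent.popleft()
            if len(recent) == file_op_threshold:                # fire once per burst
                image = procs.get(ev["pid"], ("<unknown>", None))[0]
                alerts.append(("mass_file_write", ev["pid"],
                               f"{image}: {len(recent)} file ops in {window_s:.0f}s"))
    return alerts

def run_sample():
    """Constructed telemetry: Word (macros allowed) spawns a dropper that
    connects out, then renames 60 files in 30 seconds. All values made up."""
    events = [
        {"type": "process_create", "ts": 0.0, "pid": 100, "ppid": 1, "image": "WINWORD.EXE"},
        {"type": "process_create", "ts": 1.0, "pid": 200, "ppid": 100, "image": "dropper.exe"},
        {"type": "network_connect", "ts": 2.0, "pid": 200, "dst": "203.0.113.10:443"},
    ]
    events += [{"type": "file_rename", "ts": 10.0 + i * 0.5, "pid": 200} for i in range(60)]
    return detect(events)
```

A real sensor would feed these rules from process-creation and file-system telemetry rather than a static list, but the ordering logic is the same.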

Stellar Cyber’s Open XDR platform delivers Everything Detection and Response by unifying all currently disjointed security tools and data sources.