IOC Cheat Sheet for Top 10 Ransomware – How to Detect Fast
In 2016 there were more ransomware attacks than ever, with over 3 times more incidents compared to 2015. It’s not just the volume of attack – the ransomware has also increased in sophistication. In earlier years, most ransomware used techniques to freeze your screen or bring up messages on screen asking you to pay fines or buy services to clean up your computer. Today, most of the attacks are crypto-ransomwares that encrypt files and that increasingly target businesses.
For a security operation center, the ability to quickly detect ransomware activities is critical. For such detection, the team in the center must be alert to IOCs (indicators of compromise) associated with such ransomware, as well as identifying their AV signatures. Good monitoring practice is to have redundant sources and techniques to detect the threats – a kind of defense in depth model for detection.
Top 10 Ransomwares of 2016
Though there are more than 50 different families of ransomware active today, the following 10 were the most active in 2016. The capabilities of these ransomwares range from folder encryption to locking the master boot record and rendering the machine unusable.
Here is a list of current IOCs for detecting and blocking these Top 10 ransomwares. The IOC in the downloadable file includes the following
- IP and domain for blocking by web proxy, firewall and email gateways
- File hashes that can be included in your identity management and antivirus tools
- URIs that can be blocked by a web proxy server
These IOCs can be applied at two levels. First, at the detection level, they can be used as rules for filtering the data from proxy logs, firewall logs, NetFlow data, and email SMTP headers. Second, for triage and alert validation, they are checked with security alerts from security devices like IPS, WAF, DLP, FIM, and AV. Applying the IOCs to these security devices will help validate if the suspicious traffic or file identified in the network belongs to one of these Top 10 ransomwares. If the validation is positive, then the alert needs to be prioritized above others for immediate response and resolution.
Keeping IOCs Updated
Ransomwares continually change their modes of operations to avoid detection by security software:
- Changes in originating email id, email subject
- Changes to the server IP and URL hosting the ransomware software
- Changes in file hashes and file names for the dropper and ransomware tools
- Changes to internet servers where the secret key is posted
- Changes to network ports used for propagation
To stay ahead of the ransomwares, it is essential to keep tabs on the changing IOCs and update your security devices.
Automating Scanning for IOCs
While network level IOCs can be added as rules to proxy, firewall, NetFlow, etc., there are very few options available which can scan for IOCs in operating systems. Antivirus solutions can scan for file hashes and block a file from creation based on extension. However, they fall short in terms of hunting for other behavioral symptoms like startup folders, invoke hooks, and so on. Paladion’s RisqVU IST solution can identify and evaluate threats by analyzing suspicious activities in your endpoints based on indicators of compromise.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion’s Chairman & CEO since the inception of the Company in July 2000