Training Scenario - Vanilla Ransomware
Group Name
Training Data - Vanilla Ransomware (Hive)
Scenario
In this training scenario, we will execute a ‘vanilla’ ransomware payload, running as admin without any exploits. This simulates the basic example of a user downloading malware via a phishing link, malicious USB, etc.
While this is a very simple execution method, if the payload is a zero day, it will still go unnoticed by signature based security products, and may too irreparable damage before cloud based behavioral products can get back an analysis.
Identifying it
Identifying this incident is the easiest of all the samples. Once the suspicious file name on a file with no signature has been noticed, it’s an immediate red flag.
To confirm the execution method, we can look into the process creations around the time of the incident. What we see confirms that there was no complex exploit method, or even a script! As with other samples, the child process creations are interesting, though. Even though the execution method of the malware itself was obvious, many background processes are started that disable protections and other system settings.
At this point the attack has been contained by Cyber Crucible, but analysis of the related processes is important to find scope of the malicious behaviors. The execution of the unsigned exe alone looks obvious when its laid out by Cyber Crucible, but many times background processes started by something as privileged and protected as Defender would simply be ignored.
Relevant documentation
Mitre T1566 - Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.
Mitre T1091 - Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities.
Mitre T1204 - User execution, often gained via phishing, is the simplest way malware may begin running.