Happy #MalwareMonday, this time brought to you by the researchers Imano Shunichi and James Slaughter at Fortinet!

Akira #ransomware hits both #Microsoft Windows and #Linux systems. According to the team, the adversary likes to target "VPN services that don't have multi-factor authentication (MFA) configured". The ransomware has a built-in exclusion list of file extensions and directories, and it gives the adversary command-line options to choose the path, file, or folder to encrypt, the network share path to encrypt, and how fast the encryption process should run. The researchers also observed some "minor variants" of the ransomware!

Ransomware Roundup - Akira
https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira

Some MITRE ATT&CK TTPs:
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell

TA0040 - Impact
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery

My Threat Hunting Take:
When conducting a structured or unstructured hunt for ransomware, there are a few avenues that you could take. Allow me to provide some insight:

Structured:
A structured hunt is where you start with an idea or hypothesis, for example PowerShell usage. You can hunt for PowerShell usage that reflects the shadow copy deletion commands provided in the report, but generalize it so that variations still match:

Pseudo Query (case-insensitive substring matches):
ProcessPath Contains "powershell.exe" and CommandLine Contains "command" and CommandLine Contains "shadow"

OR you can access this hunt package on Cyborg Security's threat hunter platform with your Community Account:
Shadow Copies Deletion Using Operating Systems Utilities
https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419
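As an added example (not from the post, the Fortinet report, or the hunt package), here is the structured hunt written out in Python and run over a handful of constructed process-creation events: the pseudo query above taken literally, beside a generalized version that drops the "command" substring (so the -c shorthand hits too), strips the backtick/caret escapes that split tokens, and extends the hypothesis to vssadmin and wmic shadow copy deletion. Host names, paths, event contents and rule names are all made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style). Constructed for this example."""
    host: str
    image: str           # full path of the launched executable
    command_line: str


def literal_query(ev: ProcessEvent) -> bool:
    """The post's pseudo query, taken literally with case-insensitive substring matches:
    ProcessPath Contains "powershell.exe" and CommandLine Contains "command"
    and CommandLine Contains "shadow"."""
    img, cmd = ev.image.lower(), ev.command_line.lower()
    return "powershell.exe" in img and "command" in cmd and "shadow" in cmd


def normalize(cmd: str) -> str:
    """Lower-case the command line, collapse whitespace and drop the escape
    characters PowerShell (backtick) and cmd.exe (caret) ignore, so a token
    split like Win32_Shad`owcopy still reads as win32_shadowcopy."""
    stripped = cmd.replace("`", "").replace("^", "")
    return re.sub(r"\s+", " ", stripped).lower()


# (rule name, image basenames the rule applies to, pattern over the normalized command line).
# The first rule is the post's hypothesis without the "command" substring, so -c / -ec
# shorthands also hit; the other two extend it to the OS utilities that delete shadow copies.
RULES = [
    ("powershell_shadowcopy_removal", {"powershell.exe", "pwsh.exe"},
     re.compile(r"shadow.*(?:remove-(?:wmi|cim)object|\.delete\(\))")),
    ("vssadmin_delete_shadows", {"vssadmin.exe"}, re.compile(r"delete shadows")),
    ("wmic_shadowcopy_delete", {"wmic.exe"}, re.compile(r"shadowcopy delete")),
]


def hunt(events):
    """Return (host, rule_name) for each event a rule matches. These are hunt leads
    to triage (who ran it, from where, what followed), not alerts."""
    hits = []
    for ev in events:
        image = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmd = normalize(ev.command_line)
        for name, images, pattern in RULES:
            if image in images and pattern.search(cmd):
                hits.append((ev.host, name))
    return hits


# Constructed sample events: one benign PowerShell run, the report-style shadow copy removal,
# a benign vssadmin listing, two OS-utility deletions, and a shorthand/backtick variant.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws01", PS, 'powershell.exe -Command "Get-Process | Out-Null"'),
    ProcessEvent("ws02", PS, 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ProcessEvent("ws03", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    ProcessEvent("ws03", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws04", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent("ws05", PS, 'powershell.exe -c "gwmi Win32_Shad`owcopy | Remove-WmiObject"'),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host}: literal_query={literal_query(ev)}")
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"lead: {host} -> {rule}")
```

Running it shows the literal query catching only ws02; the -c shorthand plus backtick on ws05 and the vssadmin/wmic deletions all slip past it, which is the argument for generalizing the hypothesis before you hunt. Two caveats not handled here: EDR and Sysmon command-line fields can be truncated, and -EncodedCommand payloads need base64 decoding before any substring match will see "shadow".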

Unstructured:
An unstructured hunt is when you let the data tell you where to go. Basically, you are looking for abnormal activity by examining the data and logs you already have, without a fixed plan. Are you seeing a large number of files being created only on certain devices? Are you profiling your endpoints to see which processes are running and whether any seem anomalous? This approach relies heavily on your knowledge of the environment and on tribal knowledge!
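As an added example (not from the post), one way to let the data point the way: count file creations per host over a window, then flag hosts far above the rest using a median plus MAD threshold rather than a mean, so the one noisy host does not drag the baseline up and hide itself. The host names, paths and the ".locked" extension are constructed for the example; the per-host count is the kind of figure you would pull from Sysmon Event ID 11 or an EDR file-write table.

```python
import statistics
from collections import Counter, defaultdict
from pathlib import PureWindowsPath


def profile_file_writes(events, k=5.0):
    """events: iterable of (host, path) file-creation records for one time window.
    Returns {host: {"count": n, "top_ext": ext}} for every host whose write count
    exceeds median + k * MAD across all hosts. MAD (median absolute deviation) is
    used instead of standard deviation so one extreme host cannot inflate the
    threshold; a MAD of 0 (all hosts identical) is floored to 1 to avoid flagging noise."""
    per_host = defaultdict(Counter)
    for host, path in events:
        ext = PureWindowsPath(path).suffix.lower() or "<none>"
        per_host[host][ext] += 1
    counts = {host: sum(c.values()) for host, c in per_host.items()}
    if not counts:
        return {}
    med = statistics.median(counts.values())
    mad = statistics.median(abs(n - med) for n in counts.values()) or 1.0
    threshold = med + k * mad
    return {
        host: {"count": n, "top_ext": per_host[host].most_common(1)[0][0]}
        for host, n in counts.items()
        if n > threshold
    }


# Constructed sample: four ordinary workstations writing a dozen files each, and one
# host rewriting hundreds of user documents with a new extension in the same window.
SAMPLE_WRITES = (
    [("ws01", rf"C:\Users\alice\Documents\report{i}.docx") for i in range(12)]
    + [("ws02", rf"C:\Users\bob\AppData\Local\Temp\tmp{i}.log") for i in range(15)]
    + [("ws03", rf"C:\Users\carol\Downloads\img{i}.png") for i in range(11)]
    + [("ws04", rf"C:\Users\dan\Documents\notes{i}.txt") for i in range(14)]
    + [("ws05", rf"C:\Users\erin\Documents\file{i}.xlsx.locked") for i in range(900)]
)


if __name__ == "__main__":
    for host, info in profile_file_writes(SAMPLE_WRITES).items():
        print(f"{host}: {info['count']} file creations, most common extension {info['top_ext']}")
```

The flagged host's most common extension is the next pivot: an extension nobody else in the fleet writes, appearing on one host in bulk, is exactly the kind of lead that only your knowledge of what is normal in that environment can confirm or dismiss.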

No matter what approach you take, good luck and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday