Ransomware Analytics
The increasing sophistication of ransomware attacks highlights the need for a defense-in-depth approach that creates security layers within the organization. A comprehensive SIEM-based approach increases the likelihood of detecting ransomware before it is deployed. The Ransomware Analytics application for LogPoint SIEM consists of alert packages, dashboard packages, search templates, and Knowledge Base (KB) lists, which help you detect advanced malware such as Ryuk ransomware, FiveHands ransomware, Conti ransomware, and Egregor ransomware. Ransomware Analytics dashboards visualize event details for ransomware, command-line interface, endpoint, and remote data protocol activity, enabling you to monitor the security status of your organization. When LogPoint identifies ransomware within your environment, it triggers security alerts based on predetermined rules, so that you can detect potential threats and ransomware early and take corrective action. The dashboards and alerts can be customized by modifying the existing components to suit your needs, and you can further customize the data and searches to perform in-depth analysis.
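The overview above describes two kinds of alert the application ships: KB-list matches (an event field compared against a list of known indicators, as in LP_Ryuk IoC IP Match and LP_Ryuk IoC Domain Match) and rule-based detections on process activity (such as LP_Possible Ransomware Deletion Volume Shadow Copies Detected). The following Python is an added example written for this page; it is not LogPoint's code and does not reproduce the application's actual rule logic. It assumes a normalized event dictionary with fields named `host`, `destination_address`, `query` and `command`, treats the alert names from the package list as labels, and uses constructed KB-list values from reserved documentation ranges and a placeholder hash rather than real indicators.

```python
"""Added example: KB-list IoC matching and a command-line detection rule over
normalized SIEM events. Hypothetical logic, not LogPoint's implementation."""
import re

# Constructed KB lists (documentation IP ranges, reserved domains, placeholder
# hash). None of these values is a real indicator of compromise.
KB_LISTS = {
    "RYUK_IPS": {"192.0.2.10", "198.51.100.7"},
    "RYUK_DOMAINS": {"ryuk-c2.example", "update.example.invalid"},
    "RYUK_RANSOMWARE_HASH": {"0" * 63 + "1"},  # placeholder SHA-256
    "CRITICAL_HOSTS": {"dc01", "fileserver01"},
}

# Assumed mapping: KB list -> event field it is compared against -> alert name.
# The alert names come from the package list; the field names are assumptions.
IOC_RULES = [
    ("RYUK_IPS", "destination_address", "LP_Ryuk IoC IP Match"),
    ("RYUK_DOMAINS", "query", "LP_Ryuk IoC Domain Match"),
]

# Command-line patterns for the shadow-copy deletion rule (Sysmon event ID 1
# command lines). Case-insensitive so that "Delete Shadows" is also caught.
SHADOW_COPY_DELETION = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
)

SHADOW_COPY_ALERT = "LP_Possible Ransomware Deletion Volume Shadow Copies Detected"
AFFECTED_HOST_ALERT = "LP_Ryuk Ransomware Affected Host"


def match_iocs(event):
    """Return the IoC alert names whose KB list contains the event's field value."""
    hits = []
    for kb_name, field, alert in IOC_RULES:
        value = event.get(field)
        if value is not None and value.lower() in KB_LISTS[kb_name]:
            hits.append(alert)
    return hits


def detect_shadow_copy_deletion(event):
    """True when a process-creation command line deletes volume shadow copies."""
    command = event.get("command", "")
    return any(pattern.search(command) for pattern in SHADOW_COPY_DELETION)


def evaluate(events):
    """Run every rule over the events and return one record per alert firing."""
    alerts = []
    for ev in events:
        for alert in match_iocs(ev):
            alerts.append({"alert": alert, "host": ev.get("host"), "event": ev})
        if detect_shadow_copy_deletion(ev):
            alerts.append({"alert": SHADOW_COPY_ALERT, "host": ev.get("host"), "event": ev})

    # Assumed semantics for the "Affected Host" alert: every host that raised a
    # Ryuk IoC match is reported once, flagged if it is in CRITICAL_HOSTS.
    seen = set()
    for record in list(alerts):
        host = record["host"]
        if record["alert"].startswith("LP_Ryuk IoC") and host not in seen:
            seen.add(host)
            alerts.append({
                "alert": AFFECTED_HOST_ALERT,
                "host": host,
                "critical": host in KB_LISTS["CRITICAL_HOSTS"],
            })
    return alerts


# Constructed sample events in the normalized form this example assumes.
SAMPLE_EVENTS = [
    {"host": "ws-042", "log_source": "firewall", "source_address": "10.0.0.42",
     "destination_address": "192.0.2.10"},
    {"host": "dc01", "log_source": "sysmon", "event_id": 22, "query": "Ryuk-C2.example"},
    {"host": "fileserver01", "log_source": "sysmon", "event_id": 1,
     "command": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-007", "log_source": "sysmon", "event_id": 1, "command": "vssadmin list shadows"},
    {"host": "ws-007", "log_source": "firewall", "destination_address": "203.0.113.5"},
]

if __name__ == "__main__":
    for record in evaluate(SAMPLE_EVENTS):
        print(record["alert"], "on", record["host"],
              "(critical host)" if record.get("critical") else "")
```

The domain match lower-cases the event value before the set lookup, which is the detail most often missed when a list of indicators is compared against DNS query fields that arrive in mixed case; the shadow-copy rule deliberately ignores `vssadmin list shadows` so that routine administration does not fire the ransomware alert.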
Read more on how to detect Ryuk ransomware, FiveHands ransomware, and Egregor ransomware with LogPoint:
Package Details
The application consists of the following components:
- Dashboard Packages
  - LP_Ryuk Ransomware
  - LP_CLI Activities
  - LP_Endpoint Activities
  - LP_Tamper Activities
  - LP_Remote Login Activities
- Alert Packages
  - Ryuk Ransomware
    - LP_Ryuk IoC IP Match
    - LP_Ryuk IoC Domain Match
    - LP_Ryuk Ransomware Affected Host
  - Egregor Ransomware
    - LP_Egregor Payload Command Line Detected
    - LP_S3 Browser Execution
    - LP_RClone Utility Execution
  - FiveHands Ransomware
    - FiveHands IoC Hash Match
    - FiveHands IoC IP Match
    - FiveHands IoC Domain Match
    - LP_SoftPerfect Network Scanner Execution
    - LP_RouterScan Execution
    - LP_S3 Browser Execution
    - LP_RClone Utility Execution
  - Conti Ransomware
    - LP_Possible Ransomware Deletion Volume Shadow Copies Detected
    - LP_Credential Access via LaZagne
    - LP_Cobalt Strike Default Named Pipes Detected
    - LP_Sysinternals Tool Usage - PsExec
    - LP_Windows Defender Stopped
    - LP_Regsvr32 Anomaly Detected
    - LP_Suspicious Rundll32 Activity Detected
    - LP_Possible Reconnaissance Activity
    - LP_RDP Registry Modification
    - LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected
    - LP_Suspicious WMI Execution Detected
    - LP_RClone Utility Execution
    - LP_Conti IoC Domain Match
    - LP_Conti IoC IP Match
    - LP_Conti Ransomware Affected Host
  - Clop Ransomware
    - LP_Clop IoC Hash Match
    - LP_Possible Windows Defender Evasion Attempt
    - LP_Possible Clop C2 Communication Detected
    - LP_Clop IOC Domain match
    - LP_DLL Loader Component Write Detected
    - LP_Dewmode Webshell Resource Download Request Detected
  - LP_Active Directory Enumeration via ADFind
  - LP_Discovery via PowerSploit Recon Module Detected
  - LP_Process Execution from Suspicious Location
  - LP_Suspicious Reconnaissance Activity Detected
  - LP_Possible Bitsadmin Download Detected
  - LP_Executable Dropped in Suspicious Location
  - LP_Suspicious File or Directory Permission Modification
  - LP_Microsoft Defender Disabling Attempt via PowerShell
  - LP_Microsoft Office Product Spawning Windows Shell
  - LP_Registry Run Keys Detected
  - LP_Possible Modification of Boot Configuration
  - LP_Mitre Possible Privilege Escalation using Application Shimming
  - LP_Batch Scripting Detected
- Knowledge Base (KB) Lists
  - RYUK_DOMAINS
  - RYUK_IPS
  - RYUK_RANSOMWARE_HASH
  - CRITICAL_HOSTS
  - FIVEHANDS_HASHES
  - FIVEHANDS_IPS
  - FIVEHANDS_DOMAINS
  - POWERSPLOIT_RECON_MODULES
  - CONTI_DOMAIN
  - CONTI_IPS
  - CONTI_HASHES
- Search Template
  - LP_Ransomware Hunt
Enhancements
- The MITRE ATT&CK information of all Ransomware alerts, including Attack Category, Attack Tag, and Log Source, has been updated to the latest version, as the LogPoint alert user interface now allows you to customize these alert rule mapping options. Note that you can customize these alert rule mapping options only in LogPoint v6.12.0.
- The LP_Advanced IP Scanner Execution alert related to the FiveHands ransomware has been removed from the application.
- The threat_actor and associated_malware Syslog fields have been updated for all Ransomware Analytics alerts.
Installation
Follow these steps to install the Ransomware Analytics v5.0.2 application:
- Download the Ransomware Analytics package from the Download section above.
- Install the package by importing the pak file to LogPoint under Settings >> System >> Applications.
Supported Device
Supported LogPoint versions work with the Ransomware Analytics application.
Required Log Sources
The minimum required log sources are:
- Sysmon
- Firewall
- Windows AD
- Windows Client
Screenshot - Sample Dashboard
Changes in the Previous Version
Changes in Ransomware Analytics v5.0.1
Enhancements
The Ransomware Analytics application now includes new alert packages to detect the Clop ransomware and Knowledge Base (KB) lists for the Conti ransomware. Also, the alerts LP_Mitre Possible Privilege Escalation using Application Shimming and LP_Batch Scripting Detected have been added to the Ransomware Analytics application.
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@logpoint.com
Phone: +45 7060 6100