Earlier this week, an Incident Response (IR) company was called in by a new customer that was experiencing a ransomware attack which they were unable to control.
They promptly deployed the Minerva Labs Malware Prevention software on the customer’s endpoints and were able to mitigate the attack.
Although we pride ourselves on preventing malware from the get-go (stopping it before it even executes), here Minerva was deployed mid-incident, and with its help the IR team was able to quickly regain control of the network and completely stop the ransomware from spreading. All this without even knowing what the attack was! A post-mortem revealed this to be a very interesting new attack.
The Rust Ransomware
The ransomware was apparently written in the Rust programming language, and shares some similarities with the https://github.com/cdong1012/Rust-Ransomware project. This malware was first spotted on November 18th, 2021 (4 days prior to the attack), and at the time of writing was not recognized by most AV vendors (5/67 on VirusTotal).
It looks like the threat actor spent quite some time on the victim's network, gaining administrator credentials without being detected by either the EPP or EDR solutions that were in place. This allowed them to exfiltrate 84GB of data, downloading the files before encrypting them and adding a ".sykffle" extension.
The ransomware kills services and processes such as Winword, browsers, OneNote, etc., so that it can also encrypt files that would otherwise be held open. Not only this, but it also tries to delete shadow copies in order to prevent data recovery.
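As an added example (not Minerva's code and not part of the original post), the Python routine below runs over constructed endpoint telemetry and flags the three behaviours described above: shadow copy deletion, a burst of document-application terminations on one host, and the appearance of the .sykffle extension. The log line format, host names and the specific shadow-copy command patterns are assumptions, since the post does not say how the deletion was attempted.

```python
import re
from collections import defaultdict
# Constructed, simplified endpoint telemetry, one event per line (not a real log format):
#   "<epoch> <host> PROC <image> <command line>"  process creation
#   "<epoch> <host> TERM <image>"                  process termination
#   "<epoch> <host> FILE <path>"                   file create or rename
# Assumption: the post says only that the ransomware "tries to delete shadow copies";
# these are common command lines that do so on Windows.
SHADOW_COPY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Document-handling apps the post says are killed so that open files can be encrypted.
DOC_APPS = {"winword.exe", "onenote.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
ENCRYPTED_EXT = ".sykffle"           # extension observed in this incident
KILL_WINDOW, KILL_THRESHOLD = 60, 3  # 3 or more terminations within 60 s on one host

def parse(line):
    ts, host, kind, rest = line.split(" ", 3)
    return int(ts), host, kind, rest

def detect(lines):
    # Returns (host, rule, detail) tuples for the three behaviours described in the post.
    alerts, terms = [], defaultdict(list)
    for ts, host, kind, rest in map(parse, lines):
        if kind == "PROC" and any(p.search(rest) for p in SHADOW_COPY_TAMPERING):
            alerts.append((host, "shadow_copy_tampering", rest))
        elif kind == "TERM" and rest.lower() in DOC_APPS:
            terms[host].append(ts)
        elif kind == "FILE" and rest.lower().endswith(ENCRYPTED_EXT):
            alerts.append((host, "ransom_extension", rest))
    for host, times in terms.items():  # sliding window over document-app terminations
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= KILL_WINDOW)
            if n >= KILL_THRESHOLD:
                alerts.append((host, "mass_kill_document_apps", f"{n} kills in {KILL_WINDOW}s"))
                break
    return alerts

SAMPLE = [  # constructed events, not taken from the incident
    "1637600000 WS01 TERM winword.exe",
    "1637600005 WS01 TERM onenote.exe",
    "1637600009 WS01 TERM chrome.exe",
    "1637600030 WS01 PROC cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "1637600090 WS01 FILE C:\\Users\\alice\\Documents\\budget.xlsx.sykffle",
    "1637600200 WS02 TERM winword.exe",  # a single close is normal user activity
]
```

`detect(SAMPLE)` returns three alerts for WS01 and none for WS02, where a single Word exit is ordinary user activity; on real telemetry these rules would be fed from process-creation, process-termination and file events rather than the constructed lines.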
Unfortunately, we cannot share the IOCs gathered during this attack as this could potentially expose the victim (each sample is custom built uniquely for each attack).
Needless to say, had Minerva been installed initially, this attack would have been prevented from the start.
How to protect yourself from ransomware?
Different ransomware families work in different ways. Some exploit vulnerabilities in an operating system, while others rely on unsuspecting users to help them gain entry via phishing attacks.
What this means is that there is no single means of detecting or preventing all types of ransomware attacks. That's why you need cybersecurity tools and professionals on your side that bring the deep expertise required to respond to and prevent a variety of ransomware attack techniques, including those associated with unknown ransomware families that are not yet widely understood. Minerva's technology does this by drawing on our team's deep cybersecurity expertise to preemptively prevent attacks across multiple threat vectors, and to mitigate the unfortunate event of an ongoing attack.