Welcome back to our Stories from the Field series, where we share info on how our Insider Threat analysts work with customers to proactively defend their environments against emerging threats.
In this post, we’ll dive into the details of how we responded to the Kaseya REvil ransomware attacks, and the specific steps my team and I took to help our customers boost their defenses.
Here’s What Happened
Regarding the Kaseya attacks, we were initially notified about the incident through the Cybersecurity & Infrastructure Security Agency (CISA). In response, we gathered information about the indicators of compromise (IoCs) from various sources and collected additional IoCs from our own testing and research on the actual ransomware sample.
While analyzing the behaviors, it was interesting to note that REvil programmed their ransomware to encrypt files connected to OneDrive cloud accounts. This meant that users who had backed up files to a cloud account would have had their backups encrypted as well – a clear example of attacker innovation.
Having worked with other types of ransomware such as “Locky” and “WannaCry”, we were surprised to see cloud-encrypting capabilities. Initial testing also indicated that the ransomware would rename all files to “readme.txt”, each containing the REvil ransom note. For context, ransomware such as “WannaCry” would open a single window displaying the ransom note and instructions.
However, REvil’s ransomware did mass renaming of all the files on the system, turning them into hundreds of ransom notes. Knowing that the ransomware would rename files to “readme.txt”, we used queries to look for high numbers of files renamed to “readme.txt”, alongside other queries.
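One way to express the “many renames to readme.txt on one host” hunt as code, run over constructed endpoint telemetry. This is an added example, not a DTEX query or platform code; the event tuple format, the 25-renames-in-5-minutes threshold and the OneDrive path check are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed telemetry, not real customer data.
    Each event: (timestamp, host, action, old_path, new_path).
    WS-01 renames a single file to readme.txt (benign); WS-17 shows a burst
    of renames to readme.txt under the user's OneDrive folder."""
    base = datetime(2021, 7, 2, 14, 0, 0)
    events = [(base, "WS-01", "rename", r"C:\Users\bob\notes.txt", r"C:\Users\bob\readme.txt")]
    for i in range(40):
        events.append((base + timedelta(seconds=i), "WS-17", "rename",
                       rf"C:\Users\alice\OneDrive\folder{i}\doc.docx",
                       rf"C:\Users\alice\OneDrive\folder{i}\readme.txt"))
    return events


def rename_burst_hosts(events, threshold=25, window=timedelta(minutes=5)):
    """Flag hosts with at least `threshold` renames to readme.txt inside any
    `window`-long span (threshold and window are assumed values).
    Returns {host: {"count": peak renames in one window,
                    "first_seen": start of that window,
                    "onedrive": renames whose target sits under a OneDrive folder}}."""
    per_host = defaultdict(list)
    for ts, host, action, _old, new in events:
        if action == "rename" and new.lower().endswith("\\readme.txt"):
            per_host[host].append((ts, new))
    hits = {}
    for host, items in per_host.items():
        items.sort()  # sliding window over time-ordered renames
        start, peak, peak_start = 0, 0, items[0][0]
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, items[start][0]
        if peak >= threshold:
            onedrive = sum(1 for _, p in items if "\\onedrive\\" in p.lower())
            hits[host] = {"count": peak, "first_seen": peak_start, "onedrive": onedrive}
    return hits


if __name__ == "__main__":
    for host, info in rename_burst_hosts(build_sample_events()).items():
        print(f"{host}: {info['count']} renames to readme.txt from {info['first_seen']}, "
              f"{info['onedrive']} under OneDrive")
```

The single rename on WS-01 stays below the threshold, so only the burst host is reported; the OneDrive count gives the analyst a hint that synced backups may be affected too.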
Why It Matters
After consolidating all the needed information, we were able to quickly create multiple queries that allowed us to threat hunt and search across thousands of endpoints within a matter of minutes. Because of the DTEX platform’s historical data forensics capabilities, we were also able to search for signs of compromise from weeks before the news of the Kaseya REvil ransomware incident broke.
In two hours or less, we were able to verify for multiple customers that we had not detected any signs of the REvil ransomware on their systems. With incidents like this, it usually takes incident responders days to conclude what happened, due to the lack of visibility and the need to access multiple tools to gather information.
In the case of the Kaseya attacks, the rich dataset provided by our platform enabled us to gather the information needed to answer questions without having to look elsewhere. This is a true differentiator for us and our customers, as it empowers us to help them in real time and provide the guidance they need to navigate situations like this.