REvil
Scenario:
You are a Threat Hunter working for a cybersecurity consulting firm. One of your clients has recently been hit by a ransomware attack that encrypted several of their employees' machines. The affected users have reported finding a ransom note on their desktop and a changed desktop background. You are tasked with using a Splunk SIEM instance containing the Sysmon event logs of one of the encrypted machines to extract as much information as possible.
Incident Walkthrough:
Reading the scenario, we know that a ransomware infection has occurred on the device.
Note: I skipped identifying the environment since it consists of only one computer.
To begin our investigation, we need to identify the ransomware. Since we have Sysmon, the best way to search for the ransomware is by checking Event ID 1 (Process Creation), as it logs details when the ransomware is executed.
index=revil "event.code"=1
| table _time winlog.event_data.ParentCommandLine winlog.event_data.CommandLine


We can see that the file "facebook assistant.exe" executed a PowerShell command that deletes all existing Volume Shadow Copies (VSS snapshots). Ransomware often does this to disrupt system recovery methods and prevent victims from restoring their files.
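As an added example, not code from the original write-up or the lab, the Python below performs the same hunt as the Splunk search above over Sysmon Event ID 1 records: it keeps process-creation events whose command line deletes Volume Shadow Copies and reports the parent and child command lines side by side. Because ransomware frequently launches PowerShell with -EncodedCommand, the detector also decodes base64/UTF-16LE payloads before matching. All records, timestamps and paths are constructed sample data; the field names mirror the winlog.event_data.* fields used in the searches.

```python
"""Added example, not code from the original write-up or the lab: hunt Sysmon
Event ID 1 (process creation) records for command lines that delete Volume
Shadow Copies, the behaviour the write-up attributes to "facebook assistant.exe".
All records below are constructed sample data; field names mirror the Splunk
queries in the write-up (winlog.event_data.*)."""
import base64
import re

# Any unambiguous prefix of -EncodedCommand (-e, -enc, -encoded, ...) followed by a base64 token.
_ENC_FLAG = re.compile(
    r"(?<!\S)-(?:" + "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
    + r")(?!\S)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Shadow-copy deletion idioms (MITRE ATT&CK T1490, Inhibit System Recovery).
_SHADOW_DELETE = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"win32_shadowcopy.*?(?:\.delete\(|remove-wmiobject|remove-ciminstance)", re.IGNORECASE),
]


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_shadow_copy_deletion(cmdline):
    """True if the command line (decoded first, where applicable) deletes shadow copies."""
    text = decode_encoded_powershell(cmdline) or cmdline
    return any(p.search(text) for p in _SHADOW_DELETE)


def hunt_shadow_copy_deletion(events):
    """Equivalent of the first Splunk search: keep Event ID 1 records that delete
    shadow copies, with parent and child command lines side by side."""
    hits = []
    for ev in events:
        if ev.get("event.code") != 1:
            continue
        cmd = ev.get("winlog.event_data.CommandLine", "")
        if is_shadow_copy_deletion(cmd):
            hits.append({
                "time": ev.get("_time"),
                "parent": ev.get("winlog.event_data.ParentCommandLine", ""),
                "command": cmd,
                "decoded": decode_encoded_powershell(cmd),
            })
    return hits


def _b64_utf16(script):
    """Encode a PowerShell script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


RANSOMWARE = "C:\\Users\\user\\Downloads\\facebook assistant.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed records, not the lab's data
    {"_time": "2024-01-01T10:00:01", "event.code": 1,
     "winlog.event_data.ParentCommandLine": "C:\\Windows\\explorer.exe",
     "winlog.event_data.CommandLine": f'"{RANSOMWARE}"'},
    {"_time": "2024-01-01T10:00:05", "event.code": 1,
     "winlog.event_data.ParentCommandLine": f'"{RANSOMWARE}"',
     "winlog.event_data.CommandLine": "powershell -e "
     + _b64_utf16("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")},
    {"_time": "2024-01-01T10:00:09", "event.code": 1,  # benign admin script, must not match
     "winlog.event_data.ParentCommandLine": "C:\\Windows\\explorer.exe",
     "winlog.event_data.CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\Tools\\inventory.ps1"},
    {"_time": "2024-01-01T10:00:12", "event.code": 11,  # not a process creation, skipped
     "winlog.event_data.Image": RANSOMWARE,
     "winlog.event_data.TargetFilename": "C:\\Users\\user\\Desktop\\5uizv5660t-readme.txt"},
]

if __name__ == "__main__":
    for hit in hunt_shadow_copy_deletion(SAMPLE_EVENTS):
        print(hit["time"], "| parent:", hit["parent"])
        print("    command:", hit["command"][:60] + "...")
        print("    decoded:", hit["decoded"])
```

The decoding step matters in practice: Sysmon records the encoded form, so a search that only greps the CommandLine field for "shadow" misses the PowerShell variant entirely. The parent command line is what ties the deletion back to the dropper.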
Next, we need to identify what actions the malware performs on the system.
index=revil "facebook assistant.exe"

We need to investigate each event to determine what the ransomware did to the system.
Next we check Event ID 11 (File Create), which logs file creation activity; by analyzing these events we can identify the files the ransomware created on the system.
index=revil "facebook assistant.exe" "event.code"=11
| table _time winlog.event_data.Image winlog.event_data.TargetFilename

We notice a file named "5uizv5660t-readme.txt", which appears to be the decryption and payment note left behind by the ransomware.
For Event ID 13 (Registry Value Set), we found the following:
index=revil "facebook assistant.exe" "event.code"=13
| table _time winlog.event_data.Image winlog.event_data.TargetObject

This registry write indicates that PowerShell was used during the attack, which matches our earlier observation of the ransomware deleting the shadow copies.
To gather more information about the ransomware, we need its file hash. This lets us check whether the same sample has been seen in other environments using threat intelligence platforms such as VirusTotal and ANY.RUN.
index=revil winlog.event_data.Image="*facebook assistant.exe" "event.code"=1
| table _time winlog.event_data.ProcessId winlog.event_data.Image winlog.event_data.Hashes
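The three searches above (Event ID 11 file creates, Event ID 13 registry value sets, and the hashes from Event ID 1) all pivot on the same image name. As an added example that is not part of the original write-up or the lab, the Python below does that pivot in one pass over Sysmon records: it mimics the Image="*facebook assistant.exe" wildcard, parses Sysmon's Hashes field into a dictionary, picks out the REvil-style "<ext>-readme.txt" ransom notes, and uses the random string from the note name (which REvil/Sodinokibi also appends to encrypted files) to list the encrypted files it wrote. Records, registry path and hash values are constructed placeholders, not the lab's data.

```python
"""Added example, not from the original write-up or the lab: pivot on a suspicious
image across Sysmon event types (11 file creates, 13 registry sets, 1 process hashes)
and collect the artifacts into one triage record. All records and hash values below
are constructed placeholders."""
import re
from collections import defaultdict

# REvil/Sodinokibi drops "<ext>-readme.txt", where <ext> is also appended to encrypted files.
_NOTE = re.compile(r"[\\/]([a-z0-9]{5,12})-readme\.txt$", re.IGNORECASE)


def parse_sysmon_hashes(field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def image_matches(event, image_suffix):
    """Mimic the Splunk wildcard Image="*facebook assistant.exe" (case-insensitive suffix)."""
    return event.get("winlog.event_data.Image", "").lower().endswith(image_suffix.lower())


def triage_process(events, image_suffix):
    """Collect what a process wrote, set in the registry, and was hashed as."""
    report = {"pids": set(), "hashes": {}, "ransom_notes": [], "registry": [],
              "encrypted_files": [], "extension": None}
    by_code = defaultdict(list)
    for ev in events:
        if image_matches(ev, image_suffix):
            by_code[ev.get("event.code")].append(ev)
    for ev in by_code[1]:  # process creation: PID and file hashes
        report["pids"].add(ev.get("winlog.event_data.ProcessId"))
        report["hashes"].update(parse_sysmon_hashes(ev.get("winlog.event_data.Hashes", "")))
    for ev in by_code[13]:  # registry value set
        report["registry"].append(ev.get("winlog.event_data.TargetObject", ""))
    # First pass over file creates: find the ransom note and learn the random extension.
    files = [ev.get("winlog.event_data.TargetFilename", "") for ev in by_code[11]]
    for path in files:
        m = _NOTE.search(path)
        if m:
            report["ransom_notes"].append(path)
            report["extension"] = report["extension"] or m.group(1).lower()
    # Second pass: files created with that extension are the encrypted copies.
    if report["extension"]:
        suffix = "." + report["extension"]
        report["encrypted_files"] = [p for p in files if p.lower().endswith(suffix)]
    return report


RANSOMWARE = "C:\\Users\\user\\Downloads\\facebook assistant.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed records; hash values are obvious placeholders
    {"event.code": 1, "winlog.event_data.Image": RANSOMWARE,
     "winlog.event_data.ProcessId": 4212,
     "winlog.event_data.Hashes": "SHA1=" + "a" * 40 + ",MD5=" + "b" * 32
     + ",SHA256=" + "c" * 64 + ",IMPHASH=" + "d" * 32},
    {"event.code": 11, "winlog.event_data.Image": RANSOMWARE,
     "winlog.event_data.TargetFilename": "C:\\Users\\user\\Documents\\budget.xlsx.5uizv5660t"},
    {"event.code": 11, "winlog.event_data.Image": RANSOMWARE,
     "winlog.event_data.TargetFilename": "C:\\Users\\user\\Desktop\\5uizv5660t-readme.txt"},
    {"event.code": 11, "winlog.event_data.Image": RANSOMWARE,
     "winlog.event_data.TargetFilename": "C:\\Users\\user\\Documents\\5uizv5660t-readme.txt"},
    {"event.code": 13, "winlog.event_data.Image": RANSOMWARE,  # constructed registry path
     "winlog.event_data.TargetObject":
         "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"},
    {"event.code": 11, "winlog.event_data.Image": "C:\\Windows\\System32\\svchost.exe",
     "winlog.event_data.TargetFilename": "C:\\Windows\\Temp\\unrelated.tmp"},  # other process, ignored
]

if __name__ == "__main__":
    r = triage_process(SAMPLE_EVENTS, "facebook assistant.exe")
    print("PIDs:", sorted(r["pids"]))
    print("SHA256 to search on VirusTotal / ANY.RUN:", r["hashes"].get("SHA256"))
    print("Extension:", r["extension"], "| notes:", len(r["ransom_notes"]),
          "| encrypted files:", len(r["encrypted_files"]))
    print("Registry:", r["registry"])
```

The SHA256 entry of the returned hashes dictionary is the value to search on VirusTotal or ANY.RUN; the extension and the encrypted-file list give the scope of damage on this host without a second search.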

Searching the hash on ANY.RUN returns an existing analysis with useful details about the sample.

We notice that the ransomware tries to connect to a domain with a .onion address, meaning the host is reachable only through the Tor network.
That concludes the investigation.
I hope you enjoyed it! :)
Lab Link: REvil Lab