Analytics Story: Ransomware Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.
Why it matters
Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail CreateKey | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail PutKeyPolicy | AWS | aws:cloudtrail |
aws_cloudtrail |
References
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://github.com/d1vious/git-wild-hunt
- https://www.youtube.com/watch?v=PgzNib37g0M
Source: GitHub | Version: 1