Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Revil ransomware, including file writes associated with Revil, encryption of network shares, deletion of shadow volume storage, registry key modification, deletion of security logs, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-06-04
  • Author: Teoderick Contreras, Splunk
  • ID: 817cae42-f54b-457a-8a36-fbf45521e29e

Narrative

Revil ransomware is a RaaS (ransomware-as-a-service) in which a single group operates and manages development of the ransomware. It involves the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment as ransom for the data and threaten deletion and exposure of the exfiltrated data.

Detections

| Name | Technique | Type |
|---|---|---|
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP |
| Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Revil Common Exec Parameter | User Execution | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Wbemprox COM Object Execution | Signed Binary Proxy Execution, CMSTP | TTP |
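As an added example (not Splunk's own search for the Delete ShadowCopy With PowerShell detection above), the following Python matcher applies the same idea to constructed PowerShell script block logging events (EventCode 4104): flag a script block only when it both references the Win32_Shadowcopy class and invokes a deletion, so that merely listing shadow copies does not alert. The event shape and field names (EventCode, Computer, ScriptBlockText) are assumptions, not the Endpoint datamodel.

```python
import re

# Constructed sample events in the shape of Windows PowerShell script block
# logging (EventCode 4104); not real telemetry. Field names are assumed.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01",
     "ScriptBlockText": "Get-Date; Write-Host 'backup ok'"},
    {"EventCode": 4104, "Computer": "ws02",
     "ScriptBlockText": "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"EventCode": 4104, "Computer": "ws03",
     "ScriptBlockText": "gwmi win32_shadowcopy | % { $_.Delete() }"},
    {"EventCode": 4104, "Computer": "ws04",
     "ScriptBlockText": "Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate"},
    {"EventCode": 4104, "Computer": "ws05",
     "ScriptBlockText": "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"},
]

# Both conditions are required: the script block names the Win32_Shadowcopy
# WMI/CIM class (any casing, any cmdlet alias) AND performs a deletion, either
# the WMI .Delete() method or the CIM Remove-CimInstance cmdlet. Enumerating
# shadow copies alone (ws04) is routine administration and must not alert.
SHADOWCOPY_CLASS = re.compile(r"win32_shadowcopy", re.IGNORECASE)
DELETE_ACTION = re.compile(r"\.delete\s*\(|remove-ciminstance", re.IGNORECASE)


def is_shadowcopy_deletion(script: str) -> bool:
    """True when a script block both references Win32_Shadowcopy and deletes."""
    return bool(SHADOWCOPY_CLASS.search(script) and DELETE_ACTION.search(script))


def find_shadowcopy_deletions(events):
    """Return the matching 4104 events, tagged with the ATT&CK technique name."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:  # only script block text events carry the code
            continue
        text = ev.get("ScriptBlockText", "")
        if is_shadowcopy_deletion(text):
            hits.append({"Computer": ev["Computer"], "ScriptBlockText": text,
                         "technique": "Inhibit System Recovery"})
    return hits


if __name__ == "__main__":
    for hit in find_shadowcopy_deletions(SAMPLE_EVENTS):
        print(f"{hit['Computer']} [{hit['technique']}]: {hit['ScriptBlockText']}")
```

Script block logging must be enabled on the endpoint for 4104 events to exist at all; a detection of this kind is only as complete as that telemetry.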

Reference

source | version: 1