Ransomware Hunter

Spot and Stop Ransomware as early as possible


Ransomware is malware for data kidnapping: an attack in which the adversary encrypts a victim's data and demands payment for the decryption key. Ransomware can target any PC, Mac or mobile system, whether it is a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider. There is no guarantee that paying the ransom will restore access to your data. Law enforcement agencies and CERTs worldwide, including the FBI, strongly recommend not paying the ransom to the adversaries, as decryption is by no means guaranteed and paying up actually encourages more ransomware attacks and threats. In 2016 the world saw ransomware used as part of APT attacks on critical infrastructure in Israel as well as in many other countries and organizations.

According to the Symantec ISTR report, ransomware has become increasingly dominant in recent years:

Ransomware discoveries

Our ransomware detection Use Case is based on our own research and a review of more than 50 reverse-engineering reports of the most common ransomware samples by companies such as Symantec, Trend Micro, Kaspersky, Intel Security, ESET and others.


Ransomware Hunter by SOC Prime is a SIEM security Use Case

Ransomware detection requires advanced cybersecurity skills and deep analysis of both the internal infrastructure and external threats, yet with Ransomware Hunter organizations are able to achieve a high detection rate at minimal cost. We use statistical profiling and behavioral methods, which associate events within a time period and correlate them with each other. Feeds from the specialized public Ransomware Tracker by abuse.ch help us detect ransomware before it encrypts or locks your files. Ransomware Tracker monitors the status of domain names, IP addresses and URLs associated with ransomware, such as botnet C&C servers, distribution sites and payment sites. Hosting and internet service providers (ISPs), national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can use the data provided by Ransomware Tracker to get an overview of the infrastructure used by ransomware and to determine whether that infrastructure is actively being used by miscreants to commit fraud. SOC Prime's experience in creating strictly defined correlation rules, together with the Detect Tor private feed, increases the accuracy of C2 traffic detection, since more than 50 percent of ransomware uses the Tor network during various stages of infection.
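The two detection ideas in the paragraph above, matching network events against an indicator feed of the kind Ransomware Tracker publishes and profiling endpoint behaviour within a time window, can be combined in a small correlator. The following is an added illustration written for this page; it is not SOC Prime's Ransomware Hunter code and not an abuse.ch client. The feed layout (type, value, category), the `key=value` log format, the sample log lines and the thresholds (20 renames in 60 seconds, 10-minute correlation window) are all constructed assumptions.

```python
"""Added example: feed matching plus time-window behavioural correlation.
Illustrative code for this page, not SOC Prime's or abuse.ch's software.
All feed entries, log lines and thresholds below are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed. Assumed shape: (type, value, category), mirroring
# the way a tracker tags C2, distribution and payment infrastructure.
SAMPLE_FEED = [
    ("domain", "c2-example.invalid", "C2"),
    ("ip", "203.0.113.45", "Distribution"),
    ("url", "http://pay-example.invalid/decrypt", "Payment"),
]


def burst(host, start, count):
    """Constructed run of file renames from one host, one per second."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i)).isoformat()} host={host} "
        f"type=file action=rename path=C:\\Users\\u\\doc{i}.locked"
        for i in range(count)
    ]


# Constructed DNS, proxy and endpoint file events (assumed key=value format).
SAMPLE_LOGS = [
    "2016-11-02T10:00:01 host=ws-17 type=dns query=c2-example.invalid",
    "2016-11-02T10:00:05 host=ws-17 type=proxy dst=203.0.113.45 url=http://203.0.113.45/x",
    "2016-11-02T10:00:08 host=ws-22 type=dns query=www.example.com",
    "2016-11-02T10:00:20 host=ws-22 type=file action=rename path=C:\\Users\\u\\report.docx",
] + burst("ws-17", "2016-11-02T10:00:10", 25)


def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def match_feed(events, feed):
    """Rule 1: any DNS query, proxy destination or URL found in the feed."""
    lookup = {value: (kind, category) for kind, value, category in feed}
    alerts = []
    for ev in events:
        for value in (ev.get("query"), ev.get("dst"), ev.get("url")):
            if value in lookup:
                _, category = lookup[value]
                alerts.append({"host": ev["host"], "ts": ev["ts"], "rule": "feed",
                               "indicator": value, "category": category})
    return alerts


def detect_encryption_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Rule 2: a host renaming/modifying many files inside a sliding window,
    the statistical signature of bulk encryption. One alert per host."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("type") == "file" and ev.get("action") in ("rename", "modify"):
            per_host[ev["host"]].append(ev["ts"])
    alerts = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "ts": stamps[end], "rule": "burst",
                               "count": end - start + 1})
                break
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Escalate hosts where both rules fire within the correlation window."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    escalated = {}
    for host, items in by_host.items():
        rules = {a["rule"] for a in items}
        times = [a["ts"] for a in items]
        if {"feed", "burst"} <= rules and max(times) - min(times) <= window:
            escalated[host] = sorted(rules)
    return escalated


def analyze(lines, feed):
    """Run both rules over raw log lines and return alerts plus escalations."""
    events = [parse_event(line) for line in lines]
    alerts = match_feed(events, feed) + detect_encryption_bursts(events)
    return {"alerts": alerts, "escalated": correlate(alerts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS, SAMPLE_FEED)
    for alert in result["alerts"]:
        print(alert)
    print("escalated:", result["escalated"])
```

In the constructed data, `ws-17` resolves a feed-listed domain, connects to a feed-listed IP and then renames 25 files in 25 seconds, so both rules fire and the host is escalated; `ws-22` only renames a single document and queries a benign name, so it produces nothing. Feed matching alone catches the C2 contact before encryption starts, which is the point the paragraph makes, while the behavioural rule covers infrastructure the feed does not yet list.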


CISO Tactical Brief

Early detection of ransomware enables timely incident response and mitigation and prevents further damage, including downtime of critical systems and workstations, data loss, and financial and brand reputation damage. There are a few things to know about this type of malware that may help you in the future:

  1. The most common attack vectors used to deploy ransomware are email attachments and drive-by downloads from infected websites.
  2. More sophisticated methods include targeted phishing, social engineering and direct hacking of remote access systems such as VPN, SSH and RDP as an entry point, either to deploy ransomware in server segments or to use central servers such as MS Active Directory to infect domain workstations.
  3. Ransomware is often used as part of APT attacks and VPN & RDP brute forcing. Critical infrastructure is an especially attractive target for adversaries.
  4. Failure to detect and prevent ransomware can disrupt the operations of whole departments and rapidly ramp up the financial losses. In advanced ransomware attacks, once the malware is activated there are no easy or quick solutions.


Ransomware Hunter report from the field

Visiting customer sites, web-surfing, e-mailing clients: these are all regular activities for people working in HR, Sales and Marketing. A lack of basic cyber security knowledge and overconfidence can lead to dangerous results, such as this window that one of our customers saw after one active "dialogue":

Ransomware Hunter report

Afterwards a decision was made to actively deal with ransomware. Using Ransomware Hunter, the IT security team found previously unnoticed malware infections and attempts to communicate with ransomware C&C servers from the corporate network, which were promptly stopped.


Supported Technologies