MVISION Insights: Darkside Ransomware
Technical Articles ID: KB93354
Last Modified: 9/10/2020

Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.
Summary
Description of Campaign
DarkSide ransomware uses Salsa20 and RSA encryption and appends a random extension to encrypted files. The ransom note reports that the threat actor stole more than 100 GB of data, and threatens to publish the information if the ransom is not paid. Victims are presented with

How to use this article:
Minimum Content Versions:
Detection Summary
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures. When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration. For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files
Endpoint Security - Exploit Prevention:
Rule ID: 6151 Unmanaged Powershell Detected - II
Rule ID: 6086 Powershell Command Restriction - Command
Host Intrusion Prevention:
Rule ID: 6073 Execution Policy Bypass in Powershell
Rule ID: 6086 Powershell Command Restriction - Command

Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: The same best practices apply as for the minimum set above: enable new rules and signatures in Report mode first, review the alerts generated, resolve any issues, and only then set the rules to Block. For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Dynamic Application Containment:
Modifying the Services registry location
Host Intrusion Prevention:
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 1003 Windows Agent Shielding - Process Access

Affected Products