September 13, 2018
How Ryuk Ransomware Targets AV Solutions, Not Just Your Files
Since mid-August, the recent Ryuk ransomware has netted a tidy sum for its authors and shown that simply having AV and backup solutions on board may not be enough.
Ryuk, which has been linked to the notorious Lazarus APT group and to the earlier HERMES ransomware, has already accumulated over $640,000 in bitcoin in its wallets, indicating just how successful its operators' strategy has been so far. The particular sample we tested is responsible for 50.41 BTC ($316,265 as of today).
Ryuk’s attempts would be ineffective against the SentinelOne agent, as it has several detection layers and anti-tampering protections.
Pre-execution - as seen in the video, the malware is detected as soon as it is copied to disk. In a real deployment the threat is quarantined at this point, so the user never has a chance to execute it.
On execution - this is where the behavioral AI comes into play. As seen in the video, the Ryuk sample spawns multiple processes and uses a .bat file to complete its operation. The behavioral AI is capable of connecting all the dots and creating what we call a "group".
This leads to the third layer that makes a difference, Deep Visibility. The group contains all the files, processes, registry entries (in this case, the registry autorun key the malware created) and other IOCs related to this malware. Even if the device were set to a Detect-only policy, a SOC analyst would be able to perform a threat hunt that reveals every item related to this threat.
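To make the "group" idea concrete, here is an added example (not SentinelOne's code or the Ryuk sample) that walks a process tree from a suspicious root process and collects every process, file and registry artifact that descends from it, flagging the autorun key as persistence. The telemetry records, PIDs, paths and file names below are constructed for illustration.

```python
"""Correlate process, file and registry events into one threat group.

Added example, not the SentinelOne agent's implementation. Every event
below is constructed; the paths and names are placeholders, not Ryuk IoCs.
"""
from collections import defaultdict

# Constructed telemetry: (event_type, pid, parent_pid, detail)
SAMPLE_EVENTS = [
    ("process", 100, 1,    r"C:\Windows\explorer.exe"),
    ("process", 200, 100,  r"C:\Users\bob\Downloads\sample.exe"),        # suspicious root
    ("file",    200, None, r"C:\Users\bob\AppData\Local\Temp\payload.bat"),  # dropped .bat
    ("process", 201, 200,  r"C:\Windows\System32\cmd.exe /c payload.bat"),
    ("process", 202, 201,  r"C:\Windows\System32\conhost.exe"),
    ("registry", 200, None,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\placeholder_value"),
    ("process", 300, 100,  r"C:\Program Files\Notepad++\notepad++.exe"),  # unrelated activity
    ("file",    300, None, r"C:\Users\bob\notes.txt"),
]

# Registry paths that give a binary a foothold across logons.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def build_group(events, root_pid):
    """Return every artifact produced by root_pid or any of its descendants."""
    children = defaultdict(list)
    for etype, pid, ppid, _ in events:
        if etype == "process":
            children[ppid].append(pid)

    # Walk the process tree so grandchildren (cmd.exe -> conhost.exe) are included.
    members, queue = set(), [root_pid]
    while queue:
        pid = queue.pop()
        if pid in members:
            continue
        members.add(pid)
        queue.extend(children[pid])

    group = {"processes": [], "files": [], "registry": [], "persistence": False}
    for etype, pid, _, detail in events:
        if pid not in members:
            continue  # belongs to some other process tree
        if etype == "process":
            group["processes"].append(detail)
        elif etype == "file":
            group["files"].append(detail)
        elif etype == "registry":
            group["registry"].append(detail)
            if any(key in detail.lower() for key in AUTORUN_KEYS):
                group["persistence"] = True
    return group
```

Running `build_group(SAMPLE_EVENTS, 200)` yields the three processes, the dropped .bat file and the Run key, while the unrelated editor under the same explorer.exe parent stays outside the group.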