
Tracking Ransomware within SearchLight

Michael Marriott
April 29, 2021 | 4 Min Read

“If it ain’t broke, don’t fix it”. As we predicted last year, ransomware has been one of the most successful business models for cybercriminals over the last year; operators have made huge sums extorting thousands of businesses. It’s of little surprise that our most-read Photon research, the Q1 Ransomware Roundup, is on this very topic. Given that this “double extortion” ransomware shows no signs of going away, in this blog I will get specific and show exactly how you can make intelligence on ransomware fully actionable in four ways:

  • Track Emerging Variants
  • Block Malicious Indicators
  • Analyze Popular Targets
  • Map Security Controls

This blog is largely geared towards existing SearchLight users, but if you want to follow along, you can register for Test Drive and get free access for 7 days.

Track Emerging Variants

As the whack-a-mole game between law enforcement and ransomware operators continues, it’s tricky to keep up to date with the latest active variants. You can see all of the variants actively tracked by SearchLight by going to Intelligence – Malware and then filtering by the “Ransomware” malware type. Each of these has an in-depth profile, information on targets and techniques, and associated intelligence and indicators: all the context you need to quickly understand what this variant means to you.

Filtering by ‘Ransomware’ type in the SearchLight Malware Profile List View
SearchLight Malware Profile for Clop Ransomware

Block Malicious Indicators

First, on a very tactical level, we’ve made it pretty easy to export indicators. Each threat profile displays any associated indicators in the “Indicators” tab, which means you can easily export associated hashes, URLs, and other indicator types to hunt for in your own environment or block in your security controls. (Note: we provide STIX 2.1 export options if that’s your thing.)
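As an added example (not SearchLight code, and not a real export), here is one way to turn a STIX 2.1 indicator export into a hunt over your own logs: parse the simple `[object:property = 'value']` comparison patterns, then look for those values in EDR and proxy log lines. The bundle, its IDs and hash, and the log lines are all constructed for this illustration.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a SearchLight "Indicators" export.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed dropper hash", "valid_from": "2021-04-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "aa" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed payload URL", "valid_from": "2021-04-01T00:00:00Z",
         "pattern": "[url:value = 'http://example.invalid/payload.bin']"},
    ]})

# One simple STIX comparison expression: [object:property = 'value'].
_COMPARISON = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")

def parse_indicators(bundle_json):
    """Return (object_type, property, value) for each simple indicator pattern."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _COMPARISON.match(obj["pattern"])
        if m:  # compound or wildcard patterns are skipped rather than mis-parsed
            found.append((m.group(1), m.group(2), m.group(3).lower()))
    return found

def hunt(bundle_json, log_lines):
    """Return (line_number, value) for each log line containing an indicator value."""
    values = {v for _, _, v in parse_indicators(bundle_json)}
    return [(n, v) for n, line in enumerate(log_lines, 1) for v in values if v in line.lower()]

# Constructed EDR and proxy log lines so the hunt runs offline.
SAMPLE_LOGS = [
    "2021-04-20T10:01:02Z edr host=ws-17 file=update.exe sha256=" + "aa" * 32,
    "2021-04-20T10:01:05Z proxy host=ws-17 GET http://example.invalid/payload.bin 200",
    "2021-04-20T10:02:00Z proxy host=ws-18 GET https://intranet.example/ 200",
]

if __name__ == "__main__":
    for n, v in hunt(SAMPLE_BUNDLE, SAMPLE_LOGS):
        print(f"line {n}: matched indicator {v}")
```

Patterns that combine several comparisons or use wildcards are deliberately left unmatched here; a full STIX pattern parser is needed before those can be turned into hunts.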

Indicators Tab for the RansomEXX Variant

Analyze Popular Targets

On a more operational level, it’s important to understand who and where the ransomware operators target. We have some great intelligence on this, with thousands of victims recorded in the SearchLight platform. Obviously, if a variant is targeting your industry or your country, you probably want to know about that. 

The threat profiles combine all of our intelligence reporting related to this malware (Clop in the case of the screenshot below). In the Targets tab, we display the location of the target organizations, and the corresponding Intelligence Updates we have published. You can also slice this by industry. 

It goes beyond just the industry and location, however. Many of our customers have begun to combine this monitoring with their third-party risk program. That’s understandable. If your supplier has been compromised and their data is exposed on the ransomware dump sites, you probably want to know about that.

Analyzing Common Target Locations
Analyzing Common Target Industries

Map Security Controls

Third, and at a more strategic level, you can begin to drill down into the tactics and techniques used by these different ransomware operations. Each Malware Profile has a dedicated Techniques tab where you can understand how these actors are conducting their attacks, and then map your security controls to see how well protected you would be. 

For example, we might notice that Sodinokibi (shown below) has used PowerShell as part of the Execution stage. Navigating through to the Command and Scripting Interpreter: PowerShell profile will provide further details on mitigating controls. 

Read further on securing PowerShell in our PowerShell Best Practices article.

Techniques tab for the Sodinokibi ransomware variant

Access Intelligence Today

For security practitioners looking to protect against the burgeoning ransomware industry, there are many considerations around backups, response playbooks, ransom negotiations, and so on. Hopefully this blog has articulated where threat intelligence, and specifically SearchLight, ties into this process at a tactical, operational, and strategic level.

If you’re still reading this and you’re not yet a SearchLight user, it’s time to head over to our portal and Test Drive it for yourself.