IronNet Security Incident

Back to IronNet Blog Threat Research How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware By IronNet Threat Analysis and Research Teams, including lead contributors Morgan Demboski, Joey Fitzpatrick, and Peter Rydzynski Tweet Share Nov 16, 2021 Table of Contents REvil intrusion Conti intrusion Earlier this year, the DFIR Report published two separate articles outlining ransomware attacks by Conti and REvil, both of which leveraged the IcedID trojan in their intrusions. Using the PCAP (Packet Capture) from these reports, IronNet replayed the intrusions in our proprietary testing environment to test how IronDefense and our behavioral analytics detect malicious activity by these groups. REvil To start, we'll dive in to REvil ransomware, how it traversed the network in this intrusion, and how our analytics detected this activity. First observed in April 2019, REvil (aka Sodinokibi) is an infamous Russia-based cybercrime syndicate responsible for several notable attack campaigns, including the ransomware attacks against Kaseya and JBS Foods. Operating under a ransomware-as-a-service (RaaS) model, REvil was ranked first among the most common ransomware variants in the first half of 2021 with 14.2% of the total market share. In October 2021, REvil reportedly shut down its operations following the arrest of several of its members and the hijacking of its infrastructure by law enforcement. Figure 1: REvil malicious traffic and IronNet behavioral analytics The threat actors begin with a malspam campaign to deliver a malicious XLSM file. Upon opening the macro, it initiates a WMIC (Windows Management Interface Command) command that executes IcedID from a remote executable posing as a GIF. The initial compromised host (172.31.5.31) downloads the malicious file hosting IcedID, which is flagged by our knowledge-based rules. IronNets knowledge-based detection uses Suricata rules to analyze netflow and detect common malicious behavior. Knowledge-based detection...

... (truncated for display)