Ransomware is a specific type of malware that holds data hostage in exchange for a ransom. It threatens to publish, block, or corrupt data, or to prevent a user from accessing their computer, unless the attacker's demands are met. The REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi, surfaced shortly before GandCrab's authors supposedly retired and quickly became one of the biggest ransomware threats.

FortiEDR detects this variant as W32/Kryptik.HCJV!tr.ransom. When the security policy is set to protection mode, FortiEDR prevents the REvil ransomware from being executed as soon as it is accessed. In Simulation mode, FortiEDR does not block malicious activity; it only logs and alerts on violations of FortiEDR security policies. Let's take a look at all of the events that FortiEDR has triggered for the REvil ransomware.

The REvil ransomware attempts to encrypt the Windows Boot Manager (bootmgr), which would prevent the victim from booting the compromised system. The File Encryptor rule under FortiEDR's Ransomware Prevention policy detects and blocks the file write operation.

The ransomware also targets networked SMB shares, attempting to enumerate all open Server Message Block (SMB) shares and encrypt any that are found. FortiEDR detects and blocks the network activity.

The ransomware attempts to enable Network Discovery using netsh.exe. Network Discovery lets a computer see other computers and devices connected to the same network and allows files to be transferred between them. With Network Discovery enabled, data transmitted between the connected computers or devices could also be intercepted through network sniffing. The ransomware runs the command `netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes`, which is captured by FortiEDR's automated analysis. The Suspicious Script Execution rule under FortiEDR's Execution Prevention policy detects and blocks this activity.

After successfully encrypting all user files, the REvil ransomware modifies a registry key to change the desktop wallpaper. FortiEDR detects the ransomware's attempt to modify the system registry.

The ransomware executes the process Unsecapp.exe via COM. Unsecapp.exe is a Microsoft-signed process that is part of Windows Management Instrumentation (WMI). WMI is used to communicate with local and remote systems and to perform tactics such as gathering data for Discovery and remote file execution as part of Lateral Movement.
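As an added example (not code from the original post or from Fortinet), the following Python runs simple detection rules over constructed endpoint telemetry for three of the behaviours described above: the netsh command that enables Network Discovery, the wallpaper registry change after encryption, and the write to bootmgr. The event format, the sample paths and the explorer.exe allow-list are assumptions for the example, not FortiEDR's.

```python
import ntpath
import re

# Constructed sample telemetry (not real FortiEDR output). Each dict is one event:
# "process" = process start, "registry" = value set, "file" = file write.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},              # benign: no finding
    {"type": "registry", "image": r"C:\Users\v\AppData\Local\Temp\payload.exe",
     "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper", "data": r"C:\Users\v\note.bmp"},
    {"type": "registry", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper", "data": r"C:\pics\a.jpg"},  # user action
    {"type": "file", "image": r"C:\Users\v\AppData\Local\Temp\payload.exe", "path": r"C:\bootmgr"},
]

# Matches the netsh command from the analysis; tolerant of quoting, casing and spacing.
NETSH_NETDISC = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+'
    r'group="?network\s+discovery"?\s+new\s+enable=yes\b', re.IGNORECASE)

# Assumed allow-list: only Explorer is expected to change the Wallpaper value.
WALLPAPER_WRITERS = {"explorer.exe"}


def classify(event):
    """Return a rule name if the event matches one of the REvil behaviours, else None."""
    kind = event["type"]
    proc = ntpath.basename(event["image"]).lower()
    if kind == "process" and NETSH_NETDISC.search(event["cmdline"]):
        return "network_discovery_enabled_via_netsh"
    if (kind == "registry"
            and event["key"].lower().endswith(r"\control panel\desktop")
            and event["value"].lower() == "wallpaper"
            and proc not in WALLPAPER_WRITERS):
        return "wallpaper_changed_by_unexpected_process"
    if kind == "file" and ntpath.basename(event["path"]).lower() == "bootmgr":
        return "write_to_boot_manager"
    return None


def detect(events):
    """Run every event through classify() and collect (rule, image) findings."""
    return [(rule, e["image"]) for e in events if (rule := classify(e))]


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```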