How AI stopped a WastedLocker intrusion before ransomware deployed
Posted by Stuart O'Brien
By Max Heinemeyer, Director of Threat Hunting, Darktrace
Since first being discovered in May 2020, WastedLocker has made quite a name for itself, quickly becoming an issue for businesses and cyber security firms around the world. WastedLocker is known for its sophisticated methods of obfuscation and steep ransom demands.
Its use of ‘living off the land’ techniques makes a WastedLocker attack extremely difficult for legacy security tools to detect. As ransomware dwell time shrinks to hours rather than days, security teams are increasingly relying on artificial intelligence to stop threats from escalating at the earliest signs of compromise – containing attacks even when they strike at night or on the weekend.
This article examines a WastedLocker intrusion that targeted a US agricultural organization in December.
The initial infection appears to have taken place when an employee was deceived into downloading a fake browser update. Attempted reconnaissance began just 11 minutes after the initial intrusion, and the attacker used an existing administrative credential to establish successful administrative and remote connections to other internal devices. Several hours later – in the early hours of the morning – the attacker used a temporary admin account to attempt a file transfer.
Darktrace AI detected every stage of this intrusion, picking up on all unusual activity for the organization and unusual user behavior, including HTTP connections to anomalous external destinations and highly unusual connections between internal devices.
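To make the detection signals above concrete, here is an added behavioural-detection example (not Darktrace code and not from the original article) that scores a constructed connection log against a per-host baseline: a never-seen external HTTP destination, admin-protocol connections to unfamiliar internal hosts shortly afterwards, and off-hours activity by an account the baseline has never seen. Host names, addresses, accounts and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline for one workstation, standing in for what a behavioural
# model would have learned during normal operation. All values are made up.
KNOWN_EXTERNAL = {"198.51.100.10"}            # external destinations seen before
KNOWN_INTERNAL_PAIRS = {("ws-17", "10.0.0.5")}  # (source host, internal dest) seen before
KNOWN_ACCOUNTS = {"jdoe", "admin-svc"}
ADMIN_PROTOCOLS = {"smb", "rdp", "winrm"}
LATERAL_WINDOW = timedelta(minutes=30)  # how soon after a new external contact lateral moves count as linked

# Constructed records: (timestamp, source host, account, protocol, destination).
# They mirror the chain in the article: a new external HTTP destination, admin
# connections to internal hosts eleven minutes later, then an early-morning
# transfer by a temporary account the baseline has never seen.
LOG = [
    ("2020-12-01 14:02:00", "ws-17", "jdoe", "http", "203.0.113.45"),
    ("2020-12-01 14:05:00", "ws-17", "jdoe", "http", "198.51.100.10"),
    ("2020-12-01 14:13:00", "ws-17", "admin-svc", "smb", "10.0.0.21"),
    ("2020-12-01 14:14:00", "ws-17", "admin-svc", "rdp", "10.0.0.22"),
    ("2020-12-01 16:00:00", "ws-17", "admin-svc", "smb", "10.0.0.5"),
    ("2020-12-02 02:40:00", "ws-17", "tmp-admin", "smb", "10.0.0.30"),
]

def is_internal(addr):
    return addr.startswith("10.")  # assumption: the internal range is 10.0.0.0/8

def is_off_hours(ts):
    return ts.hour < 6 or ts.hour >= 22

def detect(log):
    """Return (timestamp, host, rule) alerts; later rules use per-host state from earlier ones."""
    alerts = []
    last_new_external = {}  # host -> time of its most recent never-seen external HTTP destination
    for raw_ts, host, account, proto, dst in log:
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        if proto == "http" and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            last_new_external[host] = ts
            alerts.append((raw_ts, host, "new-external-http-destination"))
        if proto in ADMIN_PROTOCOLS and is_internal(dst) and (host, dst) not in KNOWN_INTERNAL_PAIRS:
            recent = last_new_external.get(host)
            if recent is not None and ts - recent <= LATERAL_WINDOW:
                alerts.append((raw_ts, host, "admin-lateral-after-new-external"))
            else:
                alerts.append((raw_ts, host, "unusual-internal-admin-connection"))
        if account not in KNOWN_ACCOUNTS and is_off_hours(ts):
            alerts.append((raw_ts, host, "off-hours-unknown-account"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

Each record can raise more than one alert, so the 02:40 transfer is flagged both as an unfamiliar internal admin connection and as off-hours use of an unknown account, which is the combination that would justify taking the device offline.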
With Darktrace’s real-time detections – and Cyber AI Analyst investigating and reporting on the incident in a number of minutes – the security team were able to contain the attack, taking the infected devices offline.
Without Darktrace in place, the ransomware would have been successful in encrypting files, preventing business operations at a critical time and possibly inflicting huge financial and reputational losses to the organization.
Darktrace’s AI detects and stops ransomware in its tracks without relying on threat intelligence. Ransomware has thrived this year, with attackers constantly coming up with new attack TTPs. However, the above threat find demonstrates that even targeted, sophisticated strains of ransomware can be stopped with AI technology.
For more information on Darktrace, click here.