Engage Report: Termite Ransomware

Subject: Engage Report: Termite Ransomware

Tactics: TA0040 Impact

Technique: T1490 Inhibit System Recovery

Procedure:

The Termite ransomware attempts to delete all Volume Shadow Copies on the victim's machine by executing vssadmin.exe with the shadow-deletion arguments (the vssadmin delete shadows /all /quiet form commonly seen across ransomware families). This removes the local restore points, so the victim cannot roll the volume back to a state before the files were encrypted.

Vulnerability:

EAV0016 When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.

EAV0018 When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user.

Engagement Opportunity:

Organizations can treat the shadow copies themselves as canaries. Because vssadmin delete shadows /all removes every shadow copy in a single call rather than selecting individual targets, there is no decoy snapshot to lure the malware; the engagement value lies in knowing which shadow copies should exist on each host and alerting when they disappear, or when a vssadmin shadow deletion runs outside a planned maintenance window. Either signal fires at the moment Termite attempts the deletion, giving defenders an early warning before encryption completes and a chance to isolate the host.

Threat Actor: Termite Ransomware Group

Threat Objective:

Financial Gain – The Termite ransomware group aims to encrypt victim’s files and demand a ransom for their decryption.

Deception Opportunity:

Decoy files can be placed in directories an encryptor is likely to traverse early, such as user document folders and network shares. These files can mimic sensitive documents or critical system files while carrying no real value. When Termite modifies, renames, or deletes one of these decoys during encryption, an alert is generated, providing early warning of the attack and enabling a proactive response.
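The honeyfile check described above, written as an added example that is not part of the original report or of any vendor's deception product. It baselines a decoy directory by content hash and reports three changes an encryptor produces: a decoy rewritten in place, a decoy removed, and new files appearing (renamed originals or a ransom note). The decoy names, the ".locked" extension and the ransom-note filename are constructed for the demonstration and are not Termite indicators.

```python
"""Honeyfile canary: detect tampering with decoy documents (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def fingerprint(directory: Path) -> dict:
    """Map each file's path (relative to the decoy root) to the SHA-256 of its content."""
    return {
        str(p.relative_to(directory)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(directory.rglob("*"))
        if p.is_file()
    }


def check_decoys(baseline: dict, directory: Path) -> list:
    """Compare the decoy directory against its baseline and return alert strings.

    An empty list means nothing touched the decoys. Encryption in place shows up
    as a hash change, rename-on-encrypt shows up as one file missing plus one
    unexpected file, and a dropped ransom note is also an unexpected file.
    """
    current = fingerprint(directory)
    alerts = []
    for name, digest in baseline.items():
        if name not in current:
            alerts.append(f"decoy missing: {name}")
        elif current[name] != digest:
            alerts.append(f"decoy modified: {name}")
    for name in sorted(current.keys() - baseline.keys()):
        alerts.append(f"unexpected file in decoy directory: {name}")
    return alerts


def simulate_attack() -> list:
    """Build a decoy folder, then mimic an encryptor touching it (constructed scenario)."""
    root = Path(tempfile.mkdtemp(prefix="decoys_"))
    try:
        # Constructed decoy documents with plausible names and throwaway content.
        (root / "Q3_payroll.xlsx").write_bytes(b"constructed decoy payroll sheet")
        (root / "passwords_backup.docx").write_bytes(b"constructed decoy password list")
        (root / "vpn_config.ovpn").write_bytes(b"constructed decoy vpn profile")
        baseline = fingerprint(root)

        # Mimic ransomware behaviour: overwrite one decoy with random bytes,
        # rename another with a hypothetical ".locked" extension after rewriting
        # it, and drop a note. None of these names are real Termite artefacts.
        (root / "Q3_payroll.xlsx").write_bytes(os.urandom(64))
        (root / "passwords_backup.docx").write_bytes(os.urandom(64))
        (root / "passwords_backup.docx").rename(root / "passwords_backup.docx.locked")
        (root / "README_RESTORE.txt").write_text("constructed ransom note placeholder")

        return check_decoys(baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for alert in simulate_attack():
        print(alert)
```

In production the baseline would be computed once at deployment and the check run on a short timer or from a file-change notification; encryptors commonly walk directories in listing order, so decoy names that sort early in their folder tend to be touched first and give the earliest alert.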

Sensor Data Placement: User-Mode

Observable Level: Core to Pre-Existing Tool

Scoring Rationale:

The vssadmin.exe process is a legitimate tool that ships with Windows, so its presence is not itself an indicator; its use to delete shadow copies is, because that action is rare in normal administration and near-universal in ransomware. The data required for this analytic is found in User-Mode: process-creation telemetry that records the full command line, such as Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, together with the parent process, which for Termite is the ransomware binary rather than an administrator's shell.
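The analytic sketched above, run over constructed process-creation records, as an added example that is not code from the original report. The record format is a simplified pipe-delimited rendering of the Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User); the log lines, host paths and the file name termite.exe are constructed for the demonstration. Matching is done on the command line rather than on the image name so that a deletion wrapped in cmd.exe /c is still caught, and the example goes slightly beyond the report by also covering the wmic shadowcopy delete and vssadmin resize shadowstorage forms that fall under the same technique.

```python
"""Detect shadow-copy deletion in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    utc_time: str
    image: str
    command_line: str
    parent_image: str
    user: str


# Constructed sample log in a simplified Sysmon Event ID 1 layout.
SAMPLE_LOG = """\
UtcTime=2024-01-01 10:00:01|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\admin
UtcTime=2024-01-01 10:02:13|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet|ParentImage=C:\\Users\\Public\\termite.exe|User=CORP\\jdoe
UtcTime=2024-01-01 10:02:14|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c "vssadmin Delete Shadows /All /Quiet"|ParentImage=C:\\Users\\Public\\termite.exe|User=CORP\\jdoe
UtcTime=2024-01-01 10:02:15|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\\Users\\Public\\termite.exe|User=CORP\\jdoe
UtcTime=2024-01-01 10:05:00|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe shadows.txt|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\jdoe
"""

# Command-line patterns for T1490 shadow-copy removal. Order matters only for
# the label returned; each pattern is case-insensitive and tolerates extra
# arguments between the tool name and its verbs.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def parse_line(line: str) -> ProcessEvent:
    """Parse one pipe-delimited key=value record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["UtcTime"], fields["Image"], fields["CommandLine"],
                        fields["ParentImage"], fields["User"])


def match_rule(command_line: str) -> Optional[str]:
    """Return the name of the first rule the command line matches, else None."""
    for label, pattern in SHADOW_DELETE_RULES:
        if pattern.search(command_line):
            return label
    return None


def scan(log_text: str) -> list:
    """Run the rules over every record and return one alert dict per hit.

    Severity is raised when the parent is not a Windows binary: an encryptor
    running from a user-writable path is the parent in the Termite case, while a
    planned deletion by an administrator is typically launched from cmd.exe or
    powershell.exe under C:\\Windows.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        rule = match_rule(ev.command_line)
        if rule is None:
            continue
        parent_in_windows = ev.parent_image.lower().startswith("c:\\windows\\")
        alerts.append({
            "time": ev.utc_time,
            "user": ev.user,
            "rule": rule,
            "severity": "medium" if parent_in_windows else "high",
            "parent": ev.parent_image,
            "command_line": ev.command_line,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['time']} {alert['user']} "
              f"{alert['rule']}: {alert['command_line']}")
```

The benign vssadmin list shadows record is deliberately left unmatched: listing shadow copies is routine and alerting on every vssadmin launch would bury the signal this report is about.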

Link to Report:

Link to Report II.:

Additional Comments:

The Termite ransomware exhibits behaviors that suggest it is a variant of the Babuk ransomware. Understanding these similarities can aid in developing effective countermeasures.

Possible elements: Honeyfiles with Deceptive Content

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]:[Tactic]-[Technique]-[Procedure]([Observable Level])

# Edge Format:
# [Source Node ID]->[Destination Node ID]([Exploited Vulnerability])

[1]:Impact-T1490 Inhibit System Recovery-Execute vssadmin.exe to delete all Shadow Copies.(Core to Pre-Existing Tool)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

function Impact_T1490_Inhibit_System_Recovery():
#Execute vssadmin.exe to delete all Shadow Copies.
return Shadow Copies deleted
