Ransomware, like most malware, progress through several phases. QRadar SIEM can spot known and unknown ransomware across these phases. Early detection can help prevent damage done in later phases. QRadar provides content extensions that include hundreds of use cases to generate alerts across these phases. Content extensions are delivered through the App Exchange and provide the ability to get the latest use cases. IBM Security® X-Force® Threat Intelligence collections are used as references in use cases to help find the latest known indicators of compromise (IOC), such as IP addresses, malware file hashes, URLs and more.

Most “known” malware and ransomware can be found in the early phases. To detect unknown ransomware, QRadar SIEM provides use cases that focus on detecting ransomware behaviors. Visibility across endpoints, application servers (on premises and cloud) and network devices (firewalls) enables QRadar SIEM Use Case Manager to detect ransomware behavior patterns that span your IT and OT infrastructure. The Use Case Manager can help you visualize if you have use cases, or rules, that span these phases by using the MITRE ATT&CK matrix.

Ransomware looks like other malware during this phase. It is using phishing techniques to lure your unsuspecting employees to click on a link or executable in an email, Honeypot, social media or text message.

Example QRadar SIEM use cases to find distribution behaviors and known ransomware:

• Executable embedded in email
• Email or web communication with hostile host
• Suspicious email subject

This is the moment the stopwatch starts. Ransomware is now in your environment. If the ransomware used a “dropper” to avoid detection in the distribution phase, this is when the dropper calls home and downloads the "real executable” and runs it.

Example QRadar SIEM use cases to find infection behaviors:

• Detection of malicious file or process
• Detection of malicious IOC
• File decode or download followed by suspicious activity

The ransomware is scanning the machine to analyze the administrative rights it could obtain, make itself run at boot, disable recovery mode, delete shadow copies, and more.

Example QRadar SIEM use cases to find staging behaviors:

• Attempt to delete shadow copies, backups
• Recovery disabled in boot configuration

Now that ransomware owns the machine from the starting phase, it will begin a phase of reconnaissance of the network (attack paths), folders and files with predefined extensions, and others.

Example QRadar SIEM use cases to find reconaissance behaviors:

• Attempt to delete shadow copies, backups
• Data transfer size limits

The real damage begins now. Typical actions include: create a copy of each file, encrypt the copies, place the new files at the original location. The original files might be exfiltrated and deleted from the system, which allows the attackers to extort the victim with threats of making their breach public, or even to leak stolen documents. 

Example QRadar SIEM use cases to find encryption behaviors:

• Excessive file deletion or creation
• Suspicious amount of files renamed or moved on the same machine (UNIX)
• Data transfer size limits

Damage is done and the user receives a notification on how to pay the ransom to obtain the decryption key. At this point there is not a lot more to detect, except for the decryption instruction file creation.

Example QRadar SIEM use cases to find ransom notification behaviors:

• Ransomware decryption instruction created

Use Cases to find ransomware are available in the the following Content Extensions found on the App Exchange (link resides outside ibm.com):

• IBM QRadar Phishing and Email Content Extension (link resides outside ibm.com)
  
• IBM QRadar Security Threat Monitoring Content (link resides outside ibm.com)
  
• IBM QRadar Endpoint Content Extension (link resides outside ibm.com)