Trickbot and Ryuk
With the recent outbreak of Ryuk in hospitals, detecting the precursors to the ransomware has become a more visible priority. Ryuk has a history of being deployed after an enterprise has been compromised by Trickbot. The problem with detecting Ryuk is that once it is detected, it is often too late to save anything. The key is to detect Trickbot, or any other malware attackers use, before your data starts being encrypted.
This Splunk tutorial will cover the methodology I used to develop and test the detections as well as how to implement and tune them. Also, in case you missed the previous parts of my Splunking with Sysmon tutorial series, make sure to check out parts 1, 2, and 3 too!
Finding Trickbot samples is not hard to do; there are many sources and samples available. I tested 7 different .exe samples that had all been submitted within 3 days of my testing. I ran each sample in my home lab with internet access enabled and Sysinternals Process Monitor (procmon) running to monitor what the executable was doing. I segregated my home lab from my personal network to reduce the risk of any malware spreading; please be safe if you want to recreate my testing.
To determine how I’d approach a detection, I divided the analysis of the Trickbot samples that I tested into two different categories. The first category included the samples that fully executed and established a persistence mechanism. The second category’s samples were more evasive, but they did not establish any form of persistence.
The Trickbot samples I analyzed that established persistence executed in a few different ways, but they always used Registry Run Keys to establish a persistent hold on the infected system. The simplest sample wrote a file to the user's Local AppData folder and created a Run registry key to execute that file on boot. It also time-stomped the executable to change its file creation time.
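The persistence chain described above (executable dropped in Local AppData, Run key pointed at it, creation time stomped) as detection logic over Sysmon-style events; this is an added example, not the author's Splunk searches. It assumes Sysmon Event ID 13 (registry value set) and Event ID 2 (file creation time changed) with their standard field names, and the sample events are constructed.

```python
import re

# Registry Run / RunOnce keys under HKLM or HKCU (Sysmon logs HKCU as HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# An executable path under the user's Local AppData folder, optionally quoted.
LOCAL_APPDATA_EXE_RE = re.compile(r'"?([A-Za-z]:\\Users\\[^"\\]+\\AppData\\Local\\[^"]*?\.exe)', re.I)

def run_key_hits(events):
    """Sysmon EventID 13 (registry value set) events where a Run key is pointed
    at an executable in Local AppData. Returns (event, image_path) pairs."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        m = LOCAL_APPDATA_EXE_RE.search(ev.get("Details", ""))
        if m:
            hits.append((ev, m.group(1)))
    return hits

def timestomps_by_file(events):
    """Sysmon EventID 2 (file creation time changed) keyed by lower-cased path."""
    return {ev["TargetFilename"].lower(): ev for ev in events if ev.get("EventID") == 2}

def correlate(events):
    """Pair each Run-key hit with a timestomp on the same image, if any."""
    stomps = timestomps_by_file(events)
    findings = []
    for ev, image in run_key_hits(events):
        stomp = stomps.get(image.lower())
        findings.append({
            "image": image,
            "run_key": ev["TargetObject"],
            "timestomped": stomp is not None,
            "previous_creation": stomp["PreviousCreationUtcTime"] if stomp else None,
        })
    return findings

# Constructed sample events (not from a real infection) using Sysmon's field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinNetSvc",
     "Details": r'"C:\Users\alice\AppData\Local\winnetsvc.exe"'},
    {"EventID": 2, "TargetFilename": r"C:\Users\alice\AppData\Local\WinNetSvc.exe",
     "CreationUtcTime": "2016-03-12 08:41:07.000", "PreviousCreationUtcTime": "2020-10-29 14:02:55.113"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.docx"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Legitimate software such as per-user installers also writes Run keys into Local AppData, so the Run-key match alone is a tuning candidate; the timestomp correlation is what raises the finding's confidence.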