Date: 09/12/2024
Severity: Critical
Summary
Beginning on February 11, a massive ransomware attack targeted 100 hospitals throughout Romania. The attackers exploited vulnerabilities in the hospitals' systems, compelling them to shut down critical infrastructure. The malware behind this attack is part of the Phobos family and is identified as BackMyData ransomware.
Indicators of Compromise (IOC) List
| Indicator type | Value |
| --- | --- |
| File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ |
| Registry value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ |
| Registry value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ |
| Command line | vssadmin delete shadows /all /quiet |
| Command line | wmic shadowcopy delete |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Purpose | TDIR search |
| --- | --- | --- |
| Detection Query 1 | Startup folder file creation (Windows Security audit) | (resourcename = "Windows Security" AND eventtype = "4663" ) AND winmessage like "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" |
| Detection Query 2 | Startup folder file creation (EDR telemetry) | (technologygroup = "EDR") AND winmessage like "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" |
| Detection Query 3 | Run key modification (Windows Security audit) | (resourcename = "Windows Security" AND eventtype = "4657") AND winmessage In ( "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run","HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\") |
| Detection Query 4 | Run key modification (EDR telemetry) | (technologygroup = "EDR") AND winmessage In ( "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run","HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\") |
| Detection Query 5 | Shadow copy deletion (Windows Security process audit) | (resourcename = "Windows Security" AND eventtype = "4688" ) AND winmessage In ("vssadmin delete shadows /all /quiet","wmic shadowcopy delete") |
| Detection Query 6 | Shadow copy deletion (EDR telemetry) | (technologygroup = "EDR") AND winmessage In ("vssadmin delete shadows /all /quiet","wmic shadowcopy delete") |
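As an added example (not part of the Gurucul advisory), the Python below applies the same three IOC rules to constructed Windows Security and EDR event records; the field names resourcename, technologygroup, eventtype and winmessage come from the queries above, while the record layout, the "id" field and the sample messages are assumptions. It goes beyond the queries in two ways: it matches indicators as substrings rather than whole-message In() comparisons, and it normalizes the \REGISTRY\MACHINE\ and \REGISTRY\USER\<SID>\ paths that native 4657 events record into the HKEY_ form the indicators use.

```python
import re
# Constructed field names mirror the advisory's queries (resourcename, technologygroup,
# eventtype, winmessage); "id" is added here only to label the sample records.
STARTUP_DIR = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
RUN_KEYS = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
SHADOW_CMDS = ("vssadmin delete shadows /all /quiet", "wmic shadowcopy delete")
# (rule name, Windows Security event ID the rule pairs with, indicators to look for)
RULES = (("startup_folder_drop", "4663", (STARTUP_DIR,)),
         ("run_key_persistence", "4657", RUN_KEYS),
         ("shadow_copy_deletion", "4688", SHADOW_CMDS))

def normalize(msg):
    # Native 4657 events record registry paths as \REGISTRY\MACHINE\... or
    # \REGISTRY\USER\<SID>\...; rewrite them to the HKEY_ form the advisory's
    # indicators use, then lower-case so command-line casing does not matter.
    msg = msg.replace("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\")
    msg = re.sub(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\", lambda _: "HKEY_CURRENT_USER\\", msg)
    return msg.lower()

def in_scope(event, event_id):
    # The advisory pairs each IOC with two sources: any EDR telemetry, or Windows
    # Security with the specific audit event ID (4663 file, 4657 registry, 4688 process).
    if event.get("technologygroup") == "EDR":
        return True
    return event.get("resourcename") == "Windows Security" and str(event.get("eventtype")) == event_id

def detect(events):
    # Returns (event id, rule name) for each record matching a BackMyData IOC. Substring
    # matching replaces the advisory's exact In() test, since winmessage embeds the indicator.
    hits = []
    for ev in events:
        msg = normalize(ev.get("winmessage", ""))
        for name, event_id, needles in RULES:
            if in_scope(ev, event_id) and any(n.lower() in msg for n in needles):
                hits.append((ev["id"], name))
    return hits

# Constructed sample records, not real telemetry from the Romanian incident.
SAMPLE_EVENTS = [
    {"id": "e1", "resourcename": "Windows Security", "eventtype": "4663",
     "winmessage": "Object Name: " + STARTUP_DIR + "sample.exe"},
    {"id": "e2", "resourcename": "Windows Security", "eventtype": "4657",
     "winmessage": "Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"id": "e3", "technologygroup": "EDR",
     "winmessage": "cmd.exe /c VSSADMIN Delete Shadows /All /Quiet"},
    {"id": "e4", "resourcename": "Windows Security", "eventtype": "4688",
     "winmessage": "New Process Name: C:\\Windows\\System32\\notepad.exe"},
]
```

Event 4688 carries the command line only when process creation auditing is configured to include it, and 4663/4657 fire only with object-access auditing and SACLs on the Startup folder and Run keys; without those settings the Windows Security variants stay silent and only the EDR variants remain.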
Reference:
https://gurucul.com/blog/backmydata-ransomware/