eSentire 24/7 SOC Cyber Analysts in Action

Malicious BestCrypt Detection Uncovers Full Blown Ransomware Attack at 3am

Recently, eSentire’s Security Operations Center (SOC) and Threat Response Unit (TRU) disrupted an active ransomware attack in which threat actors attempted to leverage the BestCrypt and BitLocker tools to deploy ransomware across 250+ workstations and servers.

The adversary used a combination of remote desktop protocol (RDP), Windows Management Instrumentation (WMI), and PsExec to:

  • Enable and configure Windows BitLocker to disable backup and recovery features.
  • Use BitLocker to encrypt attached drives using a randomized password for each host.
  • Copy Jetico’s BestCrypt Volume Encryption Manager software from the staging host and encrypt attached drives on file servers.
  • Drop a ransom note (“readme.txt”).
  • Disable all administrator accounts.

The ransomware attack was first detected by eSentire Managed Detection and Response (MDR) for Endpoint using detection content developed by TRU. Once our SOC Cyber Analysts detected the attack, they conducted a threat investigation, alerted the customer, blocked the BestCrypt executable across all endpoints and isolated the impacted systems.
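
As an added illustration, not eSentire's detection content and not code from this page, the following Python sketch runs a few endpoint detection rules over constructed process-creation events that mirror the chain described above: BitLocker key protectors being deleted or disabled, BitLocker being turned on with a password protector, and a BestCrypt binary executing, with each hit annotated by whether the parent process indicates a remote launch through WMI or the PsExec service. It then escalates from a single-host investigation to fleet-wide containment once the same activity appears on several hosts. The event format, host names and the BestCrypt executable name are assumptions; the `manage-bde` `-protectors` and `-pw` switches are real Windows options.

```python
"""Detection sketch for the BitLocker / BestCrypt / PsExec pattern described
above. Sample events and rules are constructed for illustration; they are not
eSentire's detection content and not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events, one key=value record per line. The
# BestCrypt executable name is a placeholder: the page names the product only.
SAMPLE_EVENTS = r"""
ts=2024-01-01T03:02:11Z host=WS-017 user=CORP\svc_admin parent=wmiprvse.exe image=C:\Windows\System32\manage-bde.exe cmdline="manage-bde -protectors -delete C:"
ts=2024-01-01T03:02:14Z host=WS-017 user=CORP\svc_admin parent=wmiprvse.exe image=C:\Windows\System32\manage-bde.exe cmdline="manage-bde -on C: -pw"
ts=2024-01-01T03:02:20Z host=WS-042 user=CORP\svc_admin parent=PSEXESVC.exe image=C:\Windows\System32\manage-bde.exe cmdline="manage-bde -on D: -pw"
ts=2024-01-01T03:03:05Z host=FS-01 user=CORP\svc_admin parent=PSEXESVC.exe image=C:\Temp\BestCrypt\bestcrypt-placeholder.exe cmdline="bestcrypt-placeholder.exe"
ts=2024-01-01T03:04:00Z host=WS-099 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe readme.txt"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Parent processes that show the command was launched remotely: the WMI
# provider host or the PsExec service, the lateral-movement tooling above.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    remote: bool  # launched under a remote-execution parent process
    cmdline: str


def parse_events(text: str) -> list[dict]:
    """Turn key=value lines into dicts, stripping quotes from quoted values."""
    events = []
    for line in text.strip().splitlines():
        events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def rule_bitlocker_protectors_removed(e: dict) -> bool:
    """manage-bde deleting or disabling key protectors: removes the recovery
    path before the volume is re-protected with an attacker-chosen password."""
    return ("manage-bde" in e.get("image", "").lower()
            and re.search(r"-protectors\b.*-(delete|disable)\b",
                          e.get("cmdline", ""), re.I) is not None)


def rule_bitlocker_password_encrypt(e: dict) -> bool:
    """manage-bde turning encryption on with a password protector (-pw/-password)."""
    return ("manage-bde" in e.get("image", "").lower()
            and re.search(r"\s-on\b.*\s-(pw|password)\b",
                          e.get("cmdline", ""), re.I) is not None)


def rule_bestcrypt_binary(e: dict) -> bool:
    """A third-party volume-encryption tool executing. Matched on path name
    here; a production rule would key on file hash or signing identity."""
    return "bestcrypt" in e.get("image", "").lower()


RULES = {
    "bitlocker_protectors_removed": rule_bitlocker_protectors_removed,
    "bitlocker_password_encrypt": rule_bitlocker_password_encrypt,
    "bestcrypt_binary": rule_bestcrypt_binary,
}


def detect(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event; record remote-launch context per hit."""
    findings = []
    for e in events:
        remote = e.get("parent", "").lower() in REMOTE_EXEC_PARENTS
        for name, rule in RULES.items():
            if rule(e):
                findings.append(Finding(e.get("host", "?"), name, remote,
                                        e.get("cmdline", "")))
    return findings


def hosts_by_rule(findings: list[Finding]) -> dict[str, set[str]]:
    """Group affected hosts per rule to size the blast radius."""
    out = defaultdict(set)
    for f in findings:
        out[f.rule].add(f.host)
    return dict(out)


def recommend(findings: list[Finding], host_threshold: int = 3) -> str:
    """Escalate from single-host investigation to containment once the same
    activity is seen on several hosts: a campaign, not a one-off admin task."""
    hosts = {f.host for f in findings}
    if len(hosts) >= host_threshold:
        return "isolate-affected-hosts-and-block-binaries"
    return "investigate-single-host" if hosts else "no-action"


if __name__ == "__main__":
    fs = detect(parse_events(SAMPLE_EVENTS))
    for f in fs:
        print(f"{f.host:8} {f.rule:30} remote={f.remote} {f.cmdline}")
    print("recommendation:", recommend(fs))
```

On the constructed sample the three encryption rules fire on three distinct hosts, every hit sits under a WMI or PsExec parent, and the recommendation escalates to isolation and binary blocking, which is the shape of response described above.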

Watch this video as Spence Hutchinson, Principal Threat Researcher with eSentire’s TRU team, and Brandon Stencell, SOC Incident Handler Lead, review the NahumVoronkov ransomware attack and how our 24/7 SOC Cyber Analysts and TRU responded to the incident on the customer’s behalf.