Blog
/

Cloud

/
October 3, 2024

Introducing real-time multi-cloud detection & response powered by AI

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Oct 2024
This blog announces the general availability of Microsoft Azure support for Darktrace / CLOUD, enabling real-time cloud detection and response across dynamic multi-cloud environments. Read more to discover how Darktrace is pioneering AI-led real-time cloud detection and response.

We are delighted to announce the general availability of Microsoft Azure support for Darktrace / CLOUD, enabling real-time cloud detection and response across dynamic multi-cloud environments. Built on Self-Learning AI, Darktrace / CLOUD leverages Microsoft’s new virtual network flow logs (VNet flow) to offer an agentless-first approach that dramatically simplifies detection and response within Azure, unifying cloud-native security with Darktrace’s innovative ActiveAI Security Platform.

As organizations increasingly adopt multi-cloud architectures, the need for advanced, real-time threat detection and response is critical to keep pace with evolving cloud threats. Security teams face significant challenges, including increased complexity, limited visibility, and siloed tools. The dynamic nature of multi-cloud environments introduces ever-changing blind spots, while traditional security tools struggle to provide real-time insights, often offering static snapshots of risk. Additionally, cloud security teams frequently operate in isolation from SOC teams, leading to fragmented visibility and delayed responses. This lack of coordination, especially in hybrid environments, hinders effective threat detection and response. Compounding these challenges, current security solutions are split between agent-based and agentless approaches, with agentless solutions often lacking real-time awareness and agent-based options adding complexity and scalability concerns. Darktrace / CLOUD helps to solve these challenges with real-time detection and response designed specifically for dynamic cloud environments like Azure and AWS.

Pioneering AI-led real-time cloud detection & response

Darktrace has been at the forefront of real-time detection and response for over a decade, continually pushing the boundaries of AI-driven cybersecurity. Our Self-Learning AI uniquely positions Darktrace with the ability to automatically understand and instantly adapt to changing cloud environments. This is critical in today’s landscape, where cloud infrastructures are highly dynamic and ever-changing.  

Built on years of market-leading network visibility, Darktrace / CLOUD understands ‘normal’ for your unique business across clouds and networks to instantly reveal known, unknown, and novel cloud threats with confidence. Darktrace Self-Learning AI continuously monitors activity across cloud assets, containers, and users, and correlates it with detailed identity and network context to rapidly detect malicious activity. Platform-native identity and network monitoring capabilities allow Darktrace / CLOUD to deeply understand normal patterns of life for every user and device, enabling instant, precise and proportionate response to abnormal behavior - without business disruption.

Leveraging platform-native Autonomous Response, AI-driven behavioral containment neutralizes malicious activity with surgical accuracy while preventing disruption to cloud infrastructure or services. As malicious behavior escalates, Darktrace correlates thousands of data points to identify and instantly respond to unusual activity by blocking specific connections and enforcing normal behavior.

Figure 1: AI-driven behavioral containment neutralizes malicious activity with surgical accuracy while preventing disruption to cloud infrastructure or services.

Unparalleled agentless visibility into Azure

As a long-term trusted partner of Microsoft, Darktrace leverages Azure VNet flow logs to provide agentless, high-fidelity visibility into cloud environments, ensuring comprehensive monitoring without disrupting workflows. By integrating seamlessly with Azure, Darktrace / CLOUD continues to push the envelope of innovation in cloud security. Our Self-learning AI not only improves the detection of traditional and novel threats, but also enhances real-time response capabilities and demonstrates our commitment to delivering cutting-edge, AI-powered multi-cloud security solutions.

  • Integration with Microsoft Virtual network flow logs for enhanced visibility
    Darktrace / CLOUD integrates seamlessly with Azure to provide agentless, high-fidelity visibility into cloud environments. VNet flow logs capture critical network traffic data, allowing Darktrace to monitor Azure workloads in real time without disrupting existing workflows. This integration significantly reduces deployment time by 95%1 and cloud security operational costs by up to 80%2 compared to traditional agent-based solutions. Organizations benefit from enhanced visibility across dynamic cloud infrastructures, scaling security measures effortlessly while minimizing blind spots, particularly in ephemeral resources or serverless functions.
  • High-fidelity agentless deployment
    Agentless deployment allows security teams to monitor and secure cloud environments without installing software agents on individual workloads. By using cloud-native APIs like AWS VPC flow logs or Azure VNet flow logs, security teams can quickly deploy and scale security measures across dynamic, multi-cloud environments without the complexity and performance overhead of agents. This approach delivers real-time insights, improving incident detection and response while reducing disruptions. For organizations, agentless visibility simplifies cloud security management, lowers operational costs, and minimizes blind spots, especially in ephemeral resources or serverless functions.
  • Real-time visibility into cloud assets and architectures
    With real-time Cloud Asset Enumeration and Dynamic Architecture Modeling, Darktrace / CLOUD generates up-to-date architecture diagrams, giving SecOps and DevOps teams a unified view of cloud infrastructures. This shared context enhances collaboration and accelerates threat detection and response, especially in complex environments like Kubernetes. Additionally, Cyber AI Analyst automates the investigation process, correlating data across networks, identities, and cloud assets to save security teams valuable time, ensuring continuous protection and efficient cloud migrations.
Figure 2: Real-time visibility into Azure assets and architectures built from network, configuration and identity and access roles.

Unified multi-cloud security at scale

As organizations increasingly adopt multi-cloud strategies, the complexity of managing security across different cloud providers introduces gaps in visibility. Darktrace / CLOUD simplifies this by offering agentless, real-time monitoring across multi-cloud environments. Building on our innovative approach to securing AWS environments, our customers can now take full advantage of robust real-time detection and response capabilities for Azure. Darktrace is one of the first vendors to leverage Microsoft’s virtual network flow logs to provide agentless deployment in Azure, enabling unparalleled visibility without the need for installing agents. In addition, Darktrace / CLOUD offers automated Cloud Security Posture Management (CSPM) that continuously assesses cloud configurations against industry standards.  Security teams can identify and prioritize misconfigurations, vulnerabilities, and policy violations in real-time. These capabilities give security teams a complete, live understanding of their cloud environments and help them focus their limited time and resources where they are needed most.

This approach offers seamless integration into existing workflows, reducing configuration efforts and enabling fast, flexible deployment across cloud environments. By extending its capabilities across multiple clouds, Darktrace / CLOUD ensures that no blind spots are left uncovered, providing holistic, multi-cloud security that scales effortlessly with your cloud infrastructure. diagrams, visualizes cloud assets, and prioritizes risks across cloud environments.

Figure 3: Unified view of AWS and Azure cloud posture and compliance over time.

The future of cloud security: Real-time defense in an unpredictable world

Darktrace / CLOUD’s support for Microsoft Azure, powered by Self-Learning AI and agentless deployment, sets a new standard in multi-cloud security. With real-time detection and autonomous response, organizations can confidently secure their Azure environments, leveraging innovation to stay ahead of the constantly evolving threat landscape. By combining Azure VNet flow logs with Darktrace’s AI-driven platform, we can provide customers with a unified, intelligent solution that transforms how security is managed across the cloud.

Unlock advanced cloud protection

Darktrace / CLOUD solution brief screenshot

Download the Darktrace / CLOUD solution brief to discover how autonomous, AI-driven defense can secure your environment in real-time.

  • Achieve 60% more accurate detection of unknown and novel cloud threats.
  • Respond instantly with autonomous threat response, cutting response time by 90%.
  • Streamline investigations with automated analysis, improving ROI by 85%.
  • Gain a 30% boost in cloud asset visibility with real-time architecture modeling.
  • Learn More:

    References

    1. Based on internal research and customer data

    2. Based on internal research

    Inside the SOC
    Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
    Author
    Adam Stevens
    Director of Product, Cloud Security
    Book a 1-1 meeting with one of our experts
    Share this article

    More in this series

    No items found.

    Blog

    /

    January 16, 2025

    /
    No items found.

    Reimagining Your SOC: How to Achieve Proactive Network Security

    Default blog imageDefault blog image

    Introduction: Challenges and solutions to SOC efficiency

    For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

    74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

    Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

    To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

    1. Full visibility across the modern network expanding into hybrid environments
    2. Have tools that identifies and stops novel threats autonomously, without causing downtime
    3. Apply AI-led analysis to reduce time spent on manual triage and investigation

    Your current solutions might be holding you back

    Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

    Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

    train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

    While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

    The promise and pitfalls of XDR in today's threat landscape

    Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

    However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

    Why settling is risky and how to unlock SOC efficiency

    The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

    While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

    Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

    Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

    Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

    Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

    The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

    AI-led investigations empower your SOC to prioritize what matters

    Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

    Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

    Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

    Containing threats with Autonomous Response

    Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

    Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

    Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

    Unlocking a proactive state of security

    Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

    Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

    Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

    References

    1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

    Continue reading
    About the author
    Mikey Anderson
    Product Marketing Manager, Network Detection & Response

    Blog

    /

    January 15, 2025

    /

    Ransomware

    RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal

    Default blog imageDefault blog image

    What is ShadowSyndicate?

    ShadowSyndicate, also known as Infra Storm, is a threat actor reportedly active since July 2022, working with various ransomware groups and affiliates of ransomware programs, such as Quantum, Nokoyawa, and ALPHV. This threat actor employs tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus malware in its attacks. ShadowSyndicate utilizes the same SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on many of their servers—85 as of September 2023. At least 52 of these servers have been linked to the Cobalt Strike command and control (C2) framework [1].

    What is RansomHub?

    First observed following the FBI's takedown of ALPHV/BlackCat in December 2023, RansomHub quickly gained notoriety as a Ransomware-as-a-Service (RaaS) operator. RansomHub capitalized on the law enforcement’s disruption of the LockBit group’s operations in February 2024 to market themselves to potential affiliates who had previously relied on LockBit’s encryptors. RansomHub's success can be largely attributed to their aggressive recruitment on underground forums, leading to the absorption of ex-ALPHV and ex-LockBit affiliates. They were one of the most active ransomware operators in 2024, with approximately 500 victims reported since February, according to their Dedicated Leak Site (DLS) [2].

    ShadowSyndicate and RansomHub

    External researchers have reported that ShadowSyndicate had as many as seven different ransomware families in their arsenal between July 2022, and September 2023. Now, ShadowSyndicate appears to have added RansomHub’s their formidable stockpile, becoming an affiliate of the RaaS provider [1].

    Darktrace’s analysis of ShadowSyndicate across its customer base indicates that the group has been leveraging RansomHub ransomware in multiple attacks in September and October 2024. ShadowSyndicate likely shifted to using RansomHub due to the lucrative rates offered by this RaaS provider, with affiliates receiving up to 90% of the ransom—significantly higher than the general market rate of 70-80% [3].

    In many instances where encryption was observed, ransom notes with the naming pattern “README_[a-zA-Z0-9]{6}.txt” were written to affected devices. The content of these ransom notes threatened to release stolen confidential data via RansomHub’s DLS unless a ransom was paid. During these attacks, data exfiltration activity to external endpoints using the SSH protocol was observed. The external endpoints to which the data was transferred were found to coincide with servers previously associated with ShadowSyndicate activity.

    Darktrace’s coverage of ShadowSyndicate and RansomHub

    Darktrace’s Threat Research team identified high-confidence indicators of compromise (IoCs) linked to the ShadowSyndicate group deploying RansomHub. The investigation revealed four separate incidents impacting Darktrace customers across various sectors, including education, manufacturing, and social services. In the investigated cases, multiple stages of the kill chain were observed, starting with initial internal reconnaissance and leading to eventual file encryption and data exfiltration.

    Attack Overview

    Timeline attack overview of ransomhub ransomware

    Internal Reconnaissance

    The first observed stage of ShadowSyndicate attacks involved devices making multiple internal connection attempts to other internal devices over key ports, suggesting network scanning and enumeration activity. In this initial phase of the attack, the threat actor gathers critical details and information by scanning the network for open ports that might be potentially exploitable. In cases observed by Darktrace affected devices were typically seen attempting to connect to other internal locations over TCP ports including 22, 445 and 3389.

    C2 Communication and Data Exfiltration

    In most of the RansomHub cases investigated by Darktrace, unusual connections to endpoints associated with Splashtop, a remote desktop access software, were observed briefly before outbound SSH connections were identified.

    Following this, Darktrace detected outbound SSH connections to the external IP address 46.161.27[.]151 using WinSCP, an open-source SSH client for Windows used for secure file transfer. The Cybersecurity and Infrastructure Security Agency (CISA) identified this IP address as malicious and associated it with ShadowSyndicate’s C2 infrastructure [4]. During connections to this IP, multiple gigabytes of data were exfiltrated from customer networks via SSH.

    Data exfiltration attempts were consistent across investigated cases; however, the method of egress varied from one attack to another, as one would expect with a RaaS strain being employed by different affiliates. In addition to transfers to ShadowSyndicate’s infrastructure, threat actors were also observed transferring data to the cloud storage and file transfer service, MEGA, via HTTP connections using the ‘rclone’ user agent – a command-line program used to manage files on cloud storage. In another case, data exfiltration activity occurred over port 443, utilizing SSL connections.

    Lateral Movement

    In investigated incidents, lateral movement activity began shortly after C2 communications were established. In one case, Darktrace identified the unusual use of a new administrative credential which was quickly followed up with multiple suspicious executable file writes to other internal devices on the network.

    The filenames for this executable followed the regex naming convention “[a-zA-Z]{6}.exe”, with two observed examples being “bWqQUx.exe” and “sdtMfs.exe”.

    Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.
    Figure 1: Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.

    Additionally, script files such as “Defeat-Defender2.bat”, “Share.bat”, and “def.bat” were also seen written over SMB, suggesting that threat actors were trying to evade network defenses and detection by antivirus software like Microsoft Defender.

    File Encryption

    Among the three cases where file encryption activity was observed, file names were changed by adding an extension following the regex format “.[a-zA-Z0-9]{6}”. Ransom notes with a similar naming convention, “README_[a-zA-Z0-9]{6}.txt”, were written to each share. While the content of the ransom notes differed slightly in each case, most contained similar text. Clear indicators in the body of the ransom notes pointed to the use of RansomHub ransomware in these attacks. As is increasingly the case, threat actors employed double extortion tactics, threatening to leak confidential data if the ransom was not paid. Like most ransomware, RansomHub included TOR site links for communication between its "customer service team" and the target.

    Figure 2: The graph shows the behavior of a device with encryption activity, using the “SMB Sustained Mimetype Conversion” and “Unusual Activity Events” metrics over three weeks.

    Since Darktrace’s Autonomous Response capability was not enabled during the compromise, the ransomware attack succeeded in its objective. However, Darktrace’s Cyber AI Analyst provided comprehensive coverage of the kill chain, enabling the customer to quickly identify affected devices and initiate remediation.

    Figure 3: Cyber AI Analyst panel showing the critical incidents of the affected device from one of the cases investigated.

    In lieu of Autonomous Response being active on the networks, Darktrace was able to suggest a variety of manual response actions intended to contain the compromise and prevent further malicious activity. Had Autonomous Response been enabled at the time of the attack, these actions would have been quickly applied without any human interaction, potentially halting the ransomware attack earlier in the kill chain.

    Figure 4: A list of suggested Autonomous Response actions on the affected devices."

    Conclusion

    The Darktrace Threat Research team has noted a surge in attacks by the ShadowSyndicate group using RansomHub’s RaaS of late. RaaS has become increasingly popular across the threat landscape due to its ease of access to malware and script execution. As more individual threat actors adopt RaaS, security teams are struggling to defend against the increasing number of opportunistic attacks.

    For customers subscribed to Darktrace’s Security Operations Center (SOC) services, the Analyst team promptly investigated detections of the aforementioned unusual and anomalous activities in the initial infection phases. Multiple alerts were raised via Darktrace’s Managed Threat Detection to warn customers of active ransomware incidents. By emphasizing anomaly-based detection and response, Darktrace can effectively identify devices affected by ransomware and take action against emerging activity, minimizing disruption and impact on customer networks.

    Credit to Kwa Qing Hong (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Signe Zahark (Principal Cyber Analyst, Japan)

    Appendices

    Darktrace Model Detections

    Antigena Models / Autonomous Response:

    Antigena / Network / Insider Threat / Antigena Network Scan Block

    Antigena / Network / Insider Threat / Antigena SMB Enumeration Block

    Antigena / Network / Insider Threat / Antigena Internal Anomalous File Activity

    Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

    Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

    Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

    Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

    Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

    Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

    Antigena / Network / External Threat / Antigena Suspicious Activity Block

    Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

    Antigena / Network / External Threat / Antigena File then New Outbound Block


    Network Reconnaissance:

    Device / Network Scan

    Device / ICMP Address Scan

    Device / RDP Scan
    Device / Anomalous LDAP Root Searches
    Anomalous Connection / SMB Enumeration
    Device / Spike in LDAP Activity

    C2:

    Enhanced Monitoring - Device / Lateral Movement and C2 Activity

    Enhanced Monitoring - Device / Initial Breach Chain Compromise

    Enhanced Monitoring - Compromise / Suspicious File and C2

    Compliance / Remote Management Tool On Server

    Anomalous Connection / Outbound SSH to Unusual Port


    External Data Transfer:

    Enhanced Monitoring - Unusual Activity / Enhanced Unusual External Data Transfer

    Unusual Activity / Unusual External Data Transfer

    Anomalous Connection / Data Sent to Rare Domain

    Unusual Activity / Unusual External Data to New Endpoint

    Compliance / SSH to Rare External Destination

    Anomalous Connection / Application Protocol on Uncommon Port

    Enhanced Monitoring - Anomalous File / Numeric File Download

    Anomalous File / New User Agent Followed By Numeric File Download

    Anomalous Server Activity / Outgoing from Server

    Device / Large Number of Connections to New Endpoints

    Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

    Anomalous Connection / Uncommon 1 GiB Outbound

    Lateral Movement:

    User / New Admin Credentials on Server

    Anomalous Connection / New or Uncommon Service Control

    Anomalous Connection / High Volume of New or Uncommon Service Control

    Anomalous File / Internal / Executable Uploaded to DC

    Anomalous Connection / Suspicious Activity On High Risk Device

    File Encryption:

    Compliance / SMB Drive Write

    Anomalous File / Internal / Additional Extension Appended to SMB File

    Compromise / Ransomware / Possible Ransom Note Write

    Anomalous Connection / Suspicious Read Write Ratio

    List of Indicators of Compromise (IoCs)

    IoC - Type - Description + Confidence

    83.97.73[.]198 - IP - Data exfiltration endpoint

    108.181.182[.]143 - IP - Data exfiltration endpoint

    46.161.27[.]151 - IP - Data exfiltration endpoint

    185.65.212[.]164 - IP - Data exfiltration endpoint

    66[.]203.125.21 - IP - MEGA endpoint used for data exfiltration

    89[.]44.168.207 - IP - MEGA endpoint used for data exfiltration

    185[.]206.24.31 - IP - MEGA endpoint used for data exfiltration

    31[.]216.148.33 - IP - MEGA endpoint used for data exfiltration

    104.226.39[.]18 - IP - C2 endpoint

    103.253.40[.]87 - IP - C2 endpoint

    *.relay.splashtop[.]com - Hostname - C2 & data exfiltration endpoint

    gfs***n***.userstorage.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

    w.api.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

    ams-rb9a-ss.ams.efscloud[.]net - Hostname - Data exfiltration endpoint

    MITRE ATT&CK Mapping

    Tactic - Technqiue

    RECONNAISSANCE – T1592.004 Client Configurations

    RECONNAISSANCE – T1590.005 IP Addresses

    RECONNAISSANCE – T1595.001 Scanning IP Blocks

    RECONNAISSANCE – T1595.002 Vulnerability Scanning

    DISCOVERY – T1046 Network Service Scanning

    DISCOVERY – T1018 Remote System Discovery

    DISCOVERY – T1083 File and Directory Discovery
    INITIAL ACCESS - T1189 Drive-by Compromise

    INITIAL ACCESS - T1190 Exploit Public-Facing Application

    COMMAND AND CONTROL - T1001 Data Obfuscation

    COMMAND AND CONTROL - T1071 Application Layer Protocol

    COMMAND AND CONTROL - T1071.001 Web Protocols

    COMMAND AND CONTROL - T1573.001 Symmetric Cryptography

    COMMAND AND CONTROL - T1571 Non-Standard Port

    DEFENSE EVASION – T1078 Valid Accounts

    DEFENSE EVASION – T1550.002 Pass the Hash

    LATERAL MOVEMENT - T1021.004 SSH

    LATERAL MOVEMENT – T1080 Taint Shared Content

    LATERAL MOVEMENT – T1570 Lateral Tool Transfer

    LATERAL MOVEMENT – T1021.002 SMB/Windows Admin Shares

    COLLECTION - T1185 Man in the Browser

    EXFILTRATION - T1041 Exfiltration Over C2 Channel

    EXFILTRATION - T1567.002 Exfiltration to Cloud Storage

    EXFILTRATION - T1029 Scheduled Transfer

    IMPACT – T1486 Data Encrypted for Impact

    References

    1.     https://www.group-ib.com/blog/shadowsyndicate-raas/

    2.     https://www.techtarget.com/searchsecurity/news/366617096/ESET-RansomHub-most-active-ransomware-group-in-H2-2024

    3.     https://cyberint.com/blog/research/ransomhub-the-new-kid-on-the-block-to-know/

    4.     https://www.cisa.gov/sites/default/files/2024-05/AA24-131A.stix_.xml

    Continue reading
    About the author
    Qing Hong Kwa
    Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore
    Your data. Our AI.
    Elevate your network security with Darktrace AI