CrowdStrike Alert Details
Alert ID: CS-RANSOMWARE-1486-7842
Alert Time: 2024-03-03 11:30:22 EST
Severity: CRITICAL (99/100)
Source: CrowdStrike Falcon EDR
Rule: “Ransomware Behavior Detected – Mass File Encryption”
MITRE ATT&CK: T1486 – Data Encrypted for Impact
Alert Details:
Detection: Process encrypting multiple files and appending .locked extension
Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 11:15-11:30 EST
Process Details:
Process: C:\Windows\Temp\encrypt.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: cmd.exe
File Encryption Events:
11:15-11:30: 2,847 files encrypted
File extensions changed to .locked
Locations affected:
C:\Users\rpatel\Documents\*.* – 1,234 files
C:\Users\rpatel\Desktop\*.* – 456 files
C:\Users\rpatel\Downloads\*.* – 234 files
D:\engineering_data\*.* – 923 files
Ransom Note:
File: README_LOCKED.txt (created in each folder)
Content:
YOUR FILES ARE ENCRYPTED!
All your documents, photos, databases and other important files have been encrypted with RSA-2048.
To recover your files, send 0.5 BTC to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Then contact: decrypt@onionmail.org with your personal ID: ENG-7842-045
Detection Logic:
Mass file encryption (2,847 files in 15 minutes)
File extension changes (.locked)
Ransom note dropped
Process from Temp folder
Pattern matches ransomware attack
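The detection logic above, as an added illustration that is not part of the alert or of CrowdStrike's own rule: a small Python scorer that groups constructed EDR file events per process and evaluates the four indicators the rule combines (mass renames inside a 15-minute window, the .locked extension, a ransom-note drop, and a process image running from a Temp folder). The pipe-delimited event format, the 50-rename threshold and the sample records are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
RENAME_THRESHOLD = 50  # hypothetical tuning value; the real alert saw 2,847 renames in 15 minutes
SUSPICIOUS_EXT = (".locked",)
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
NOTE_RE = re.compile(r"^readme.*\.txt$", re.IGNORECASE)

def peak_in_window(times):
    """Largest number of sorted timestamps falling inside any WINDOW-long span."""
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def evaluate(lines):
    """Group constructed EDR records (ts|host|image|pid|action|path) per process
    and score each (host, pid) against the four indicators the rule combines."""
    by_proc = defaultdict(list)
    for line in lines:
        ts, host, image, pid, action, path = line.split("|")
        by_proc[(host, int(pid), image)].append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, path))
    results = {}
    for (host, pid, image), evs in by_proc.items():
        renames = sorted(ts for ts, act, path in evs
                         if act == "RENAME" and path.lower().endswith(SUSPICIOUS_EXT))
        note = any(act == "CREATE" and NOTE_RE.search(path.rsplit("\\", 1)[-1])
                   for _, act, path in evs)
        peak = peak_in_window(renames)
        flags = {"mass_rename": peak >= RENAME_THRESHOLD, "suspicious_ext": bool(renames),
                 "ransom_note": note, "temp_process": any(t in image.lower() for t in TEMP_DIRS)}
        # Mass rename is mandatory; corroborating indicators push the verdict over the line.
        verdict = "RANSOMWARE" if flags["mass_rename"] and sum(flags.values()) >= 3 else "benign"
        results[(host, pid)] = {"peak_renames": peak, "flags": flags, "verdict": verdict}
    return results

def sample_events():
    """Constructed sample: a 60-file encrypt.exe burst plus one unrelated Office save."""
    base, mal = datetime(2024, 3, 3, 11, 15), "ENG-WS-045|C:\\Windows\\Temp\\encrypt.exe|4789"
    lines = [f"{base + timedelta(seconds=10 * i):%Y-%m-%d %H:%M:%S}|{mal}|RENAME|"
             f"C:\\Users\\rpatel\\Documents\\spec_{i}.docx.locked" for i in range(60)]
    lines.append(f"2024-03-03 11:16:00|{mal}|CREATE|C:\\Users\\rpatel\\Documents\\README_LOCKED.txt")
    lines.append("2024-03-03 11:20:00|ENG-WS-045|C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
                 "|2210|RENAME|C:\\Users\\rpatel\\Documents\\~WRD0001.tmp")
    return lines
```

Running `evaluate(sample_events())` flags PID 4789 as RANSOMWARE with all four indicators set, while the WINWORD.EXE save scores benign because its single rename never touches a suspicious extension.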
SOC Investigation Process
Step                   | Action                      | Tools Used                 | Findings
-----------------------|-----------------------------|----------------------------|---------------------------------------
1. Alert Validation    | Verify CrowdStrike alert    | CrowdStrike Falcon Console | Confirmed ransomware encryption
2. Immediate Action    | Isolate host                | CrowdStrike                | ENG-WS-045 quarantined
3. Network Block       | Block C2 communication      | Palo Alto                  | Blocked outbound connections from host
4. Ransomware Analysis | Identify ransomware variant | CrowdStrike Sandbox        | LockBit 3.0 ransomware
5. Backup Restoration  | Restore encrypted files     | Veeam Backup               | All 2,847 files restored
6. Account Remediation | Disable rpatel account      | Azure AD, AD               | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-163
Summary: T1486 – LockBit Ransomware Encrypts 2,847 Files on Engineering Workstation
Status: RESOLVED
Resolution: MALICIOUS – Files Encrypted, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1486, ransomware, data-encrypted, lockbit, crowdstrike
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Ransomware Behavior Detected – Mass File Encryption”.
Host: ENG-WS-045 (Engineering, user rpatel).
Files: 2,847 files encrypted with .locked extension.
Ransomware: LockBit 3.0.
Time: 2024-03-03 11:30 EST.
Technique: MITRE ATT&CK T1486 – Data Encrypted for Impact.
2. Technical Analysis:
Attack Chain:
10:30 – rpatel account compromised via phishing
10:45 – Attacker logs into ENG-WS-045 via RDP
10:50 – Attacker downloads encrypt.exe (LockBit ransomware)
11:00 – Attacker executes ransomware
11:15-11:30 – Encryption of 2,847 files
11:30 – CrowdStrike detects
Ransomware Analysis:
Variant: LockBit 3.0
Encryption: RSA-2048 + AES-256
Extension: .locked
Note: README_LOCKED.txt
Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Contact: decrypt@onionmail.org
Files Encrypted (2,847):
Engineering documents (1,234) – project files, specs
Desktop files (456) – various
Downloads (234) – various
D:\engineering_data (923) – source code, designs, IP
Network Activity:
Attempted C2 communication (blocked)
No lateral movement detected
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – Ransomware downloaded
11:00-11:30 – Encryption
11:30 – CrowdStrike alert
11:32 – SOC investigates
11:33 – Host isolated
11:35 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\encrypt.exe (SHA256: a1b2c3d4…)
– README_LOCKED.txt (multiple locations)
– *.locked files (2,847)
Network:
– C2 attempt (blocked)
– Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
– Email: decrypt@onionmail.org
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked outbound connections from host.
Terminated encrypt.exe process.
Disabled rpatel account.
Reset password.
Data Recovery:
Restored all 2,847 encrypted files from Veeam backups.
Verified file integrity.
Host reimaged before returning to service.
Enterprise-wide Actions:
Scanned for other ransomware indicators (none found).
Enhanced email filtering for phishing.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to ransomware execution.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
User had local admin rights (allowed ransomware to run).
6. Business Impact:
Operational Impact: Engineering host offline for 3 hours.
Data Exposure: 2,847 files encrypted but restored from backups.
Financial Impact: No ransom paid; recovery costs.
7. Remediation & Prevention:
Completed Actions:
Ransomware stopped.
Files restored.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Removed local admin rights from standard users.
Implemented application control.
Enhanced backup frequency.
8. Conclusion:
An attacker compromised an engineering account and deployed LockBit ransomware, encrypting 2,847 files on a local workstation. CrowdStrike detected the ransomware behavior within minutes, enabling isolation and restoration from backups. No ransom was paid.
Closure Rationale: Files encrypted; files restored from backups; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 12:30 EST