CrowdStrike Alert Details
Alert ID: CS-RANSOMWARE-1486-7842
Alert Time: 2024-03-13 14:15:33 EST
Severity: CRITICAL (99/100)
Source: CrowdStrike Falcon EDR
Rule: “Ransomware Behavior Detected – Mass File Encryption”
MITRE ATT&CK: T1486 – Data Encrypted for Impact
Alert Details:
Detection: Process encrypting multiple files and appending .encrypted extension
Host: FILESRV-02 (File Server)
User: SYSTEM (via compromised admin account)
Process: C:\Windows\Temp\encryptor.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (as recorded; a full SHA-256 digest is 64 hex characters, so confirm the hash in the Falcon console before using it for blocking or hunting)
Time: 14:10-14:15 EST
File Encryption Events:
14:10-14:15: 12,847 files encrypted
File extensions changed to .encrypted
Locations affected:
\\filesrv\finance\*.* – 3,456 files (23 GB)
\\filesrv\hr\*.* – 2,891 files (15 GB)
\\filesrv\r&d\*.* – 4,234 files (28 GB)
\\filesrv\executive\*.* – 1,234 files (8 GB)
\\filesrv\backups\*.* – 1,032 files (4 GB)
Ransom Note:
File: README_ENCRYPTED.txt (created in each folder)
Content:
YOUR FILES ARE ENCRYPTED!
All your documents, databases and other important files have been encrypted with RSA-2048.
To recover your files, send 2 BTC to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Then contact: decrypt@onionmail.org with your server ID: FILESRV-02
You have 72 hours. Do not attempt to recover files yourself, you will lose them.
Detection Logic:
Mass file encryption (12,847 files in 5 minutes)
File extension changes (.encrypted)
Ransom note dropped
Process from Temp folder
Pattern matches ransomware attack
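The four signals above can be reproduced as a small correlation rule. The following is an added example, not Falcon's detection logic: it runs over constructed file-event records (the pipe-delimited format, the 100-renames-in-5-minutes threshold and the list of suspicious image directories are all assumptions for illustration) and fires only when the mass-encryption signal is present together with at least two of the others.

```python
"""Minimal ransomware-behavior rule over constructed file-event records.

Added example; not Falcon's detection logic. The event format and the
threshold values are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # assumed: burst window
MASS_THRESHOLD = 100                 # assumed: renames to .encrypted by one process within WINDOW
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAMES = {"readme_encrypted.txt"}
SUSPICIOUS_IMAGE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")  # assumed list


def parse_event(line):
    """Constructed format: '<ISO time>|<host>|<pid>|<image>|<op>|<path>'."""
    ts, host, pid, image, op, path = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "image": image, "op": op, "path": path}


def max_events_in_window(times):
    """Largest number of timestamps that fall inside any WINDOW-long span."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def evaluate(events):
    """Group events per (host, pid, image) and score the four signals."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["image"])].append(e)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        signals = []
        renames = [e["ts"] for e in evs
                   if e["op"] == "RENAME" and e["path"].lower().endswith(ENCRYPTED_SUFFIX)]
        if renames:
            signals.append("extension_change")
        if max_events_in_window(renames) >= MASS_THRESHOLD:
            signals.append("mass_encryption")
        if any(e["op"] == "CREATE" and e["path"].lower().rsplit("\\", 1)[-1] in RANSOM_NOTE_NAMES
               for e in evs):
            signals.append("ransom_note")
        if image.lower().startswith(SUSPICIOUS_IMAGE_DIRS):
            signals.append("temp_process")
        # Mass encryption is required; the other signals raise confidence.
        if "mass_encryption" in signals and len(signals) >= 3:
            alerts.append({"host": host, "pid": pid, "image": image,
                           "renames": len(renames), "signals": signals})
    return alerts


def build_sample_events():
    """Constructed sample: 150 renames by encryptor.exe inside 5 minutes plus a
    ransom note, and a few benign renames by a backup agent (paths illustrative)."""
    base = datetime(2024, 3, 13, 14, 10, 0)
    lines = []
    for i in range(150):
        t = base + timedelta(seconds=2 * i)
        share = ["finance", "hr", "r&d"][i % 3]
        lines.append(f"{t.isoformat()}|FILESRV-02|4789|C:\\Windows\\Temp\\encryptor.exe"
                     f"|RENAME|\\\\filesrv\\{share}\\doc{i}.xlsx{ENCRYPTED_SUFFIX}")
    lines.append(f"{base.isoformat()}|FILESRV-02|4789|C:\\Windows\\Temp\\encryptor.exe"
                 "|CREATE|\\\\filesrv\\finance\\README_ENCRYPTED.txt")
    for i in range(3):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|FILESRV-02|1200|C:\\Program Files\\Veeam\\VeeamAgent.exe"
                     f"|RENAME|\\\\filesrv\\backups\\job{i}.vbk.tmp")
    return lines


if __name__ == "__main__":
    for alert in evaluate([parse_event(line) for line in build_sample_events()]):
        print(alert)
```

The benign backup agent in the sample renames three files and never reaches the threshold, which is the point of requiring the burst count rather than any single rename: extension changes and Temp-folder processes on their own are too common on a file server to page on.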
SOC Investigation Process

| Step                   | Action                                        | Tools Used                 | Findings                               |
|------------------------|-----------------------------------------------|----------------------------|----------------------------------------|
| 1. Alert Validation    | Verify CrowdStrike alert                      | CrowdStrike Falcon Console | Confirmed ransomware encryption        |
| 2. Immediate Action    | Isolate file server                           | CrowdStrike, Network ACLs  | FILESRV-02 quarantined                 |
| 3. Process Termination | Kill encryptor.exe                            | CrowdStrike                | Process terminated                     |
| 4. Account Remediation | Disable compromised admin account             | Azure AD, AD               | Admin account disabled; password reset |
| 5. Backup Restoration  | Restore encrypted files from off-site backups | Veeam Backup               | All files restored                     |
| 6. Incident Response   | Activate disaster recovery                    | Management, Legal          | Ransomware incident declared           |
Jira Incident Report
Ticket: SOC-2024-212
Summary: T1486 – Ransomware Encrypts 12,847 Files on File Server
Status: RESOLVED
Resolution: MALICIOUS – Files Encrypted, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1486, ransomware, data-encrypted, crowdstrike, compromised-admin
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Ransomware Behavior Detected – Mass File Encryption”.
Host: FILESRV-02 (Primary File Server).
Process: C:\Windows\Temp\encryptor.exe.
Files: 12,847 files encrypted, 78 GB total.
Ransom Note: README_ENCRYPTED.txt.
Time: 2024-03-13 14:15 EST.
Technique: MITRE ATT&CK T1486 – Data Encrypted for Impact.
2. Technical Analysis:
Attack Chain:
13:30 – Domain admin account (jsmith) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
14:00 – Attacker uses PsExec from the admin workstation to copy encryptor.exe to FILESRV-02 (PsExec writes the payload through the ADMIN$ share and installs its PSEXESVC service on the target)
14:05 – encryptor.exe executed as SYSTEM (consistent with PsExec's -s option; the process therefore runs with the SYSTEM token rather than jsmith's)
14:10-14:15 – Mass encryption of files
14:15 – CrowdStrike detects
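The chain above leaves a recognisable trail in the Windows event logs: a 4624 logon with LogonType 10 (RemoteInteractive, i.e. RDP) on the workstation, a 5145 share-access event for ADMIN$ and a 7045 service-installed event for PSEXESVC on the file server, then a 4688 process-creation event whose parent is PSEXESVC.exe and whose image lives under C:\Windows\Temp. The following is an added example of correlating those events into the timeline, not output from any SIEM: the records are constructed, the field names are simplified from the real Security/System schemas, and the workstation name ADMIN-WS01 and the IP addresses are placeholders.

```python
"""Reconstruct the RDP -> PsExec -> SYSTEM execution chain from Windows events.

Added example, not SIEM output. SAMPLE_EVENTS is constructed; field names are
simplified from the real event schemas; ADMIN-WS01 and the IPs are placeholders.
"""

# Real Windows event IDs: 4624 logon (LogonType 10 = RemoteInteractive/RDP),
# 5145 network share object checked (ADMIN$ write by PsExec), 7045 service
# installed (PsExec's PSEXESVC), 4688 process creation.
SAMPLE_EVENTS = [  # constructed
    {"time": "2024-03-13T13:44:10", "host": "ADMIN-WS01", "id": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"time": "2024-03-13T13:45:02", "host": "ADMIN-WS01", "id": 4624, "LogonType": 10,
     "TargetUserName": "jsmith", "IpAddress": "203.0.113.45"},
    {"time": "2024-03-13T14:00:11", "host": "FILESRV-02", "id": 5145, "SubjectUserName": "jsmith",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "encryptor.exe", "AccessMask": "0x2"},
    {"time": "2024-03-13T14:00:12", "host": "FILESRV-02", "id": 7045, "SubjectUserName": "jsmith",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-03-13T14:02:30", "host": "FILESRV-02", "id": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe", "NewProcessId": "0x3e8"},
    {"time": "2024-03-13T14:05:00", "host": "FILESRV-02", "id": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\Temp\\encryptor.exe",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe", "NewProcessId": "0x12b5"},
]

SUSPICIOUS_EXEC_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")  # assumed list
EXPECTED_ORDER = ["rdp_logon", "admin_share_write", "psexec_service", "temp_exec_as_system"]


def reconstruct_chain(events, user):
    """Return (stage, host, time, detail) tuples attributable to `user`, in time order."""
    stages = []
    psexec_hosts = set()
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        eid = e["id"]
        if eid == 4624 and e.get("LogonType") == 10 and e.get("TargetUserName") == user:
            stages.append(("rdp_logon", e["host"], e["time"], f"from {e['IpAddress']}"))
        elif (eid == 5145 and e.get("SubjectUserName") == user
              and e.get("ShareName", "").endswith("ADMIN$")):
            stages.append(("admin_share_write", e["host"], e["time"], e["RelativeTargetName"]))
        elif eid == 7045 and e.get("SubjectUserName") == user and e.get("ServiceName") == "PSEXESVC":
            psexec_hosts.add(e["host"])
            stages.append(("psexec_service", e["host"], e["time"], e["ImagePath"]))
        elif (eid == 4688 and e["host"] in psexec_hosts
              and e.get("ParentProcessName", "").lower().endswith("\\psexesvc.exe")
              and e.get("NewProcessName", "").lower().startswith(SUSPICIOUS_EXEC_DIRS)):
            # The child of PSEXESVC runs as SYSTEM, so it is tied to `user` through
            # the service install on the same host, not through its own token.
            pid = int(e["NewProcessId"], 16)  # 4688 records the PID in hex
            stages.append(("temp_exec_as_system", e["host"], e["time"],
                           f"{e['NewProcessName']} pid {pid}"))
    return stages


def chain_complete(stages):
    """True when every expected stage appears, in order, as a subsequence."""
    idx = 0
    for name, _host, _time, _detail in stages:
        if idx < len(EXPECTED_ORDER) and name == EXPECTED_ORDER[idx]:
            idx += 1
    return idx == len(EXPECTED_ORDER)


if __name__ == "__main__":
    chain = reconstruct_chain(SAMPLE_EVENTS, "jsmith")
    for stage in chain:
        print(stage)
    print("complete chain:", chain_complete(chain))
```

The 4688 branch is the subtle part: the encryption process is logged under SYSTEM, not jsmith, so a query that filters process creation by the compromised account alone misses it. Anchoring on the PSEXESVC parent and the host where that service was installed by jsmith restores the attribution.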
Ransomware Analysis:
Name: encryptor.exe (custom variant)
SHA256: a1b2c3d4…
Encryption: RSA-2048 public key embedded (as claimed in the ransom note; bulk encryption of 78 GB with RSA alone is impractically slow, so the usual design is a per-file symmetric key wrapped with that public key, which sample analysis should confirm)
Extension: .encrypted
Ransom Note: README_ENCRYPTED.txt
Bitcoin Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Data Encrypted:
Finance: 3,456 files (financial records, reports)
HR: 2,891 files (employee records, payroll)
R&D: 4,234 files (source code, designs)
Executive: 1,234 files (board minutes, strategy)
Backups: 1,032 files (on-server backups)
Total: 12,847 files, 78 GB
Attacker Intent:
Financial gain via ransom
Business disruption
Data destruction if ransom not paid
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
14:00 – Tool deployed
14:10-14:15 – Encryption
14:15 – Alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Process terminated
14:20 – Admin account disabled
14:30 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\encryptor.exe (SHA256: a1b2c3d4…)
– README_ENCRYPTED.txt (multiple locations)
– *.encrypted files (12,847)
Network:
– Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
– Email: decrypt@onionmail.org
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated FILESRV-02.
Terminated encryptor.exe.
Disabled compromised admin account.
Reset password.
Blocked outbound connections from the server.
Data Recovery:
Restored all 12,847 encrypted files from off-site Veeam backups (previous night).
Verified file integrity.
File server back online at 16:30.
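"Verified file integrity" deserves more than a spot check before a share goes back online: leftover ransom notes or .encrypted files in the restored tree mean the restore was incomplete or overlapped with encrypted data, and any file whose hash differs from the backup copy was altered after the snapshot or restored wrongly. The following is an added example of such a check, not a Veeam feature: it assumes a SHA-256 manifest was built from the backup set (here it is built from a constructed 'backup' tree in a temporary directory) and compares the restored tree against it.

```python
"""Post-restore verification for a file share.

Added example; not a Veeam feature. Assumes a SHA-256 manifest built from the
backup set; the directory trees below are constructed in a temp dir.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_ARTIFACTS = {"readme_encrypted.txt"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large shares do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative POSIX path: sha256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the manifest; flag ransom notes and .encrypted
    leftovers, files missing from the restore, unexpected extras and hash drift."""
    restored_root = Path(restored_root)
    findings = {"ransom_artifacts": [], "unexpected": [], "mismatch": []}
    seen = set()
    for p in restored_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored_root).as_posix()
        name = p.name.lower()
        if name in RANSOM_ARTIFACTS or name.endswith(ENCRYPTED_SUFFIX):
            findings["ransom_artifacts"].append(rel)
            continue
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            findings["mismatch"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    for key in findings:
        findings[key] = sorted(findings[key])
    findings["ok"] = not any(findings.values())  # all lists empty
    return findings


def demo():
    """Constructed scenario: a clean restore, then the same tree with a leftover
    ransom note, a stale .encrypted file and one modified file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        for rel, data in {"finance/q1.xlsx": b"q1 numbers", "hr/payroll.csv": b"name,amount"}.items():
            f = backup / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest = build_manifest(backup)
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, manifest)
        (restored / "finance" / "README_ENCRYPTED.txt").write_text("YOUR FILES ARE ENCRYPTED!")
        (restored / "hr" / "old.docx.encrypted").write_bytes(b"\x00garbage")
        (restored / "hr" / "payroll.csv").write_bytes(b"name,amount,tampered")
        dirty = verify_restore(restored, manifest)
        return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean restore ok:", clean["ok"])
    print("dirty restore findings:", {k: v for k, v in dirty.items() if k != "ok" and v})
```

The manifest has to come from the backup side, never from the live server, since the live copies are exactly what the ransomware changed; generating it as part of the backup job means it is available before any incident.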
Enterprise-wide Actions:
Scanned for other ransomware indicators (none found).
Reset all admin passwords.
Enforced MFA for all admins.
5. Root Cause Analysis:
Primary Cause: Domain admin account (jsmith) compromised via phishing.
Contributing Factors:
No MFA on the admin account, so the phished password alone was sufficient for RDP access.
The domain admin account could run code directly on the file server (PsExec as SYSTEM); no tiering separated domain administration from file-server administration.
The on-server backup copies under \\filesrv\backups were encrypted along with the data, leaving only the off-site copies usable.
Mitigating Factor:
Off-site Veeam backups from the previous night were intact, preventing permanent data loss.
6. Business Impact:
Operational Impact: File server offline for roughly 2 hours (isolated at 14:18, back online at 16:30).
Data Exposure: Data encrypted but restored from the previous night's backup; no permanent loss beyond changes made between that backup and 14:10, which data owners should confirm. Exfiltration prior to encryption was not assessed in this report.
Financial Impact: No ransom paid; recovery costs only.
7. Remediation & Prevention:
Completed Actions:
Ransomware stopped.
Files restored.
Admin account secured.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented application control to block unapproved executables, such as binaries launched from C:\Windows\Temp.
Enhanced backup frequency and testing.
8. Conclusion:
An attacker compromised a domain admin account and deployed ransomware on a file server, encrypting 12,847 files. CrowdStrike detected the ransomware behavior within minutes, enabling isolation and restoration from backups. No ransom was paid, and no data was permanently lost.
Closure Rationale: Files encrypted; files restored from backups; admin account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 15:30 EST