
Qilin Ransomware Group

Nov 12, 2025

Threat Overview - Qilin Ransomware Group

Qilin Ransomware Group is a rapidly evolving ransomware-as-a-service (RaaS) operation that first became widely visible in mid-2022 and has since escalated its attacks in both volume and sophistication. According to recent intelligence, Qilin offers affiliates highly customizable ransomware payloads (written in Go and Rust) and supports both Windows and Linux/ESXi targets. It has also matured its business model to include double-extortion tactics, where victims not only face encrypted networks and systems but also the threat of public data leaks via a dedicated leak site, increasing pressure to pay. Over the last several months, Qilin has increased its affiliate recruitment efforts (especially following the disruption of competing RaaS operations), aggressively targeting high-impact sectors such as healthcare, manufacturing, legal and financial services. It is also worth noting the reach of the threat group's geographical footprint, which includes victims in the United States, United Kingdom, Canada, Germany, France, Japan and Australia (among others globally). These developments reflect a shift from opportunistic encryption attacks toward large-scale, customized, high-value extortion operations in which malicious actors gain unauthorized access, steal sensitive data, encrypt critical systems, disrupt operations, and exploit victims for maximum ransom leverage.


Qilin Ransomware Group Hunt Collection


Enabling RDP Connections Through Registry Modification

This content is designed to detect when the registry key that enables and disables Remote Desktop Protocol (RDP) connections (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server) is modified. This type of activity has been seen in the use of the SmokedHam tool by UNC2465 and its affiliates. False positives may occur depending on the environment, as these registry keys can also be modified legitimately by administrators.


Single-Character Named Files Used For Execution

This Hunt Package identifies single-character file names used at the point of execution or in command-line arguments, with optional logic to look for the corresponding file creations.


Autorun Or ASEP Registry Key Modification

A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to be executed when a user logs in. These mechanisms are often used for legitimate purposes; however, when used maliciously, the key name or value is often obviously suspicious, such as random names or objects loaded from temp or public folders.


Driver File Created In Temp Directory - Potential Malware Installation

This Hunt Package is intended to identify when a file write is observed for a .sys file in the AppData temp directory. This can be indicative of malware, of an attacker attempting to disguise their malware as a "legitimate" driver file, or of an attacker dropping a legitimate but vulnerable driver in order to gain the execution privileges they need.


Common Suspicious Powershell Execution Argument Techniques - Bypass And Unrestricted Policies

This Hunt Package is designed to identify suspicious PowerShell execution arguments associated with the execution policies "Unrestricted" and "Bypass". Based on research, the use of "Bypass" is more common in malicious executions; however, "Unrestricted" should still be monitored for abuse, such as by insider threats. Accordingly, this Hunt Package provides both a behavior and a detection, reflecting the relative frequency of Bypass versus Unrestricted executions. The flags and parameters included in the query logic search for potentially malicious activity that deviates from standard practice within a given environment. This can help the analyst discover abnormal or harmful events that leverage PowerShell for various purposes, such as launching attacks or maintaining persistence.


MSI File Installation From Suspicious Location

This use case is meant to detect msiexec.exe installing MSI files from directories outside standard/trusted installation paths, which may indicate malicious software installation.


VMware Services and Functions Disabled on ESXi - Potential Ransomware

This package identifies when all virtual machine processes on an ESXi host are enumerated and killed, a pattern common to many ransomware operations.


Mimikatz Non-Interactive Execution

This package identifies when a Mimikatz payload has been executed on a system as a one-liner, likely redirecting its output to a file for later collection. This is not the way Mimikatz is typically run, but adversaries still execute it in this fashion.


ScreenConnect Relay Mode Engagement - Possible Remote Administration Tool Usage

This hypothesis aims to pinpoint suspicious ScreenConnect activity by surveying command-line arguments and process execution paths that suggest relay mode functionality. In the context of cyber threats, ScreenConnect, while a legitimate remote support tool, can be exploited by adversaries to facilitate unauthorized access, data breaches, or reconnaissance within a target network. For instance, threat actors might employ ScreenConnect in relay mode to covertly manage compromised systems and orchestrate lateral network movements without immediate detection. When these patterns are identified, it's crucial for analysts to investigate as they may indicate an abuse of this otherwise legitimate tool for nefarious purposes.


Remote Services - SMB Share mounts/admin shares/scanning

This use case detects when shares are mapped via "net.exe" on the command line, and more specifically when hidden administrative shares are mapped, since these can be used to remotely copy malicious files and executables.


Run Registry Key Autorun Created From Public Users Directory

This use case is meant to identify Run registry key modifications which point to a file located within the "C:\Users\Public" folder.


This Hunt Package is intended to identify when suspicious executables or scripts are launched from common configuration or system-function-related folders. This behavior can be indicative of an adversary attempting to disguise their payload as a "legitimate" file or script. Creating such files within common system folders is a technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system.


Scheduled Task Created

This use case is meant to identify newly created scheduled tasks via specific command-line parameters.


WinRAR Archive Created

This package is designed to identify when a WinRAR archive has been created. WinRAR is often used by threat actors to compress and exfiltrate data from a compromised environment; creating the archive is often an indication that data is being "staged" before it is offloaded to the attacker's infrastructure. WinRAR is a legitimate application and may be used by users for legitimate reasons. Often the distinguishing factor is the number of files being archived, as threat actors will typically compress a folder containing a large amount of data.


User Added to Default Privileged Windows Security Groups

This package is designed to capture the execution of command-line arguments that add a user to default privileged Windows security groups (local and domain).


RDP Restricted Admin Mode Enabled - Registry Key Detection

This package is designed to capture activity in which the registry key that controls RDP Restricted Admin Mode is enabled or disabled. This key was observed being modified during an attack that involved the Gootloader payload.


Excessive Windows Discovery CommandLine Arguments - Potential Malware Installation

This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed repeatedly in quick succession with different arguments and strings.


Shadow Copies Deletion Using Operating Systems Utilities

Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with PowerShell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command-line arguments containing "delete" and variations of "shadow".


WDigest Downgrade Attack - Registry Key Modification

This package is designed to identify when the registry key (SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential or SYSTEM\ControlSet00*\Control\SecurityProviders\WDigest\UseLogonCredential) is modified, signaling a possible WDigest downgrade attack. This activity was recently seen and attributed to the SmokedHam tool from UNC2465 and its affiliates. False positives may occur depending on the environment, as these registry keys can also be modified legitimately by administrators.


Suspicious Child Process - Notepad.exe

This Hunt Package is intended to identify when notepad.exe has a child process that is unexpected or abnormal for the application. Notepad is often abused by attackers as a "sacrificial" process into which they inject their malware to hide from defenses. This typically occurs after the attacker has executed their main payload: they "migrate" their malware into notepad.exe to avoid drawing attention and to run code in memory from a signed process. In addition to attackers using Notepad to hide, Meterpreter and similar adversary simulation (red team) tools often default to Notepad as the process to migrate into for stability post-exploitation.


Windows Defender Tampering - Possible Malware Activity

This package is designed to identify when PowerShell is used to tamper with Windows Defender in a way that would make a machine easier to compromise.
