Replies: 2 comments 1 reply
-
Hello KompTi,

Thank you for using Wazuh and bringing this development to our attention. I have analyzed the report in the link you shared relating to the attack on the Chilean Judiciary and can confirm that this attack has no connection with the latest Lockbit 3.0 attacks that have been reported thus far. VirusTotal could not detect 2 of the IOCs in the report (123.cmd and lbb.dll), while injector.exe, which was detected, had no connection to ransomware activity as per the report and comments. I have tried to obtain the files to test this attack; however, the files are not available on various malware repository websites. I would be glad to assist if you have further information to share to aid my analysis; however, the current information related to this attack does not really portray the attack pattern of Lockbit 3.0 seen thus far.

Also, Wazuh can be configured to detect the attack by adding the IOCs to detection rules. For example, you can configure FIM to monitor the directories on the system to detect these files. See the example below.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. Kindly restart the Wazuh server after adding the rules.

Also, as demonstrated in the blog post, you can leverage VirusTotal and YARA and define your own custom rules to detect the ransomware.

Please let me know if you have further queries.

Best Regards
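The reply above describes the approach (FIM on the endpoint plus a custom rule on the manager) but the rule text it refers to is not on this page. The configuration below is an added example written for this thread, not the responder's rules or anything from the Wazuh project. It assumes a Wazuh 4.x deployment with the stock syscheck rules 550 (file modified) and 554 (file added) and the decoded `file` field; the monitored directories, the group name and rule id 100100 are arbitrary choices, and the three filenames are the IOCs named in the report discussed above.

```xml
<!-- 1) Agent side: /var/ossec/etc/ossec.conf (Windows paths shown; use Linux
     paths such as /home,/tmp on Linux agents). realtime="yes" makes syscheck
     report a new file immediately instead of waiting for the next scheduled scan. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <directories realtime="yes" check_all="yes">C:\Users,C:\Windows\Temp</directories>
  </syscheck>
</ossec_config>

<!-- 2) Manager side: /var/ossec/etc/rules/local_rules.xml
     Custom rule ids must be in the 100000-120000 range reserved for local rules. -->
<group name="syscheck,ransomware,">
  <!-- Fire when any of the IOC filenames from the CSIRT report is created or
       modified anywhere under a monitored directory. The regex matches the
       basename only (after the last / or \) and is case-insensitive, since
       Windows file names are case-insensitive. -->
  <rule id="100100" level="12">
    <if_sid>550,554</if_sid>
    <field name="file" type="pcre2">(?i)[\\/](123\.cmd|lbb\.dll|injector\.exe)$</field>
    <description>Ransomware IOC file written to disk: $(file)</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
</group>
```

After editing local_rules.xml, restart the manager (`systemctl restart wazuh-manager`) and push the syscheck change to the agents (the agent needs a restart unless the block is delivered through a centralized agent.conf). Matching on filename alone is a weak indicator, since the attacker can rename the dropper; a hash-based check (the `check_all` attribute above records hashes, and the FIM event carries `sha256_after`) or a YARA scan triggered from the FIM alert, as the reply mentions, is the stronger follow-up.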
-
Thanks a lot for your answer!
-
Hi everyone, have a nice day
We are customizing the Wazuh rules to detect Lockbit ransomware because this RaaS recently affected all the systems of the Chilean Judiciary. Actually, the rules in Wazuh have no connection with the Lockbit 3.0 attacks reported on your blog website.
Please take a few minutes to read the CSIRT report.
They explain and bring important details to detect it.
So it is very important to develop a rule that is available for enterprise and government institutions in the Wazuh repositories.
Best regards for you!