Ransomware Attack Against Government

Government Ministry

Entry Point: Infected Email

Attack against the full network using the Eternal Blue self-propagating exploit

Detection Method: Advanced Network Traffic Analysis with event correlation

Secondary Detection: Known signature of the Eternal Blue exploit


At a government ministry, an employee received an email containing an attachment marked as “invoice.” Presuming it to be legitimate, he opened the attachment, unknowingly releasing a ransomware payload. This ransomware did not immediately attempt to ransom the recipient’s laptop; instead it began preparing a larger attack against the full network.
As part of this preparation, the ransomware downloaded TOR and began to communicate with an outside IP address. Both of these anomalous actions were identified by MENDEL as they happened. MENDEL automatically alerted the ministry’s security team, who used MENDEL to identify the device, and MENDEL’s integration with Active Directory to identify the employee in question. The machine was sanitized and returned to service before it could cause damage.
The ransomware in question used the Eternal Blue exploit, which infects other devices across the network without having to be spread by careless users. Eternal Blue was a key component of the WannaCry ransomware which affected networks worldwide in 2017. MENDEL detects this exploit by name, and it identifies ransomware using similar but unknown exploits by its actions, using event correlation to escalate the seriousness of an alert as further suspicious actions are observed.
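As an added illustration of the behaviour-based escalation described above (example code, not MENDEL’s logic or the ministry’s data): a small correlation engine that scores each host by how many of the three stages seen in this incident (TOR download, contact with an unknown outside IP, SMB fan-out to many internal hosts) appear in its flow records. The address range, allow-list, flow records and thresholds are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed ministry address space
ALLOWED_EXTERNAL = {"93.184.216.34"}     # assumed known-good external hosts (e.g. update server)
SEVERITY = {1: "low", 2: "high", 3: "critical"}   # escalates with each distinct stage seen

# Constructed flow records: (seconds, src_ip, dst_ip, dst_port, http_uri)
FLOWS = [
    (10, "10.1.2.34", "93.184.216.34", 443, "/patches/kb.msu"),              # benign update
    (20, "10.1.2.34", "198.51.100.77", 443, "/dist/torbrowser-install.exe"),  # TOR download
    (25, "10.1.2.34", "203.0.113.9", 9001, ""),                               # outbound to unknown IP
    (30, "10.1.2.34", "10.1.2.35", 445, ""),   # SMB to five internal hosts within seconds:
    (31, "10.1.2.34", "10.1.2.36", 445, ""),   # the fan-out pattern of a self-propagating worm
    (32, "10.1.2.34", "10.1.2.37", 445, ""),
    (33, "10.1.2.34", "10.1.2.38", 445, ""),
    (34, "10.1.2.34", "10.1.2.39", 445, ""),
    (40, "10.1.2.50", "10.1.2.60", 445, ""),   # another host: one normal file-share access
]


def classify(flow):
    """Map one flow to zero or one indicator (simple heuristics, constructed for the example)."""
    _, _, dst, port, uri = flow
    if "torbrowser" in uri.lower():
        return "tor_download"
    if ip_address(dst) not in INTERNAL and dst not in ALLOWED_EXTERNAL:
        return "external_unknown"
    if port == 445 and ip_address(dst) in INTERNAL:
        return "smb"
    return None


def correlate(flows, smb_fanout=5, window=60):
    """Per source host: collect distinct stages, counting SMB only once it fans out to
    >= smb_fanout distinct internal targets inside `window` seconds; severity grows
    with the number of stages, so a lone indicator stays low and the full chain is critical."""
    stages = defaultdict(set)
    smb_targets = defaultdict(list)            # src -> [(time, dst)]
    for flow in sorted(flows):
        t, src, dst, _, _ = flow
        kind = classify(flow)
        if kind in ("tor_download", "external_unknown"):
            stages[src].add(kind)
        elif kind == "smb":
            smb_targets[src].append((t, dst))
            recent = {d for ts, d in smb_targets[src] if t - ts <= window}
            if len(recent) >= smb_fanout:
                stages[src].add("smb_fanout")
    return {src: (SEVERITY[len(s)], sorted(s)) for src, s in stages.items()}
```

Hosts with no indicator at all (here 10.1.2.50) never appear in the result, so ordinary file-share traffic does not page anyone.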
Attacks of this nature, using advanced malware against governments, critical corporate assets, and infrastructure, are becoming more common. Commonly used security tools find them nearly impossible to detect. MENDEL helps defend the network against them.