Blackbit ransomware detection with Wazuh

Wazuh 4.6.0

Blackbit ransomware is a variant of the LokiLocker ransomware. It utilizes sophisticated techniques to encrypt and obstruct data recovery. The ransomware is built on the Ransomware-as-a-service (RaaS) model. RaaS is a subscription-based business model where ransomware groups lease out their infrastructure to ransomware affiliates or cybercriminals to launch cyberattacks. 

The Blackbit ransomware uses .NET Reactor to obfuscate its code, which hinders code analysis and makes the sample harder to detect. The ransomware presents payment information to its victims in several ways: displaying a pop-up when a victim tries to open an encrypted file, dropping ransom notes, and showing an HTML Application (HTA) page via mshta.exe.

In this blog post, we use Wazuh to detect and remove Blackbit ransomware on an infected Windows endpoint.

Blackbit ransomware behavior

Blackbit ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:

  • Renames itself as winlogon.exe and copies its executable file to the Startup folders to establish persistence.
  • Uses the schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\<user>\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F command to ensure the ransomware runs every time a user logs into the system.
  • Removes backups (shadow copies and the backup catalog) in quiet mode using commands such as vssadmin delete shadows /all /quiet, wmic shadowcopy delete, and wbadmin delete catalog -quiet, obstructing data recovery.
  • Disables the Windows Defender Firewall using the command netsh advfirewall set currentprofile state off.
  • Disables Microsoft Defender by changing several registry values, such as setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring to 0x00000001.
  • Disables the Task Manager by dropping a batch file named wvtymcow.bat in the Startup folder located at C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, preventing monitoring of processes and activities.
  • Renames the files it encrypts to the form [RickyMonkey@onionmail.org][Unique System ID]Actual-FileName.BlackBit and drops a ransom note named Restore-My-Files.txt.

Analyzed IOC file

Type            Value
Hash (SHA256)   1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f
Hash (SHA256)   2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21

Infrastructure

We use the following infrastructure to demonstrate the detection of the Blackbit ransomware behaviors in an infected Windows endpoint.

  • A pre-built, ready-to-use Wazuh OVA 4.6.0. Follow this guide to download the virtual machine. This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.6.0 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the following installation guide.

Detection with Wazuh

We use the following techniques to detect the Blackbit ransomware on the infected Windows endpoint:

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of Blackbit ransomware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file, sysmonconfig.xml, using the PowerShell command below. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file. This configures the Wazuh agent to collect and forward Sysmon event logs to the Wazuh server.

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to create detection rules on the Wazuh server.

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file:

<group name="blackbit_ransomware,">

  <rule id="100101" level="15">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2" >^SetValue$</field>
    <field name="win.eventdata.targetObject" type="pcre2" >HKCR\\\\BlackBit\\\\shell\\\\open\\\\command\\\\\(Default\)</field>
    <description>Changes were made to the registry settings on the $(win.system.computer) endpoint. Blackbit ransomware detected.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

  <rule id="100102" level="15">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.eventType" type="pcre2" >^CreateKey$</field>
    <field name="win.eventdata.targetObject" type="pcre2" >HKCR\\\\BlackBit\\\\shell\\\\open</field>
    <description>Changes were made to the registry settings on the $(win.system.computer) endpoint. Blackbit ransomware detected.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

<!-- Suspicious .bat file creation -->
  <rule id="100103" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\Microsoft\\\\.+\\\\Startup\\\\.*bat</field>
    <description>The file $(win.eventdata.targetFilename) has been added to the Startup folder by $(win.eventdata.image). Potential Blackbit ransomware activity detected</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

<!-- Suspicious .exe file creation -->
  <rule id="100104" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Windows\\\\winlogon.exe</field>
    <description>The file $(win.eventdata.targetFilename) has been added to the Windows folder by $(win.eventdata.image). Potential Blackbit ransomware activity detected</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

<!-- Suspicious .exe file creation -->
  <rule id="100105" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\ProgramData\\\\.*\\\\Startup\\\\winlogon.exe</field>
    <description>The file $(win.eventdata.targetFilename) has been added to the startup folder by $(win.eventdata.image) for persistence. Potential Blackbit ransomware detected</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

<!-- Suspicious file creation -->
  <rule id="100106" level="15">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">C:\\\\Windows\\\\system32\\\\svchost.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\System32\\\\Tasks\\\\BlackBit</field>
    <description>The file $(win.eventdata.targetFilename) created by $(win.eventdata.image). Blackbit ransomware activity detected</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <rule id="100107" level="15">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\BlackBit\\\\.*</field>
    <description>Changes were made to registry settings on $(win.system.computer). Blackbit ransomware detected.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

  <rule id="100108" level="15">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">^CreateKey$</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\BlackBit</field>
    <description>Changes were made to the registry settings on $(win.system.computer). Blackbit ransomware detected.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

  <rule id="100109" level="15">
    <if_sid>92032</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)schtasks\s\s\/CREATE\s\/SC\sONLOGON\s\/TN\sBlackBit\s\/TR</field>
    <description>A Task Scheduler entry is created for persistence. Blackbit ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100110" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)\/C\snetsh\sadvfirewall\sset\scurrentprofile\sstate\soff</field>
    <description>Windows Defender Firewall disabled. Possible Blackbit ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100111" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)\/C\swmic\sshadowcopy\sdelete</field>
    <description>Shadow copies have been deleted. Possible Blackbit ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100112" level="12" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\Restore-My-Files.txt</field>
    <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. Blackbit ransomware detected.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <rule id="100113" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetObject" type="pcre2" >HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\.*</field>
    <description>Windows Defender disabled by making several changes to the registry settings on $(win.system.computer). Potential Blackbit ransomware detected.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>
  
</group>

Where:

  • Rule IDs 100101 and 100102 are triggered when the Blackbit ransomware creates and modifies its registry keys under HKCR\BlackBit.
  • Rule IDs 100103 and 100105 are triggered when the Blackbit ransomware adds .bat and .exe files to the Startup folder.
  • Rule ID 100104 is triggered when the Blackbit ransomware adds winlogon.exe to the C:\Windows folder.
  • Rule ID 100106 is triggered when the Blackbit ransomware uses svchost.exe (which hosts the Task Scheduler service) on the Windows endpoint to store the scheduled task it created in the C:\Windows\System32\Tasks\BlackBit file.
  • Rule IDs 100107 and 100108 are triggered when the Blackbit ransomware changes the Task Scheduler registry settings (the TaskCache tree) after creating an entry on the Windows endpoint.
  • Rule ID 100109 is triggered when the Blackbit ransomware creates a Task Scheduler entry to maintain persistence.
  • Rule ID 100110 is triggered when the Blackbit ransomware disables the Windows Defender Firewall.
  • Rule ID 100111 is triggered when the Blackbit ransomware deletes all the shadow copies of the files and folders on the Windows endpoint.
  • Rule ID 100112 is triggered when the Blackbit ransomware drops a ransom note with the file name Restore-My-Files.txt in multiple folders within the configured timeframe.
  • Rule ID 100113 is triggered when the Blackbit ransomware changes the Microsoft Defender registry settings.
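To see how these rules behave against the behaviors listed earlier, the following added Python replay (not part of the original post and not Wazuh code) re-expresses five of the rules as Python regexes over already-decoded Sysmon fields, uses the Sysmon event ID in place of the parent rule ID, and feeds it constructed events, including the two ransom-note drops that rule 100112's frequency setting requires. The field values, paths and timestamps are all constructed for the example.

```python
import re
from collections import deque

# The page's rules re-expressed for Python: (rule_id, Sysmon event ID, field regexes,
# frequency, timeframe in seconds). Patterns match decoded values, so one backslash
# per path separator; the schtasks pattern uses \s+ so any spacing matches.
RULES = [
    (100103, 11, {"image": r"\.exe", "targetFilename":
                  r"(?i)[c-z]:\\Users\\.+\\AppData\\Roaming\\Microsoft\\.+\\Startup\\.*bat"}, 1, 0),
    (100109, 1, {"CommandLine": r"(?i)schtasks\s+/CREATE\s/SC\sONLOGON\s/TN\sBlackBit\s/TR"}, 1, 0),
    (100110, 1, {"CommandLine": r"(?i)/C\snetsh\sadvfirewall\sset\scurrentprofile\sstate\soff"}, 1, 0),
    (100112, 11, {"image": r"\.exe", "targetFilename": r"(?i)[c-z]:.*\\Restore-My-Files\.txt"}, 2, 100),
    (100113, 13, {"eventType": r"^SetValue$", "image": r"\.exe",
                  "targetObject": r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\.*"}, 1, 0),
]


class Detector:
    """Evaluates the rule table event by event, keeping state for frequency rules."""

    def __init__(self, rules):
        self.rules = rules
        self.seen = {}  # rule_id -> deque of timestamps of earlier matches

    def evaluate(self, event):
        """Return the rule IDs that fire for one decoded Sysmon event."""
        fired = []
        data = event["eventdata"]
        for rule_id, event_id, fields, frequency, timeframe in self.rules:
            if event["eventID"] != event_id:
                continue  # stands in for <if_sid>: not the parent event this rule refines
            if not all(re.search(p, data.get(f, "")) for f, p in fields.items()):
                continue
            if frequency > 1:
                # Simplified correlation: fire on the Nth match inside the timeframe, then reset.
                window = self.seen.setdefault(rule_id, deque())
                window.append(event["ts"])
                while event["ts"] - window[0] > timeframe:
                    window.popleft()
                if len(window) < frequency:
                    continue
                window.clear()
            fired.append(rule_id)
        return fired


SAMPLE = r"C:\Users\victim\AppData\Roaming\winlogon.exe"  # constructed path of the renamed sample

# Constructed events in the order the page lists the behaviors, plus one benign write.
EVENTS = [
    {"ts": 0, "eventID": 11, "eventdata": {"image": SAMPLE, "targetFilename":
        r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat"}},
    {"ts": 1, "eventID": 1, "eventdata": {"CommandLine":
        "schtasks /CREATE /SC ONLOGON /TN BlackBit /TR " + SAMPLE + " /RU SYSTEM /RL HIGHEST /F"}},
    {"ts": 2, "eventID": 1, "eventdata": {"CommandLine": "cmd.exe /C netsh advfirewall set currentprofile state off"}},
    {"ts": 3, "eventID": 13, "eventdata": {"eventType": "SetValue", "image": SAMPLE, "targetObject":
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"}},
    {"ts": 4, "eventID": 11, "eventdata": {"image": SAMPLE, "targetFilename": r"C:\Users\victim\Documents\Restore-My-Files.txt"}},
    {"ts": 5, "eventID": 11, "eventdata": {"image": SAMPLE, "targetFilename": r"C:\Users\victim\Pictures\Restore-My-Files.txt"}},
    {"ts": 6, "eventID": 11, "eventdata": {"image": r"C:\Windows\explorer.exe", "targetFilename": r"C:\Users\victim\Downloads\notes.txt"}},
]


def run(events=EVENTS):
    """Replay the events through a fresh detector; returns [(ts, [rule IDs fired]), ...]."""
    detector = Detector(RULES)
    return [(e["ts"], detector.evaluate(e)) for e in events]


if __name__ == "__main__":
    for ts, fired in run():
        print(f"t={ts}s fired={fired or 'none'}")
```

The first ransom-note drop at t=4 fires nothing on its own; only the second drop within the 100-second window raises 100112, and the benign explorer.exe write at t=6 matches no rule.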

2. Restart the Wazuh server for the changes to take effect:

# systemctl restart wazuh-manager

Detection results

The screenshot below shows the alerts generated on the Wazuh dashboard when the Blackbit ransomware is executed on the victim endpoint.

From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

[Screenshot: Blackbit Ransomware]

Detecting and removing malicious files with YARA integration

Wazuh can be integrated with YARA, a tool for detecting and classifying malware artifacts. This integration scans files that are added or modified on the Windows endpoint and checks if such files contain malware. 

The Wazuh File Integrity Monitoring module is configured to monitor a directory for changes. The Wazuh Active response module will automatically trigger YARA to scan the files in the directory and detect potentially malicious files that match defined rules. 

Windows endpoint

Download and install the following packages on the victim endpoint. These packages are required to download and install YARA.

1. Python v3.8.7 or later (with pip pre-installed). Select the following boxes on the Python installation dialog box:

  • Install launcher for all users.
  • Add Python.exe to PATH. This places the interpreter in the execution path.

2. Microsoft Visual C++ 2015 Redistributable.

After installing the above packages, follow the steps below to download the YARA executable.

1. Launch PowerShell with administrator privileges and download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

2. Extract the YARA executable:

> Expand-Archive v4.3.2-2150-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Follow the steps below to download YARA rules:

1. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. The valhallaAPI is used to retrieve the public signature-base YARA ruleset:

> pip install valhallaAPI

2. Create the file download_yara_rules.py, and copy the following script into it:

from valhallaAPI.valhalla import ValhallaAPI

# The public demo key shown here retrieves the public signature-base ruleset.
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Write the downloaded ruleset to disk for the YARA scanner.
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

3. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

4. Edit the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file and add the following Blackbit YARA rule:

rule _Blackbit_ransomware {
   meta:
      description = "Blackbit executable detection"
      author = "Anthony Faruna"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2023-08-21"
      hash1 = "1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f"
      hash2 = "2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21"
   strings:
      $s1 = "<requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s2 = "<assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s3 = "Type Descriptor'" fullword ascii
      $s4 = "constructor or from DllMain." fullword ascii
      $s5 = "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s6 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
      $s7 = "Base Class Descriptor at (" fullword ascii
      $s8 = "Class Hierarchy Descriptor'" fullword ascii
      $s9 = "Complete Object Locator'" fullword ascii
      $s10 = "<requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s11 = "svchost" fullword wide /* Goodware String - occurred 17 times */
      $s12 = "Broken pipe" fullword ascii /* Goodware String - occurred 742 times */
      $s13 = "Permission denied" fullword ascii /* Goodware String - occurred 823 times */
      $s14 = "D$<RSP" fullword ascii /* Goodware String - occurred 1 times */
      $s15 = "delete[]" fullword ascii
      $s16 = "</trustInfo>" fullword ascii
      $s17 = "T$h9T$" fullword ascii /* Goodware String - occurred 1 times */
      $s18 = "L$PQSV" fullword ascii /* Goodware String - occurred 1 times */
      $s19 = "B|BxBtBpBlBhBdB`B\\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B" fullword wide
      $s20 = "ForceRemove" fullword ascii /* Goodware String - occurred 1167 times */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 8 of them )
      ) or ( all of them )
}

5. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the below configuration within the <syscheck> block to monitor the Downloads folders of all users in real-time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, the Downloads folders of all users are monitored. However, you can configure other folders you wish to monitor.

6. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. The active response module automatically executes this file to perform YARA scans for malware detection and removal:

:: This script deletes Blackbit ransomware as well as other malicious files matched by the YARA rules

@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the scanned file that matched a YARA rule (REM, not ::, is safe inside a parenthesised block).
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b

7. Restart the Wazuh agent using PowerShell for the changes to take effect:

> Restart-Service -Name wazuh

Wazuh server

Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will generate alerts about files that are added or modified in the Downloads directory on the monitored endpoint:

<group name="syscheck,">
  <rule id="100029" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100030" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Where:

  • Rule ID 100029 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100030 is triggered when a file is added to the Downloads directory.

2. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100029,100030</rules_id>
</active-response>

The Wazuh active response module executes the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies the name of the command being called in the active response section.
  • <executable> specifies the executable file to run.
  • <command> specifies the command that will be used by the active response.
  • The <active-response> block calls the <command> block when rule ID 100029 or 100030 is triggered.
  • <location> specifies where the active response script is executed.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file to alert when there is a YARA active response action:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100031" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100032" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100033" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100034" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • Rule ID 100031 is the base rule for detecting YARA events.
  • Rule ID 100032 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100033 is triggered when the detected file has been successfully removed by Wazuh active response.
  • Rule ID 100034 is triggered when the detected file is not removed successfully by Wazuh active response.
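The decoders in step 3 and the rules in step 4 are exercised by the following added Python example (not part of the original post and not Wazuh code). The log lines are constructed in the format yara.bat appends to active-responses.log, and the hardened decoder variant is a suggestion of mine, not something the page configures.

```python
import re

# Python equivalents of the page's three child decoders, tried in order like Wazuh does;
# every capture follows the same <order>: log_type, yara_rule, yara_scanned_file.
CHILD_DECODERS = [
    ("scan_result", r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)"),
    ("deleted", r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)"),
    ("delete_error", r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)"),
]

# Rule IDs from the page, keyed by the <match> string each rule requires.
RULES = {
    "wazuh-yara: INFO - Scan result: ": 100032,
    "wazuh-yara: INFO - Successfully deleted: ": 100033,
    "wazuh-yara: INFO - Error removing threat: ": 100034,
}

# Hardened variant (my suggestion, not the page's): take the rest of the line as the
# path so file names containing spaces survive. Wazuh decoders use their own regex
# dialect, so the production equivalent must be rewritten in that syntax.
HARDENED_DECODERS = [(n, p.replace(r"(\S+) (\S+)", r"(\S+) (.+)")) for n, p in CHILD_DECODERS]


def decode(line, decoders=CHILD_DECODERS):
    """Mimic the decoder chain: <prematch> on 'wazuh-yara:', then the first child regex that matches."""
    if "wazuh-yara:" not in line:  # prematch failed, e.g. the bare path line yara.bat also writes
        return None
    for _, pattern in decoders:
        m = re.search(pattern, line)
        if m:
            return {"log_type": m.group(1), "yara_rule": m.group(2), "yara_scanned_file": m.group(3)}
    return {}  # parent decoder matched but no child extracted fields


def classify(line, decoders=CHILD_DECODERS):
    """Return (rule_id, fields) as rules 100031-100034 would alert; (None, None) if not decoded."""
    fields = decode(line, decoders)
    if fields is None:
        return None, None
    for needle, rule_id in RULES.items():
        if needle in line:
            return rule_id, fields
    return 100031, fields  # grouping rule only, level 0


# Constructed log lines in the format yara.bat appends to active-responses.log.
LOGS = [
    r"C:\Users\victim\Downloads\winlogon.exe",  # path echo written before the scan
    r"wazuh-yara: INFO - Scan result: _Blackbit_ransomware C:\Users\victim\Downloads\winlogon.exe",
    r"wazuh-yara: INFO - Successfully deleted: _Blackbit_ransomware C:\Users\victim\Downloads\winlogon.exe",
    r"wazuh-yara: INFO - Error removing threat: _Blackbit_ransomware C:\Users\victim\Downloads\locked.exe",
    r"wazuh-yara: INFO - Scan result: _Blackbit_ransomware C:\Users\victim\Downloads\New Folder\sample.exe",
]


if __name__ == "__main__":
    for line in LOGS:
        print(classify(line), "| hardened path:", classify(line, HARDENED_DECODERS)[1])
```

The last log line shows the limitation of `(\S+) (\S+)`: the page's decoder records `yara_scanned_file` as `C:\Users\victim\Downloads\New`, truncating the path at the first space, while the hardened variant keeps the whole path.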

5. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager

Detection results

The Wazuh dashboard generates alerts when Blackbit ransomware is downloaded to the Downloads folder of the victim endpoint. Navigate to the Security events tab to view the generated alerts.

[Screenshot: Blackbit Ransomware Detection]

Conclusion

In this blog post, we demonstrated how to detect Blackbit ransomware activities and remove the ransomware with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect malicious activities associated with Blackbit ransomware. We also used YARA integration with Wazuh to detect and remove Blackbit ransomware once downloaded to the monitored endpoint.

Blackbit ransomware is a variant of LokiLocker ransomware with built-in features like obfuscating its code, renaming its executable to stay hidden, and persistence mechanisms. Therefore, it is critical to continuously monitor and protect your infrastructures and follow security best practices to stay ahead of these threats. 

Wazuh is a free and open source security platform with several capabilities to monitor and secure your infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.
