If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly (usually, the interactive graphs). Please view the post on dogesec.com for the full interactive viewing experience.
tl;dr
After becoming ever-more frustrated by intelligence producers naming the same ransomware slightly differently, and with ATT&CK missing lots of ransomware types, I finally got around to trying to solve the problem.
Overview
Ransomware is extensively tracked and covered by various sources. However, many often follow slightly different naming conventions.
For example, take one of my previous posts where I showed ransomwhe.re data, and more specifically a ransomware name they print in their data
[
"Netwalker (Mailto)"
]
However, in other source, for example, MITRE ATT&CK, it is just referred to as Netwalker.
In other places it’s referred to as Mailto (albeit with an alias NetWalker).
As such, trying to join references from different sources to the same ransomware quickly becomes problematic.
MITRE ATT&CK also solves the issue of joining different types of data together (for example, describing the techniques a threat actor uses) in a standardised way.
Will Thomas recently took on one element of this problem for ransomware with the Ransomware Tool Matrix linking common tools ransomware gangs use in addition to ransomware.
However, whilst an amazing resource, this does not integrate directly into the tooling I’m already using.
MITRE ATT&CK solves this problem by using STIX 2.1 objects to represent the data.
Inspired by all of these things, I wanted to create a standard knowledgebase for describing ransomware, linking it back to MITRE ATT&CK where possible (e.g. using MITRE ATT&CK Techniques to describe how ransomware works).
So I started on an initial implementation of Ransomware KB.
Ransomware KB
Ransomware KB’s aim is to provide a standard library of ransomware operators and group, ransomware and tools they use, and eventually victims. The aim is to also contribute these objects to future ATT&CK versions once they’ve been fully developed.
Here is how the data in the knowledge base is currently structured as STIX objects;
- Groups (STIX
intrusion-setobjects, ID in formatGXXXX): that describe ransomware operators and groups, which have relationships to;- Ransomware (STIX
malwareobjects, ID in formatRXXXX): that describe the ransomware itself used by the Groups - Tools (STIX
toolobjects, ID in formatTXXXX): that describe the Tools used by the Groups to achieve their objectives
- Ransomware (STIX
Here is a visual representation of how these objects are linked;
This graph shows how a small subset of how this looks for real data in Ransomware KB;
You can grab the entire bundle of objects here (it’s too large to load in this graph).
Having the data in a structured format like this makes it easy to insert and work with it in a database.
For example, you can use stix2arango to store it in a graph database (ArangoDB) for querying and retrieval as needed.
Here is an example stix2arango command to import a bundle (make sure to replace path/to/ransomware-kb-bundle.json with the correct path);
python3 stix2arango.py \
--file path/to/ransomware-kb-bundle.json \
--database blog_demo \
--collection ransomware_kb
Some example queries might include…
Show me all ransomware groups and their aliases;
FOR doc IN ransomware_kb_vertex_collection
FILTER doc.type == "intrusion-set"
LET ransomware_kb_id = (
FOR ref IN doc.external_references
FILTER ref.source_name == "ransomware-kb"
RETURN ref.external_id
)
LET mitre_attack_id = (
FOR ref IN doc.external_references
FILTER ref.source_name == "mitre-attack"
RETURN ref.external_id
)
RETURN {
"name": doc.name,
"aliases": doc.aliases,
"ransomware_kb_id": ransomware_kb_id[0], // Assumes only one match for "ransomware-kb"
"mitre_attack_id": mitre_attack_id[0] // Assumes only one match for "mitre-attack", or null if none exists
}
[
{
"name": "Karakurt",
"aliases": [
"Karakurt Lair"
],
"ransomware_kb_id": "G0002",
"mitre_attack_id": null
},
{
"name": "Scattered Spider",
"aliases": [
"Storm-0875",
"Roasted 0ktapus",
"Octo Tempest"
],
"ransomware_kb_id": "G0003",
"mitre_attack_id": "G1015"
},
{
"name": "Vice Society",
"aliases": [
"DEV-0832",
"Vanilla Tempest"
],
"ransomware_kb_id": "G0004",
"mitre_attack_id": null
},
However, where it gets really useful is being able to ask the questions about the relationships between objects.
In this query I use the Ransomware KB Group ID, I then search for any relationships this ID is the source_ref of in a relationship, I then lookup what the target_ref objects inside the relationship are by name;
FOR doc IN ransomware_kb_vertex_collection
FILTER doc.type == "intrusion-set"
LET ransomware_kb_id = (
FOR ref IN doc.external_references
FILTER ref.source_name == "ransomware-kb" AND ref.external_id == "G0007"
RETURN ref.external_id
)
FILTER LENGTH(ransomware_kb_id) > 0
LET intrusion_set_id = doc.id
LET target_refs = (
FOR edge_doc IN ransomware_kb_edge_collection
FILTER edge_doc.source_ref == intrusion_set_id
RETURN edge_doc.target_ref
)
FOR target_id IN target_refs
FOR target_doc IN ransomware_kb_vertex_collection
FILTER target_doc.id == target_id
AND target_doc.type == "malware"
RETURN target_doc.name
[
"Conti",
"Ryuk",
"Diavol"
]
Improving this project
The script to generate the STIX 2.1 objects is designed to be fairly flexible.
At the moment it is the underlying data in the spreadsheet used to generate the data that needs updating to create a rich network graph.
Including;
- adding new groups / ransomware / tools
- defining the links between these object
- adding references to corroborate the data
You find more information about contributing in the Ransomware KB repository on Github here.
Discuss this post
Head on over to the DOGESEC community to discuss this post.
Never miss an update
Sign up to receive new articles in your inbox as they published.