Threat Research | LogRhythm

Nathaniel “Q” Quist Incident Response Engineer

Detecting Drupalgeddon 2.0

Despite a patch being released for the recent Drupal vulnerability, entities are still feeling its impacts. In this post, we’ll review what is known about Drupalgeddon and present detection methods.

Nathaniel “Q” Quist Incident Response Engineer

Time to Reset Your Router? Understanding and Removing VPNFilter Malware

VPNFilter Malware has compromised more than 500,000 endpoints. To help you detect VPNFilter, LogRhythm Labs has implemented VPNFilter malware alarms within the Current Active Threat (CAT) Module.

Erika Noerenberg

Take a Deep Dive into PlugX Malware

Although there have been several variants over the years, an analysis of the timeline of variants discussed demonstrates the "original" PlugX variant continues to be used today.

LogRhythm Labs

Detecting Memcached DDoS Attacks Targeting GitHub

On February 28 and March 5, 2018, Memcached DDoS attacks targeted GitHub. LogRhythm Labs performed an investigation into the cause, effect, and outcome of these attacks.

LogRhythm Labs

Bad Rabbit Ransomware Technical Analysis

On October 24, 2017, a new strain of ransomware dubbed "Bad Rabbit" emerged. This blog provides an in-depth analysis, recommendations for mitigation, IOCs, and LogRhythm AI Engine rules and NetMon queries for detection.

LogRhythm Labs

Mamba Ransomware Analysis

The LogRhythm Labs team provides analysis on Mamba—a strain of ransomware identified in 2016—after its recent resurgence. This goal of this in-depth analysis is to ensure users are prepared to protect their systems and to help prevent future infection of this malware variant.

Erika Noerenberg

NotPetya Technical Analysis

Although initially labeled as ransomware due to the ransom message that is displayed after infection, it appears now that NotPetya functions more as a destructive wiper-like tool than actual ransomware. This post reviews an in-depth technical analysis of NotPetya, including recommended security measures.

LogRhythm Labs

Detecting Petya/NotPetya Ransomware

On the morning of June 27, 2017, Petya, a new ransomware outbreak—similar to the recent WannaCry malware—was discovered in the Ukraine. The malware quickly spread across Europe. This post discusses the TTPs of Petya / NotPetya and how to detect it using LogRhythm AI Engine rules.

Rob McGovern Technical Product Manager

Detect WannaCry Initial Exploit Traffic with NetMon

The WannaCry ransomware campaign is just the latest wave of malware to target exploits in core networking protocols. Fortunately, the SMB dropper traffic is very easy to detect with NetMon using a simple Query Rule.

LogRhythm Labs

A Technical Analysis of WannaCry Ransomware

Ransomware that has been publicly named "WannaCry," “WCry” or "WanaCrypt0r" (based on strings in the binary and encrypted files) has spread to at least 74 countries as of Friday 12 May 2017. This blog addresses the technical analysis of the ransomware, mitigation, LogRhythm signatures, Network Monitor (NetMon) query rules, and indicators of compromise.