The hypothesis is that the detection rule identifies potential ransomware activity associated with the Robbinhood campaign through distinct evasion and execution behaviors: cmd.exe launched by winlogon.exe and running taskkill, net, vssadmin, bcdedit or wevtutil (process and service termination, shadow-copy deletion, boot-recovery tampering and event-log clearing). These are impact-preparation and defense-evasion steps that precede encryption; the query does not observe persistence or exfiltration and should not be read as evidence of either. On a healthy host winlogon.exe rarely spawns cmd.exe, since interactive shells descend from explorer.exe, so the parent-process condition carries most of the signal and the broad terms ("net", "taskkill") rely on it for precision. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect and disrupt ransomware targeting healthcare organizations before encryption and data loss occur.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
// cmd.exe spawned by winlogon.exe is unusual on a healthy host; interactive shells descend from explorer.exe
| where InitiatingProcessFileName =~ "winlogon.exe"
// =~ is case-insensitive (== is not). has_any matches whole terms, so "robbin" matches only where it appears as a standalone token
// (it does not match "robbinhood"); use contains if substring matching is intended.
| where FileName =~ "cmd.exe" and ProcessCommandLine has_any ("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
id: 61ca48de-5973-4f9d-8f9c-e24776b6ba45
name: Ransomware hits healthcare - Robbinhood activity
description: |
  Find distinct evasion and execution activities
  associated with the Robbinhood ransomware campaign.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName =~ "winlogon.exe"
  | where FileName =~ "cmd.exe" and ProcessCommandLine has_any ("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure it is enabled, otherwise the query returns nothing rather than failing |
Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a batch script that calls vssadmin, bcdedit, wevtutil or net as part of routine maintenance. Tasks launched by the Task Scheduler service run under svchost.exe (taskeng.exe on older Windows builds), not winlogon.exe, so they do not match this rule unless the parent-process condition is relaxed.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("svchost.exe", "taskeng.exe") or ProcessCommandLine has "schtasks")
Scenario: Admin Performing Disk Cleanup or Backup
Description: An administrator runs vssadmin from a command prompt to list or create shadow copies before a backup, or runs DISM for component cleanup. Only the vssadmin case can hit the rule's term list, and only if the shell descends from winlogon.exe. Do not exclude vssadmin wholesale: shadow-copy deletion is the behavior the rule exists to catch. Scope any exclusion to the specific subcommands, scripts or service accounts observed in your environment.
Filter/Exclusion: | where not(ProcessCommandLine has "dism" or (ProcessCommandLine has "vssadmin" and ProcessCommandLine has_any ("list", "create")))
Scenario: User-Initiated File Encryption for Compliance
Description: A user encrypts a volume or container with BitLocker (managed through manage-bde.exe or the Control Panel; there is no bitlocker.exe process) or VeraCrypt (VeraCrypt.exe). Neither tool runs as cmd.exe under winlogon.exe or uses the rule's watched terms, so this scenario does not intersect with the rule as written.
Filter/Exclusion: None required for this rule. If the rule is later broadened beyond cmd.exe, use | where not(FileName in~ ("manage-bde.exe", "VeraCrypt.exe"))
Scenario: Patching or Software Update Activity
Description: Windows Update (wuauclt.exe, or usoclient.exe on current builds) or Chocolatey (choco.exe) runs installer scripts that modify system files or the registry. Child processes of these tools descend from the updater, not from winlogon.exe, so they do not match this rule; the exclusion below only matters if the parent-process condition is relaxed.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("wuauclt.exe", "usoclient.exe", "choco.exe"))
Scenario: Database Backup or Replication Task
Description: A database backup tool such as SQL Server Backup (sqlbackup.exe) or MySQL Dump (mysqldump.exe) copies or compresses data files. These processes are not cmd.exe children of winlogon.exe and do not use the watched terms, so they do not match this rule; the exclusion below only matters if the parent-process condition is relaxed.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("sqlbackup.exe", "mysqldump.exe"))
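To check the rule's matching semantics offline, the following added example (not part of the original page, the hunting query or its YAML) emulates the three KQL conditions in Python over constructed DeviceProcessEvents-like rows. It shows the case-insensitive image-name comparison, that a scheduled-task child with svchost.exe as parent never reaches the rule (the first false-positive scenario above), and the whole-term behavior of has_any, under which "robbin" does not match "robbinhood" and "net" does not match "netsh". All rows, file names and command lines are constructed for illustration and are not observed Robbinhood telemetry; the ago(7d) time window is omitted.

```python
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    # Column names mirror the DeviceProcessEvents fields the query reads.
    InitiatingProcessFileName: str
    FileName: str
    ProcessCommandLine: str


# The tokens the rule watches, exactly as in the KQL has_any() list.
WATCHED_TERMS = ("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")

# KQL `has`/`has_any` compare whole terms, not substrings: a term is a run of
# letters and digits, compared case-insensitively. This emulation treats every
# other character as a separator.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_terms(text: str) -> set[str]:
    """Split a string into the lower-cased terms KQL `has` would compare against."""
    return {t.lower() for t in _TERM_RE.findall(text)}


def has_any(text: str, needles: Iterable[str]) -> bool:
    """Emulate `text has_any (needles)`: true if any needle is a whole term of text."""
    terms = kql_terms(text)
    return any(n.lower() in terms for n in needles)


def rule_matches(ev: ProcessEvent) -> bool:
    """Emulate the page's query without the ago(7d) window.

    Both image-name comparisons are case-insensitive, i.e. KQL `=~`.
    """
    return (
        ev.InitiatingProcessFileName.lower() == "winlogon.exe"
        and ev.FileName.lower() == "cmd.exe"
        and has_any(ev.ProcessCommandLine, WATCHED_TERMS)
    )


def run_hunt(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Return the rows the rule would surface, in input order."""
    return [ev for ev in events if rule_matches(ev)]


# Constructed sample rows (illustrative only, not real telemetry).
SAMPLE_EVENTS = [
    # 0-2: winlogon.exe -> cmd.exe running impact/evasion tooling: match.
    ProcessEvent("winlogon.exe", "cmd.exe",
                 "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("winlogon.exe", "cmd.exe",
                 "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("winlogon.exe", "cmd.exe", "cmd.exe /c wevtutil cl Security"),
    # 3: upper-case image names; matched by =~ but missed by a case-sensitive ==.
    ProcessEvent("WINLOGON.EXE", "CMD.EXE", "CMD.EXE /c net stop vss"),
    # 4: scheduled-task parent (svchost.exe), not winlogon.exe: no match even
    #    though the command line carries a watched term.
    ProcessEvent("svchost.exe", "cmd.exe", "cmd.exe /c vssadmin list shadows"),
    # 5: "robbinhood" is a single term, so has_any("robbin") does NOT match it.
    ProcessEvent("winlogon.exe", "cmd.exe", "cmd.exe /c start robbinhood.exe"),
    # 6: "netsh" is a single term, so has_any("net") does NOT match it.
    ProcessEvent("winlogon.exe", "cmd.exe",
                 "cmd.exe /c netsh advfirewall set allprofiles state off"),
    # 7: explorer.exe parent (ordinary interactive shell): no match.
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c taskkill /f /im notepad.exe"),
]


if __name__ == "__main__":
    for ev in run_hunt(SAMPLE_EVENTS):
        print(f"HIT  {ev.InitiatingProcessFileName} -> {ev.FileName}: {ev.ProcessCommandLine}")
```

Running the script prints the first four rows only. If substring matching on "robbin" is actually wanted, the KQL needs `contains` rather than `has_any`, and the emulation's `has_any` would have to change to a substring test to stay faithful.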