Adversaries may decrypt and execute StoneDrill ransomware samples to exfiltrate data or encrypt files, a sign of possible lateral movement or data compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel so that ransomware activity is identified and mitigated early, before it causes data loss and operational disruption.
YARA Rule
rule StoneDrill_main_sub {
    meta:
        author = "Kaspersky Lab"
        description = "Rule to detect StoneDrill (decrypted) samples"
        hash = "d01781f1246fd1b64e09170bd6600fe1"
        hash = "ac3c25534c076623192b9381f926ba0d"
        version = "1.0"
    strings:
        $code = {B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1-4] 2B ?? 24 [6] F7 ?1 [5-12] 00}
    condition:
        uint16(0) == 0x5A4D and
        $code and
        filesize < 5000000
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($code, a hex string with byte and nibble wildcards and variable-length jumps) in its detection logic; the condition additionally requires an MZ header (uint16(0) == 0x5A4D, i.e. the bytes "MZ" read little-endian) and a file size below 5,000,000 bytes.
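To make the rule's logic concrete, the following added example (written for this page, not Kaspersky's code or the YARA engine) translates the $code hex string into a byte-level regular expression and evaluates the three condition clauses over constructed sample buffers. The sample bytes are synthetic: they are laid out to exercise the `??`, `?1` and `[n-m]` constructs, and are not taken from any StoneDrill sample. A real deployment would of course use the YARA engine itself; this is only to show how the pattern and condition behave.

```python
import re

# YARA hex string from StoneDrill_main_sub, as published on the page.
HEX_PATTERN = (
    "B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 "
    "B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1-4] 2B ?? 24 [6] F7 ?1 [5-12] 00"
)
MAX_FILESIZE = 5_000_000  # condition: filesize < 5000000
HEX_DIGITS = "0123456789ABCDEF"


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Supported constructs: fixed bytes (B8), full-byte wildcard (??),
    nibble wildcards (?1, F?), and jumps ([6], [1-4]).
    """
    parts = []
    for tok in pattern.split():
        if tok.startswith("["):                      # jump: [n] or [n-m]
            lo, _, hi = tok.strip("[]").partition("-")
            hi = hi or lo
            parts.append(rb".{%d,%d}" % (int(lo), int(hi)))
        elif tok == "??":                            # any single byte
            parts.append(rb".")
        elif "?" in tok:                             # one nibble fixed, one free
            hi_n, lo_n = tok[0].upper(), tok[1].upper()
            if hi_n == "?":
                vals = [int(h + lo_n, 16) for h in HEX_DIGITS]
            else:
                vals = [int(hi_n + l, 16) for l in HEX_DIGITS]
            cls = b"".join(re.escape(bytes([v])) for v in vals)
            parts.append(b"[" + cls + b"]")
        else:                                        # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


CODE_RE = hex_to_regex(HEX_PATTERN)


def matches_stonedrill_main_sub(data: bytes) -> bool:
    """Mirror the rule condition: MZ header and $code and filesize < 5 MB."""
    if len(data) >= MAX_FILESIZE:
        return False
    # uint16(0) == 0x5A4D: YARA reads little-endian, so the file starts "MZ".
    if data[:2] != b"MZ":
        return False
    return CODE_RE.search(data) is not None


# Constructed sample buffers (synthetic, not real malware bytes).
# The code fragment below satisfies every token of HEX_PATTERN:
#   10 -> ??, 11 22 33 -> ?? ?? ??, 44 -> ??, AA BB -> [1-4],
#   4C -> ??, 01..06 -> [6], F1 -> ?1, A1..A5 -> [5-12].
FRAGMENT = bytes.fromhex(
    "B8 08 00 FE 7F FF 30 8F 44 24 10 68 B4 0F 00 00 FF 15 11 22 33 00 "
    "B8 08 00 FE 7F FF 30 8F 44 24 10 8B 44 24 AA BB 2B 4C 24 "
    "01 02 03 04 05 06 F7 F1 A1 A2 A3 A4 A5 00"
)
SAMPLE_MATCH = b"MZ" + b"\x00" * 62 + FRAGMENT + b"\x90" * 16
SAMPLE_NO_MZ = b"PE" + SAMPLE_MATCH[2:]          # $code present, header wrong
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + b"\x90" * len(FRAGMENT)


def evaluate_samples() -> dict:
    """Run the rule over each constructed buffer and report the verdicts."""
    return {
        "match": matches_stonedrill_main_sub(SAMPLE_MATCH),
        "no_mz": matches_stonedrill_main_sub(SAMPLE_NO_MZ),
        "benign": matches_stonedrill_main_sub(SAMPLE_BENIGN),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

The `?1` nibble wildcard is the one construct people most often misread: it matches any byte whose low nibble is 1 (01, 11, ..., F1), not "one unknown byte", so the sample above uses F1 there and a buffer with F2 in that position does not match.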
Scenario: Legitimate decryption of encrypted files by a third-party tool
Description: A third-party file recovery tool (e.g., Recuva, EaseUS Data Recovery Wizard) may decrypt files during a data recovery operation, which could trigger the StoneDrill detection rule.
Filter/Exclusion: Exclude processes associated with known data recovery tools using their full path or process name (e.g., C:\Program Files\Recuva\Recuva.exe).
Scenario: Scheduled backup job decrypting files for archive
Description: A scheduled backup job (e.g., Veeam Backup & Replication, Commvault) may decrypt files as part of a backup process, which could be mistaken for StoneDrill activity.
Filter/Exclusion: Exclude processes running under the backup service account or filter based on the job name (e.g., VeeamBackupJob).
Scenario: Admin task decrypting files for forensic analysis
Description: A system administrator may use a decryption tool (e.g., 7-Zip, WinRAR) to decrypt files for forensic or compliance purposes, which could be flagged by the rule.
Filter/Exclusion: Exclude processes associated with compression/decompression tools or filter based on user context (e.g., User: SYSTEM or User: Admin).
Scenario: Legitimate encryption/decryption during software update
Description: A software update process (e.g., Microsoft Windows Update, Adobe Acrobat Update) may involve decrypting files as part of the update mechanism, which could trigger the rule.
Filter/Exclusion: Exclude processes related to known update services (e.g., svchost.exe with Windows Update service) or filter by file paths associated with updates.
Scenario: Test environment decrypting files for development