Ransomware TTPs Analysis: Interlock, Ghost, and DragonForce Operations
Published March 19, 2026: RedSheep Reports
Ransomware operators continue to evolve their tactics. Three groups, Interlock, Ghost (Cring), and DragonForce, have drawn sustained attention from CISA, the FBI, and private threat intelligence firms over the past year. Each group has refined its approach in distinct ways: Interlock leans on social engineering and patient operations, Ghost burns through targets at speed by exploiting unpatched public-facing systems, and DragonForce runs a franchise model that's pulling in affiliates across sectors. These groups represent distinct operations that share common patterns in their approach to ransomware deployment.
Ransomware groups are getting better at initial access, more creative with infrastructure, and more aggressive with extortion. Defenders need specifics. Here they are.
Interlock: Social Engineering Meets Patient Operations
Interlock was first observed in late September 2024, primarily targeting organizations in North America and Europe [1]. FBI investigations identified indicators of compromise and TTPs as recently as June 2025 [1]. The variant uses a double-extortion model: data gets exfiltrated before encryption begins, giving the operators two levers against victims [1].
What makes Interlock notable is its initial access technique. Operators rely on drive-by downloads and ClickFix social engineering to get a foothold [1]. ClickFix campaigns trick users into executing malicious commands, often by presenting fake browser or software update prompts. Once inside, the group maintains persistence through various methods before deploying ransomware.
Interlock's C2 infrastructure makes use of Cloudflare's temporary tunneling service (trycloudflare.com) [1]. This is a legitimate service, which makes network-level blocking tricky. The final payload is typically named conhost.exe, a filename chosen to blend in with legitimate Windows processes [1]. Ransom notes are deployed via Group Policy Object, a sign the operators achieve domain-level control before pulling the trigger [1].
A DLL file named tmp41.wasd is used post-encryption to delete the ransomware binary and reduce forensic evidence [1]. Encrypted files are appended with .interlock or .1nt3rlock extensions [1].
Ghost (Cring): Speed, Scale, and Rotating Payloads
Ghost actors, based in China, have been conducting financially motivated ransomware operations across more than 70 countries since early 2021 [2]. FBI investigation as recently as January 2025 identified active Ghost IOCs and TTPs [2]. This is a high-volume operation: the group compromises targets fast and doesn't waste time on elaborate social engineering.
Ghost's preferred initial access method is exploiting public-facing applications [2]. The group targets known vulnerabilities in internet-facing systems and moves quickly from exploitation to payload delivery. One of the more operationally significant details: Ghost rarely registers domains. Instead, the group uses IP addresses directly for C2 communication [2]. This reduces their digital footprint and makes traditional domain-based blocking less effective.
For post-exploitation, Ghost deploys Cobalt Strike Beacon for command and control [2]. The group rotates ransomware executable payloads frequently, switches file extensions for encrypted files, and modifies ransom note text across campaigns [2]. Known payload filenames include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe [2]. This constant rotation is designed to evade static detection signatures.
DragonForce: The Franchise Model
DragonForce emerged in August 2023 as a Ransomware-as-a-Service (RaaS) platform [4]. The group offers affiliates an 80% revenue share, keeping 20% for the platform [4]. Recent campaigns have targeted the UK retail sector, among others [4].
DragonForce affiliates have been observed exploiting CVE-2024-57727, a path traversal vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software [3]. CISA added this CVE to the Known Exploited Vulnerabilities Catalog on February 13, 2025 [3]. The exploitation pattern involves leveraging the SimpleHelp vulnerability to access downstream customers' unpatched RMM installations, a supply-chain-adjacent approach that multiplies the blast radius of a single exploit [3].
Post-compromise, DragonForce affiliates deploy NetSupport RAT for persistent access and exfiltrate data to cloud storage services, specifically Backblaze and MEGA [4]. The ransomware creates a log file at C:\Users\Public\log.log to track infection details [6]. Filenames are encoded with Base32, and encrypted files are appended with either .dragonforce_encrypted [6] or .df_win [4] depending on the variant. C2 communication runs over HTTP/HTTPS to transmit system information back to the operators [6].
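The Base32 filename encoding noted above matters during incident triage: if the encoded stem can be decoded, responders can inventory which files were hit without waiting for a decryptor. The following is an added example, not code from the report or from any referenced vendor; it assumes (labelled as such) that the stem of a `.dragonforce_encrypted` or `.df_win` file is the Base32 encoding of the original filename, and it tolerates the padding being stripped, which a plain `base64.b32decode` does not.

```python
import base64
import binascii
from pathlib import PureWindowsPath
from typing import Optional

# Encrypted-file extensions attributed to DragonForce variants in the report.
DRAGONFORCE_EXTENSIONS = (".dragonforce_encrypted", ".df_win")
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def decode_b32_stem(stem: str) -> Optional[str]:
    """Decode a Base32 filename stem back to text, tolerating stripped padding.

    Returns None when the stem is not valid Base32 or does not decode to
    printable UTF-8, so callers can separate renamed files from false hits.
    """
    candidate = stem.strip().upper()
    if not candidate or any(c not in B32_ALPHABET for c in candidate):
        return None
    candidate = candidate.rstrip("=")
    if not candidate:
        return None
    # Base32 works in 8-character blocks; restore the '=' padding that the
    # ransomware or a directory listing may have dropped.
    candidate += "=" * (-len(candidate) % 8)
    try:
        raw = base64.b32decode(candidate)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def recover_original_name(encrypted_path: str) -> Optional[str]:
    """Return the decoded original filename for a DragonForce-encrypted path.

    ASSUMPTION (not stated in the report): the stem is the Base32 of the
    original filename.  Non-DragonForce extensions return None.
    """
    p = PureWindowsPath(encrypted_path)
    if p.suffix.lower() not in DRAGONFORCE_EXTENSIONS:
        return None
    # p.stem strips only the final suffix, leaving the Base32 blob intact.
    return decode_b32_stem(p.stem)


def inventory(paths):
    """Map each path to its recovered original name (None when undecodable)."""
    return {path: recover_original_name(path) for path in paths}


if __name__ == "__main__":
    # Constructed sample: 'report.docx' Base32-encoded, padding stripped.
    for path, name in inventory([r"C:\share\OJSXA33SOQXGI33DPA.dragonforce_encrypted",
                                 r"C:\share\budget.xlsx"]).items():
        print(f"{path} -> {name}")
```

Run it against a file listing exported from the affected share; stems that decode to printable names are the renamed originals, while `None` results flag either non-DragonForce files or a variant that encodes differently.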
Common Threads Across Groups
Several patterns cut across all three operations:
Abuse of legitimate infrastructure. Interlock uses Cloudflare tunnels [1]. Ghost avoids domains entirely, communicating via raw IP addresses [2]. DragonForce affiliates exploit legitimate RMM software to reach victims [3]. All three groups make detection harder by operating within or adjacent to trusted services.
Double extortion is standard. Every group exfiltrates data before encrypting it [1][2][4]. The ransom demand covers both decryption and non-publication of stolen data. This has been the dominant model for several years, and none of these groups are deviating from it.
Anti-forensic measures. Interlock deletes its own binary post-encryption using a purpose-built DLL [1]. Ghost actors clear Windows event logs [2]. DragonForce creates local log files to track infection details [6].
Post-exploitation tooling convergence. Cobalt Strike remains a go-to tool (Ghost uses Beacon directly [2]). NetSupport RAT appears in DragonForce operations [4]. Interlock leverages rundll32.exe for network operations. These are well-known, widely available tools.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | existed-bunch-balance-council.trycloudflare.com | Interlock C2 via Cloudflare tunnel | [1] |
| Domain | ferrari-rolling-facilities-lounge.trycloudflare.com | Interlock C2 via Cloudflare tunnel | [1] |
| Domain | ranked-accordingly-ab-hired.trycloudflare.com | Interlock C2 via Cloudflare tunnel | [1] |
| Domain | thetavaluemetrics.com | DragonForce C2 endpoint | [4] |
| IP | 74.91.125.57 | Associated with DragonForce C2 domain | [4] |
| IP | 193.161.193.99 | DragonForce C2 over port 1194 (OpenVPN) | [4] |
| Filename | conhost.exe | Interlock final payload | [1] |
| Filename | `!__README__!.txt` | Interlock ransom note via GPO | [1] |
| Filename | tmp41.wasd | Interlock anti-forensics DLL | [1] |
| Filename | Cring.exe | Ghost ransomware payload | [2] |
| Filename | Ghost.exe | Ghost ransomware payload | [2] |
| Filename | ElysiumO.exe | Ghost ransomware payload | [2] |
| Filename | Locker.exe | Ghost ransomware payload | [2] |
| Filename | aaa.exe | Post-exploitation artifact, SimpleHelp exploitation | [3] |
| Filename | bbb.exe | Post-exploitation artifact, SimpleHelp exploitation | [3] |
| Filename | C:\Users\Public\log.log | DragonForce infection tracking log | [6] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Ghost exploits known CVEs; DragonForce affiliates exploit SimpleHelp CVE-2024-57727 [2][3] |
| T1486 | Data Encrypted for Impact | All three groups encrypt victim data [1][2][4] |
| T1567 | Exfiltration Over Web Service | DragonForce exfiltrates to Backblaze and MEGA [4] |
| T1071.001 | Web Protocols | C2 over HTTP/HTTPS across all three groups [2][6] |
| T1573 | Encrypted Channel | Interlock uses encrypted C2 channels [1] |
| T1070.001 | Clear Windows Event Logs | Ghost actors clear event logs [2] |
| T1490 | Inhibit System Recovery | Ghost and Interlock disable recovery mechanisms [1][2] |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | Interlock uses rundll32.exe for network operations [1] |
| T1005 | Data from Local System | Data staged for exfiltration before encryption [1][2][4] |
| T1041 | Exfiltration Over C2 Channel | Ghost exfiltrates over its C2 connection [2] |
Detection and Hunting
Network-level indicators:
- Monitor DNS queries for `*.trycloudflare.com` subdomains. While the service itself is legitimate, connections from internal hosts that don't normally use Cloudflare tunnels warrant investigation. Correlate with process execution data on the originating host.
- Watch for direct IP-based C2 connections over HTTPS from workstations. Ghost's avoidance of domains means traditional domain reputation feeds won't catch it [2]. Anomalous outbound HTTPS to IP addresses (no SNI, no associated domain) is a signal.
- Flag outbound connections to Backblaze (`*.backblazeb2.com`) and MEGA (`*.mega.nz`, `*.mega.co.nz`) from servers or workstations that have no business uploading to cloud storage [4].
- Hunt for connections on port 1194 (OpenVPN) to unknown external IPs, specifically `193.161.193.99` [4].
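The four network-level checks above can be exercised together on normalised proxy and DNS records before they are turned into SIEM rules. The block below is an added example written for this page, not code from the report or any referenced vendor. It assumes a flat record shape (`src`, `dest`, `dest_ip`, `port`, `sni`, `bytes_out`) that a proxy log would normally supply; the telemetry is constructed, with RFC 5737 addresses standing in for external hosts except the two DragonForce IOC IPs quoted from the report. It goes slightly beyond the list by also applying the hunt guide's 100 MB upload threshold per source.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the report's IOC table.
DRAGONFORCE_C2_DOMAIN = "thetavaluemetrics.com"
DRAGONFORCE_C2_IPS = {"74.91.125.57", "193.161.193.99"}
TUNNEL_SUFFIX = ".trycloudflare.com"
CLOUD_STORAGE_SUFFIXES = (".backblazeb2.com", ".mega.nz", ".mega.co.nz")
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024  # same 100 MB cut-off as the hunt guide's SPL


def is_ip_literal(value: str) -> bool:
    """True when the proxy's destination field is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def hunt_network(proxy_events, dns_answers, authorized_tunnel_hosts=frozenset(),
                 authorized_cloud_hosts=frozenset(), approved_vpn_peers=frozenset()):
    """Run the network-level checks over normalised proxy/firewall records.

    dns_answers lists the A-record answers seen in the same window, so an HTTPS
    connection to an IP literal that no host resolved by name is treated as
    Ghost-style direct-IP C2.  Returns (src, rule, detail) tuples.
    """
    resolved_ips = {ip for answer in dns_answers for ip in answer["answers"]}
    upload_bytes = defaultdict(int)
    findings = []
    for ev in proxy_events:
        src, dest, port = ev["src"], ev["dest"].lower(), ev["port"]
        dest_ip = ev.get("dest_ip", dest)
        # Known DragonForce C2 infrastructure (domain or IP) is a direct hit.
        if dest == DRAGONFORCE_C2_DOMAIN or dest_ip in DRAGONFORCE_C2_IPS:
            findings.append((src, "dragonforce_c2_ioc", dest))
        # Interlock: trycloudflare.com tunnels from hosts with no sanctioned tunnel use.
        if dest.endswith(TUNNEL_SUFFIX) and src not in authorized_tunnel_hosts:
            findings.append((src, "cloudflare_tunnel", dest))
        # Ghost: HTTPS straight to an IP literal, no SNI, and no DNS answer behind it.
        if port == 443 and is_ip_literal(dest) and not ev.get("sni") and dest not in resolved_ips:
            findings.append((src, "direct_ip_https", dest))
        # DragonForce: OpenVPN to a peer that is not on the approved list.
        if port == 1194 and dest_ip not in approved_vpn_peers:
            findings.append((src, "openvpn_unknown_peer", dest_ip))
        # Exfiltration: cloud storage from hosts outside the allowlist, plus upload volume.
        if dest.endswith(CLOUD_STORAGE_SUFFIXES):
            upload_bytes[src] += ev.get("bytes_out", 0)
            if src not in authorized_cloud_hosts:
                findings.append((src, "cloud_storage_unapproved", dest))
    for src, total in upload_bytes.items():
        if total > UPLOAD_THRESHOLD_BYTES:
            findings.append((src, "cloud_upload_volume", f"{total // (1024 * 1024)} MB"))
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_PROXY = [
    {"src": "10.10.1.20", "dest": "ferrari-rolling-facilities-lounge.trycloudflare.com", "dest_ip": "198.51.100.10",
     "port": 443, "sni": "ferrari-rolling-facilities-lounge.trycloudflare.com", "bytes_out": 4096},
    {"src": "10.10.1.21", "dest": "203.0.113.45", "dest_ip": "203.0.113.45", "port": 443, "sni": "", "bytes_out": 2048},
    {"src": "10.10.1.22", "dest": "198.51.100.7", "dest_ip": "198.51.100.7", "port": 443, "sni": "", "bytes_out": 512},
    {"src": "10.10.1.23", "dest": "api001.backblazeb2.com", "dest_ip": "198.51.100.30", "port": 443,
     "sni": "api001.backblazeb2.com", "bytes_out": 250 * 1024 * 1024},
    {"src": "10.10.1.30", "dest": "api001.backblazeb2.com", "dest_ip": "198.51.100.30", "port": 443,
     "sni": "api001.backblazeb2.com", "bytes_out": 50 * 1024 * 1024},
    {"src": "10.10.1.24", "dest": "193.161.193.99", "dest_ip": "193.161.193.99", "port": 1194, "sni": "", "bytes_out": 1024},
    {"src": "10.10.1.25", "dest": "www.example.com", "dest_ip": "198.51.100.50", "port": 443, "sni": "www.example.com", "bytes_out": 8192},
]
# 198.51.100.7 was resolved by name, so the bare-IP connection to it is not flagged.
SAMPLE_DNS = [{"query": "cdn.example.net", "answers": ["198.51.100.7"]}]


def run_sample():
    """10.10.1.30 is the sanctioned backup server; nothing else is allowlisted."""
    return hunt_network(SAMPLE_PROXY, SAMPLE_DNS, authorized_cloud_hosts={"10.10.1.30"})


if __name__ == "__main__":
    for src, rule, detail in run_sample():
        print(f"{src:12} {rule:26} {detail}")
```

The allowlists are the baseline step the checklist calls for: without them the tunnel and cloud-storage rules fire on every legitimate user, and the direct-IP rule depends on DNS logs being collected from the same window as the proxy logs.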
Endpoint-level indicators:
- Look for `conhost.exe` executing from unusual paths (anything outside `C:\Windows\System32`) [1].
- Hunt for the creation of `C:\Users\Public\log.log`, which DragonForce uses to track infection details [6].
- Alert on `rundll32.exe` making outbound network connections, especially to IP addresses not associated with known Microsoft or enterprise infrastructure [1].
- Monitor for GPO modifications that deploy text files (ransom notes) across the domain [1].
- Track SimpleHelp RMM `serviceconfig.xml` modifications and anomalous remote sessions [3].
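The host-side indicators above map onto Sysmon event types: process creation (ID 1), network connection (ID 3), image load (ID 7) and file creation (ID 11). The following added example, written for this page rather than taken from the report, runs those checks over a constructed batch of Sysmon-style events. It assumes the Sysmon field names (`Image`, `ProcessGuid`, `TargetFilename`, `ImageLoaded`, `DestinationIp`, `DestinationPort`) and that events arrive in time order; the GPO and `serviceconfig.xml` items need directory and RMM telemetry that Sysmon does not carry, so they are not covered here.

```python
from pathlib import PureWindowsPath

# Artifacts from the report's IOC table.
LEGIT_CONHOST = r"C:\Windows\System32\conhost.exe"
DRAGONFORCE_LOG = r"C:\Users\Public\log.log"
INTERLOCK_CLEANUP_DLL = "tmp41.wasd"


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (separators and case)."""
    return str(PureWindowsPath(path)).lower()


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt_endpoint(events, trusted_destinations=frozenset()):
    """Apply the endpoint checks to Sysmon-style event dicts.

    Expected keys: EventID, Computer, Image, ProcessGuid, plus CommandLine
    (ID 1), DestinationIp/DestinationPort (ID 3), ImageLoaded (ID 7) and
    TargetFilename (ID 11).  Returns (computer, rule, detail) tuples.
    """
    cmdline_by_guid = {}  # lets a rundll32 network finding carry its command line
    findings = []
    for ev in events:
        eid, computer, image = ev["EventID"], ev["Computer"], ev.get("Image", "")
        if eid == 1:
            cmdline_by_guid[ev["ProcessGuid"]] = ev.get("CommandLine", "")
            # Interlock names its payload conhost.exe; the real one only runs from System32.
            if basename(image) == "conhost.exe" and norm(image) != norm(LEGIT_CONHOST):
                findings.append((computer, "conhost_unusual_path", image))
        elif eid == 3 and basename(image) == "rundll32.exe":
            # Sysmon ID 3 already names the connecting process, so no join is needed;
            # the GUID lookup just enriches the finding with the command line.
            dest = ev["DestinationIp"]
            if dest not in trusted_destinations:
                cmdline = cmdline_by_guid.get(ev["ProcessGuid"], "?")
                findings.append((computer, "rundll32_network", f"{dest}:{ev['DestinationPort']} via {cmdline}"))
        elif eid == 7 and basename(ev["ImageLoaded"]) == INTERLOCK_CLEANUP_DLL:
            findings.append((computer, "interlock_cleanup_dll_loaded", ev["ImageLoaded"]))
        elif eid == 11 and norm(ev["TargetFilename"]) == norm(DRAGONFORCE_LOG):
            findings.append((computer, "dragonforce_log_created", image))
    return findings


# Constructed sample events (not real telemetry); GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\conhost.exe", "ProcessGuid": "{G1}",
     "CommandLine": "conhost.exe 0x4"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Users\Public\conhost.exe", "ProcessGuid": "{G2}",
     "CommandLine": "conhost.exe"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessGuid": "{G3}",
     "CommandLine": "rundll32.exe sample.dll,Start"},
    {"EventID": 3, "Computer": "WS03", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessGuid": "{G3}",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS04", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessGuid": "{G4}",
     "DestinationIp": "10.0.0.50", "DestinationPort": 445},
    {"EventID": 7, "Computer": "WS02", "Image": r"C:\Users\Public\conhost.exe", "ProcessGuid": "{G2}",
     "ImageLoaded": r"C:\Users\Public\tmp41.wasd"},
    {"EventID": 11, "Computer": "SRV01", "Image": r"C:\Users\Public\update.exe", "ProcessGuid": "{G5}",
     "TargetFilename": r"C:\Users\Public\log.log"},
]


def run_sample():
    """10.0.0.50 is an internal file server that rundll32 legitimately talks to."""
    return hunt_endpoint(SAMPLE_EVENTS, trusted_destinations={"10.0.0.50"})


if __name__ == "__main__":
    for computer, rule, detail in run_sample():
        print(f"{computer:6} {rule:30} {detail}")
```

Feeding it a Sysmon export in JSON is a matter of mapping field names; the trusted-destination set is where the "known Microsoft or enterprise infrastructure" allowlist from the bullet above goes.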
SIEM query logic (Splunk-style pseudocode):
index=proxy OR index=dns (dest="*.trycloudflare.com" OR dest="*.mega.nz" OR dest="*.backblazeb2.com")
| stats count by src_ip, dest, _time
| where count > 5
index=sysmon EventCode=1 Image="*\\rundll32.exe"
| join process_guid [search index=sysmon EventCode=3 dest_port=443]
| table _time, host, Image, dest_ip, dest_port
Analysis
The three groups profiled here represent different operational philosophies that are all thriving simultaneously. Ghost prioritizes speed and breadth, burning through unpatched targets across dozens of countries [2]. Interlock invests in patience, maintaining presence inside networks before deploying ransomware [1]. DragonForce outsources the risk to affiliates while collecting its cut [4].
The exploitation of SimpleHelp RMM by DragonForce affiliates is particularly concerning. RMM tools are trusted by design. They already have the access ransomware operators need. Compromising the RMM platform itself converts a defensive tool into an offensive one, and the blast radius extends to every managed endpoint [3].
Ghost's payload rotation strategy [2] and Interlock's use of legitimate Cloudflare infrastructure [1] both point toward the same trend: ransomware operators are investing more in evasion and less in novel encryption techniques. The encryption itself is table stakes. The competitive advantage is in getting in, staying in, and getting out with the data before anyone notices.
Red Sheep Assessment
Confidence: Moderate
The convergence toward abusing legitimate services and tools reflects a rational adaptation to improved defensive capabilities. As EDR coverage expands and signature-based detection matures, the ransomware ecosystem is shifting toward living-off-the-land techniques and infrastructure that defenders can't simply blocklist without operational disruption.
The RaaS franchise model (DragonForce's 80% affiliate revenue share [4]) is likely to intensify competition among platforms for skilled affiliates. This competition could drive further specialization: platforms will differentiate on tooling, infrastructure, and victim selection capabilities rather than encryption strength.
The proliferation of RaaS platforms and affiliate models may actually make the ransomware ecosystem more brittle, not stronger. More affiliates means more operational security failures, more law enforcement infiltration opportunities, and more internal disputes over payments. The LockBit and ALPHV/BlackCat takedowns showed that centralized infrastructure creates centralized points of failure. DragonForce's model inherits the same vulnerability.
Defender's Checklist
- [ ] Patch SimpleHelp RMM immediately. CVE-2024-57727 is in CISA's KEV catalog and is actively exploited by DragonForce affiliates [3]. Verify all SimpleHelp instances, including those managed by third parties, are updated.
- [ ] Hunt for trycloudflare.com connections. Query proxy and DNS logs for `*.trycloudflare.com`. Cross-reference originating hosts with authorized Cloudflare tunnel usage. Anything unexpected should be treated as a potential Interlock indicator [1].
- [ ] Baseline and monitor outbound cloud storage traffic. Create allowlists for authorized Backblaze and MEGA usage. Alert on any server or workstation connecting to these services outside approved workflows [4].
- [ ] Audit GPO changes for ransom note deployment. Interlock deploys ransom notes via GPO [1]. Implement change monitoring on Group Policy Objects and alert on any GPO that distributes `.txt` files to all domain-joined systems.
- [ ] Detect direct-to-IP HTTPS connections from endpoints. Ghost avoids domains entirely [2]. Build detections for outbound HTTPS connections where the destination is a bare IP address with no associated domain resolution in DNS logs.
References
1. CISA, "#StopRansomware: Interlock," https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
2. CISA, "#StopRansomware: Ghost (Cring) Ransomware," https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
3. CISA, "Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management," https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
4. Darktrace, "Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack," https://www.darktrace.com/blog/tracking-a-dragon-investigating-a-dragonforce-affiliated-ransomware-attack-with-darktrace
5. [Source removed - could not be verified]
6. Resecurity, "DragonForce Ransomware - Reverse Engineering Report," https://www.resecurity.com/blog/article/dragonforce-ransomware-reverse-engineering-report
---
Hunt Guide: Hunt Report: Ransomware Operations - Interlock, Ghost, and DragonForce
Hypothesis: If Interlock, Ghost, or DragonForce ransomware operators are active in our environment, we expect to observe Cloudflare tunnel connections, direct IP-based C2 communications, SimpleHelp RMM exploitation artifacts, and data exfiltration to cloud storage services in our DNS, proxy, endpoint, and network telemetry.
Intelligence Summary: Three ransomware groups are demonstrating evolved TTPs: Interlock uses ClickFix social engineering and Cloudflare tunnels for C2, Ghost exploits public-facing applications with rapid payload rotation, and DragonForce operates a RaaS model exploiting SimpleHelp RMM (CVE-2024-57727). All three employ double-extortion tactics with data exfiltration preceding encryption.
Confidence: High | Priority: Critical
Scope
- Networks: All corporate networks with emphasis on DMZ systems running SimpleHelp RMM, internet-facing web applications, and endpoints with external access
- Timeframe: Initial sweep: 90 days historical. Continuous hunting: Real-time correlation with 7-day lookback for behavioral patterns
- Priority Systems: SimpleHelp RMM servers, Domain Controllers, File Servers, Backup Systems, Executive Workstations, Systems with access to cloud storage services
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Ghost exploits unpatched public-facing systems; DragonForce affiliates exploit SimpleHelp RMM CVE-2024-57727 for initial access to downstream targets
Splunk SPL:
index=web_proxy OR index=simplehelp uri_path="*serviceconfig.xml*" | stats count by src_ip, dest, uri_path, http_method | where count > 3
Elastic KQL:
event.category:web AND url.path:*serviceconfig.xml* AND http.request.method:(POST OR PUT)
Sigma Rule:
title: SimpleHelp RMM CVE-2024-57727 Exploitation Attempt
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects exploitation attempts against SimpleHelp RMM CVE-2024-57727
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains:
            - 'serviceconfig.xml'
            - 'SimpleService'
        cs-method:
            - 'POST'
            - 'PUT'
    condition: selection
falsepositives:
    - Legitimate SimpleHelp administration
level: high
tags:
    - attack.initial_access
    - attack.t1190
Monitor for SimpleHelp serviceconfig.xml modifications and unusual remote session initiation. Correlate with process creation of aaa.exe or bbb.exe
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
Interlock uses Cloudflare tunnels (*.trycloudflare.com), Ghost uses direct IP HTTPS without domain resolution, DragonForce uses HTTP/HTTPS to thetavaluemetrics.com
Splunk SPL:
index=proxy OR index=dns (dest="*.trycloudflare.com" OR dest_ip IN ("74.91.125.57", "193.161.193.99") OR dest="thetavaluemetrics.com") | eval is_direct_ip=if(match(dest, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0) | stats count by src_ip, dest, dest_port, is_direct_ip | where count > 5 OR is_direct_ip=1
Elastic KQL:
(destination.domain:*.trycloudflare.com OR destination.ip:(74.91.125.57 OR 193.161.193.99) OR destination.domain:thetavaluemetrics.com) OR (destination.ip:* AND NOT destination.domain:*)
Sigma Rule:
title: Ransomware C2 Communication Patterns
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: stable
description: Detects C2 patterns associated with Interlock, Ghost, and DragonForce ransomware
logsource:
    category: proxy
detection:
    selection_cloudflare:
        cs-host|endswith: '.trycloudflare.com'
    selection_direct_ip:
        # bare IPv4 literal as the requested host, i.e. no domain name was involved
        cs-host|re: '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
    selection_dragonforce:
        cs-host:
            - 'thetavaluemetrics.com'
            - '74.91.125.57'
            - '193.161.193.99'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Cloudflare tunnel usage
    - Direct IP access for legitimate services
level: high
Direct IP HTTPS connections without SNI/domain resolution are highly suspicious. Baseline legitimate Cloudflare tunnel usage before alerting
T1567 — Exfiltration Over Web Service (Exfiltration) [P2]
DragonForce exfiltrates victim data to Backblaze and MEGA cloud storage services before encryption
Splunk SPL:
index=proxy (dest="*.backblazeb2.com" OR dest="*.mega.nz" OR dest="*.mega.co.nz") | eval bytes_out_mb=bytes_out/1024/1024 | stats sum(bytes_out_mb) as total_mb, values(dest) as destinations by src_ip | where total_mb > 100
Elastic KQL:
(destination.domain:*.backblazeb2.com OR destination.domain:*.mega.nz OR destination.domain:*.mega.co.nz) AND source.bytes > 104857600
Sigma Rule:
title: Large Data Upload to Cloud Storage Services
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: stable
description: Detects large data uploads to Backblaze or MEGA which may indicate ransomware exfiltration
logsource:
    category: proxy
detection:
    selection:
        cs-host|endswith:
            - '.backblazeb2.com'
            - '.mega.nz'
            - '.mega.co.nz'
        # cs-bytes is the client-to-server count, i.e. the upload direction
        cs-bytes|gt: 104857600
    condition: selection
falsepositives:
    - Legitimate backup operations
    - Authorized cloud storage usage
level: medium
Establish baseline for legitimate cloud storage usage. Alert on servers/workstations with no business need for these services
T1486 — Data Encrypted for Impact (Impact) [P1]
All three groups deploy ransomware that encrypts files with specific extensions: .interlock, .1nt3rlock, .dragonforce_encrypted, .df_win
Splunk SPL:
index=sysmon EventCode=11 (TargetFilename="*.interlock" OR TargetFilename="*.1nt3rlock" OR TargetFilename="*.dragonforce_encrypted" OR TargetFilename="*.df_win") | stats count by ComputerName, Image, TargetFilename | where count > 10
Elastic KQL:
event.code:11 AND file.name:(*.interlock OR *.1nt3rlock OR *.dragonforce_encrypted OR *.df_win)
Sigma Rule:
title: Ransomware File Encryption Activity
id: d4e5f6a7-b8c9-0123-defa-234567890123
status: stable
description: Detects file encryption patterns from Interlock, Ghost, and DragonForce ransomware
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11
        TargetFilename|endswith:
            - '.interlock'
            - '.1nt3rlock'
            - '.dragonforce_encrypted'
            - '.df_win'
    timeframe: 1m
    condition: selection | count() by ComputerName > 10
falsepositives:
    - Unknown
level: critical
Mass file renaming to these extensions indicates active ransomware. Immediate isolation required
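The Sigma rule's `count() > 10` within a one-minute timeframe is a sliding-window count per host, and the window is what separates an encryptor from a slow trickle of renames. The block below is an added example written for this page, not code from the report; it implements that window over constructed Sysmon EventID 11 style records (timestamp, computer, image, target filename) and raises one alert per host/process pair the first time the threshold is crossed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Encrypted-file extensions named in the report for Interlock and DragonForce.
RANSOM_EXTENSIONS = (".interlock", ".1nt3rlock", ".dragonforce_encrypted", ".df_win")


def detect_encryption_bursts(file_create_events, threshold=10, window=timedelta(minutes=1)):
    """Sliding-window equivalent of the Sigma rule's 'count() > 10 in 1m'.

    file_create_events: (timestamp, computer, image, target_filename) tuples in
    time order.  One alert is raised per (computer, image) the first time more
    than `threshold` ransomware-extension files are created inside `window`;
    the alert carries the count at that moment.
    """
    recent = defaultdict(deque)  # (computer, image) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, computer, image, target in file_create_events:
        if not target.lower().endswith(RANSOM_EXTENSIONS):
            continue
        key = (computer, image)
        bucket = recent[key]
        bucket.append(ts)
        # Evict creates that fell out of the window before counting.
        while ts - bucket[0] > window:
            bucket.popleft()
        if len(bucket) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((computer, image, ts, len(bucket)))
    return alerts


# Constructed sample (not real telemetry): FS01 renames a share at one file per
# second, WS09 trickles the same extension at one file per ten seconds and must
# stay under the threshold, WS10 writes ordinary .txt files that are ignored.
SAMPLE_START = datetime(2026, 3, 19, 9, 0, 0)
SAMPLE_EVENTS = sorted(
    [(SAMPLE_START + timedelta(seconds=i), "FS01", r"C:\Users\Public\locker.exe",
      rf"D:\Shares\Finance\doc{i}.xlsx.interlock") for i in range(12)]
    + [(SAMPLE_START + timedelta(seconds=10 * i), "WS09", r"C:\Tools\sync.exe",
        rf"C:\Temp\file{i}.df_win") for i in range(12)]
    + [(SAMPLE_START + timedelta(seconds=i), "WS10", r"C:\Windows\notepad.exe",
        rf"C:\Temp\notes{i}.txt") for i in range(20)],
    key=lambda e: e[0],
)


def run_sample():
    return detect_encryption_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for computer, image, ts, count in run_sample():
        print(f"{ts:%H:%M:%S} {computer} {image}: {count} encrypted files inside one minute")
```

Keying on (computer, image) rather than computer alone keeps a backup agent and an encryptor on the same host from being summed together; at real volumes the bucket should also be capped or aged out between batches.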
T1218.011 — Signed Binary Proxy Execution: Rundll32 (Defense Evasion) [P2]
Interlock uses rundll32.exe for network operations to evade detection
Splunk SPL:
index=sysmon EventCode=1 Image="*\\rundll32.exe" | join process_guid [search index=sysmon EventCode=3 | stats values(DestinationIp) as dest_ips, values(DestinationPort) as dest_ports by process_guid] | where isnotnull(dest_ips) | table _time, ComputerName, CommandLine, dest_ips, dest_ports
Elastic KQL:
event.code:3 AND process.name:rundll32.exe
Sigma Rule:
title: Rundll32 Network Connection
id: e5f6a7b8-c9d0-1234-efab-345678901234
status: stable
description: Detects rundll32.exe making network connections
logsource:
    product: windows
    service: sysmon
detection:
    # Sysmon EventID 3 (network connection) carries the Image of the connecting
    # process, so a single selection is enough; one event cannot be both ID 1 and ID 3
    selection:
        EventID: 3
        Image|endswith: '\rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate Windows updates
    - Some legitimate software
level: medium
Rundll32 making outbound connections to non-Microsoft IPs is suspicious. Whitelist known good destinations
T1070.001 — Clear Windows Event Logs (Defense Evasion) [P2]
Ghost actors clear Windows event logs to hinder forensic analysis
Splunk SPL:
(index=wineventlog (EventCode=1102 OR EventCode=104)) OR (index=sysmon EventCode=1 ((Image="*\\wevtutil.exe" CommandLine="*clear-log*") OR (Image="*\\powershell.exe" CommandLine="*Clear-EventLog*")))
Elastic KQL:
(event.code:1102 OR event.code:104) OR (process.name:wevtutil.exe AND process.command_line:*clear-log*) OR (process.name:powershell.exe AND process.command_line:*Clear-EventLog*)
Sigma Rule:
title: Windows Event Log Cleared
id: f6a8b9c0-d0e1-2345-fabc-456789012345
status: stable
description: Detects clearing of the Windows Security event log
logsource:
    product: windows
    service: security
detection:
    selection:
        # 1102 is written to the Security log; 104 (System log cleared) lives in the
        # System log and needs a copy of this rule with service: system
        EventID: 1102
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium
Log clearing often occurs late in ransomware attacks. Correlate with other suspicious activity
T1005 — Data from Local System (Collection) [P2]
All three groups stage data for exfiltration before encryption, often creating archives or using specific staging directories
Splunk SPL:
index=sysmon ((EventCode=1 (Image="*\\7z.exe" OR Image="*\\rar.exe" OR Image="*\\zip.exe" OR Image="*\\makecab.exe")) OR (EventCode=11 TargetFilename="C:\\Users\\Public\\*" (TargetFilename="*.zip" OR TargetFilename="*.rar" OR TargetFilename="*.7z")))
Elastic KQL:
(process.name:(7z.exe OR rar.exe OR zip.exe OR makecab.exe)) OR (event.code:11 AND file.path:C\:\\Users\\Public\\* AND file.extension:(zip OR rar OR 7z))
Sigma Rule:
title: Data Staging for Exfiltration
id: a9b0c1d2-e3f4-5678-bcde-567890123456
status: experimental
description: Detects potential data staging activities
logsource:
    product: windows
    service: sysmon
detection:
    selection_compression:
        EventID: 1
        Image|endswith:
            - '\7z.exe'
            - '\rar.exe'
            - '\zip.exe'
            - '\makecab.exe'
    selection_staging:
        EventID: 11
        TargetFilename|startswith: 'C:\Users\Public\'
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
    condition: 1 of selection_*
falsepositives:
    - Legitimate compression activities
level: medium
Monitor for large archives being created in Public folders or temp directories
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | existed-bunch-balance-council.trycloudflare.com | Interlock C2 via Cloudflare tunnel |
| domain | ferrari-rolling-facilities-lounge.trycloudflare.com | Interlock C2 via Cloudflare tunnel |
| domain | ranked-accordingly-ab-hired.trycloudflare.com | Interlock C2 via Cloudflare tunnel |
| domain | thetavaluemetrics.com | DragonForce C2 endpoint |
| ip | 74.91.125.57 | Associated with DragonForce C2 domain |
| ip | 193.161.193.99 | DragonForce C2 over port 1194 (OpenVPN) |
| filename | conhost.exe | Interlock final payload - suspicious if outside System32 |
| filename | `!__README__!.txt` | Interlock ransom note deployed via GPO |
| filename | tmp41.wasd | Interlock anti-forensics DLL for post-encryption cleanup |
| filename | Cring.exe | Ghost ransomware payload variant |
| filename | Ghost.exe | Ghost ransomware payload variant |
| filename | ElysiumO.exe | Ghost ransomware payload variant |
| filename | Locker.exe | Ghost ransomware payload variant |
| filename | aaa.exe | Post-exploitation artifact from SimpleHelp exploitation |
| filename | bbb.exe | Post-exploitation artifact from SimpleHelp exploitation |
| filename | C:\Users\Public\log.log | DragonForce infection tracking log file |
IOC Sweep Queries (Splunk):
index=proxy OR index=dns dest="existed-bunch-balance-council.trycloudflare.com" | stats count by src_ip, dest, _time
index=proxy OR index=dns dest="ferrari-rolling-facilities-lounge.trycloudflare.com" | stats count by src_ip, dest, _time
index=proxy OR index=dns dest="ranked-accordingly-ab-hired.trycloudflare.com" | stats count by src_ip, dest, _time
index=proxy OR index=dns dest="thetavaluemetrics.com" | stats count by src_ip, dest, _time
index=firewall OR index=proxy dest_ip="74.91.125.57" | stats count by src_ip, dest_port, action
index=firewall OR index=proxy dest_ip="193.161.193.99" dest_port=1194 | stats count by src_ip, bytes_out
index=sysmon EventCode=1 Image="*\\conhost.exe" NOT Image="C:\\Windows\\System32\\conhost.exe" | table _time, ComputerName, Image, CommandLine, ParentImage
index=sysmon EventCode=11 TargetFilename="*!__README__!.txt" | stats count by ComputerName, Image | where count > 5
index=sysmon (EventCode=7 ImageLoaded="*\\tmp41.wasd" OR EventCode=11 TargetFilename="*\\tmp41.wasd") | table _time, ComputerName, Image, ImageLoaded
index=sysmon EventCode=1 Image="*\\Cring.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=1 Image="*\\Ghost.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=1 Image="*\\ElysiumO.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=1 Image="*\\Locker.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=1 Image="*\\aaa.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=1 Image="*\\bbb.exe" | table _time, ComputerName, CommandLine, ParentImage
index=sysmon EventCode=11 TargetFilename="C:\\Users\\Public\\log.log" | table _time, ComputerName, Image, ProcessId
YARA Rules
Ransomware_Filename_Patterns — Detects known ransomware executable names and ransom note patterns
rule Ransomware_Filename_Patterns {
meta:
description = "Detects Interlock, Ghost, and DragonForce ransomware artifacts"
author = "Threat Hunt Team"
date = "2024-03-19"
reference = "CISA AA25-203A, AA25-050A, AA25-163A"
strings:
$exe1 = "conhost.exe" ascii wide
$exe2 = "Cring.exe" ascii wide nocase
$exe3 = "Ghost.exe" ascii wide nocase
$exe4 = "ElysiumO.exe" ascii wide nocase
$exe5 = "Locker.exe" ascii wide nocase
$exe6 = "aaa.exe" ascii wide
$exe7 = "bbb.exe" ascii wide
$dll1 = "tmp41.wasd" ascii wide
$note1 = "!__README__!.txt" ascii wide
$log1 = "C:\\Users\\Public\\log.log" ascii wide
$ext1 = ".interlock" ascii wide
$ext2 = ".1nt3rlock" ascii wide
$ext3 = ".dragonforce_encrypted" ascii wide
$ext4 = ".df_win" ascii wide
condition:
any of ($exe*) or $dll1 or any of ($note*, $log*) or 2 of ($ext*)
}
DragonForce_Ransomware_Artifacts — Detects specific DragonForce ransomware patterns including Base32 encoding
rule DragonForce_Ransomware_Artifacts {
meta:
description = "Detects DragonForce ransomware specific artifacts"
author = "Threat Hunt Team"
date = "2024-03-19"
strings:
$log_path = "C:\\Users\\Public\\log.log" ascii wide
$extension1 = ".dragonforce_encrypted" ascii
$extension2 = ".df_win" ascii
$base32_pattern = /[A-Z2-7]{8,}=*/ // Base32 encoding pattern
$mutex = "Global\\DragonForceMutex" ascii wide
condition:
$log_path or (any of ($extension*) and $base32_pattern) or $mutex
}
Suricata Rules
SID 30001 — Detect Cloudflare tunnel C2 traffic for Interlock ransomware
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Interlock Ransomware C2 via Cloudflare Tunnel"; dns.query; content:"trycloudflare.com"; nocase; pcre:"/(?:existed-bunch-balance-council|ferrari-rolling-facilities-lounge|ranked-accordingly-ab-hired)\.trycloudflare\.com/i"; classtype:trojan-activity; sid:30001; rev:1;)
SID 30002 — Detect DragonForce C2 communication to thetavaluemetrics.com
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DragonForce Ransomware C2 Communication"; flow:established,to_server; http.host; content:"thetavaluemetrics.com"; classtype:trojan-activity; sid:30002; rev:1;)
SID 30003 — Detect DragonForce C2 on port 1194 (OpenVPN)
alert tcp $HOME_NET any -> 193.161.193.99 1194 (msg:"ET TROJAN DragonForce Ransomware C2 OpenVPN Connection"; flow:established,to_server; classtype:trojan-activity; sid:30003; rev:1;)
SID 30004 — Detect data exfiltration to MEGA cloud storage
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible Ransomware Exfiltration to MEGA"; flow:established,to_server; tls.sni; pcre:"/\.mega\.(?:nz|co\.nz)$/"; classtype:policy-violation; sid:30004; rev:1;)
SID 30005 — Detect data exfiltration to Backblaze
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible Ransomware Exfiltration to Backblaze"; flow:established,to_server; tls.sni; content:".backblazeb2.com"; classtype:policy-violation; sid:30005; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1218.011, T1005, T1486, T1070.001 | EventID 1 (Process Create), EventID 3 (Network Connection), EventID 7 (Image Load), EventID 11 (File Create) required |
| Windows Security | T1190, T1070.001 | EventID 4688 (Process Creation), EventID 4663 (File Access), EventID 1102 (Audit Log Clear) |
| DNS Logs | T1071.001, T1567 | Required for detecting Cloudflare tunnel and cloud storage queries |
| Proxy Logs | T1071.001, T1567, T1190 | Critical for detecting C2 and exfiltration traffic |
| SimpleHelp RMM Logs | T1190 | Required for detecting CVE-2024-57727 exploitation attempts |
| PowerShell ScriptBlock Logging | T1070.001 | EventID 4104 for detecting Clear-EventLog commands |
Sources
- CISA #StopRansomware: Interlock
- CISA #StopRansomware: Ghost (Cring) Ransomware
- CISA Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management
- Darktrace Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack
- Resecurity DragonForce Ransomware - Reverse Engineering Report