Uptycs, provider of the first cloud-native security analytics platform enabling cloud and endpoint security from a common solution, announced the results of its completed MITRE Engenuity ATT&CK® Enterprise Evaluation, Round 4. This round of independent ATT&CK Evaluations for enterprise cybersecurity solutions emulated the Wizard Spider and Sandworm threat groups. Wizard Spider is responsible for the infamous Ryuk ransomware family, and Sandworm is a Russian cyber military unit behind the 2017 NotPetya attacks.
“Ransomware is a growing scourge for all types of organizations and the focus of these MITRE Engenuity ATT&CK Evaluations could not come at a more appropriate time,” said Ganesh Pai, Co-founder and CEO at Uptycs. “Security teams can use these evaluation results to identify gaps in their detection coverage. Our strong performance in both the Windows and Linux portions of the evaluation demonstrate how Uptycs helps these Security teams to detect even advanced ransomware actors, in addition to the hardening needed to minimize the risk of ransomware in the first place.”
Also Read: Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0
The MITRE Engenuity evaluations team chose to emulate two threat groups that abuse the Data Encrypted For Impact (T1486) technique. In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368) that disguised itself as ransomware. While the common thread to this year’s evaluations is “Data Encrypted for Impact,” both groups have substantial reporting on a broad range of post-exploitation tradecraft.
New advanced detection capabilities helped Uptycs perform strongly in the Wizard Spider and Sandworm evaluation, including:
Ransomware detection – Uptycs provides generic detection and protection against ransomware attacks on Windows operating systems. The capability analyzes telemetry inside the endpoint agent so it can protect against the attacks in offline mode.
Process code injection / DLL injection and process hollowing – Uptycs provides generic detection to process code injection and process hollowing on both Windows and Linux endpoints. Process code injection is a technique used by attackers to inject malicious code inside a trusted running process to evade detection.
Master boot record (MBR) overwrite – Uptycs provides generic detection of MBR overwrite on Windows-based endpoints. MBR overwrite is a technique used by adversaries where the goal is to disrupt operations and make the system unusable.
Lsass.exe memory credential dumping – To detect attacker attempts to steal credentials, Uptycs provides generic detection of lsass.exe (Local Security Authority Subsystem Service) memory credential dumping on Windows-based endpoints.
For full results and more information about the evaluations, please visit: https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-and-sandworm/.
Sign up for our Uptycs Live webinar to learn more about our participation in the MITRE ATT&CK Evaluations and how our solution protects against ransomware.
About MITRE Engenuity
MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for the public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.