System Shutdown/Reboot
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
Procedure Examples |
|
Name | Description |
---|---|
AcidRain |
AcidRain reboots the target system once the various wiping processes are complete.(Citation: AcidRain JAGS 2022) |
DCSrv |
DCSrv has a function to sleep for two hours before rebooting the system.(Citation: Checkpoint MosesStaff Nov 2021) |
BFG Agonizer |
BFG Agonizer uses elevated privileges to call |
MultiLayer Wiper |
MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery.(Citation: Unit42 Agrius 2023) |
LockerGoga |
LockerGoga has been observed shutting down infected systems.(Citation: Wired Lockergoga 2019) |
DustySky |
DustySky can shutdown the infected machine.(Citation: Kaspersky MoleRATs April 2019) |
Olympic Destroyer |
Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
APT38 |
APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.(Citation: FireEye APT38 Oct 2018) |
Maze |
Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.(Citation: Sophos Maze VM September 2020) |
APT37 |
APT37 has used malware that will issue the command |
LookBack |
LookBack can shutdown and reboot the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019) |
Apostle |
Apostle reboots the victim machine following wiping and related activity.(Citation: SentinelOne Agrius 2021) |
WhisperGate |
WhisperGate can shutdown a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag.(Citation: Cisco Ukraine Wipers January 2022) |
KillDisk |
KillDisk attempts to reboot the machine by terminating specific processes.(Citation: Trend Micro KillDisk 2) |
NotPetya |
NotPetya will reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
Latrodectus |
Latrodectus has the ability to restart compromised hosts.(Citation: Elastic Latrodectus May 2024) |
CHIMNEYSWEEP |
CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user.(Citation: Mandiant ROADSWEEP August 2022) |
Lazarus Group |
Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018) |
Shamoon |
Shamoon will reboot the infected system once the wiping functionality has been completed.(Citation: Unit 42 Shamoon3 2018)(Citation: McAfee Shamoon December 2018) |
HermeticWiper |
HermeticWiper can initiate a system shutdown.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022) |
AvosLocker |
AvosLocker’s Linux variant has terminated ESXi virtual machines.(Citation: Trend Micro AvosLocker Apr 2022) |
Detection
Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. Unexpected or unauthorized commands from network cli on network devices may also be associated with shutdown/reboot, e.g. the reload
command.
References
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
- Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
- Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
Связанные риски
Риск | Связи | |
---|---|---|
Неработоспособность операционной системы
из-за
возможности выключения или перезагрузки
в оборудовании
Доступность
Отказ в обслуживании
|
|
|
Неработоспособность операционной системы
из-за
возможности выключения или перезагрузки
в операционной системе
Доступность
Отказ в обслуживании
|
1
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.