Fortifying Cyber Defenses: Correlating Data Leaks, LLMs, and Official Guidelines to Combat Ransomware
Background: I came across an interesting method that highlights why integrating threat intelligence, official recommendations, and LLMs can create a more robust perimeter to combat threats like ransomware and enhance resilience against such attacks. The key signal for this approach was the announcement that Black Basta's internal chat data had been leaked. A community member from the Hudson Rock team further revealed that they had used this leaked data to train an LLM. Before these events, CISA had published its recommendations on how to defend against Black Basta ransomware.
Method: The method combines CISA recommendations, the leaked data, and LLM capabilities. Let's take initial access as the example: the LLM extracts the access vectors that were visible in the leak.
| Access Type | Assets |
|---|---|
| Compromised Credential | RDP & VPN |
| Public Service Exploitation | ESXi and other pipeline solutions |
| Malicious Scripts | VBS, JS and other DLL sideloading techniques |
| Phishing and Social Engineering | Vishing, phishing |
| Cracking / Bruteforce | Enterprise Web Portals, VPN, Citrix, RDP, SSH and so on |
Let's take a look at the CISA recommendations, paired with the leak-derived assets:
- Phishing - RDP & VPN - Black Basta affiliates have used spearphishing emails to obtain initial access
- Phishing and Social Engineering - Vishing, phishing - Black Basta affiliates have used spearphishing phone and Microsoft Teams calls to trick users into
- Public Service Exploitation - ESXi and other pipeline solutions - Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
Building the threat landscape:
- Email systems should be monitored 24/7, and it is essential to implement an email protection gateway. At the same time, proactive threat hunting should be conducted over the email flow to identify and mitigate potential security risks.
- Staff should undergo awareness training at least once a month to build resilience against threats such as social engineering. Additionally, the principle of least privilege should be implemented across all company users to minimize access risks and enhance overall security.
- Patch management should be implemented and executed on a weekly basis, especially for critical access point systems. It is essential to stay aware of and promptly apply new updates. Additionally, robust protection measures should be in place for access systems and critical infrastructure, with 24/7 monitoring to ensure continuous security and threat detection.
- Threat hunters must deploy ongoing monitoring to detect leaked credentials from infostealers and other similar malicious code. This proactive approach helps identify compromised credentials and mitigate potential risks before they can be exploited by attackers.
- Workstations should be equipped with XDR (Extended Detection and Response) or EDR (Endpoint Detection and Response) solutions to detect malicious process behaviour. These tools provide advanced threat detection, real-time monitoring, and response capabilities to identify and mitigate suspicious or harmful activities on endpoints.
- No services such as RDP (Remote Desktop Protocol) or SSH (Secure Shell) should be exposed to the internet. In cases where exposure is unavoidable, proper protection and hardening measures must be implemented.
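The correlation step behind the method above (leak-derived access vectors joined to the CISA notes and to the controls in this list) as an added example, not the author's tooling: the records are constructed from the tables on this page, and joining them by asset keyword is an assumption about how the pipeline could be built.

```python
"""Added example, not the author's tooling: join leak-derived initial-access vectors to
the CISA notes and controls on this page (constructed records, keyword matching assumed)."""
import re
from dataclasses import dataclass

@dataclass
class AccessVector:
    access_type: str
    assets: str
    advisory: str = ""  # CISA note paired with this row on the page, if any

LEAK_VECTORS = [  # leak-derived table; advisory notes as paired on the page
    AccessVector("Compromised Credential", "RDP & VPN", "spearphishing emails"),
    AccessVector("Public Service Exploitation", "ESXi and other pipeline solutions",
                 "ConnectWise CVE-2024-1709"),
    AccessVector("Malicious Scripts", "VBS, JS and other DLL sideloading techniques"),
    AccessVector("Phishing and Social Engineering", "Vishing, phishing",
                 "spearphishing phone and Microsoft Teams calls"),
    AccessVector("Cracking / Bruteforce", "Enterprise Web Portals, VPN, Citrix, RDP, SSH"),
]

CONTROLS = {  # "Building the threat landscape" items, keyed by asset/technique keyword
    "rdp": "no internet exposure, harden if unavoidable, 24/7 monitoring",
    "ssh": "no internet exposure, harden if unavoidable, 24/7 monitoring",
    "vpn": "weekly patching of access points, 24/7 monitoring",
    "citrix": "weekly patching of access points, 24/7 monitoring",
    "esxi": "weekly patching of critical systems",
    "credential": "continuous hunting for infostealer-leaked credentials, least privilege",
    "phishing": "email gateway, email threat hunting, monthly awareness training",
    "vishing": "monthly awareness training",
    "vbs": "EDR/XDR on workstations",
    "dll": "EDR/XDR on workstations",
}

def keywords(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def correlate(vectors=LEAK_VECTORS, controls=CONTROLS) -> list:
    """One row per vector: matched keywords, distinct controls, advisory coverage."""
    report = []
    for v in vectors:
        hits = sorted((keywords(v.access_type) | keywords(v.assets)) & set(controls))
        report.append({"access_type": v.access_type, "matched_keywords": hits,
                       "controls": sorted({controls[k] for k in hits}),
                       "has_advisory": bool(v.advisory), "uncovered": not hits})
    return report

def advisory_gaps(report) -> list:
    """Vectors seen in the leak that no CISA note covers: threat-hunting candidates."""
    return [r["access_type"] for r in report if not r["has_advisory"]]
```

Running `advisory_gaps(correlate())` shows the vectors the leak exposes that the advisory does not mention, which is where the hunting effort should go first.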
This analysis covers only one example, but applying these foundational security practices can help your organization save money on ransomware insurance. Those funds can then be redirected to critical areas such as R&D and other business priorities. However, it is important to recognize that the ransomware landscape is far more complex and fast-moving than it may appear.
Conclusion: Always integrate new technologies into a unified pipeline. In this case, our analysis was built on data leaks, combined with CISA recommendations, while leveraging the capabilities of LLMs (Large Language Models) to enhance threat detection and response. This approach ensures a comprehensive and adaptive security strategy.
Stay Saf3 ! J0k3r !
