Attack Chain

1. Initial compromise of the target system via unspecified means (e.g., phishing, exploitation of public-facing application).
2. Execution of arbitrary commands on the compromised system.
3. The adversary uses schtasks.exe to query the list of scheduled tasks to identify the Raccine Rules Updater task.
4. schtasks.exe is then used with the delete parameter to remove the “Raccine Rules Updater” scheduled task.
5. The operating system removes the scheduled task entry.
6. Ransomware is deployed on the system without Raccine’s protection.
7. Ransomware encrypts files on local and network shares.
8. A ransom note is dropped, demanding payment for decryption.

Impact

Successful deletion of the Raccine scheduled task can lead to a successful ransomware attack. This can result in data encryption, system downtime, and potential financial losses due to ransom payments or recovery costs. The severity of the impact depends on the extent of the data encryption and the organization’s ability to recover from backups. Organizations without Raccine deployed are not directly affected but remain vulnerable to ransomware.

Recommendation

• Deploy the provided Sigma rules to detect the execution of schtasks.exe deleting tasks containing “Raccine” in the task name or description (schtasks_raccine_deletion).
• Enable process monitoring and command-line logging via Sysmon or similar EDR solutions to ensure visibility into process executions.
• Investigate any instances of schtasks.exe being used to delete scheduled tasks, especially those related to security tools.
• Review and harden scheduled task permissions to prevent unauthorized modifications.
• Monitor parent processes of schtasks.exe for suspicious activity.