It's no longer surprising that ransomware attacks are becoming more sophisticated and threat actors more successful every year. The majority of attacks on businesses are carried out by humans, so it is essential that defenders understand the tactics, techniques and procedures (TTPs) used by threat actors in order to prevent attacks at the various stages of the attack lifecycle. Some threat actors may abandon the use of ransomware and instead focus on exfiltrating sensitive data for extortion.
Big Game Hunting will involve multiple state-sponsored threat actors, including those using it for disruptive purposes. Threat actors will begin to attack CIS countries more aggressively, especially countries with extensive business networks. RDP servers are not the only external remote services that ransomware threat actors target with brute-force attacks.
Such techniques were used not only by financially motivated threat actors, but also by state-sponsored hackers. The strategy is not new – the same techniques were used in 2017, when BitPaymer ransomware operators used the infamous Dridex to gain an initial foothold.
Trickbot
Qakbot
Dridex
IcedID
Zloader (Silent Night)
SDBBot
Buer and Bazar
SocGholish
Custom malware
Hardware Additions
Trusted Relationship
Execution
Command and Scripting Interpreter
Monitor your network infrastructure for suspicious and malicious powershell.exe, cscript.exe or wscript.exe execution and for PowerShell execution policy changes, and check whether PowerShell logging has been disabled.
Native API
Scheduled Task/Job
In addition, some ransomware families, such as Egregor, have used PsExec to run various scripts on remote hosts to enable lateral movement and execute Beacon payloads. Track the creation of new services and make sure your team has the ability to detect suspicious and malicious services. Monitor how PsExec is used in your environment so that you can detect suspicious or malicious files being executed, for example during the lateral movement stage.
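As an added illustration of the two detection tips above (this is not code from the Group-IB report), the following Python evaluates a few constructed process-creation and service-install records against heuristics for script-interpreter abuse and PsExec-style service creation; the record fields, the rule names and the sample values are this example's own assumptions.

```python
import re

# Constructed, simplified records (Sysmon EID 1 / Security 4688 style for
# process creation, System EID 7045 style for service install); not real telemetry.
EVENTS = [
    {"id": 1, "cmd": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc QQBBAEEAQQBBAEEAQQBBAA=="},
    {"id": 1, "cmd": r"wscript.exe //e:jscript C:\Users\Public\invoice.js"},
    {"id": 1, "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 7045, "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "service": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "service": "f9a2c1", "image_path": r"\\FILESRV01\ADMIN$\f9a2c1.exe"},
]

# (rule name, event id, regex). Heuristics drawn from the tips above; a real
# deployment would add allow-lists for known administrative scripts and tooling.
RULES = [
    ("ps_execution_policy_bypass", 1, r"(?i)-(ex|ep|executionpolicy)\s+(bypass|unrestricted)"),
    ("ps_encoded_command", 1, r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}"),
    ("script_host_from_user_dir", 1, r"(?i)[wc]script\.exe.*\\Users\\.*\.(js|jse|vbs|vbe|wsf)"),
    ("psexec_service_installed", 7045, r"(?i)PSEXESVC"),
    ("service_binary_on_admin_share", 7045, r"(?i)^\\\\[^\\]+\\ADMIN\$\\"),
]

def evaluate(events):
    """Return (rule name, evidence) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        # Process records are judged on their command line, service records on the binary path.
        evidence = ev["cmd"] if ev["id"] == 1 else ev["image_path"]
        for name, event_id, pattern in RULES:
            if ev["id"] == event_id and re.search(pattern, evidence):
                hits.append((name, evidence))
    return hits

if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS):
        print(f"{name:32} {evidence}")
```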
As already mentioned, threat actors were often able to gain an initial foothold on the target network using weaponized email attachments or links, or, in some cases, BadUSB devices. This meant that a victim would simply have to click the link, open the file or insert the USB device to start the infection chain. Attackers were able to obtain privileged accounts early in the kill chain, which meant they could manually run malware and dual-use tools like port scanners.
For example, Dharma affiliates distributed and ran ransomware manually, connecting from an initial server to other hosts via Remote Desktop Protocol.
Windows Management Instrumentation
Boot or Logon Autostart Execution
Persistence
Create or Modify System Process
Event Triggered Execution
If the system was running a newer OS version, SDBbot used Image File Execution Options Injection T1546.012 to achieve persistence. It first dropped mswinload0.dll into C:\Windows\System32, then created the VerifierDlls value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe, set it to "mswinload0.dll", and created the GlobalFlag value set to 0x100 to enable Application Verifier.
It is important to note that the persistence mechanisms mentioned above were only used by SDBbot if it had administrator privileges.
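The registry state this persistence leaves behind can be hunted for directly. The following Python is an added example rather than the report's own tooling: it parses a constructed .reg export and flags Image File Execution Options subkeys where GlobalFlag has the Application Verifier bit (0x100) set and VerifierDlls names a DLL. The sample export, the function names and the non-winlogon entries are assumptions of this example.

```python
import re

# Constructed .reg export mirroring the keys described above; not a real
# export from an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe]
"VerifierDlls"="mswinload0.dll"
"GlobalFlag"=dword:00000100

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"VerifierDlls"="vrfcore.dll"
"""

IFEO_MARKER = "\\image file execution options\\"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that enables Application Verifier
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse a .reg export into {key: {value name: str or int}} (strings and dwords only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def find_verifier_persistence(text):
    """IFEO subkeys where Application Verifier is on and a verifier DLL is registered."""
    findings = []
    for key, values in parse_reg(text).items():
        if IFEO_MARKER not in key.lower():
            continue
        # A VerifierDlls value without the GlobalFlag bit is inert, so both are required.
        if values.get("GlobalFlag", 0) & FLG_APPLICATION_VERIFIER and values.get("VerifierDlls"):
            findings.append((key.rsplit("\\", 1)[-1], values["VerifierDlls"]))
    return findings
```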
Hijack Execution Flow
Because many intrusions resulted from unauthorized RDP access or the exploitation of a public-facing application, cybercriminals obtained credentials with varying levels of privilege during initial access. Ensure that default or weak credentials are not used, especially for public-facing applications.
Server Software Component
Privilege Escalation
Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Defense Evasion
Deobfuscate/Decode Files or Information
File and Directory Permissions Modification
Such behavior was observed, for example, in the case of the DoppelPaymer ransomware, which used Alternate Data Streams (ADS) to hide data. Custom configuration of shared folders meant that the threat actors could encrypt on shared drives as well as on the local device. To hide files it downloads, Buer Loader made changes to the Windows Defender exclusion list using the following command: add-mppreference -exclusionpath.
In some cases, attackers modified the system firewall T1562.004 to enable RDP connections on remote hosts. Make sure an additional password is required to disable security tools in your environment.
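Both changes above (a Defender exclusion and a firewall rule opening RDP) leave configuration-change events behind, not only command lines. As an added example that is not from the report, the Python below reviews constructed records modelled on Windows Defender Operational event 5007 and Windows Firewall event 2004 to flag exclusion changes and inbound rules that cover TCP 3389, including port ranges and lists; the simplified field names and sample values are assumptions of this example.

```python
import re

# Constructed records modelled on Defender Operational EID 5007 (configuration
# changed) and Windows Firewall EID 2004 (rule added). Field names are this
# example's own simplification, not the exact Windows event schema.
EVENTS = [
    {"source": "defender", "id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\ = 0x0"},
    {"source": "defender", "id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"},
    {"source": "firewall", "id": 2004, "rule": "Remote Desktop - User Mode (TCP-In)",
     "direction": "Inbound", "action": "Allow", "protocol": "TCP", "local_ports": "3389"},
    {"source": "firewall", "id": 2004, "rule": "Block ftp",
     "direction": "Inbound", "action": "Block", "protocol": "TCP", "local_ports": "21"},
    {"source": "firewall", "id": 2004, "rule": "svc-mgmt",
     "direction": "Inbound", "action": "Allow", "protocol": "TCP", "local_ports": "3000-4000"},
]

EXCLUSION_RE = re.compile(r"(?i)\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\")
RDP_PORT = 3389

def port_covers(spec, port):
    """True if a LocalPorts spec ('Any', '3389', '3000-4000', '80,443') includes port."""
    if spec.strip().lower() in ("any", "*"):
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def review(events):
    """Return (finding, detail, value) triples for exclusion changes and inbound RDP rules."""
    findings = []
    for ev in events:
        if ev["source"] == "defender" and ev["id"] == 5007:
            m = EXCLUSION_RE.search(ev["new_value"])
            if m:  # the excluded path/process/extension follows the matched prefix
                target = ev["new_value"][m.end():].split(" = ")[0]
                findings.append(("defender_exclusion_changed", m.group(1), target))
        elif ev["source"] == "firewall" and ev["id"] == 2004:
            if (ev["direction"] == "Inbound" and ev["action"] == "Allow"
                    and ev["protocol"].upper() == "TCP" and port_covers(ev["local_ports"], RDP_PORT)):
                findings.append(("inbound_rdp_allowed", ev["rule"], ev["local_ports"]))
    return findings
```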
Indicator Removal on Host
Obfuscated Files or Information
Signed Binary Proxy Execution
Subvert Trust Controls
Trusted Developer Utilities Proxy Execution
Virtualization/Sandbox Evasion
Credential Access
Credentials from Password Stores
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Lateral Movement
Exploitation of Remote Services
Lateral Tool Transfer
As noted above, RDP T1021.001 was not only the most common initial access vector, but also a common way to move laterally through the network. Some ransomware operators even had scripts in their arsenal to enable RDP on remote hosts. SMB/Windows Admin Shares T1021.002 were also used due to the popularity of PsExec and similar post-exploitation frameworks.
Many post-exploitation frameworks also allowed threat actors to use the Distributed Component Object Model T1021.003 and Windows Remote Management T1021.006 for lateral movement. During one of Group-IB's responses to incidents involving Maze operators, the company witnessed the group exploiting Windows Remote Management (WinRM) via Cobalt Strike. Some threat actors (e.g. RansomEXX operators) have also attacked Linux infrastructure using Linux versions of their ransomware.
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Local System
Data from Network Shared Drive
Command and Control
Application Layer Protocol
Fallback Channels and Multi-Stage Channels
Ingress Tool Transfer
Remote Access Software
Protocol Tunneling and Proxy
Exfiltration
Data Transfer Size Limits
Exfiltration Over Web Service
Transfer Data to Cloud Account
Impact
Many ransomware samples had long lists of processes and services that had to be stopped before the encryption routine could begin. Although some families, such as EKANS, included unusual entries, such as applications related to industrial control systems (ICS), most focused on conventional applications. For example, the processes most commonly stopped by ransomware samples were related to Microsoft Office, Outlook and Oracle, while the services most commonly stopped were related to Acronis and Microsoft SQL Server.
It's important to note that many RaaS programs offered to tailor ransomware to partner needs, meaning such lists can easily be customized to the target infrastructure, especially for high-profile attacks. Instead of dedicated ransomware, some threat actors used built-in tools designed for full disk encryption, such as BitLocker, or open-source tools such as DiskCryptor. Focus on winword.exe and excel.exe instances that create suspicious folders and files or start processes such as rundll32.exe and regsvr32.exe.
Analyze executables and scripts placed in the Startup folder, added to the Run keys, or run through scheduled tasks. Make sure your security controls can detect command lines typical of credential dumping tools like Mimikatz. Make sure you can detect Cobalt Strike Beacons and similar payloads typical of post-exploitation frameworks in your environment, at least those launched with common command-line arguments and from common locations.
You can also use known Cobalt Strike team server lists, obtained for example from your Cyber Threat Intelligence provider. Search for new service creation events related to PsExec, SMBExec and other dual-use or offensive security tools. Hunt for executables that pose as common system files (e.g. svchost.exe) but have unusual parent processes or locations.
Look for cloud storage client installation events and cloud storage access events and check if they are legitimate.
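The masquerading hunt from the tips above, written out as an added Python example (not the report's own code): each constructed process record's location and parent process are checked against a profile for svchost.exe, and the same check is extended to lsass.exe, services.exe and csrss.exe, whose normal parents are documented for modern Windows versions. The record fields, the profiles and the sample values are this example's own assumptions, and the profiles would need environment-specific exceptions before production use.

```python
import ntpath

# Expected on-disk location(s) and parent process for core Windows binaries.
# svchost.exe is the page's example; the other rows apply the same idea.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED = {
    "svchost.exe": {"parents": {"services.exe"}, "dirs": SYSTEM_DIRS},
    "lsass.exe": {"parents": {"wininit.exe"}, "dirs": {r"c:\windows\system32"}},
    "services.exe": {"parents": {"wininit.exe"}, "dirs": {r"c:\windows\system32"}},
    "csrss.exe": {"parents": {"smss.exe"}, "dirs": {r"c:\windows\system32"}},
}

# Constructed process-creation records (Sysmon EID 1 style); not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\Public\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\Temp\lsass.exe", "parent": r"C:\Windows\Explorer.EXE"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\Explorer.EXE"},
]

def split(path):
    """Return (directory, basename), both lower-cased, using Windows path rules."""
    directory, base = ntpath.split(path)
    return directory.lower(), base.lower()

def check(event):
    """Reasons this process looks like a masquerade; [] if it fits its profile or is unprofiled."""
    directory, name = split(event["image"])
    profile = EXPECTED.get(name)
    if profile is None:
        return []
    reasons = []
    if directory not in profile["dirs"]:
        reasons.append(f"unexpected location {directory}")
    parent = split(event["parent"])[1]
    if parent not in profile["parents"]:
        reasons.append(f"unexpected parent {parent}")
    return reasons

def hunt(events):
    """Return (image, reasons) for every record that does not fit its profile."""
    results = []
    for ev in events:
        reasons = check(ev)
        if reasons:
            results.append((ev["image"], reasons))
    return results
```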
Tips for Threat Detection and Hunting
Group-IB does not release the names of the companies or people attacked. According to IDC, Gartner and Forrester, Group-IB is among the top threat intelligence providers in the world. Group-IB is one of the world's leading developers of solutions designed to identify and prevent cyber attacks, detect fraud and protect intellectual property online.