“initial workstations compromised at the onset of the attack, as well as from privileged systems such as domain controllers when staging the ransomware and targets for the encryption. Native operating system tools are often used toward this post-compromise information-gatherin…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1219 Remote Access Tools (99%)
“…n and TightVNC. Some of these tools have unique feature functions attractive to a TA, such as ScreenConnect’s ‘Backstage mode’ feature, which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware, which makes it a particul…”
T1486 Data Encrypted for Impact (98%)
“…% -2; 2 Black Basta 9% new in top variants; 2 LockBit 3.0 9% +1; 3 Medusa 6% +2; 3 Phobos 6% +4; 3 BlackCat 6% -1; 4 Rhysida 4% new in top variants; 4 BlackSuit 4% new in top variants; 4 Inc Ransom 4% new in top variants. Market share of the ransomware attacks for the third st…”
T1021.001 Remote Desktop Protocol (98%)
“. Successful ransomware attacks require exploring the network to find key assets such as domain controllers, file share servers, databases, and continuity assets that are not properly segmented. Reaching these assets often involves pivoting through multiple systems and accounts t…”
T1486 Data Encrypted for Impact (95%)
“…4. Ransomware remains predominantly a crime of opportunity, not a targeted activity, though there is some data to suggest certain groups like BlackCat made a concerted effort not to exempt healthcare from their victim portfolios as they may have tried to do in prior quarters. A…”
T1486 Data Encrypted for Impact (94%)
“recent attacks, and several former RaaS affiliates using the ubiquitous, and almost free, Dharma/Phobos services. Remain with RaaS and roll the dice. We are not predicting the death of the RaaS model, but the events of Q1 are not an anomaly. They are actually a continuation of …”
T1486 Data Encrypted for Impact (91%)
“RaaS devs hurt their credibility by cheating affiliates in Q1 2024. Table of contents: RaaS groups; payment rates; types of ransomware; attack vectors & TTPs; industries impacted. Following the FBI disruption of BlackCat/ALPHV in Q4, a global law enforcement agency (LEA) consortium also su…”
T1657 Financial Theft (90%)
“the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word. During Q1, 23% of victims opted to pay when their incident only involved the publication of stolen data (i.e., the victim was not faced with needing a decryption k…”
T1486 Data Encrypted for Impact (90%)
“there is no doubt that one of the healthy by-products of LEA takedowns and RaaS/affiliate swindles has caused some individual affiliates to hang up their cyber crime spurs. Most participants in the cyber extortion ecosystems are not hardened criminals, rather they are individ…”
T1486 Data Encrypted for Impact (89%)
“. First, the LockBit group allowed a dispute about a payment split between operator and affiliate to spill onto the forums. The details of the dispute demonstrated that the group had no issue cutting an affiliate out from their share of a payment. While the actual truth will neve…”
T1588.006 Vulnerabilities (84%)
“vector may be unidentified by forensics, the initial access is typically just one of a dozen or so tactics necessary to achieve extortion level impact, often chained together (e.g., email phishing, RDP compromise, software vulnerability). Too often we see victims solely focuse…”
T1486 Data Encrypted for Impact (83%)
“but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach, as well as inhibit system recovery by deleting information such as Windows volume shad…”
T1059.012 Hypervisor CLI (80%)
“but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach, as well as inhibit system recovery by deleting information such as Windows volume shad…”
T1048 Exfiltration Over Alternative Protocol (80%)
“which was leveraged by RansomHouse, BlackSuit, Play and LockBit to impact NetScaler VPN virtual servers. CVE-2024-1708-9, published in February 2024, which is used by Mamba and RansomHouse for remote code execution against certain versions of unpatched ScreenConnect instances…”
T1486 Data Encrypted for Impact (74%)
“the amount of average payment. It is evident that rather than shoot for the moon with a very high initial demand, many ransomware affiliates are opting for the opposite tactic, and are demanding more reasonable amounts. The intention of this tactic is to keep more victims engaged…”
T1486 Data Encrypted for Impact (70%)
“the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word. During Q1, 23% of victims opted to pay when their incident only involved the publication of stolen data (i.e., the victim was not faced with needing a decryption k…”
T1657 Financial Theft (69%)
“recent attacks, and several former RaaS affiliates using the ubiquitous, and almost free, Dharma/Phobos services. Remain with RaaS and roll the dice. We are not predicting the death of the RaaS model, but the events of Q1 are not an anomaly. They are actually a continuation of …”
T1657 Financial Theft (68%)
“the amount of average payment. It is evident that rather than shoot for the moon with a very high initial demand, many ransomware affiliates are opting for the opposite tactic, and are demanding more reasonable amounts. The intention of this tactic is to keep more victims engaged…”
T1190 Exploit Public-Facing Application (62%)
“vector may be unidentified by forensics, the initial access is typically just one of a dozen or so tactics necessary to achieve extortion level impact, often chained together (e.g., email phishing, RDP compromise, software vulnerability). Too often we see victims solely focuse…”
T1039 Data from Network Shared Drive (62%)
“of a network. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and control channels, but most commonly use file transfer and synchronization tools combined with exploiting outbound server access (e.g., 443 …”
T1564.006 Run Virtual Instance (51%)
“but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach, as well as inhibit system recovery by deleting information such as Windows volume shad…”
T1657 Financial Theft (48%)
“RaaS devs hurt their credibility by cheating affiliates in Q1 2024. Table of contents: RaaS groups; payment rates; types of ransomware; attack vectors & TTPs; industries impacted. Following the FBI disruption of BlackCat/ALPHV in Q4, a global law enforcement agency (LEA) consortium also su…”
T1657 Financial Theft (42%)
“. First, the LockBit group allowed a dispute about a payment split between operator and affiliate to spill onto the forums. The details of the dispute demonstrated that the group had no issue cutting an affiliate out from their share of a payment. While the actual truth will neve…”
T1486 Data Encrypted for Impact (41%)
“which was leveraged by RansomHouse, BlackSuit, Play and LockBit to impact NetScaler VPN virtual servers. CVE-2024-1708-9, published in February 2024, which is used by Mamba and RansomHouse for remote code execution against certain versions of unpatched ScreenConnect instances…”
T1486 Data Encrypted for Impact (33%)
“…n and TightVNC. Some of these tools have unique feature functions attractive to a TA, such as ScreenConnect’s ‘Backstage mode’ feature, which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware, which makes it a particul…”
Summary
RaaS developers were caught cheating their affiliates, shaking the trust in
the RaaS model following several high profile law enforcement actions.