“to follow through on their end goal or to provide cover for a confidentiality breach. This TTP also includes tampering with credentials to deny access to virtual environments like ESXi. This is a very common tactic used by ransomware groups Akira, NoEscape and Rhysida. Data encry…”
T1219 Remote Access Tools
99%
“…rrelates to the use of PsExec, which is a legitimate Windows administrative tool. Threat actors leverage this tool to move laterally or to mass deploy malware across multiple machines. Command and Control [TA0011]: Command and control consists of techniques that adversaries …”
T1068 Exploitation for Privilege Escalation
97%
“include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added …”
T1486 Data Encrypted for Impact
95%
“+15% from Q2 2023), while the median ransom payment also ticked up slightly to $200,000 (+5% from Q2 2023). We don’t ascribe any noteworthy observation to this increase beyond a normal rotation of common variants towards ones that tend to impact larger organizations wi…”
T1486 Data Encrypted for Impact
95%
“Scattered ransomware attribution blurs focus on IR fundamentals. Table of contents: Scattered Spider; Payment rates; Types of ransomware; Attack vectors & TTPs. In Q3 of 2023, several high profile attacks against the gaming industry and other large enterprises were carried out by “Scatter…”
T1219 Remote Access Tools
95%
“. ScreenConnect has been used heavily in Q3, more so than any other RMM. ScreenConnect has a ‘backstage mode’ feature, which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware, which makes it a particularly effective tool. …”
T1486 Data Encrypted for Impact
90%
“of a flaw in the Akira encryption schema. Why did Akira gain more traction attacking companies in Q3 vs. Q2 when a flaw was publicly disclosed and a decryptor published for the public? Ransomware groups actually advertise their encryptors’ security in order to attract affiliates. …”
T1055.001 Dynamic-link Library Injection
90%
“Akira using the Terminator.sys BYOVD attack. Process Injection [T1055]: Threat actors may inject code into existing processes, such as rundll32.exe or svchost.exe, in order to evade process-based defenses as well as possibly elevate privileges. Execution via process injec…”
T1567.002 Exfiltration to Cloud Storage
88%
“a network. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and control channels. Common exfiltration tools used by threat actors include: MegaSync, Rclone, FileZ…”
T1055 Process Injection
84%
“Akira using the Terminator.sys BYOVD attack. Process Injection [T1055]: Threat actors may inject code into existing processes, such as rundll32.exe or svchost.exe, in order to evade process-based defenses as well as possibly elevate privileges. Execution via process injec…”
T1556.006 Multi-Factor Authentication
81%
“to download sensitive data for exfiltration), the attackers must bypass multi-factor authentication. In the cases we have observed, the threat actor has achieved this in two ways. The employee whose machine was compromised may be socially engineered via a live spoofed phone ca…”
T1021.002 SMB/Windows Admin Shares
80%
“multiple systems and accounts to gain access. Adversaries might install their own remote access tools to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier and harder to track. Favored tactics involve …”
T1048 Exfiltration Over Alternative Protocol
68%
“…n credential exploits were against single-factor authentication-only VPN appliances. Phishing remains prevalent despite the disruption of the QBot botnet. Recent examinations of our data suggest phishing is more likely to be the predecessor to a data-theft-only extortion …”
T1485 Data Destruction
66%
“to follow through on their end goal or to provide cover for a confidentiality breach. This TTP also includes tampering with credentials to deny access to virtual environments like ESXi. This is a very common tactic used by ransomware groups Akira, NoEscape and Rhysida. Data encry…”
T1589 Gather Victim Identity Information
63%
“the same two or three individuals to perform the social engineering. Below are some observed tactics and suggested mitigation strategies that are effective at addressing a major point of ingress: Reconnaissance [TA0043], Gather Victim Identity Information [T1589, T1591]: The…”
T1598 Phishing for Information
61%
“the same two or three individuals to perform the social engineering. Below are some observed tactics and suggested mitigation strategies that are effective at addressing a major point of ingress: Reconnaissance [TA0043], Gather Victim Identity Information [T1589, T1591]: The…”
T1486 Data Encrypted for Impact
59%
“are willing to pay threat actors to leave us alone. When cyber extortion actors receive these signals they are substantially more likely to re-attack and re-extort these victims in the future as they are officially the cheapest possible target. One group we track has re-att…”
T1048 Exfiltration Over Alternative Protocol
59%
“a network. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and control channels. Common exfiltration tools used by threat actors include: MegaSync, Rclone, FileZ…”
T1556.006 Multi-Factor Authentication
58%
“…1566]: The threat actor will target specific employees that have access to common applications that contain sensitive data such as CRM applications, cloud-based file servers, HR applications, or customer support ticketing applications. The targeted employees may be first cont…”
T1657 Financial Theft
56%
“of a flaw in the Akira encryption schema. Why did Akira gain more traction attacking companies in Q3 vs. Q2 when a flaw was publicly disclosed and a decryptor published for the public? Ransomware groups actually advertise their encryptors’ security in order to attract affiliates. …”
T1055.001 Dynamic-link Library Injection
54%
“include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added …”
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
52%
“…n credential exploits were against single-factor authentication-only VPN appliances. Phishing remains prevalent despite the disruption of the QBot botnet. Recent examinations of our data suggest phishing is more likely to be the predecessor to a data-theft-only extortion …”
T1111 Multi-Factor Authentication Interception
50%
“to download sensitive data for exfiltration), the attackers must bypass multi-factor authentication. In the cases we have observed, the threat actor has achieved this in two ways. The employee whose machine was compromised may be socially engineered via a live spoofed phone ca…”
T1558.003 Kerberoasting
44%
“why companies that routinely practice live incident response tabletops fare substantially better during this critical period of time. It turns out that when you practice your IR response, communications and decision making, you get better at it! Practice should also include the pr…”
T1078 Valid Accounts
43%
“which impacted a large volume of victims that are still without their data. On the other end of the spectrum, handing active ransomware variants information on their vulnerabilities for free imposes costs on the good guys. Common ransomware attack vectors and tactics in Q3 2023 w…”
T1566 Phishing
38%
“on by the exact same group of cyber criminal individuals? Our Price Is Right answer would be closer to 1% versus 100%. Readers of this blog will recognize our continued drumbeat on how fluidly cyber extortionists are able to brand shop between known ransomware-as-a-servic…”
T1657 Financial Theft
33%
“why companies that routinely practice live incident response tabletops fare substantially better during this critical period of time. It turns out that when you practice your IR response, communications and decision making, you get better at it! Practice should also include the pr…”
T1219.002 Remote Desktop Software
33%
“. ScreenConnect has been used heavily in Q3, more so than any other RMM. ScreenConnect has a ‘backstage mode’ feature, which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware, which makes it a particularly effective tool. …”
T1111 Multi-Factor Authentication Interception
32%
“…1566]: The threat actor will target specific employees that have access to common applications that contain sensitive data such as CRM applications, cloud-based file servers, HR applications, or customer support ticketing applications. The targeted employees may be first cont…”
Summary
In Q3 2023 a series of ransomware attacks by similar threat actors created headlines and blurred the lines of attribution.