TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Coveware

Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments

Bill Siegel · 2023-07-21

ATT&CK techniques detected

16 predictions

T1486 Data Encrypted for Impact · 99%
“teams). The skills to do this may come from multiple members of a threat actor group, so the costs are magnified by the number of people associated with the labor. This also means any potential ransom must be split several ways, which decreases potential profit if a ransom is pa…”

T1021.002 SMB/Windows Admin Shares · 98%
“services [T1021 and T1210], which is primarily the use of VNC (like TightVNC) to allow remote access or SMB/Windows admin shares. Admin shares are an easy way to share/access tools and malware. These are hidden from users and are only accessible to administrators. Threat …”

T1486 Data Encrypted for Impact · 97%
“0 6.2% +14 Akira 5.4% new in top variants 5 Silent Ransom 3.1% new in top variants 5 Cactus 3.1% new in top variants market share of the ransomware attacks. Second, it was observed that the more technically sophisticated affiliates that previously used both Dharma and/…”

T1057 Process Discovery · 96%
“Advanced IP Scanners to identify what network hosts are available. Process discovery (T1057): tools commonly abused are Process Explorer or Process Hacker, which allow threat actors to check active processes and kill them. System owner/user discovery (T1033): a tactic use…”

T1486 Data Encrypted for Impact · 95%
“may become. Threat actors that spend this much on a single attack will likely calculate a very high demand in an effort to recoup their costs and turn a profit. The horizontal axis is the total expected profit to the threat actor. It is a product of multiplying the probability th…”

T1485 Data Destruction · 94%
“business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow thr…”

T1486 Data Encrypted for Impact · 94%
“It is likely that the Clop group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments. This is a dangerous and staggering sum of money for one, relatively small gro…”

T1135 Network Share Discovery · 93%
“services [T1021 and T1210], which is primarily the use of VNC (like TightVNC) to allow remote access or SMB/Windows admin shares. Admin shares are an easy way to share/access tools and malware. These are hidden from users and are only accessible to administrators. Threat …”

T1518.001 Security Software Discovery · 88%
“Advanced IP Scanners to identify what network hosts are available. Process discovery (T1057): tools commonly abused are Process Explorer or Process Hacker, which allow threat actors to check active processes and kill them. System owner/user discovery (T1033): a tactic use…”

T1486 Data Encrypted for Impact · 87%
“…itate notifications. NAS device encryption CVE attacks: impact = low/medium (P) = medium ($) = (P)($) = low/medium. NAS (network attached storage) encryption attacks leverage similar mass scanning techniques as database deletion attacks. These mass exploits scan for…”

T1657 Financial Theft · 84%
“0 6.2% +14 Akira 5.4% new in top variants 5 Silent Ransom 3.1% new in top variants 5 Cactus 3.1% new in top variants market share of the ransomware attacks. Second, it was observed that the more technically sophisticated affiliates that previously used both Dharma and/…”

T1570 Lateral Tool Transfer · 78%
“, threat actors often package it to avoid detection while exfiltrating it from the bounds of a network. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and contro…”

T1486 Data Encrypted for Impact · 60%
“business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow thr…”

T1685.001 Disable or Modify Windows Event Log · 44%
“defenses. Indicator removal on host - clear Windows event logs [T1070] involves 2 common event logs that get cleared by threat actors, Security and System. Security primarily records authentication, so if cleared, evidence of new account creations, remote access, or lateral mov…”

T1486 Data Encrypted for Impact · 38%
“Ransom Monetization Rates Fall to Record Low Despite Jump in Average Ransom Payments. Table of contents: Cyber extortion opportunity cost curve; Types of ransomware; Attack vectors & TTPs; Industries impacted. In the second quarter of 2023, the percentage of ransomware attacks that resulte…”

T1685 Disable or Modify Tools · 31%
“defenses. Indicator removal on host - clear Windows event logs [T1070] involves 2 common event logs that get cleared by threat actors, Security and System. Security primarily records authentication, so if cleared, evidence of new account creations, remote access, or lateral mov…”

Summary

As ransomware affiliates are paid less frequently, they have adapted their strategies to compensate for the shifting dynamics of cyber extortion.