“Dispelling ransomware deployment myths. When a ransomware attack occurs, the focus is most often on the encryption of files. Initial access is often glossed over or simply assumed. In addition, actions taken by a threat actor, by a human making decisions (and sometimes, mistakes …”
T1486 Data Encrypted for Impact (99%)
“…ware deployment. We see statements such as the one above, saying “the ransomware can then spread …” or other phrases that state: “the ransomware uses stolen credentials to access systems via the Remote Desktop Protocol (RDP)...” However, this simply isn’t the case at a…”
T1486 Data Encrypted for Impact (99%)
“. This technique, and similar ones, are not new. This Secureworks blog post from 2016 references an incident from the end of 2015 where a ransomware executable was placed on a domain controller, and intended as a distraction. Thanks to the likely intentional misspelling of the do…”
T1486 Data Encrypted for Impact (99%)
“for prevention and detection, and helps to provide insight into appropriate responses. While we’ve covered the former two stages in previous posts, today we’ll look more closely at how Huntress analysts have seen threat actors deploying ransomware in attacks. What does "rans…”
T1486 Data Encrypted for Impact (98%)
“was using compromised credentials for MSP remote monitoring and management (RMM) instances in an attempt to deploy the ransomware. The Huntress SOC became aware of this threat actor methodology when pre-ransomware activity/TTPs were identified on several customer infrastruc…”
T1486 Data Encrypted for Impact (96%)
“ransomware threats, organizations first need to develop an accurate asset inventory of physical and virtual endpoints, as well as applications. Then, they should engage in attack surface reduction. This includes considering what needs to be publicly accessible, how protections sh…”
T1486 Data Encrypted for Impact (93%)
“Akira ransomware is deployed in this manner …” because the deployment mechanism, and the actions leading up to that point, can be vastly different depending upon the affiliate. The purpose of this article is to state clearly and concisely what Huntress analysts have observed acr…”
T1219 Remote Access Tools (88%)
“was using compromised credentials for MSP remote monitoring and management (RMM) instances in an attempt to deploy the ransomware. The Huntress SOC became aware of this threat actor methodology when pre-ransomware activity/TTPs were identified on several customer infrastruc…”
T1080 Taint Shared Content (84%)
“Akira ransomware is deployed in this manner …” because the deployment mechanism, and the actions leading up to that point, can be vastly different depending upon the affiliate. The purpose of this article is to state clearly and concisely what Huntress analysts have observed acr…”
T1679 Selective Exclusion (84%)
“Dispelling ransomware deployment myths. When a ransomware attack occurs, the focus is most often on the encryption of files. Initial access is often glossed over or simply assumed. In addition, actions taken by a threat actor, by a human making decisions (and sometimes, mistakes …”
T1080 Taint Shared Content (83%)
“…ware deployment. We see statements such as the one above, saying “the ransomware can then spread …” or other phrases that state: “the ransomware uses stolen credentials to access systems via the Remote Desktop Protocol (RDP)...” However, this simply isn’t the case at a…”
T1486 Data Encrypted for Impact (79%)
“the C:\ProgramData folder, with various names, and almost immediately after, the following child process is observed: powershell.exe -command "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject" In the case of the Crux ransomware, Huntress analysts have observed the …”
T1080 Taint Shared Content (79%)
“was using compromised credentials for MSP remote monitoring and management (RMM) instances in an attempt to deploy the ransomware. The Huntress SOC became aware of this threat actor methodology when pre-ransomware activity/TTPs were identified on several customer infrastruc…”
T1080 Taint Shared Content (77%)
“for prevention and detection, and helps to provide insight into appropriate responses. While we’ve covered the former two stages in previous posts, today we’ll look more closely at how Huntress analysts have seen threat actors deploying ransomware in attacks. What does "rans…”
T1080 Taint Shared Content (69%)
“Dispelling ransomware deployment myths. When a ransomware attack occurs, the focus is most often on the encryption of files. Initial access is often glossed over or simply assumed. In addition, actions taken by a threat actor, by a human making decisions (and sometimes, mistakes …”
T1679 Selective Exclusion (58%)
“. This technique, and similar ones, are not new. This Secureworks blog post from 2016 references an incident from the end of 2015 where a ransomware executable was placed on a domain controller, and intended as a distraction. Thanks to the likely intentional misspelling of the do…”
T1021.002 SMB/Windows Admin Shares (41%)
“, and its variants, allow an actor with the appropriate privileges to copy executables over to remotely accessible systems and launch them with given parameters. Huntress analysts recently observed an incident where the threat actor used a custom tool named ps_bulk.exe, rename…”
T1080 Taint Shared Content (38%)
“. This technique, and similar ones, are not new. This Secureworks blog post from 2016 references an incident from the end of 2015 where a ransomware executable was placed on a domain controller, and intended as a distraction. Thanks to the likely intentional misspelling of the do…”
T1486 Data Encrypted for Impact (36%)
“…rate data and enumerate the network, obtaining a list of accessible endpoints. Then, when they’re ready to deploy the ransomware, you’ll see a number of processes similar to the following, launched in rapid succession: regsvr32.exe /n /i:"-pass=[redacted] -enc …”
T1564.006 Run Virtual Instance (31%)
“Dispelling ransomware deployment myths. When a ransomware attack occurs, the focus is most often on the encryption of files. Initial access is often glossed over or simply assumed. In addition, actions taken by a threat actor, by a human making decisions (and sometimes, mistakes …”
T1566.004 Spearphishing Voice (30%)
“was using compromised credentials for MSP remote monitoring and management (RMM) instances in an attempt to deploy the ransomware. The Huntress SOC became aware of this threat actor methodology when pre-ransomware activity/TTPs were identified on several customer infrastruc…”
Summary
Huntress analyzes ransomware activity, uncovering attack patterns and key detection opportunities while dispelling ransomware myths.