May 03, 2022

Ransomware Attack Techniques

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of ransomware groups Hive, Conti, and Avoslocker, have identified frequently utilized tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP from weak or compromised credentials, and malware deployment through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved the use of third-party remote software such as AnyDesk and ConnectWise Control along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a vast array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using task manager to dump LSASS memory. Tools used for lateral movement includes PsExec, WMI, BITSAdmin, and Mimikatz. The tampering of Windows logs helped cover the attacker’s tracks. Data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, actors relied on RClone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution