These days ransomware analysis gets a lot of coverage in commercial and public reports, with vendors issuing dozens of ransomware-related publications each year. These reports provide analysis on specific malware families or new samples, describe the activities of a particular ransomware group, give general tips on how to prevent ransomware from working, and so on. Malware analysts and security professionals can learn a lot from these reports, but not much of the content has an immediate or practical use. With the release of the report Common TTPs of modern ransomware, Kaspersky experts have taken a different approach. We want to familiarize the reader with the different stages of ransomware deployment, how cybercriminals use RATs and other tools across the various stages and what they aim to achieve. The report also provides a visual guide to defending against targeted ransomware attacks, using the most prolific groups as examples, and introduces the reader to the SIGMA detection rules that we created.
What are the ransomware groups?
For the report we selected the eight most common ransomware groups:
- Conti/Ryuk
- Pysa
- Clop (TA505)
- Hive
- Lockbit2.0
- RagnarLocker
- BlackByte
- BlackCat
We analyzed in detail the attacks these groups perpetrated and employed techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting their attacks, we saw that the core techniques remain the same throughout the cyber kill chain. The attack patterns revealed are not accidental because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or victim’s computer, delivering malware, further discovery, account hijacking, deleting shadow copies, removing backups and, finally, achieving their objectives.
To highlight the common components and TTPs shared by the ransomware groups across different attack patterns, we’ve created a common cyber kill chain diagram. It provides a visual representation of the techniques and tactics used by different ransomware operators.
Once the incident data relating to the ransomware groups has been collected, we can identify the TTPs characteristic of each of them and then superimpose these onto the shared cyber kill chain. The arrows indicate the sequence of specific techniques and the colours mark the individual groups that have been known to deploy these techniques.
Whom is the report for?
This report is written for SOC analysts, threat hunting teams, cyberthreat intelligence analysts, digital forensics specialists and cybersecurity specialists that are involved in the incident response process and/or want to protect the environment they are responsible for from targeted ransomware attacks. Our main goal is to help with understanding how ransomware groups generally operate and how to defend against their attacks.
You can use this report as a book of knowledge on the main techniques used by ransomware groups, for writing hunting rules and for auditing your security solutions.
The report contains
- Tactics, techniques and procedures (TTPs) of eight modern ransomware groups: Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat
- A description of how different groups share more than half of the common components and TTPs, with the core attack stages being executed identically across groups
- A cyber kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps
- A detailed analysis of each technique with examples of how they are being used by various groups and a comprehensive list of mitigations
- SIGMA rules based on described TTPs that can be applied to SIEM solutions
Download the full version of the Common TTPs of modern ransomware report (English, PDF)
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
From the same authors
In the same category
Joshua
The Hateful Eight – cool title for report.
Mr Widget
Thank you.
Greg Schaffer
Download request.
Securelist
Hi Greg!
To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.
Jon
Interesting
Tajik
Great insight as ever
Georgie
Brilliant report!
myyurmwxsbbblbicww@nvhrw.com
download reques
Securelist
To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.
Vito Alfano
Well done!
Luca
Thanks for sharing the ttps
Sydney
Great.
Steve
Thank you
Jhon Carmack
Very good. Thanks
Joshep Carmi Lau
Interesting
havale
thanks
paquito gomez
Checking the TI
Ransom Aware
Thank you.
catherine
thank you
Dawid K.
Thank you for the very interesting information.
ValdikSS
The form does not show in Firefox. Works in Chrome, but not in Firefox even with the clean profile.
Securelist
Hi Valdikss!
Do you mean by clean profile that privacy settings are set to Standard? As far as we see, Strict anti-tracker settings in Firefox block our forms, but with Standard settings they work. Anyway, adding this page to exceptions should help.
Eric
Thank you for the report
Test
Thanks for your work
Sariv
Thank you!
Cosme Fulanito
THX
Yut
Great report!
Danni
Curious about the content
Securelist
Hi Danni!
If you want to download report you need to fill in another form. If you don’t see it, please add this page to exceptions in your adblocker and/or browser settings.
a1ex
thanks for ttp
jack chen
this is so helpful
Maxim Desmond
fantastic report
bee meruado
could you make getting the report more straightforward? I whitelisted your site, wrote a comment and subscribed to your weekly whatever.. what else is there? buy a 50-years subscription and promise not visit an http page ever just to see a damned download button?
Securelist
Hi Bee!
To get the report you need to fill in one form (a screenshot of the form is here: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/03205911/The-form.png). This form is not loaded if something blocks the script, like strict privacy settings in Firefox do. If whitelisting the page didn’t help you to see the form, we’d suggest you to open this page in Chrome browser with script blocking plugins off. As soon as the form is filled in you will see the report in your browser.
scott dunn
Thank you
Edilson Lima
Good title, very good approach