Research

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs

These days ransomware analysis gets a lot of coverage in commercial and public reports, with vendors issuing dozens of ransomware-related publications each year. These reports provide analysis on specific malware families or new samples, describe the activities of a particular ransomware group, give general tips on how to prevent ransomware from working, and so on. Malware analysts and security professionals can learn a lot from these reports, but not much of the content has an immediate or practical use. With the release of the report Common TTPs of modern ransomware, Kaspersky experts have taken a different approach. We want to familiarize the reader with the different stages of ransomware deployment, how cybercriminals use RATs and other tools across the various stages and what they aim to achieve. The report also provides a visual guide to defending against targeted ransomware attacks, using the most prolific groups as examples, and introduces the reader to the SIGMA detection rules that we created.

What are the ransomware groups?

For the report we selected the eight most common ransomware groups:

  1. Conti/Ryuk
  2. Pysa
  3. Clop (TA505)
  4. Hive
  5. Lockbit2.0
  6. RagnarLocker
  7. BlackByte
  8. BlackCat

We analyzed in detail the attacks these groups perpetrated and employed techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting their attacks, we saw that the core techniques remain the same throughout the cyber kill chain. The attack patterns revealed are not accidental because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or victim’s computer, delivering malware, further discovery, account hijacking, deleting shadow copies, removing backups and, finally, achieving their objectives.

To highlight the common components and TTPs shared by the ransomware groups across different attack patterns, we’ve created a common cyber kill chain diagram. It provides a visual representation of the techniques and tactics used by different ransomware operators.

Once the incident data relating to the ransomware groups has been collected, we can identify the TTPs characteristic of each of them and then superimpose these onto the shared cyber kill chain. The arrows indicate the sequence of specific techniques and the colours mark the individual groups that have been known to deploy these techniques.

Whom is the report for?

This report is written for SOC analysts, threat hunting teams, cyberthreat intelligence analysts, digital forensics specialists and cybersecurity specialists that are involved in the incident response process and/or want to protect the environment they are responsible for from targeted ransomware attacks. Our main goal is to help with understanding how ransomware groups generally operate and how to defend against their attacks.

You can use this report as a book of knowledge on the main techniques used by ransomware groups, for writing hunting rules and for auditing your security solutions.

The report contains

  • Tactics, techniques and procedures (TTPs) of eight modern ransomware groups: Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat
  • A description of how different groups share more than half of the common components and TTPs, with the core attack stages being executed identically across groups
  • A cyber kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps
  • A detailed analysis of each technique with examples of how they are being used by various groups and a comprehensive list of mitigations
  • SIGMA rules based on described TTPs that can be applied to SIEM solutions

Download the full version of the Common TTPs of modern ransomware report (English, PDF)

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs

Your email address will not be published. Required fields are marked *

 

  1. Joshua

    The Hateful Eight – cool title for report.

  2. Mr Widget

    Thank you.

  3. Greg Schaffer

    Download request.

    1. Securelist

      Hi Greg!

      To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.

  4. Jon

    Interesting

  5. Tajik

    Great insight as ever

  6. Georgie

    Brilliant report!

  7. myyurmwxsbbblbicww@nvhrw.com

    download reques

    1. Securelist

      To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.

  8. Vito Alfano

    Well done!

  9. Luca

    Thanks for sharing the ttps

  10. Sydney

    Great.

  11. Steve

    Thank you

  12. Jhon Carmack

    Very good. Thanks

  13. Joshep Carmi Lau

    Interesting

  14. havale

    thanks

  15. paquito gomez

    Checking the TI

  16. Ransom Aware

    Thank you.

  17. catherine

    thank you

  18. Dawid K.

    Thank you for the very interesting information.

  19. ValdikSS

    The form does not show in Firefox. Works in Chrome, but not in Firefox even with the clean profile.

    1. Securelist

      Hi Valdikss!

      Do you mean by clean profile that privacy settings are set to Standard? As far as we see, Strict anti-tracker settings in Firefox block our forms, but with Standard settings they work. Anyway, adding this page to exceptions should help.

  20. Eric

    Thank you for the report

  21. Test

    Thanks for your work

  22. Sariv

    Thank you!

  23. Cosme Fulanito

    THX

  24. Yut

    Great report!

  25. Danni

    Curious about the content

    1. Securelist

      Hi Danni!

      If you want to download report you need to fill in another form. If you don’t see it, please add this page to exceptions in your adblocker and/or browser settings.

  26. a1ex

    thanks for ttp

  27. jack chen

    this is so helpful

  28. Maxim Desmond

    fantastic report

  29. bee meruado

    could you make getting the report more straightforward? I whitelisted your site, wrote a comment and subscribed to your weekly whatever.. what else is there? buy a 50-years subscription and promise not visit an http page ever just to see a damned download button?

    1. Securelist

      Hi Bee!

      To get the report you need to fill in one form (a screenshot of the form is here: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/03205911/The-form.png). This form is not loaded if something blocks the script, like strict privacy settings in Firefox do. If whitelisting the page didn’t help you to see the form, we’d suggest you to open this page in Chrome browser with script blocking plugins off. As soon as the form is filled in you will see the report in your browser.

Reports

APT trends report Q3 2022

This is our latest summary of advanced persistent threat (APT) activities, focusing on events that we observed during Q3 2022.

APT10: Tracking down LODEINFO 2022, part I

The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.

Subscribe to our weekly e-mails

The hottest research right in your inbox