Research

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs

These days ransomware analysis gets a lot of coverage in commercial and public reports, with vendors issuing dozens of ransomware-related publications each year. These reports provide analysis on specific malware families or new samples, describe the activities of a particular ransomware group, give general tips on how to prevent ransomware from working, and so on. Malware analysts and security professionals can learn a lot from these reports, but not much of the content has an immediate or practical use. With the release of the report Common TTPs of modern ransomware, Kaspersky experts have taken a different approach. We want to familiarize the reader with the different stages of ransomware deployment, how cybercriminals use RATs and other tools across the various stages and what they aim to achieve. The report also provides a visual guide to defending against targeted ransomware attacks, using the most prolific groups as examples, and introduces the reader to the SIGMA detection rules that we created.

What are the ransomware groups?

For the report we selected the eight most common ransomware groups:

  1. Conti/Ryuk
  2. Pysa
  3. Clop (TA505)
  4. Hive
  5. Lockbit2.0
  6. RagnarLocker
  7. BlackByte
  8. BlackCat

We analyzed in detail the attacks these groups perpetrated and employed techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting their attacks, we saw that the core techniques remain the same throughout the cyber kill chain. The attack patterns revealed are not accidental because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or victim’s computer, delivering malware, further discovery, account hijacking, deleting shadow copies, removing backups and, finally, achieving their objectives.

To highlight the common components and TTPs shared by the ransomware groups across different attack patterns, we’ve created a common cyber kill chain diagram. It provides a visual representation of the techniques and tactics used by different ransomware operators.

Once the incident data relating to the ransomware groups has been collected, we can identify the TTPs characteristic of each of them and then superimpose these onto the shared cyber kill chain. The arrows indicate the sequence of specific techniques and the colours mark the individual groups that have been known to deploy these techniques.

Whom is the report for?

This report is written for SOC analysts, threat hunting teams, cyberthreat intelligence analysts, digital forensics specialists and cybersecurity specialists that are involved in the incident response process and/or want to protect the environment they are responsible for from targeted ransomware attacks. Our main goal is to help with understanding how ransomware groups generally operate and how to defend against their attacks.

You can use this report as a book of knowledge on the main techniques used by ransomware groups, for writing hunting rules and for auditing your security solutions.

The report contains

  • Tactics, techniques and procedures (TTPs) of eight modern ransomware groups: Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat
  • A description of how different groups share more than half of the common components and TTPs, with the core attack stages being executed identically across groups
  • A cyber kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps
  • A detailed analysis of each technique with examples of how they are being used by various groups and a comprehensive list of mitigations
  • SIGMA rules based on described TTPs that can be applied to SIEM solutions

Fill the form below to download the Common TTPs of modern ransomware report (English, PDF)

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs

Your email address will not be published.

 

  1. Joshua

    The Hateful Eight – cool title for report.

  2. Mr Widget

    Thank you.

  3. Greg Schaffer

    Download request.

    1. Securelist

      Hi Greg!

      To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.

  4. Jon

    Interesting

  5. Tajik

    Great insight as ever

  6. Georgie

    Brilliant report!

  7. myyurmwxsbbblbicww@nvhrw.com

    download reques

    1. Securelist

      To download report you need to fill in another form. If you don´t see it, please add this page to exceptions in your adblocker and/or browser settings.

  8. Vito Alfano

    Well done!

  9. Luca

    Thanks for sharing the ttps

  10. Sydney

    Great.

  11. Steve

    Thank you

  12. Jhon Carmack

    Very good. Thanks

  13. Joshep Carmi Lau

    Interesting

  14. havale

    thanks

  15. paquito gomez

    Checking the TI

  16. Ransom Aware

    Thank you.

  17. catherine

    thank you

  18. Dawid K.

    Thank you for the very interesting information.

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox