
Coveware

Big Game Hunting is back despite decreasing Ransom Payment Amounts

Bill Siegel · 2023-04-28

ATT&CK techniques detected

23 predictions (technique, confidence, supporting excerpt from the article)

T1021.002 SMB/Windows Admin Shares
99%
“[T1021], which is primarily the use of VNC (like TightVNC) to allow remote access or SMB/Windows Admin Shares. Admin shares are an easy way to share/access tools and malware. These are hidden from users and are only accessible to administrators. Threat actors using Cobalt…”

T1486 Data Encrypted for Impact
98%
“…size companies that may be easier to disrupt, threat actors have shown a preference for simply abandoning the encryption element altogether and focusing their efforts on data-theft-based extortion alone. This has become especially true in today’s climate where ransomware ac…”

T1486 Data Encrypted for Impact
97%
“…’s attack choose to not even bother engaging with the Clop threat actors. This is why Clop did not climb the market share charts, despite impacting 130 companies in a single quarter. Most Commonly Observed Ransomware Variants in Q1 2023 (Rank / Ransomware Type / Market Share / % Change)…”

T1657 Financial Theft
92%
“…cyber extortion economy has been in contraction for several quarters. Given the potential uptick in participants and the perceived lack of risk, ransomware threat actors are making up for lost earnings by going back up-market. They are targeting larger companies and working to…”

T1486 Data Encrypted for Impact
84%
“Big Game Hunting is back despite decreasing Ransom Payment Amounts. Table of contents: Average Ransom Payment; Types of Ransomware; Attack Vectors & MITRE ATT&CK Tactics; Industries Impacted. Midway through Q1 the winds of progress shifted, and we observed a material increase in attacks…”

T1486 Data Encrypted for Impact
77%
“…, or backup replication to maximize the impact of encryption. Data Destruction [T1485]: most of the time, data destruction is aimed at the destruction of forensic artifacts via the use of SDelete or CCleaner. Unfortunately, sometimes ransomware actors destroy production data s…”

T1485 Data Destruction
72%
“…dynamic phishing campaigns are crafted to deploy the QBot trojan within victim environments, providing the initial foothold Black Basta ultimately uses to stage and carry out their attacks (usually a combination of data exfiltration and subsequent encryption). Below are the mos…”

T1021.002 SMB/Windows Admin Shares
72%
“…, or backup replication to maximize the impact of encryption. Data Destruction [T1485]: most of the time, data destruction is aimed at the destruction of forensic artifacts via the use of SDelete or CCleaner. Unfortunately, sometimes ransomware actors destroy production data s…”

T1585.002 Email Accounts
68%
“…of a new variant or RaaS brand does not mean the affiliates of that brand are themselves new. There is no longer any loyalty from a given affiliate to a single RaaS brand. Affiliates are typically able to use several different types of ransomware in a given attack. As an example,…”

T1071.001 Web Protocols
66%
“When establishing command and control, actors will commonly install external tools onto the controlled endpoint in order to further proliferate their movement inside a network. Proxy: Multi-hop [T1090] tactics are used to direct network traffic to an intermediary server to a…”

T1657 Financial Theft
61%
“…similar type of product called GoAnywhere MFT. Clop claimed to have breached 130 enterprises in this attack, stealing terabytes of data from victims and holding it as leverage for extortion. In the Accellion attack of 2021, we estimate between 50-65% of victims ended up paying…”

T1055.001 Dynamic-link Library Injection
58%
“…Indicator Removal on Host: Clear Windows Event Logs [T1070] involves 2 common event logs that get cleared by threat actors, Security and System. Security primarily records authentication, so if cleared, evidence of new account creations, remote access, or lateral movement ca…”

T1486 Data Encrypted for Impact
56%
“…dynamic phishing campaigns are crafted to deploy the QBot trojan within victim environments, providing the initial foothold Black Basta ultimately uses to stage and carry out their attacks (usually a combination of data exfiltration and subsequent encryption). Below are the mos…”

T1486 Data Encrypted for Impact
56%
“…of a new variant or RaaS brand does not mean the affiliates of that brand are themselves new. There is no longer any loyalty from a given affiliate to a single RaaS brand. Affiliates are typically able to use several different types of ransomware in a given attack. As an example,…”

T1657 Financial Theft
54%
“…dynamic phishing campaigns are crafted to deploy the QBot trojan within victim environments, providing the initial foothold Black Basta ultimately uses to stage and carry out their attacks (usually a combination of data exfiltration and subsequent encryption). Below are the mos…”

T1685.001 Disable or Modify Windows Event Log
53%
“…Indicator Removal on Host: Clear Windows Event Logs [T1070] involves 2 common event logs that get cleared by threat actors, Security and System. Security primarily records authentication, so if cleared, evidence of new account creations, remote access, or lateral movement ca…”

T1219 Remote Access Tools
44%
“…exfiltrating it from the bounds of a network. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and control channels. Exfiltration Over Web Service [T1567] is the…”

T1588.001 Malware
39%
“…of a new variant or RaaS brand does not mean the affiliates of that brand are themselves new. There is no longer any loyalty from a given affiliate to a single RaaS brand. Affiliates are typically able to use several different types of ransomware in a given attack. As an example,…”

T1570 Lateral Tool Transfer
38%
“[T1021], which is primarily the use of VNC (like TightVNC) to allow remote access or SMB/Windows Admin Shares. Admin shares are an easy way to share/access tools and malware. These are hidden from users and are only accessible to administrators. Threat actors using Cobalt…”

T1048 Exfiltration Over Alternative Protocol
36%
“…exfiltrating it from the bounds of a network. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and control channels. Exfiltration Over Web Service [T1567] is the…”

T1080 Taint Shared Content
34%
“…, or backup replication to maximize the impact of encryption. Data Destruction [T1485]: most of the time, data destruction is aimed at the destruction of forensic artifacts via the use of SDelete or CCleaner. Unfortunately, sometimes ransomware actors destroy production data s…”

T1070 Indicator Removal
32%
“…Indicator Removal on Host: Clear Windows Event Logs [T1070] involves 2 common event logs that get cleared by threat actors, Security and System. Security primarily records authentication, so if cleared, evidence of new account creations, remote access, or lateral movement ca…”

T1486 Data Encrypted for Impact
32%
“When establishing command and control, actors will commonly install external tools onto the controlled endpoint in order to further proliferate their movement inside a network. Proxy: Multi-hop [T1090] tactics are used to direct network traffic to an intermediary server to a…”

Summary

Ransomware threat actors are moving back up-market in search of lost profits as the cyber extortion economy seeks to halt its contraction.