TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Coveware

Uber Verdict Raises New Risks for Ransom Payments

Bill Siegel · 2022-10-26

ATT&CK techniques detected

22 predictions
T1110 Brute Force (98%)
"…stealth depending on the victim’s network structure and defenses. Remote Access Software [T1219]: ransomware threat actors will use legitimate software to maintain an interactive session on victim systems. Common tools observed in Q3 were AnyDesk, TeamViewer, LogMeIn and Tigh…"

T1486 Data Encrypted for Impact (97%)
"Common industries impacted by ransomware in Q3 2022. The increased prevalence of Hive ransomware in Q3 2022 accounted for the increase in attacks on health care organizations. Unlike some groups, Hive does not even attempt to steer clear of impacting health care facilities and dis…"

T1486 Data Encrypted for Impact (94%)
"…forecastable tactic, used principally by small game ransomware actors who can withhold keys from certain systems. The tactic is amateur to the point that most mid- to big-game-hunting ransomware affiliates avoided ever using it out of fear it would damage their reputation. While mo…"

T1486 Data Encrypted for Impact (93%)
"…(-); 2 Hive 13.5% (+1); 3 Black Basta 6% (+2); 4 Dark Angels 3.8% (new in top variants); 4 Phobos 3.8% (+1); 5 Vice Society 3% (new in top variants); 5 AvosLocker 3% (-). Market share of the ransomware attacks: the prevalence of Hive ransomware during the quarter increased materially, risi…"
(Flattened table of top ransomware variants: rank, variant, share of attacks, change in rank.)

T1486 Data Encrypted for Impact (92%)
"…common form of impact observed. This may include forensics logs and artifacts as well that may inhibit an investigation. Data Destruction [T1485]: most of the time, data destruction is aimed at the destruction of forensic artifacts via the use of SDelete or CCleaner. Unfortunate…"

T1486 Data Encrypted for Impact (91%)
"…es? To put it simply, shame is a powerful emotion, and threat actors know how to use it to their advantage. If a company's culture enables shame and deceit to drive security incident handling, then they should not be surprised when compounding effects of these incidents culmi…"

T1021.001 Remote Desktop Protocol (85%)
"…open Remote Desktop (RDP) port (internal or external). OS Credential Dumping [T1003]: OS credential dumping typically occurs after access has already been gained. The most popular tool used by threat actors, regardless of what group they may be associated with, is Mimikatz, …"

T1657 Financial Theft (84%)
Same passage as T1486 (97%) above.

T1485 Data Destruction (81%)
"…have further embraced a ‘live off the land’ philosophy of monetizing access types as they become opportunistically available versus committing to a certain vector. The ‘unknown’ vector increased in Q3 as conclusive evidence confirming the initial vector becomes hard to pin do…"

T1003 OS Credential Dumping (75%)
Same passage as T1021.001 (85%) above.

T1021.002 SMB/Windows Admin Shares (70%)
"…allow remote access or SMB/Windows admin shares. Admin shares are an easy way to share/access tools and malware. These are hidden from users and are only accessible to administrators. Threat actors using Cobalt Strike almost always place it in an admin share. Exploitation of …"

T1657 Financial Theft (68%)
Same passage as T1486 (91%) above.

T1486 Data Encrypted for Impact (61%)
"…incidents on a spectrum that gauges impact vs. legality of the attack. On the green end of the spectrum we could envision a company receiving a responsible disclosure of vulnerability via an established bug bounty program; there is no measurable impact from this event. Another e…"

T1219 Remote Access Tools (52%)
Same passage as T1021.001 (85%) above.

T1657 Financial Theft (51%)
Same passage as T1486 (61%) above.

T1566.004 Spearphishing Voice (45%)
Same passage as T1021.001 (85%) above.

T1657 Financial Theft (44%)
Same passage as T1486 (93%) above.

T1486 Data Encrypted for Impact (38%)
"…failures (i.e. one mistake does not cause the resulting impact…. several mistakes blended together do). When a company has a weak culture of security, compounding happens with very little friction, and impact can mushroom quickly. Similarly, paying a ransom exponentially incre…"

T1486 Data Encrypted for Impact (37%)
"Uber Verdict Raises New Risks for Ransom Payments. Table of contents: The Uber Verdict; Average Ransom Payment; Types of Ransomware; Attack Vectors & MITRE ATT&CK Tactics; Companies Targeted. Unpacking the Uber Verdict: shortly after the end of Q3, Joe Sullivan, the former Uber CSO, was conv…"

T1657 Financial Theft (37%)
Same passage as T1486 (38%) above.

T1080 Taint Shared Content (35%)
Same passage as T1486 (92%) above.

T1133 External Remote Services (32%)
Same passage as T1110 (98%) above.

Summary

The conviction of a high-profile security executive who paid to suppress a data leak has created a new dimension of risk for security executives.