TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Ransomware Initial Access Brokers Exposed

2025-04-10 · Read original ↗

ATT&CK techniques detected

20 predictions. Each entry gives the technique, the confidence score assigned to it, and the excerpt of the article it was predicted from; a technique appears more than once when several excerpts trigger it.
T1110 · Brute Force · 97%
"…through static IOCs or TTPs. Conclusion: Ransomware continues to disrupt businesses large and small alike. For many security professionals, a brute force is a “bread and butter” technique that's been covered and written about for many years. Many analysts may see a brute force…"

T1003.001 · LSASS Memory · 90%
"…incident: a successful brute force occurs, the threat actor lands in the network, and proceeds to enumerate said network prior to being discovered and shut down by the SOC. This time, however, upon reviewing other bits of telemetry after isolating the network, we discovered some…"

T1110 · Brute Force · 89%
"…intrusions are often written about in a linear fashion, neatly mapped to frameworks like ATT&CK, the reality is that analysts often receive signals for intrusions that are normally found in the “middle” of a threat actor's kill chain. This means that once a signal is receiv…"

T1486 · Data Encrypted for Impact · 88%
"…lens of techniques, tactics, procedures, and other abstract elements. We often hear terms like “initial access brokers” but often don't get an inside view into their operations, particularly through an infrastructure lens. In this case, we can see how these nefarious actors o…"

T1021.001 · Remote Desktop Protocol · 87%
"Ransomware Initial Access Brokers Exposed. Every intrusion that we comb over here at Huntress is different in its own way. Although there are definitely discernible patterns when it comes to intrusions, us analysts are often left guessing as to threat actors' intentions and motiv…"

T1003.004 · LSA Secrets · 87%
"…hard evidence, we can only offer educated speculation as to why this dynamic plays out the way it does. Our hypothesis is that most threat actors have a playbook that's followed. Extracting passwords from the registry or from LSASS can be performed in a playbook-type fashion,…"

T1110 · Brute Force · 87%
"…multitude of accounts were targeted via this brute force attack, only one account was successfully compromised. Using this compromised account as a pivot point, we discovered that the account had been compromised from multiple IP addresses. This dynamic is at least somewhat atypi…"

T1003.001 · LSASS Memory · 83%
"…hard evidence, we can only offer educated speculation as to why this dynamic plays out the way it does. Our hypothesis is that most threat actors have a playbook that's followed. Extracting passwords from the registry or from LSASS can be performed in a playbook-type fashion,…"

T1003 · OS Credential Dumping · 75%
"…incident: a successful brute force occurs, the threat actor lands in the network, and proceeds to enumerate said network prior to being discovered and shut down by the SOC. This time, however, upon reviewing other bits of telemetry after isolating the network, we discovered some…"

T1563.002 · RDP Hijacking · 54%
"Ransomware Initial Access Brokers Exposed. Every intrusion that we comb over here at Huntress is different in its own way. Although there are definitely discernible patterns when it comes to intrusions, us analysts are often left guessing as to threat actors' intentions and motiv…"

T1486 · Data Encrypted for Impact · 54%
"[Image: pivot from certificate fingerprint hash to additional domains] Interestingly, this domain name is very similar to the legitimate VPN site, but without the extra “s” after “1vpn”: https[:]//1vpn[.]org/ Some domain names mean nothing and are random but h…"

T1219 · Remote Access Tools · 51%
"Ransomware Initial Access Brokers Exposed. Every intrusion that we comb over here at Huntress is different in its own way. Although there are definitely discernible patterns when it comes to intrusions, us analysts are often left guessing as to threat actors' intentions and motiv…"

T1110.004 · Credential Stuffing · 47%
"…intrusions are often written about in a linear fashion, neatly mapped to frameworks like ATT&CK, the reality is that analysts often receive signals for intrusions that are normally found in the “middle” of a threat actor's kill chain. This means that once a signal is receiv…"

T1486 · Data Encrypted for Impact · 43%
"Ransomware Initial Access Brokers Exposed. Every intrusion that we comb over here at Huntress is different in its own way. Although there are definitely discernible patterns when it comes to intrusions, us analysts are often left guessing as to threat actors' intentions and motiv…"

T1021.001 · Remote Desktop Protocol · 42%
"…multitude of accounts were targeted via this brute force attack, only one account was successfully compromised. Using this compromised account as a pivot point, we discovered that the account had been compromised from multiple IP addresses. This dynamic is at least somewhat atypi…"

T1133 · External Remote Services · 37%
"…multitude of accounts were targeted via this brute force attack, only one account was successfully compromised. Using this compromised account as a pivot point, we discovered that the account had been compromised from multiple IP addresses. This dynamic is at least somewhat atypi…"

T1080 · Taint Shared Content · 34%
"Ransomware Initial Access Brokers Exposed. Every intrusion that we comb over here at Huntress is different in its own way. Although there are definitely discernible patterns when it comes to intrusions, us analysts are often left guessing as to threat actors' intentions and motiv…"

T1110.004 · Credential Stuffing · 34%
"…multitude of accounts were targeted via this brute force attack, only one account was successfully compromised. Using this compromised account as a pivot point, we discovered that the account had been compromised from multiple IP addresses. This dynamic is at least somewhat atypi…"

T1021.001 · Remote Desktop Protocol · 33%
"…intrusions are often written about in a linear fashion, neatly mapped to frameworks like ATT&CK, the reality is that analysts often receive signals for intrusions that are normally found in the “middle” of a threat actor's kill chain. This means that once a signal is receiv…"

T1133 · External Remote Services · 32%
"…intrusions are often written about in a linear fashion, neatly mapped to frameworks like ATT&CK, the reality is that analysts often receive signals for intrusions that are normally found in the “middle” of a threat actor's kill chain. This means that once a signal is receiv…"

Summary

Discover how a seemingly simple brute force attack led to the uncovering of a suspected ransomware-as-a-service operation. This ecosystem appears to be leveraged by initial access brokers, driving an illicit and complex network of cybercrime.