"…Configuration change - sample submission. Privilege escalation: the adversary likely used a well-known UAC bypass privilege escalation technique, often utilized by several other ransomware groups such as LockBit and BlackCat/ALPHV. This technique results in an elevated process…"
T1486 Data Encrypted for Impact (98%)
"…py delete. Both of these commands were detected and alerted via the Huntress platform, but by that point, the file encryption process was already underway. Incident 2: while investigating incident 2, analysts determined that the Huntress agent deployment was extremely limited, in…"
T1560.001 Archive via Utility (98%)
"….nc1 -x*.metadata -x*.dg -x*.inp -x*.dat -x*.tiff -x*.tiger -x*.pcp -x*.rvt -x*.rws -x*.nwc -x*.tif -x*.frx -x*.dyf -x*.rcs -x*.diff C:\[redacted].rar \\[redacted]\C$\Users\ This was observed across three different hos…"
T1486 Data Encrypted for Impact (96%)
"…disable Windows Defender. Rather, in this instance, Windows Defender did detect the ransomware process, but recorded a Microsoft-Windows-Windows Defender/1119 failure event, as illustrated in Figure 7. Unfortunately, the ransomware execution was not prevented, and as with t…"
T1486 Data Encrypted for Impact (92%)
"It's not safe to pay safepa. Background: during October 2024, Huntress analysts observed two incidents involving the deployment of SafePay ransomware across disparate customer infrastructures separated by business vertical and geography. In both incidents, the encrypted file exte…"
T1134 Access Token Manipulation (92%)
"…onedrive - sqlmangr. Service termination: ransomware attempts to stop services that are running via ControlService. Below are services it attempts to stop: vss, sqlsvc, memtas, mepocs, msexchange, sophos, veeam, backup, gxvss, gxblr, gxfwd, gxcvd, gxcimgr. Privilege a…"
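The service list quoted above is the kind of thing a detection engineer turns into a hunt: a single service stopping is routine, but the same host stopping several backup, database and AV services within seconds is a strong precursor to encryption. The following is an added example written for this page, not code from Huntress or from the ransomware. It reads service state transitions from a constructed, line-oriented log whose format is an assumption (hostnames and timestamps are invented), and alerts when at least three of the targeted services stop on one host inside a 60-second window.

```python
"""Burst detector for the service-stop behaviour described above.

Added example, not Huntress's or the malware's code. It reads service state
transitions from a constructed, line-oriented log (the format is an
assumption) and alerts when several of the targeted backup, AV and database
services are stopped on one host inside a short window.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Services the report says the ransomware tries to stop via ControlService.
TARGET_SERVICES = {
    "vss", "sqlsvc", "memtas", "mepocs", "msexchange", "sophos", "veeam",
    "backup", "gxvss", "gxblr", "gxfwd", "gxcvd", "gxcimgr",
}

# Constructed sample log; hostnames, timestamps and format are invented.
SAMPLE_LOG = """\
2024-10-14T03:11:58Z host=FS01 event=service_state service=Spooler state=stopped
2024-10-14T03:12:01Z host=FS01 event=service_state service=vss state=stopped
2024-10-14T03:12:01Z host=FS01 event=service_state service=sqlsvc state=stopped
2024-10-14T03:12:02Z host=FS01 event=service_state service=veeam state=stopped
2024-10-14T03:12:02Z host=FS01 event=service_state service=memtas state=stopped
2024-10-14T03:12:03Z host=FS01 event=service_state service=sophos state=stopped
2024-10-14T09:30:00Z host=FS02 event=service_state service=veeam state=stopped
2024-10-14T09:30:45Z host=FS02 event=service_state service=veeam state=running
2024-10-14T11:00:00Z host=FS02 event=service_state service=vss state=stopped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=service_state "
    r"service=(?P<svc>\S+) state=(?P<state>\S+)$"
)

Event = Tuple[datetime, str, str, str]


def parse_log(log: str) -> List[Event]:
    """Parse lines into (timestamp, host, service, state); skip non-matching lines."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["host"], m["svc"].lower(), m["state"].lower()))
    return events


def detect_service_stop_bursts(log: str, window_seconds: int = 60,
                               min_services: int = 3) -> Dict[str, List[str]]:
    """Return {host: targeted services stopped} for every host on which at least
    min_services distinct targeted services stopped within window_seconds."""
    stops: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, host, svc, state in parse_log(log):
        if state == "stopped" and svc in TARGET_SERVICES:
            stops.setdefault(host, []).append((ts, svc))
    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, List[str]] = {}
    for host, events in stops.items():
        events.sort()
        # Slide a window starting at each stop; the first one that covers
        # enough distinct targeted services triggers the alert for that host.
        for i, (t0, _) in enumerate(events):
            seen = {svc for ts, svc in events[i:] if ts - t0 <= window}
            if len(seen) >= min_services:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, services in detect_service_stop_bursts(SAMPLE_LOG).items():
        print(f"{host}: {len(services)} targeted services stopped: {', '.join(services)}")
```

FS02 in the sample stops a single targeted service twice over hours and never trips the rule; FS01 stops five of them in five seconds and does. The window and threshold are tunable, and in practice the same logic would be fed from System log 7036 events or EDR service telemetry rather than the constructed lines here.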
T1486 Data Encrypted for Impact (91%)
"…, and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence. During incident 1, the threat actor was observed using a freely available PowerShell script to map accessible shares, which were then fed to the file encryption process. Acros…"
T1489 Service Stop (86%)
"String encryption: most of the strings throughout the binary are obfuscated with a simple three-step XOR loop consisting of a random single-byte key, the index of the character, and the first byte of kernel32.dll ('M'). Process termination: malware attempts to stop certain…"
T1134.001 Token Impersonation/Theft (82%)
"…way they are implementing this is by calling DuplicateToken to obtain an impersonation (thread) token from a primary (process) token. We can see this in the code snippet below: after this token handle is set to a global variable, it is then used in another function that call…"
T1048 Exfiltration Over Alternative Protocol (81%)
"…. This activity looks like potential data exfiltration from the network — collected and archived with WinRAR and then possibly exfiltrated using FTP (no network evidence of this activity was collected). Finally, on the second day following the use of the PowerShell script, …"
T1486 Data Encrypted for Impact (79%)
"…. This activity looks like potential data exfiltration from the network — collected and archived with WinRAR and then possibly exfiltrated using FTP (no network evidence of this activity was collected). Finally, on the second day following the use of the PowerShell script, …"
T1560.001 Archive via Utility (77%)
"…iving files can be seen as follows: winrar.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.jpeg -x*.raw -x*.psd -x*.tiff -x*.bmp -x*.gif -x*.jpg -x*.mov -x*.pst -x*.fit -x*.fil -x*.mp4 -x*.avi -x*.mov -x*.mdb -x*.iso -…"
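The WinRAR command line quoted above (and the longer exclusion list quoted earlier with the C$ admin-share source) carries several staging traits worth detecting on their own: 5 GB volume splitting (-v5g), store-only compression (-m0), an age filter (-tn1000d), collection from a remote admin share, and exclusion of bulky media types. The following is an added example written for this page, not Huntress's code; it parses a WinRAR command line and reports those traits. The sample command line is constructed from the snippet with its [redacted] placeholders kept as-is, and the switch meanings follow WinRAR's documented -v, -m, -mt, -tn, -r, -ed and -x options.

```python
"""Command-line triage for the WinRAR archiving observed above.

Added example, not Huntress's code. It parses a WinRAR command line into
command, switches, exclusions and paths, then flags the staging traits the
report describes: volume splitting, store-only compression, an age filter,
collection from a remote admin share, and exclusion of bulky media types.
"""
import re
from typing import Any, Dict, List

# Constructed from the snippet above; [redacted] placeholders are kept as-is.
SAMPLE_CMDLINE = (
    r"winrar.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.jpeg -x*.raw "
    r"-x*.psd -x*.tiff -x*.bmp -x*.gif -x*.jpg -x*.mov -x*.pst -x*.fit "
    r"-x*.fil -x*.mp4 -x*.avi -x*.mov -x*.mdb -x*.iso "
    r"C:\[redacted].rar \\[redacted]\C$\Users" "\\"
)

SWITCH_RE = re.compile(r"-([a-z]+)(.*)")          # letters, then the switch value
UNC_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[A-Za-z]\$(\\|$)")  # \\host\C$ or \\host\C$\...
MEDIA_EXT = {"jpeg", "jpg", "raw", "psd", "tiff", "tif", "bmp", "gif",
             "mov", "mp4", "avi", "iso"}


def parse_winrar(cmdline: str) -> Dict[str, Any]:
    """Split 'winrar.exe <command> [switches] <archive> [sources]' into parts."""
    toks = cmdline.split()  # the sample has no quoted arguments
    if len(toks) < 2:
        raise ValueError("expected: winrar.exe <command> [switches] <archive> [files]")
    switches: Dict[str, str] = {}
    excludes: List[str] = []
    paths: List[str] = []
    for tok in toks[2:]:
        if tok.startswith("-x"):                 # -x<mask>: exclude files
            excludes.append(tok[2:])
        elif tok.startswith("-"):
            m = SWITCH_RE.fullmatch(tok)
            if not m:
                raise ValueError(f"unrecognised switch {tok!r}")
            switches[m.group(1)] = m.group(2)    # e.g. 'v' -> '5g', 'tn' -> '1000d'
        else:
            paths.append(tok)
    return {
        "exe": toks[0], "command": toks[1], "switches": switches,
        "excludes": excludes,
        "archive": paths[0] if paths else None, "sources": paths[1:],
    }


def staging_indicators(parsed: Dict[str, Any]) -> List[str]:
    """Return the exfiltration-staging traits present in a parsed command line."""
    sw = parsed["switches"]
    hits: List[str] = []
    if parsed["command"] != "a":
        return hits                              # only archive creation matters here
    if "v" in sw:
        hits.append("volume_split")              # -v<size>: chunked for transfer
    if sw.get("m") == "0":
        hits.append("store_only")                # -m0: no compression, fastest collection
    if "tn" in sw or "to" in sw:
        hits.append("time_filter")               # -tn/-to: select files by age
    if any(UNC_ADMIN_SHARE.match(p) for p in parsed["sources"]):
        hits.append("remote_admin_share")        # collecting another host's C$ over SMB
    media = {e.lstrip("*.").lower() for e in parsed["excludes"]} & MEDIA_EXT
    if len(media) >= 3:
        hits.append("media_excluded")            # skipping bulky, low-value media
    return hits


if __name__ == "__main__":
    parsed = parse_winrar(SAMPLE_CMDLINE)
    print("archive:", parsed["archive"], "sources:", parsed["sources"])
    print("indicators:", ", ".join(staging_indicators(parsed)))
```

A legitimate backup job (`winrar.exe a backup.rar C:\Users\me\Documents`) yields no indicators; the quoted command line yields all five, which is a far stronger signal than alerting on every `winrar.exe a` execution.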
T1078 Valid Accounts (75%)
"…py delete. Both of these commands were detected and alerted via the Huntress platform, but by that point, the file encryption process was already underway. Incident 2: while investigating incident 2, analysts determined that the Huntress agent deployment was extremely limited, in…"
T1548.002 Bypass User Account Control (74%)
"…are settings such as automatic file submission and real-time threat protection. Normally, these settings are set by Group Policy, local security policies, or by custom configurations during initial setup of the system. Changes made by administrators will typically be made throu…"
T1021.001 Remote Desktop Protocol (69%)
"…py delete. Both of these commands were detected and alerted via the Huntress platform, but by that point, the file encryption process was already underway. Incident 2: while investigating incident 2, analysts determined that the Huntress agent deployment was extremely limited, in…"
T1059.001 PowerShell (68%)
"…. This activity looks like potential data exfiltration from the network — collected and archived with WinRAR and then possibly exfiltrated using FTP (no network evidence of this activity was collected). Finally, on the second day following the use of the PowerShell script, …"
T1134.002 Create Process with Token (66%)
"…way they are implementing this is by calling DuplicateToken to obtain an impersonation (thread) token from a primary (process) token. We can see this in the code snippet below: after this token handle is set to a global variable, it is then used in another function that call…"
T1486 Data Encrypted for Impact (61%)
"String encryption: most of the strings throughout the binary are obfuscated with a simple three-step XOR loop consisting of a random single-byte key, the index of the character, and the first byte of kernel32.dll ('M'). Process termination: malware attempts to stop certain…"
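The string obfuscation described in the snippet above (quoted twice on this page) is cheap to reverse once its shape is known: each byte is XORed with a single-byte key, with its own index, and with 0x4D, the 'M' that begins kernel32.dll's MZ header. The following decoder is an added example written for this page, not the malware's code. Its assumptions are that the index is 0-based and reduced modulo 256, that the strings are ASCII, and that the sample "string table" below is constructed (the names are taken from the report, the key 0x5A is chosen for the illustration). Because XOR is symmetric, one routine both encodes and decodes, and the key can be brute-forced from a known API-name prefix or from printability.

```python
"""Decoder for the three-term XOR string obfuscation described above.

Added example, not the malware's own code. Assumptions: each byte is XORed
with (key ^ index ^ 0x4D), the index is 0-based and reduced modulo 256, and
strings are ASCII. XOR is symmetric, so the same routine encodes and decodes.
"""
from typing import List, Optional

MZ_FIRST_BYTE = 0x4D  # 'M', the first byte of kernel32.dll's DOS header


def xor3(data: bytes, key: int) -> bytes:
    """Apply byte ^ key ^ (index & 0xFF) ^ 0x4D to every byte (encode or decode)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key ^ (i & 0xFF) ^ MZ_FIRST_BYTE for i, b in enumerate(data))


def encode_string(plain: str, key: int) -> bytes:
    return xor3(plain.encode("ascii"), key)


def decode_string(blob: bytes, key: int) -> str:
    return xor3(blob, key).decode("ascii", errors="replace")


def _looks_like_text(buf: bytes) -> bool:
    return all(0x20 <= c < 0x7F or c in (0x09, 0x0A, 0x0D) for c in buf)


def recover_keys(blob: bytes, known_prefix: Optional[bytes] = None) -> List[int]:
    """Brute-force the single-byte key.

    With a known plaintext prefix (e.g. b"Control" for an imported API name)
    the key is fixed by the first byte; without one, return every key that
    yields printable ASCII so an analyst can review the candidates.
    """
    hits: List[int] = []
    for key in range(256):
        out = xor3(blob, key)
        if known_prefix is not None and not out.startswith(known_prefix):
            continue
        if _looks_like_text(out):
            hits.append(key)
    return hits


# Constructed sample string table: names from the report, obfuscated here with
# a key chosen for the illustration. Not bytes taken from the real binary.
SAMPLE_KEY = 0x5A
SAMPLE_TABLE = [encode_string(s, SAMPLE_KEY)
                for s in ("ControlService", "DuplicateToken", "veeam")]


def decode_table(table: List[bytes], key: int) -> List[str]:
    return [decode_string(blob, key) for blob in table]


if __name__ == "__main__":
    for blob in SAMPLE_TABLE:
        print(blob.hex(), "->", decode_string(blob, SAMPLE_KEY))
    print("candidate keys from prefix:", recover_keys(SAMPLE_TABLE[0], b"Control"))
```

Against a real sample the blobs would be carved from the binary's string table and the key read from the decryption routine; the brute-force path is for the case where only the blobs are at hand, and a known API or service name (the report lists several) pins the key immediately.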
T1059.001 PowerShell (57%)
"…simply lists past victims to be clicked on and expanded for more details. At the time of writing, there are 22 victims listed. Clicking on their name opens a modal to either download a text file that lists the filenames and folder structure for the stolen data, or the data itself…"
T1059.003 Windows Command Shell (57%)
"…) 2. Are scripting interpreters (cmd, PowerShell, etc.). 3. Can be used for system binary proxy execution. These methods can be used to find signs of potential privilege escalation using this COM object UAC bypass method. We created a couple of new Sigma rules to detect some of t…"
T1560.001 Archive via Utility (50%)
"…. This activity looks like potential data exfiltration from the network — collected and archived with WinRAR and then possibly exfiltrated using FTP (no network evidence of this activity was collected). Finally, on the second day following the use of the PowerShell script, …"
T1080 Taint Shared Content (50%)
"…py delete. Both of these commands were detected and alerted via the Huntress platform, but by that point, the file encryption process was already underway. Incident 2: while investigating incident 2, analysts determined that the Huntress agent deployment was extremely limited, in…"
T1679 Selective Exclusion (44%)
"…disable Windows Defender. Rather, in this instance, Windows Defender did detect the ransomware process, but recorded a Microsoft-Windows-Windows Defender/1119 failure event, as illustrated in Figure 7. Unfortunately, the ransomware execution was not prevented, and as with t…"
T1003 OS Credential Dumping (42%)
"…py delete. Both of these commands were detected and alerted via the Huntress platform, but by that point, the file encryption process was already underway. Incident 2: while investigating incident 2, analysts determined that the Huntress agent deployment was extremely limited, in…"
T1055.003 Thread Execution Hijacking (39%)
"…way they are implementing this is by calling DuplicateToken to obtain an impersonation (thread) token from a primary (process) token. We can see this in the code snippet below: after this token handle is set to a global variable, it is then used in another function that call…"
T1546.008 Accessibility Features (37%)
"…are settings such as automatic file submission and real-time threat protection. Normally, these settings are set by Group Policy, local security policies, or by custom configurations during initial setup of the system. Changes made by administrators will typically be made throu…"
T1134 Access Token Manipulation (32%)
"…way they are implementing this is by calling DuplicateToken to obtain an impersonation (thread) token from a primary (process) token. We can see this in the code snippet below: after this token handle is set to a global variable, it is then used in another function that call…"
T1080 Taint Shared Content (31%)
"…simply lists past victims to be clicked on and expanded for more details. At the time of writing, there are 22 victims listed. Clicking on their name opens a modal to either download a text file that lists the filenames and folder structure for the stolen data, or the data itself…"
Summary
Huntress has observed Akira ransomware affiliates in action, as well as ReadText34 and INC ransomware being deployed.