Kaspersky's Threat Intelligence team has analysed the most common tactics, techniques and procedures (TTPs) used by the eight most active ransomware groups, among them Conti and Lockbit2.0, during their attacks. The research shows that the groups share more than half of the so-called 'cyber kill chain' and execute the core stages of their attacks in the same way. The study is intended to help defenders understand how these groups operate and how to defend against them.
The analysis covers Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups operated primarily in the United States, Britain and Germany, and between March 2021 and March 2022 targeted more than 500 organisations, mainly in manufacturing, software development and the small-business sector.
Over 150 pages, the practical guide walks through the stages of ransomware deployment, the tools the attackers favour and the objectives they pursue at each stage. It also includes advice on defending against targeted ransomware attacks and a set of SIGMA detection rules that defenders can use to spot these techniques in their own telemetry.
Kaspersky's Threat Intelligence team mapped how the ransomware groups employ the tactics and techniques described in MITRE ATT&CK and found many similarities in their TTPs along the cyber kill chain. The attacks turned out to be fairly predictable, following a pattern of initial access to the victim's corporate network or endpoint, malware delivery, discovery, credential access, deletion of backups, and finally execution of the attackers' objective.
Analysts also explain the similarity between the attacks:
- The rise of Ransomware-as-a-Service (RaaS), in which the ransomware developers do not carry out the intrusion themselves but supply the encryptor to affiliates. The affiliates who deliver the malware save themselves 'work' by using templated delivery methods and automation tools to gain access.
- Reusing old and similar tools makes life easier for attackers and reduces the preparation time for an attack.
- Reusing common TTPs makes intrusions easier. While each of these techniques can be detected, it is much harder to do so pre-emptively across every possible attack vector.
- Slow installation of updates and patches among victims.
Systematising the TTPs used by the attackers has produced a general set of SIGMA rules, mapped to MITRE ATT&CK, that help detect such attacks.
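As an added illustration of what a SIGMA rule mapped to ATT&CK looks like and how it is evaluated, the block below expresses a rule for the "deleting backups" stage of the chain described above (ATT&CK T1490, Inhibit System Recovery) and runs it over a handful of constructed Windows process-creation events. The rule, the minimal matcher and the sample events are all written here for this page; none of them is taken from the Kaspersky report, and a real deployment would use the Sigma toolchain (sigma-cli or pySigma) to convert rules into SIEM queries rather than this hand-rolled evaluator. The matcher supports only the `contains`, `startswith`, `endswith` and `all` modifiers and `N of selection_*` conditions.

```python
"""Sigma-style detection for ransomware backup deletion (ATT&CK T1490),
evaluated over constructed sample events.

Added example for this page: the rule, matcher and events are illustrative
and are NOT taken from the Kaspersky report or the Sigma project.
"""
import re
from fnmatch import fnmatchcase

# Hypothetical Sigma rule in the same shape as a real Sigma YAML rule.
# Field names use Sigma modifiers: Field|contains, Field|endswith, ...|all.
SIGMA_RULE = {
    "title": "Shadow Copy and Recovery Tampering",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_vss": {
            "Image|endswith": ["\\vssadmin.exe", "\\wmic.exe"],
            "CommandLine|contains|all": ["shadow", "delete"],
        },
        "selection_bcdedit": {
            "Image|endswith": "\\bcdedit.exe",
            "CommandLine|contains": ["recoveryenabled no",
                                     "bootstatuspolicy ignoreallfailures"],
        },
        "selection_wbadmin": {
            "Image|endswith": "\\wbadmin.exe",
            "CommandLine|contains": "delete catalog",
        },
        "condition": "1 of selection_*",
    },
    "tags": ["attack.impact", "attack.t1490"],
}


def _field_matches(event, spec, values):
    """Evaluate one 'Field|modifier' entry. Sigma string matching is
    case-insensitive; a list of values is OR unless the 'all' modifier is set."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    vals = [values] if isinstance(values, (str, int)) else list(values)
    vals = [str(v).lower() for v in vals]
    op = next((m for m in mods if m in ("contains", "startswith", "endswith")), None)

    def one(v):
        if op == "contains":
            return v in actual
        if op == "startswith":
            return actual.startswith(v)
        if op == "endswith":
            return actual.endswith(v)
        return actual == v  # no modifier: exact match

    results = [one(v) for v in vals]
    return all(results) if "all" in mods else any(results)


def _selection_matches(event, selection):
    """All fields inside a selection must match (AND)."""
    return all(_field_matches(event, spec, vals) for spec, vals in selection.items())


def evaluate_rule(rule, event):
    """Return True if the event satisfies the rule's condition.
    Supports a bare selection name or 'N of <glob>' / 'all of <glob>'."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    if condition in selections:
        return _selection_matches(event, selections[condition])
    m = re.fullmatch(r"(\d+|all) of (\S+)", condition)
    if not m:
        raise ValueError("unsupported condition: " + condition)
    count, pattern = m.groups()
    names = [n for n in selections if fnmatchcase(n, pattern)]
    hits = sum(_selection_matches(event, selections[n]) for n in names)
    needed = len(names) if count == "all" else int(count)
    return hits >= needed


# Constructed process-creation events, not real logs. The fourth is a benign
# administrative query that shares a keyword with the malicious ones.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
]


def run_detection(rule=SIGMA_RULE, events=SAMPLE_EVENTS):
    """Return the command lines of the events the rule fires on."""
    return [e["CommandLine"] for e in events if evaluate_rule(rule, e)]


if __name__ == "__main__":
    for cmd in run_detection():
        print("ALERT", SIGMA_RULE["tags"][-1], cmd)
```

The benign `vssadmin list shadows` event is the reason the rule uses `contains|all` with both "shadow" and "delete": matching on the executable name alone would page the SOC every time an administrator inventories shadow copies, which is exactly the kind of noise that makes ransomware precursors get ignored.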
"In recent years, ransomware has become a nightmare for the entire cybersecurity industry, with constant developments and improvements by ransomware operators. Cybersecurity specialists find it challenging and time-consuming to study each ransomware group and track the activities and developments of each, in an attempt to win the race between attackers and defenders. We have been tracking the activity of several ransomware groups for a long time, and this report represents the results of a huge amount of analysis. It is intended to serve as a guide for cybersecurity professionals working in all types of organisations, making their work easier," says Nikita Nazarov, Team Lead of Kaspersky's Threat Intelligence team.
This report is aimed at SOC analysts, threat detection teams, cyber threat intelligence analysts, digital forensic specialists and cybersecurity experts who are involved in the incident response process and/or those who want to protect the environment they are responsible for from targeted ransomware attacks.
In order for businesses to protect themselves from these ransomware attacks, Kaspersky recommends:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions that provide access to remote employees and act as gateways into the network.
- Always keep software updated on all devices to prevent ransomware from exploiting vulnerabilities.
- Focus the defence strategy on detecting lateral movement and exfiltration of data to the Internet, as well as paying special attention to outbound traffic to detect cybercriminal connections.
- Back up data regularly and ensure that data can be accessed quickly in case of emergency.
- Use solutions that help identify and stop the attack in the early stages, before cybercriminals reach their ultimate targets.
- Train employees to protect the corporate environment.
- Use a reliable endpoint security solution.
- Use the latest Threat Intelligence information to stay on top of the actual TTPs used by threat actors.