Ransomware Techniques in ATT&CK

by | Jan 16, 2021

UNDERSTAND ADVERSARY TACTICS & TECHNIQUES

MITRE ATT&CK® is a globally-accessible, structured knowledge base of adversary cyber tactics, techniques, and sub-techniques that is based on real-world observations.  Tactics represent the “why” of an ATT&CK technique or sub-technique.  Techniques represent “how” an adversary achieves a tactical objective by performing an action.  Sub-techniques further break down behaviors described by techniques into more specific descriptions of how behavior is used to achieve an objective.  By using this structured knowledge of how real-world adversaries operate in cyber space to attack their victims, defenders can better prepare for, detect, and protect against those wishing to do them harm.

The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. For this Ransomware Resource Center, we have created a specific view within the ATT&CK Navigator that highlights the known ransomware actors, software, and their tactics and techniques that are presently documented in ATT&CK.  ATT&CK primarily focuses on APT groups though it may also include other advanced groups such as financially motivated actors.  Many of the ransomware actors are small-scale cyber criminals, this list is not comprehensive.  However, most of the tactics and techniques that are presented here are likely representative of behaviors exhibited by other groups and actors that are not presently cataloged in ATT&CK.

MITRE also publishes Deploying Cyber Analytics, which can provide a means to detect known adversary behavior.  For this Ransomware Resource Center, we have identified the relevant analytics that pertain to the techniques and subtechniques highlighted in the Navigator view, below.

Below are the techniques, software, and groups that are presently documented in ATT&CK.  This information continues to evolve.  Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.

Common Ransomware Techniques in ATT&CK

T1566: Phishing

    1. Description: A common entry point for ransomware is through phishing via malicious email attachments and/or links.
    2. Detection: There are several tools to help aid in detecting phishing avenues, such as anti-virus software to examine potentially malicious documents/files, network intrusion detection systems, and third-party services that leverage TLS/SSL inspection. URL inspection within emails can also help detect whether links are malicious.
    3. Mitigation: Several mitigations exist for this behavior. Proper user training is critical for being able to prevent users being socially engineered. Antivirus software, network intrusion prevention systems, and restrictions on web-based contents can also aid in the prevention of ransomware infiltrating an environment.

T1486: Data Encrypted for Impact

    1. Description: This technique is indicative of ransomware. Adversaries will encrypt specific data and files in order to then request the ransom for the files to be decrypted.
    2. Detection: Monitor and search for large quantities of file modifications in user directories as well as processes. Systems that centralize file storage in an organization are the best place to implement this type of detection.
    3. Mitigation: The main mitigation is to implement a data backup and recovery plan.

T1083: File and Directory Discovery

    1. Description: Most ransomware will search for specific file extensions and folders on a system before determining what to encrypt and lock for ransom.
    2. Detection: Monitor processes and command-line arguments to search for actions that are indicative of file and directory reconnaissance.
    3. Mitigation: There are no mitigations for this type of behavior.

T1041: Exfiltration over C2

    1. Description: This involves the ransomware exfiltrating the information to extort the victim by threatening to publish the stolen data.
    2. Detection: Analyze network data for uncommon data flows.
    3. Mitigation: Implement a network intrusion detection and prevention system to use signatures for blocking transmissions by specific adversary malware. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection and prevention by common defensive tools.

T1490:  Inhibit System Recovery

    1. Description: Adversaries might delete or disable system recovery features to increase the impact of other ransomware techniques.
    2. Detection: Monitor processes and execution of command line parameters, as well as the status of services involved in system recovery.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1562.001: Impair Defenses – Disable or Modify Tools

    1. Description: Adversaries may disable security tools to avoid detection.
    2. Detection: Monitor processes ensure security tools are running. The Registry can also be monitored for changes made to critical services or startup programs.
    3. Mitigation: Several mitigations exist for this activity. Restricting file/directory and Registry permissions as well as properly configuring user permissions is important.

T1485: Data Destruction

    1. Description: Individual files are destroyed or overwritten to make data irrecoverable, increasing the impact of locking files for ransom.
    2. Detection: Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1489: Service Stop

    1. Description: This technique involves the stopping of critical services (e.g., anti-virus, backup).
    2. Detection: Monitor processes and command-line arguments. Review edits to services, the Registry, and the service binary path.
    3. Mitigation: Restrict the file/directory and Registry permissions. Limit privileges for user accounts with respect to changing service configurations.

Ransomware Software in ATT&CK

Groups in ATT&CK That Use Ransomware

Ransomware Campaigns

The ATT&CK Navigator image, below, highlights the techniques in ATT&CK associated with ransomware software, groups that use ransomware, or both according to the legend. Click the image to open ATT&CK Navigator in a new browser window. For a tutorial on how to use the navigator, click on the ? in the upper right corner. To see details, right click on the technique for a menu of options, and select “view technique” or “view tactic”.

LEGEND:

graySoftware groupsGroups CampaignsCampaignsGreen = All 3 (SW, Groups, Campaigns)Green = All 3 (Software, Groups, Campaigns)

orange = groups and softwareGroups & Software blue = Campaigns and SoftwareCampaigns & Softwarered = Campaigns and GroupsCampaigns & Groups

Click image to open ATT&CK in new browser window.

Click to open ATT&CK Navigator in new browser window.

Ransomware Activity Heat Map

The following ATT&CK Navigator image presents techniques that have been leveraged by ransomware threat groups in roughly the last year and a half, based on open-source reporting not limited to ATT&CK. Darker shades represent techniques that have been observed more frequently. Techniques leveraged in the last few months, or those that are present only in third-party software, may not be reflected here. Click image to open Ransomware Activity Heatmap in a new browser window.

LEGEND: 

Legend
Click to view Heatmap

Click to open Ransomware Activity Heatmap in new browser window.

ATTACK FLOW

Attack Flow is a language for describing how cyber adversaries combine and sequence various offensive techniques to achieve their goals. Attack Flows help defenders and leaders understand how adversaries operate and improve their own defensive posture. This project is created and maintained by the MITRE Engenuity Center for Threat-Informed Defense in futherance of our mission to advance the state of the art and the state of the practice in threat-informed defense globally. An example of an Attack Flow is seen below in REvil Attack.

REvil ATTACK Flow

""

Click image to view full flow in new window.

Download REvil flow:  JSON  |  PNG

Ransomware: Getting Started Guide and Deep Dive into REvil

Pin It on Pinterest