MITRE ATT&CK® is a globally-accessible, structured knowledge base of adversary cyber tactics, techniques, and sub-techniques that is based on real-world observations. Tactics represent the “why” of an ATT&CK technique or sub-technique. Techniques represent “how” an adversary achieves a tactical objective by performing an action. Sub-techniques further break down behaviors described by techniques into more specific descriptions of how behavior is used to achieve an objective. By using this structured knowledge of how real-world adversaries operate in cyber space to attack their victims, defenders can better prepare for, detect, and protect against those wishing to do them harm.

The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. For this Ransomware Resource Center, we have created a specific view within the ATT&CK Navigator that highlights the known ransomware actors, software, and their tactics and techniques that are presently documented in ATT&CK. ATT&CK primarily focuses on APT groups though it may also include other advanced groups such as financially motivated actors. Many of the ransomware actors are small-scale cyber criminals, this list is not comprehensive. However, most of the tactics and techniques that are presented here are likely representative of behaviors exhibited by other groups and actors that are not presently cataloged in ATT&CK.

MITRE also publishes the Cyber Analytics Repository (CAR), which can provide a means to detect known adversary behavior. For this Ransomware Resource Center, we have identified the relevant analytics that pertain to the techniques and subtechniques highlighted in the Navigator view, below.

Below are the techniques, software, and groups that are presently documented in ATT&CK. This information continues to evolve. Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.

Common Ransomware Techniques in ATT&CK

T1566: Phishing

    1. Description: A common entry point for ransomware is through phishing via malicious email attachments and/or links.
    2. Detection: There are several tools to help aid in detecting phishing avenues, such as anti-virus software to examine potentially malicious documents/files, network intrusion detection systems, and third-party services that leverage TLS/SSL inspection. URL inspection within emails can also help detect whether links are malicious.
    3. Mitigation: Several mitigations exist for this behavior. Proper user training is critical for being able to prevent users being socially engineered. Antivirus software, network intrusion prevention systems, and restrictions on web-based contents can also aid in the prevention of ransomware infiltrating an environment.

T1486: Data Encrypted for Impact

    1. Description: This technique is indicative of ransomware. Adversaries will encrypt specific data and files in order to then request the ransom for the files to be decrypted.
    2. Detection: Monitor and search for large quantities of file modifications in user directories as well as processes. Systems that centralize file storage in an organization are the best place to implement this type of detection.
    3. Mitigation: The main mitigation is to implement a data backup and recovery plan.

T1083: File and Directory Discovery

    1. Description: Most ransomware will search for specific file extensions and folders on a system before determining what to encrypt and lock for ransom.
    2. Detection: Monitor processes and command-line arguments to search for actions that are indicative of file and directory reconnaissance.
    3. Mitigation: There are no mitigations for this type of behavior.

T1041: Exfiltration over C2

    1. Description: This involves the ransomware exfiltrating the information to extort the victim by threatening to publish the stolen data.
    2. Detection: Analyze network data for uncommon data flows.
    3. Mitigation: Implement a network intrusion detection and prevention system to use signatures for blocking transmissions by specific adversary malware. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection and prevention by common defensive tools.

T1490:  Inhibit System Recovery

    1. Description: Adversaries might delete or disable system recovery features to increase the impact of other ransomware techniques.
    2. Detection: Monitor processes and execution of command line parameters, as well as the status of services involved in system recovery.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1562.001: Impair Defenses – Disable or Modify Tools

    1. Description: Adversaries may disable security tools to avoid detection.
    2. Detection: Monitor processes ensure security tools are running. The Registry can also be monitored for changes made to critical services or startup programs.
    3. Mitigation: Several mitigations exist for this activity. Restricting file/directory and Registry permissions as well as properly configuring user permissions is important.

T1485: Data Destruction

    1. Description: Individual files are destroyed or overwritten to make data irrecoverable, increasing the impact of locking files for ransom.
    2. Detection: Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1489: Service Stop

    1. Description: This technique involves the stopping of critical services (e.g., anti-virus, backup).
    2. Detection: Monitor processes and command-line arguments. Review edits to services, the Registry, and the service binary path.
    3. Mitigation: Restrict the file/directory and Registry permissions. Limit privileges for user accounts with respect to changing service configurations.

Ransomware Software in ATT&CK

The ATT&CK Navigator view below highlights the techniques in ATT&CK associated with ransomware software, groups that use ransomware or both according to the legend. For a tutorial on how to use the navigator, click on the ? in the upper right corner. To see details, right click on the technique for a menu of options, and select “view technique” or “view tactic”.

LEGEND: graySoftware GroupsGroups Green = BothBoth

Pin It on Pinterest