Top Ransomware TTPs
At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment. “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday. Do you have anything readily findable for that? Also looking for any type of frequency analysis for what techniques are most commonly used by adversaries. If we can get a prioritized list of 3-5 things, that's a lot easier to manage than a best practices guide of 20-100, especially for small organizations that don't have much in the way of IT or infosec staff.”
We took a data-driven approach to answer this question by leveraging the ATT&CK Navigator JSON mappings we provide in our #ThreatThursday posts on Conti, DarkSide, Egregor, Ryuk, and Maze. We then merged them all into a single Navigator view in which each TTP's score grows with the number of families that use it, so the maximum score means all 5 ransomware families use the respective TTP.
Cyber Threat Intelligence
Ransomware is the impact stage of an intrusion. Most of the time, we see multiple groups working together: one gains access, one moves laterally, and one exfiltrates data and deploys the ransomware across multiple systems before demanding a ransom. Our work at SCYTHE is mostly assumed breach, so we are going to focus on the business impact, which happens when the ransomware is deployed.
We leveraged our #ThreatThursday work on Conti, DarkSide, Egregor, Ryuk, and Maze. Each of those posts involves consuming Cyber Threat Intelligence, mapping it to MITRE ATT&CK, creating an adversary emulation plan, executing the attack, and discussing detection and response. We share the MITRE ATT&CK Navigator layer as well as the adversary emulation plan in our Community Threats GitHub.
Since we already had the ATT&CK mapping and Navigator layer for each of the 5 ransomware families we have covered, we just needed to massage the data to merge the layers. Shout out to MITRE for providing the Navigator tool and documentation on how to combine layers. Essentially all you have to do is give each TTP a score in each layer; we gave each TTP a score of 5. The combined layer's score is the sum of the per-layer scores, so a TTP used by more families scores higher. The source of those Navigator layers is available on GitHub:
- Open all 5 layers in Navigator
- Create a new tab and Click “Create Layer from other layers”
- Select domain: Enterprise ATT&CK v9
- For score expression input: a + b + c + d + e
- Click Create
We changed some of the colors so that green and light green show TTPs used by one or two of the ransomware families, yellow by three, orange by four, and red the TTPs used by all 5. You can view the PNG file here.
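The same merge can be done without the Navigator UI, which is handy when the layers change and you want to regenerate the combined view from a script. The following is an added example (not SCYTHE's code) that reproduces the "Create Layer from other layers" step with score expression a + b + c + d + e: it reads Navigator layer JSON (a top-level "techniques" list whose entries carry "techniqueID" and "score"), sums the scores per technique, and writes a new layer that Navigator can import. The five sample layers embedded in it are constructed for the example and hold only a handful of techniques; they are not the real #ThreatThursday mappings, and the gradient hex colours are assumed.

```python
"""Merge ATT&CK Navigator layers by summing per-technique scores.

Added example (not SCYTHE's code): it reproduces the Navigator
"Create Layer from other layers" step with score expression a+b+c+d+e
offline, so the merged layer can be generated, diffed and re-run without
the UI.  Layer files follow the Navigator layer JSON format: a top-level
"techniques" list whose entries carry "techniqueID" and "score".
The five sample layers below are constructed for this example and hold
only a handful of techniques; they are NOT the real #ThreatThursday mappings.
"""
import json
from collections import defaultdict

PER_LAYER_SCORE = 5  # the post scores every TTP in every layer as 5

# Constructed sample layers; the real ones live in SCYTHE's Community Threats repo.
SAMPLE_LAYERS = {
    "Conti":    ["T1078", "T1059.001", "T1071", "T1486", "T1053.005"],
    "DarkSide": ["T1078", "T1059.001", "T1071", "T1486", "T1041"],
    "Egregor":  ["T1078", "T1059.001", "T1486", "T1041"],
    "Ryuk":     ["T1078", "T1059.001", "T1486", "T1053.005"],
    "Maze":     ["T1078", "T1486", "T1041"],
}


def make_layer(name, technique_ids, score=PER_LAYER_SCORE):
    """Build a minimal Navigator layer dict for one adversary."""
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": score} for t in technique_ids],
    }


def load_layers(paths):
    """Read exported Navigator layer JSON files from disk."""
    layers = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            layers.append(json.load(fh))
    return layers


def merge_layers(layers, name="Top Ransomware TTPs"):
    """Sum each technique's score across all layers (a + b + c + ...).

    A technique absent from a layer contributes 0, which is how Navigator
    treats an unscored technique in the score expression.
    """
    totals = defaultdict(int)
    for layer in layers:
        for entry in layer["techniques"]:
            totals[entry["techniqueID"]] += entry.get("score", 0)
    return {
        "name": name,
        "versions": layers[0]["versions"],
        "domain": layers[0]["domain"],
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(totals.items())],
        # One colour per "number of families", matching the post's legend
        # (green/light green, yellow, orange, red).  Hex values are assumed.
        "gradient": {
            "colors": ["#8ec843", "#c8e08a", "#ffe766", "#ff9f43", "#ff6666"],
            "minValue": PER_LAYER_SCORE,
            "maxValue": PER_LAYER_SCORE * len(layers),
        },
    }


def top_techniques(merged, n=10):
    """Return (techniqueID, score) pairs, highest score first, ties by ID."""
    ranked = sorted(merged["techniques"], key=lambda e: (-e["score"], e["techniqueID"]))
    return [(e["techniqueID"], e["score"]) for e in ranked[:n]]


def families_using(merged, technique_id, per_layer_score=PER_LAYER_SCORE):
    """Turn a summed score back into 'how many families use this TTP'."""
    for e in merged["techniques"]:
        if e["techniqueID"] == technique_id:
            return e["score"] // per_layer_score
    return 0


if __name__ == "__main__":
    layers = [make_layer(n, ids) for n, ids in SAMPLE_LAYERS.items()]
    merged = merge_layers(layers)
    with open("top_ransomware_ttps.json", "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)  # importable straight into Navigator
    for tid, score in top_techniques(merged):
        print(f"{tid:<10} score={score:<3} families={families_using(merged, tid)}")
```

To use it on the real layers, replace the `make_layer` calls with `load_layers([...])` over the five exported JSON files; the top-N list it prints is the same ranking the Navigator view shows, and the "families" column recovers the count behind the colour.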
Top Ransomware Behaviors & TTPs
The result of our work aggregating the top 5 Ransomware TTPs is available dynamically via ATT&CK Navigator here. We also provide an Excel, JSON, and PNG file in our Community Threats GitHub. For easier reading, below is a table with the top 10 TTPs.
These are the top 10 ransomware TTPs or behaviors used by Conti, DarkSide, Egregor, Ryuk, and Maze ransomware.

| Tactic | Technique |
|---|---|
| Initial Access | T1078 - Valid Accounts |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell |
| Command and Control | T1071 - Application Layer Protocol; T1573 - Encrypted Channel (HTTPS) |
| Discovery | T1082 - System Information Discovery; T1057 - Process Discovery |
| Privilege Escalation | T1053.005 - Scheduled Task/Job: Scheduled Task |
| Collection | T1074.001 - Data Staged: Local Data Staging; T1560 - Archive Collected Data |
| Exfiltration | T1041 - Exfiltration Over C2 Channel (HTTPS) |
| Impact | T1486 - Data Encrypted for Impact |
As usual, we built an adversary emulation plan for these TTPs and shared it in our Community Threats GitHub. Below is a video of the emulation.
Detect and Respond
Prevention is a goal, detection is a requirement. These top ransomware TTPs cover the actions on objectives of an attack. Detecting and responding at this stage is late, but better than no detection at all. Since these are the top ransomware TTPs, the recommendations below map to them:
- Enable multi-factor authentication on all user accounts (Internet-facing services first, then internal ones), and above all on anything that grants privileged access, since Valid Accounts is the main method of initial access.
- Detect and alert on PowerShell execution, the top execution method used by ransomware. Enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) so the command content is visible; tuning will be required to reduce the volume of events from legitimate tooling that relies on PowerShell.
- Route all outbound Internet traffic through a proxy, since HTTPS is the top command and control channel; a proxy gives a single place to log destinations and to block direct egress from endpoints.
- Detect and alert on systems that repeatedly call out to the same domain at a regular interval, as this beaconing pattern is characteristic of command and control traffic.
- Baseline and monitor the volume of outbound traffic per host so that exfiltration stands out.
- Detect and alert when new scheduled tasks are created (Windows Security event 4698, which requires the Other Object Access Events audit subcategory, or Task Scheduler operational log event 106).
- Establish and regularly test backup and recovery from offline sources.
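The two network recommendations above (beaconing to one domain, and unusual outbound volume) are easy to state and slightly less easy to turn into a rule, so the following added example (not SCYTHE's code) runs both checks over proxy log lines. The log format is a constructed, simplified one of the form "<UTC timestamp> <src_ip> <dest_host> <bytes_out>", and the log lines, hosts and addresses in it are made up for the example; map your proxy's fields onto that shape before use. The thresholds (five hits, 20% interval jitter, 100 MB) are starting points, not tuned values.

```python
"""Spot beaconing and bulk egress in outbound proxy logs.

Added example (not SCYTHE's code) for the two C2/exfiltration checks
above: hosts that call the same domain at a near-constant interval, and
hosts that push an unusual volume of bytes outbound.  The log format is a
constructed, simplified one: "<UTC timestamp> <src_ip> <dest_host> <bytes_out>".
Map your proxy's fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 beacons to updates.example.net roughly
# every 300 s while also browsing normally; 10.0.0.9 uploads ~150 MB.
SAMPLE_PROXY_LOG = """\
2021-07-01T10:00:00Z 10.0.0.5 updates.example.net 812
2021-07-01T10:00:30Z 10.0.0.5 cdn.example.net 4500
2021-07-01T10:00:31Z 10.0.0.5 cdn.example.net 12000
2021-07-01T10:05:02Z 10.0.0.5 updates.example.net 790
2021-07-01T10:09:58Z 10.0.0.5 updates.example.net 801
2021-07-01T10:12:10Z 10.0.0.5 cdn.example.net 3300
2021-07-01T10:15:01Z 10.0.0.5 updates.example.net 805
2021-07-01T10:20:00Z 10.0.0.5 updates.example.net 798
2021-07-01T10:24:59Z 10.0.0.5 updates.example.net 811
2021-07-01T10:30:03Z 10.0.0.5 updates.example.net 795
2021-07-01T10:40:00Z 10.0.0.5 cdn.example.net 900
2021-07-01T10:40:05Z 10.0.0.5 cdn.example.net 2200
2021-07-01T11:00:00Z 10.0.0.9 storage.example.org 52428800
2021-07-01T11:01:00Z 10.0.0.9 mail.example.net 1500
2021-07-01T11:03:00Z 10.0.0.9 storage.example.org 52428800
2021-07-01T11:06:00Z 10.0.0.9 storage.example.org 52428800
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Flag (src, host) pairs contacted at a near-constant interval.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is low for a beacon even with jitter; human browsing is
    bursty and scores high.  Pairs with fewer than min_hits connections
    are skipped to avoid alerting on one-off lookups.
    """
    times = defaultdict(list)
    for ts, src, host, _ in events:
        times[(src, host)].append(ts)
    beacons = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "host": host, "hits": len(stamps),
                            "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


def find_bulk_egress(events, threshold_bytes=100_000_000):
    """Return (src, host, total_bytes_out) for pairs above the threshold."""
    totals = defaultdict(int)
    for _, src, host, nbytes in events:
        totals[(src, host)] += nbytes
    hits = [(src, host, total) for (src, host), total in totals.items() if total >= threshold_bytes]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    evts = parse_log(SAMPLE_PROXY_LOG)
    for b in find_beacons(evts):
        print(f"BEACON  {b['src']} -> {b['host']}: {b['hits']} hits every ~{b['mean_interval_s']}s (cv={b['cv']})")
    for src, host, total in find_bulk_egress(evts):
        print(f"EGRESS  {src} -> {host}: {total/1e6:.1f} MB outbound")
```

On the sample data only the 10.0.0.5 to updates.example.net pair is flagged as a beacon (seven hits about 300 seconds apart with a few seconds of jitter), while the same host's bursty browsing to cdn.example.net is not; the 10.0.0.9 uploads are too few to count as a beacon but trip the volume check. In production, feed the checks a sliding window (for example the last 24 hours) and suppress known update and telemetry domains, which beacon legitimately.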
We have used a data-driven approach to identify the top ransomware behaviors based on our previous #ThreatThursday work on Conti, DarkSide, Egregor, Ryuk, and Maze. We merged their ATT&CK Navigator layers into one, extracted the most common TTPs, and built an adversary emulation plan so organizations can attack, detect, and respond to them. Because these behaviors are the ones with the most business impact, detection and response should ideally occur as early in the kill chain as possible.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.