Updated Ransomware Analysis Document
Petya
| Stage | Description and Behavior | Associated TTPs (MITRE ATT&CK References) |
|---|---|---|
| Initial Access | Delivered through compromised Ukrainian tax software M.E.Doc, or via email. Executes via `rundll32.exe`. | T1192 - Spearphishing Link, T1189 - Drive-by Compromise, T1060 - Registry Run Keys / Startup Folder |
| Execution | Overwrites the Master Boot Record (MBR), encrypts the Master File Table (MFT), and displays a ransom note. | T1064 - Scripting, T1059 - Command and Scripting Interpreter |
Lapsus$
| Stage | Description and Behavior | Associated TTPs (MITRE ATT&CK References) |
|---|---|---|
| Initial Access | Used stolen SSO authentication cookies, insider recruitment, and VPN access to gain entry. | T1078 - Valid Accounts, T1133 - External Remote Services, T1190 - Exploit Public-Facing Application, T1199 - Trusted Relationship |
| Execution | Used legitimate tools for operations, such as RVTools for VM operations and ADExplorer for reconnaissance. | T1059 - Command and Scripting Interpreter, T1204 - User Execution |
Executive Summary
This document provides a comprehensive analysis of the tactics, techniques, and
procedures (TTPs) associated with three notorious cyber threats: Black Basta, Petya, and
Lapsus$. Black Basta is known for its use of Qakbot and macro-based MS Office documents
for initial access. Petya, distinguishable by its MBR encryption, is notorious for its use of the
EternalBlue exploit and Mimikatz for credential theft. Lapsus$, while not a traditional
ransomware group, focuses on extortion through data exfiltration and disruption,
highlighting the use of social engineering and insider threats. The cumulative assessment of
these groups provides insights into the evolving cyber threat landscape and underscores
the importance of robust cybersecurity measures to protect against a wide range of attack
vectors.
Bad Rabbit Ransomware
| Stage | Description and Behavior | Associated TTPs (MITRE ATT&CK References) |
|---|---|---|
| Initial Access | Drive-by Compromise via fake Adobe Flash installer; requires user execution | T1190 - Exploit Public-Facing Application, T1204 - User Execution |
| Execution | Uses `rundll32.exe` to execute `infpub.dat`, which then executes `dispci.exe` | T1085 - Rundll32, T1059 - Command and Scripting Interpreter |
| Persistence | Creates scheduled tasks; modifies boot process to load DiskCryptor driver `cscc.dat` | T1060 - Registry Run Keys / Startup Folder, T1053 - Scheduled Task |
| Privilege Escalation | Attempts to bypass UAC; uses DiskCryptor for full disk encryption | T1548 - Abuse Elevation Control Mechanism, T1068 - Exploitation for Privilege Escalation |
| Defense Evasion | Masquerades as legitimate Flash installer; clears Windows event logs; uses legitimate DiskCryptor for encryption | T1027 - Obfuscated Files or Information, T1070 - Indicator Removal on Host, T1562.001 - Impair Defenses: Disable or Modify Tools |
| Credential Access | Uses Mimikatz-like functionality to dump credentials | T1003 - OS Credential Dumping, T1056 - Input Capture |
| Discovery | Enumerates SMB shares and open ports; uses UPnP for system fingerprinting | T1087 - Account Discovery, T1135 - Network Share Discovery, T1046 - Network Service Scanning |
| Lateral Movement | Brute forces SMB logons; attempts remote service execution with WMI | T1077 - Windows Admin Shares, T1021 - Remote Services, T1047 - Windows Management Instrumentation |
| Collection | - | - |
| Command and Control | Uses a Tor hidden service for command and control | T1071 - Application Layer Protocol, T1090 - Proxy, T1132 - Data Encoding |
| Exfiltration | - | - |
| Impact | Encrypts files and disks; modifies MBR to display ransom note | T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery |
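The Execution, Persistence and Defense Evasion rows above describe a chain a defender can look for in process-creation telemetry: `rundll32.exe` loading a `.dat` payload, scheduled-task creation, and event-log clearing, all descending from a fake Flash installer. The script below is an added example and is not part of the original document; it runs a few such rules over constructed log lines. The log format (`ts parent= image= cmd=`), the sample paths and task name, and the specific rule conditions are assumptions written for this example, and the rules cover only the behaviours the table names, so they are a starting point for a hunt, not a complete Bad Rabbit signature.

```python
"""Map process-creation events to the Bad Rabbit TTPs listed in the table.

Added example, not from the original document. Log format, sample lines and
rule thresholds are constructed assumptions based only on the table's rows.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample telemetry in an assumed "ts parent= image= cmd=" format.
SAMPLE_LOG = r"""
2024-01-15T12:01:02Z parent=C:\Users\alice\Downloads\install_flash_player.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Windows\infpub.dat,#1"
2024-01-15T12:01:05Z parent=C:\Windows\System32\rundll32.exe image=C:\Windows\System32\schtasks.exe cmd="schtasks.exe /Create /SC ONCE /TN ConstructedTask /TR C:\Windows\dispci.exe"
2024-01-15T12:01:06Z parent=C:\Windows\System32\rundll32.exe image=C:\Windows\System32\wevtutil.exe cmd="wevtutil.exe cl Security"
2024-01-15T12:03:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"
2024-01-15T12:04:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    timestamp: str
    technique: str
    name: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_rundll32_dat(ev: ProcessEvent) -> bool:
    # T1085 - Rundll32: rundll32.exe asked to load a .dat file (infpub.dat in the table).
    return _base(ev.image) == "rundll32.exe" and re.search(r"\.dat\b", ev.command_line, re.I) is not None


def rule_schtasks_create(ev: ProcessEvent) -> bool:
    # T1053 - Scheduled Task: task creation (the table's persistence row).
    return _base(ev.image) == "schtasks.exe" and "/create" in ev.command_line.lower()


def rule_eventlog_clear(ev: ProcessEvent) -> bool:
    # T1070 - Indicator Removal on Host: wevtutil clearing a log (assumed command; the table only says logs are cleared).
    return _base(ev.image) == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", ev.command_line, re.I) is not None


def rule_fake_flash_parent(ev: ProcessEvent) -> bool:
    # T1027 - Obfuscated Files or Information: a "flash" installer under a user profile spawning system binaries.
    parent = _base(ev.parent_image)
    return "flash" in parent and parent.endswith(".exe") and "\\users\\" in ev.parent_image.lower()


RULES = [
    ("T1085", "Rundll32", rule_rundll32_dat),
    ("T1053", "Scheduled Task", rule_schtasks_create),
    ("T1070", "Indicator Removal on Host", rule_eventlog_clear),
    ("T1027", "Obfuscated Files or Information (fake Flash installer)", rule_fake_flash_parent),
]


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the assumed log format, skipping blank lines and rejecting malformed ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(ProcessEvent(m["ts"], m["parent"], m["image"], m["cmd"]))
    return events


def detect(events: list[ProcessEvent]) -> list[Finding]:
    """Apply every rule to every event; one Finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for technique, name, predicate in RULES:
            if predicate(ev):
                findings.append(Finding(ev.timestamp, technique, name, ev.command_line))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Distinct techniques seen; three or more distinct stages on one host is worth a closer look."""
    techniques = sorted({f.technique for f in findings})
    return {"techniques": techniques, "findings": len(findings), "chain_suspected": len(techniques) >= 3}


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f.timestamp, f.technique, f.name, "|", f.command_line)
    print(summarize(hits))
```

The benign `rundll32.exe shell32.dll,Control_RunDLL` line is included deliberately: a rule on `rundll32.exe` alone would fire constantly on a normal workstation, so the match is tied to the `.dat` payload the table names and the summary only flags a host once several distinct stages of the chain appear together.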
References for Bad Rabbit: