UNDERSTAND ADVERSARY TACTICS & TECHNIQUES

MITRE ATT&CK® is a globally-accessible, structured knowledge base of adversary cyber tactics, techniques, and sub-techniques that is based on real-world observations. Tactics represent the “why” of an ATT&CK technique or sub-technique. Techniques represent “how” an adversary achieves a tactical objective by performing an action. Sub-techniques further break down the behaviors described by techniques into more specific descriptions of how a behavior is used to achieve an objective. By using this structured knowledge of how real-world adversaries operate in cyberspace to attack their victims, defenders can better prepare for, detect, and protect against those wishing to do them harm.

ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something people already do today in tools such as Excel. For this Ransomware Resource Center, we created a specific view in ATT&CK Navigator that highlights the known ransomware actors and software, and the tactics and techniques they use, that are currently documented in ATT&CK. ATT&CK focuses primarily on APT groups, although it may also include other advanced groups, such as financially motivated actors. Many ransomware actors are small-scale cyber criminals, and this list is not comprehensive. However, most of the tactics and techniques presented here likely represent behaviors exhibited by other groups and actors that are not yet categorized in ATT&CK.

MITRE also publishes Deploying Cyber Analytics, which can provide a means to detect known adversary behavior. For this Ransomware Resource Center, we have identified the relevant analytics that pertain to the techniques and sub-techniques highlighted in the Navigator view, below.

Below are the techniques, software, and groups that are presently documented in ATT&CK. This information continues to evolve. Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.

Common Ransomware Techniques in ATT&CK

T1566: Phishing

    1. Description: A common entry point for ransomware is through phishing via malicious email attachments and/or links.
    2. Detection: Several tools can help detect phishing avenues, such as antivirus software that inspects potentially malicious documents/files, network intrusion detection systems, and third-party services that make use of TLS/SSL inspection. URL inspection within email can also help detect whether a link is malicious.
    3. Mitigation: Several mitigations exist for this behavior. Proper user training is critical for preventing users from being socially engineered. Antivirus software, network intrusion prevention systems, and restrictions on web-based content can also aid in preventing ransomware from infiltrating an environment.

T1486: Data Encrypted for Impact

    1. Description: This technique is indicative of ransomware. Adversaries will encrypt specific data and files in order to then request the ransom for the files to be decrypted.
    2. Detection: Monitor and search for large quantities of file modifications in user directories as well as processes. Systems that centralize file storage in an organization are the best place to implement this type of detection.
    3. Mitigation: The main mitigation is to implement a data backup and recovery plan.
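The detection guidance for T1486 above (watch for large numbers of file modifications under user directories) can be turned into a simple sliding-window rule. The following is an added example written for this page, not code from MITRE or ATT&CK: the event line format, the user-directory prefixes, the 60-second window and the 20-modification threshold are all assumptions, and the sample events are constructed.

```python
"""Sliding-window burst detector for file modifications in user directories (T1486).

Added example, not MITRE's code. Event format, prefixes and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

USER_DIR_PREFIXES = ("C:\\Users\\", "/home/")  # assumption: where user data lives
WINDOW = timedelta(seconds=60)                   # assumption: sliding window length
BURST_THRESHOLD = 20                             # assumption: modifications per process per window


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Parse a constructed 'ts=<iso> proc=<name> op=<op> path=<path>' line.

    The path is the last field, so it may contain spaces."""
    fields = {}
    for token in line.split(" ", 3):
        key, _, value = token.partition("=")
        fields[key] = value
    return datetime.fromisoformat(fields["ts"]), fields["proc"], fields["op"], fields["path"]


def in_user_dir(path: str) -> bool:
    """True when the path lies under one of the assumed user-data locations."""
    return path.startswith(USER_DIR_PREFIXES)


def detect_bursts(lines: List[str]) -> List[dict]:
    """Return one alert per process whose user-directory file modifications
    reach BURST_THRESHOLD inside any WINDOW-long sliding window."""
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts = []
    # Process events in time order (ISO timestamps sort lexicographically).
    for line in sorted(lines, key=lambda l: l.split(" ", 1)[0]):
        ts, proc, op, path = parse_event(line)
        if op not in ("modify", "rename") or not in_user_dir(path):
            continue
        q = windows[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and proc not in alerted:
            alerted.add(proc)
            # Record the extensions seen in the burst; a single new extension across
            # many rewritten files is a useful triage hint for analysts.
            exts = {p.rsplit(".", 1)[-1].lower() for _, p in q if "." in p}
            alerts.append({"process": proc, "count": len(q),
                           "window_start": q[0][0], "extensions": sorted(exts)})
    return alerts


def _build_sample_events() -> List[str]:
    """Constructed sample telemetry (not real data)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Benign: a word processor saving a handful of documents over five minutes.
    for i in range(3):
        t = base + timedelta(minutes=i * 2)
        lines.append(f"ts={t.isoformat()} proc=winword.exe op=modify "
                     f"path=C:\\Users\\alice\\Documents\\report{i}.docx")
    # Ignored: an installer churning through a system temp directory (not a user directory).
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"ts={t.isoformat()} proc=msiexec.exe op=modify "
                     f"path=C:\\Windows\\Temp\\pkg{i}.tmp")
    # Suspicious: one process rewriting 25 user files to a new extension within 30 seconds.
    for i in range(25):
        t = base + timedelta(minutes=10, seconds=i)
        lines.append(f"ts={t.isoformat()} proc=updater.exe op=rename "
                     f"path=C:\\Users\\alice\\Documents\\photo{i}.jpg.enc")
    return lines


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores the system-directory churn, which is why the page recommends scoping this detection to user data and to the systems that centralize file storage: a per-process count over user directories is a far quieter signal than a raw write count across the whole host.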

T1083: File and Directory Discovery

    1. Description: Most ransomware will search for specific file extensions and folders on a system before determining what to encrypt and lock for ransom.
    2. Detection: Monitor processes and command-line arguments to search for actions that are indicative of file and directory reconnaissance.
    3. Mitigation: There is no mitigation for this behavior.

T1041: Exfiltration over C2

    1. Description: This involves the ransomware exfiltrating the information to extort the victim by threatening to publish the stolen data.
    2. Detection: Analyze network data for uncommon data flows.
    3. Mitigation: Implement network intrusion detection and prevention systems that use signatures to block traffic from specific adversary malware. Adversaries may change their tools' command and control signatures over time, or construct them in a way that avoids detection and prevention by common defensive tools.
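"Uncommon data flows" in the T1041 detection guidance above needs a working definition before it can be searched for. The following is an added example, not MITRE's or ATT&CK's code: it combines two assumed conditions, a destination contacted by very few internal hosts and an outbound volume far above that host's own median flow size, and runs them over constructed flow records (the host names, the example.com destinations and the 203.0.113.0/24 documentation addresses are stand-ins).

```python
"""Flag uncommon outbound data flows from flow records (T1041 detection idea).

Added example, not MITRE's code. The rarity and volume thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import DefaultDict, Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str        # internal host
    dst: str        # destination host:port
    bytes_out: int  # bytes sent from src to dst in this flow


# Constructed sample flow records (not real telemetry). 203.0.113.0/24 is an RFC 5737
# documentation range, used here as a stand-in for an unfamiliar external address.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(h, "updates.example.com:443", 60_000) for h in ("ws01", "ws02", "ws03")]
    + [Flow(h, "mail.example.com:443", 45_000) for h in ("ws01", "ws02", "ws03")]
    + [Flow(h, "backup.example.com:443", 30_000) for h in ("ws01", "ws02")]
    + [Flow("ws01", "mail.example.com:443", 52_000) for _ in range(4)]
    + [Flow("ws02", "updates.example.com:443", 48_000) for _ in range(4)]
    + [Flow("ws03", "backup.example.com:443", 2_000_000_000)]  # large, but a destination every host uses
    + [Flow("ws02", "203.0.113.9:443", 120_000)]                # rare destination, ordinary volume
    + [Flow("ws01", "203.0.113.45:443", 900_000_000)]           # rare destination AND outlier volume
)


def destination_popularity(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map each destination to the set of internal hosts that talked to it."""
    hosts_per_dst: DefaultDict[str, Set[str]] = defaultdict(set)
    for f in flows:
        hosts_per_dst[f.dst].add(f.src)
    return dict(hosts_per_dst)


def host_baselines(flows: List[Flow]) -> Dict[str, float]:
    """Median outbound flow size per host; the median resists being skewed by the outlier itself."""
    sizes: DefaultDict[str, List[int]] = defaultdict(list)
    for f in flows:
        sizes[f.src].append(f.bytes_out)
    return {host: median(s) for host, s in sizes.items()}


def find_uncommon_flows(flows: List[Flow], rare_max_hosts: int = 1,
                        volume_factor: float = 20.0) -> List[Flow]:
    """Return flows whose destination is seen from at most `rare_max_hosts` hosts
    AND whose volume is at least `volume_factor` times the source host's median flow."""
    popularity = destination_popularity(flows)
    baseline = host_baselines(flows)
    flagged = []
    for f in flows:
        rare = len(popularity[f.dst]) <= rare_max_hosts
        outlier = f.bytes_out >= volume_factor * baseline[f.src]
        if rare and outlier:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in find_uncommon_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {f.bytes_out:,} bytes (rare destination, outlier volume)")
```

Requiring both conditions is what keeps the large backup upload from ws03 out of the alert list: it is unusual in size but goes to a destination the whole fleet uses. Loosening `rare_max_hosts` trades that precision for recall, which is the tuning knob an analyst would adjust per environment.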

T1490: Inhibit System Recovery

    1. Description: Adversaries might delete or disable system recovery features to increase the impact of other ransomware techniques.
    2. Detection: Monitor the execution of processes and their command-line arguments, as well as the status of services involved in system recovery.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1562.001: Impair Defenses – Disable or Modify Tools

    1. Description: Adversaries may disable security tools to avoid detection.
    2. Detection: Monitor processes to ensure that security tools are running. Changes to critical services or startup programs can also be monitored.
    3. Mitigation: Several mitigations exist for this activity. Restricting file/directory and Registry permissions, and properly configuring user privileges, are important.

T1485: Data Destruction

    1. Description: Individual files are destroyed or overwritten to make data irrecoverable, increasing the impact of locking files for ransom.
    2. Detection: Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete.
    3. Mitigation: Perform and test backups of data and configurations for the operating system. Backups should be immutable or stored offline to protect them from the ransomware. Taking these precautions can help lessen the impact.

T1489: Service Stop

    1. Description: This technique involves the stopping of critical services (e.g., anti-virus, backup).
    2. Detection: Monitor processes and command-line arguments. Look for edits to services, the Registry, and service binary paths.
    3. Mitigation: Restrict file/directory and Registry permissions. Limit the privileges of user accounts with respect to changing service configurations.
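The detection guidance for T1490, T1562.001, T1485 and T1489 above shares two mechanisms: matching process command lines against known patterns, and confirming that recovery and security services are still running. The following is an added example, not MITRE's or ATT&CK's code, that implements both over constructed process-creation events and a constructed service snapshot. The rule set is an illustrative subset of publicly documented indicators (the page itself names SDelete and service stops), the service names are assumptions, and any real deployment would tune and extend both.

```python
"""Command-line rule matching and service-state checks for T1490, T1562.001, T1485 and T1489.

Added example, not MITRE's code. Rules, service names and sample events are assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    technique: str
    name: str
    pattern: "re.Pattern[str]"


# Illustrative rules only; deliberately narrow, and expected to be tuned per environment.
RULES: List[Rule] = [
    Rule("T1490", "Shadow copy deletion",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("T1490", "Automatic recovery disabled via bcdedit",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I)),
    Rule("T1485", "Secure-deletion utility (SDelete) executed",
         re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I)),
    Rule("T1489", "Service stopped from the command line",
         re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)),
    Rule("T1489", "Service start type set to disabled",
         re.compile(r"\bsc(\.exe)?\s+config\b.*\bstart=\s*disabled\b", re.I)),
]

# Services whose absence the page's guidance says to watch for (names are assumptions):
# the endpoint antivirus service (T1562.001) and the Volume Shadow Copy service (T1490).
EXPECTED_RUNNING: Dict[str, str] = {"WinDefend": "T1562.001", "VSS": "T1490"}


def scan_command_lines(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match each process-creation event's command line against RULES.

    Each event is a dict with 'host' and 'cmdline' keys (constructed format)."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({"technique": rule.technique, "rule": rule.name,
                             "host": ev["host"], "cmdline": ev["cmdline"]})
    return hits


def check_service_state(snapshot: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Flag expected services that are not in the 'running' state or are missing entirely."""
    findings = []
    for svc, technique in EXPECTED_RUNNING.items():
        state = snapshot.get(svc, "missing")
        if state != "running":
            findings.append({"technique": technique, "service": svc, "state": state})
    return findings


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows"},
    {"host": "ws01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "cmdline": 'net stop "Acme Backup Agent"'},
    {"host": "ws02", "cmdline": "sdelete64.exe -p 3 C:\\Users\\bob\\Documents\\plan.xlsx"},
    {"host": "ws03", "cmdline": "sc config BackupSvc start= disabled"},
    {"host": "ws03", "cmdline": "net use Z: \\\\fileserver\\share"},
]

# Constructed service snapshot for one host: the antivirus service has been stopped.
SAMPLE_SERVICE_SNAPSHOT: Dict[str, str] = {"WinDefend": "stopped", "VSS": "running",
                                           "Spooler": "running"}

if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['rule']} on {hit['host']}: {hit['cmdline']}")
    for finding in check_service_state(SAMPLE_SERVICE_SNAPSHOT):
        print(f"[{finding['technique']}] {finding['service']} is {finding['state']}")
```

Both checks are cheap enough to run continuously on endpoint telemetry, and the service-state check is the one that catches a tool being stopped through an interface the command-line rules never see, which is why the page lists both approaches rather than one.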

Ransomware Software in ATT&CK

The ATT&CK Navigator image, below, highlights the techniques in ATT&CK associated with ransomware software, groups that use ransomware, or both according to the legend. Click the image to open ATT&CK Navigator in a new browser window. For a tutorial on how to use the navigator, click on the ? in the upper right corner. To see details, right click on the technique for a menu of options, and select “view technique” or “view tactic”.

Legend:

Gray = Software, Groups, Campaigns
Green = All 3 (Software, Groups, Campaigns)
Orange = Groups & Software
Blue = Campaigns & Software
Red = Campaigns & Groups

Ransomware Activity Heatmap

The ATT&CK Navigator image below presents the techniques that ransomware threat groups have leveraged over the past year and a half, based on open-source reporting not limited to ATT&CK. Darker shading represents techniques that were observed more frequently. Techniques seen only in the past few months, or that exist only in third-party software, may not be reflected here. Click the image to open the Ransomware Activity Heatmap in a new browser window.

Legend:

