5 Common Ransomware ATT&CK Techniques

December 16, 2021 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Insikt Group identified the MITRE ATT&CK TTPs used by ransomware operators. This report is intended for SOC analysts and anyone involved in threat hunting.

Executive Summary

Ransomware continues to evade detection and infect enterprise networks of every industry. Defenders need to continually mature their dynamic detections, such as Sigma rules, to detect and stop a ransomware attack. Insikt Group analyzed common techniques used by ransomware operators, mapped them to the MITRE ATT&CK framework, and developed 5 Sigma rules to detect these techniques, which are available to Recorded Future clients. 

The ATT&CK techniques highlighted in this research align with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report, where the Defense Evasion tactic was the most commonly seen tactic in 2020. 

The 5 ransomware techniques detailed in this report are as follows:

  • 3 techniques from the Defense Evasion tactic: Disable or Modify Tools, Disable or Modify System Firewall, and Pre-OS Boot
  • 1 technique from the Command and Control tactic: Ingress Tool Transfer
  • 1 technique from the Privilege Escalation tactic: Group Policy Modification

Key Judgments

  • Ransomware operators continue to focus on developing techniques to evade defenses, aligning with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report. 
  • Sigma rules focused on particular TTPs used by threat actors can detect malicious behavior before the deployment of ransomware in many cases.
  • Sigma rules aligned with MITRE ATT&CK can help organizations define mitigations based on specific threat actor TTPs.
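To make the last two judgments concrete, here is a minimal evaluator for Sigma-style detection logic (field selections with `contains`/`startswith`/`endswith` modifiers, a filter block, and a `selection and not filter` condition) run over constructed Windows event records. This is an added example, not code from the report or from Recorded Future; the rule, its event IDs and the hostnames are assumptions made for illustration, and the rule covers only one of the five techniques (Disable or Modify Tools).

```python
"""Minimal Sigma-style rule evaluator over constructed Windows event records."""

# Constructed rule laid out like a Sigma rule. Assumptions: Microsoft Defender
# logs EventID 5001 to its Operational channel when real-time protection is
# turned off, and Sigma's ATT&CK tags use the attack.tNNNN.NNN form.
RULE_DEFENDER_DISABLED = {
    "title": "Defender real-time protection disabled",
    "tags": ["attack.defense_evasion", "attack.t1562.001"],  # Disable or Modify Tools
    "logsource": {"product": "windows", "service": "windefend"},
    "detection": {
        "selection": {"Channel|endswith": "Windows Defender/Operational", "EventID": 5001},
        # Constructed exclusion: lab hosts where Defender is disabled on purpose.
        "filter": {"Computer|startswith": "LAB-"},
        "condition": "selection and not filter",
    },
}

# Sigma value modifiers; comparisons are case-insensitive like Sigma's defaults.
_OPS = {"": str.__eq__, "contains": lambda a, w: w in a,
        "startswith": str.startswith, "endswith": str.endswith}

def _field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry; a list of values is an OR."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    wanted = expected if isinstance(expected, list) else [expected]
    return any(_OPS[modifier](str(actual).lower(), str(w).lower()) for w in wanted)

def _block_matches(event, block):
    """All entries of a selection/filter block must hold (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    det = rule["detection"]
    hit = _block_matches(event, det["selection"])
    if "filter" in det and det["condition"] == "selection and not filter":
        hit = hit and not _block_matches(event, det["filter"])
    return hit

def scan(rule, events):
    """Return (Computer, ATT&CK technique tag) for every event the rule fires on."""
    tech = [t for t in rule["tags"] if t.startswith("attack.t")]
    return [(e["Computer"], tech[0]) for e in events if rule_matches(rule, e)]

# Constructed events: two tampering events, one excluded lab host, one other Defender event ID.
CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    {"Channel": CHANNEL, "EventID": 5001, "Computer": "FS01"},
    {"Channel": CHANNEL, "EventID": 5001, "Computer": "LAB-07"},
    {"Channel": CHANNEL, "EventID": 5004, "Computer": "WS22"},
    {"Channel": CHANNEL, "EventID": 5001, "Computer": "DC01"},
]

if __name__ == "__main__":
    for host, tag in scan(RULE_DEFENDER_DISABLED, SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```

Mapping each hit back to its `attack.t...` tag is what lets a SOC pivot from a single alert to the technique-level mitigations the report recommends.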
