Full Report
Overview Ransomware attacks are still on the rise in 2024. Threat actors continue to launch ransomware attacks because victims infected with ransomware often pay a ransom to recover their data, allowing the attackers to gain profit significantly. Threat actors maintain their anonymity by demanding ransom payments through cryptocurrency, making it difficult for law enforcement […] 게시물 Change of Recovery Disruption Techniques in Ransomware이 ASEC에 처음 등장했습니다.
Analysis Summary
# Tool/Technique: Ransomware Attack (General Trend Summary)
## Overview
This summary focuses on the general trends and life cycle of ransomware attacks observed in 2024, including distribution methods, propagation, execution techniques, and extortion strategies, rather than detailing a single specific malware binary. Ransomware actors profit by infecting victims who are willing to pay ransoms, often demanding payment in cryptocurrency for anonymity.
## Technical Details
- Type: Attack Chain/Methodology
- Platform: Multi-platform (targeting Windows primarily for execution, but initial access and reconnaissance can span various connected systems including IoT)
- Capabilities: Data encryption, data exfiltration (double extortion), system recovery sabotage.
- First Seen: N/A (Describing ongoing trends)
## MITRE ATT&CK Mapping
The description covers multiple stages of an attack lifecycle, mapping to several tactics:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (Implied via vulnerability exploitation for initial access)
- T1078 - Valid Accounts (Implied for maintaining access)
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Implied for maintaining access via backdoors)
- **TA0008 - Lateral Movement**
- T1021 - Remote Services (Implied for spreading across the network)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Implied for C2 communication if backdoors are used)
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
- T1070.004 - Indicator Removal on Host: File Deletion (Deleting restore points/backups)
## Functionality
### Core Capabilities
- **Reconnaissance:** Collecting victim system/network information, including vulnerability discovery, and utilizing tools like Shodan to find Internet-connected devices (e.g., IoT) potentially using default credentials or outdated software.
- **Initial Foothold:** Deploying backdoor malware or escalating privileges to maintain persistent access.
- **Data Encryption:** Targeting and encrypting critical file types (databases, documents, images).
### Advanced Features
- **Lateral Movement:** Spreading the infection across the entire organization, not just the initially compromised system.
- **Recovery Sabotage:** Deleting system restore points, disabling recovery tools, and damaging backup files to complicate recovery efforts.
- **Double Extortion:** Threatening external leakage (exfiltration) of sensitive data in addition to file encryption.
- **Ransomware-as-a-Service (RaaS):** Facilitating attacks by threat actors with low technical proficiency.
## Indicators of Compromise
(Note: Specific IOCs are not provided in the context as it describes general methodology. The following are examples of indicators associated with the *methods* described.)
- File Hashes: [Not specified]
- File Names: [Not specified—depends on specific ransomware variant used]
- Registry Keys: [Not specified—depends on backdoor/persistence mechanism]
- Network Indicators: [Not specified—relies on C2 infrastructure used by the specific RaaS/actor]
- Behavioral Indicators: Evidence of large-scale file modification/encryption, deletion of Volume Shadow Copies (`vssadmin delete shadows`), network scanning (using tools similar to Shodan locally), and communication with known C2 infrastructure during the post-exploitation phase.
## Associated Threat Actors
- Threat actors leveraging the RaaS model.
- Cybercriminal groups engaged in financially motivated attacks.
## Detection Methods
- **Signature-based detection:** Dependent on the specific ransomware binary deployed.
- **Behavioral detection:** Monitoring for rapid, widespread file encryption activities, modification/deletion of shadow copies, and attempts to establish persistent backdoors. Monitoring for the use of legitimate tools (living off the land) for lateral movement.
- **YARA rules:** [Not specified]
## Mitigation Strategies
- **Prevention measures:** Robust patching, strong network segmentation to limit lateral movement, strict monitoring of outbound connections, and strict control over the use of administrative tools.
- **Hardening recommendations:** Implementing strong multi-factor authentication (MFA), enforcing least privilege, disabling unnecessary services, and regularly testing and isolating backups offline.
## Related Tools/Techniques
- **Reconnaissance Tools:** Shodan (used externally for mapping ingress points).
- **Techniques:** Lateral Movement (T1021), Data Encrypted for Impact (T1486), Ransomware-as-a-Service (RaaS).