Techniques, tactics and procedures of ransomware

A deep analysis of modern ransomware families shows that their attack chains overlap enough for universal countermeasures to work against all of them.

Kaspersky experts have studied the eight most-common ransomware groups and analyzed their techniques, tactics, and procedures in detail.

Kaspersky experts conducted an in-depth analysis of the tactics, techniques and procedures (TTPs) of the eight most widespread ransomware families: Conti/Ryuk, Pysa, Clop, Hive, LockBit 2.0, RagnarLocker, BlackByte and BlackCat. Comparing the tools and methods the cybercriminals use at each attack stage, they concluded that many groups operate according to much the same scheme. This makes it possible to build effective universal countermeasures that protect a company's infrastructure against ransomware regardless of which group is behind the attack.

You can find the full report with a detailed analysis and examples of each technique in the Common TTPs of modern ransomware groups document. The study is intended primarily for Security Operations Center (SOC) analysts, threat hunting and threat intelligence experts, and incident response and investigation specialists.

It also contains rules in SIGMA format for detecting the malicious techniques described. A full version of the report with an expanded set of SIGMA rules is available on the Kaspersky Threat Intelligence Portal to subscribers of the APT, Crimeware or ICS Intelligence reports.

In addition to the technique descriptions, the report contains recommendations for protecting a company's network and data from ransomware attacks and mitigating their consequences. The recommendations are based on both in-house research and the guidance of organizations such as NIST, NCSC, CISA and SANS, and are grouped by the attack stage they address:

  • Intrusion prevention: a set of recommendations to stop attackers from penetrating your company’s network in the first place.
  • Malware execution prevention: a set of recommendations to make it harder for attackers to run their tools and malware on hosts in your company's network, and to help defenders detect such tools and malware.
  • Lateral movement prevention: a set of measures to stop attackers from spreading to neighboring hosts on the network and gaining control over the domain, as well as to detect such attempts.
  • Data loss prevention: a set of tips for backing up and taking other measures to mitigate possible damage from an attack.

Additional recommendations are given on preparing for possible incidents: from identifying key assets that are likely to be targeted to creating an incident response plan, including advice on engaging with regulators.

Remember, there is no such thing as 100% protection against attacks. But knowing the techniques cybercriminals use lets you fine-tune your defenses and countermeasures accordingly. This prepares you and your company for possible attacks and, in the worst case, minimizes the damage and its consequences. As they say, forewarned is forearmed.