Woburn, MA – June 23, 2022 — Kaspersky’s Threat Intelligence team has analyzed the most common tactics, techniques, and procedures (TTPs) used during attacks by the 8 most prolific ransomware groups, such as Conti and Lockbit2.0. The research revealed that different groups share more than half of the cyber kill chain and execute the core stages of an attack identically. This monumental study of modern ransomware, which is available for free, will serve as an aid in understanding how ransomware groups operate and how to defend against their attacks.
The analysis within the guide focuses on the activity of Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups have been active in the United States, Great Britain and Germany, and have targeted over 500 organizations within industries such as manufacturing, software development and small business, between March 2021 and March 2022.
The 150-page guide navigates readers through the stages of ransomware deployment, how cybercriminals use their preferred tools and the goals they are hoping to achieve. Readers can also learn how to defend against targeted ransomware attacks and learn about SIGMA detection rules, which can be used to build up their preventive measures against the attackers.
Kaspersky’s Threat Intelligence team analyzed how the ransomware groups employed the techniques and tactics described in MITRE ATT&CK and found many similarities among their TTPs throughout the cyber kill chain. The groups' methods of attack proved to be quite predictable, with ransomware attacks following a pattern that includes gaining access to the corporate network or victim's computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups and, finally, achieving their objectives.
The researchers also explain where the similarity between attacks comes from:
The systematization of various TTPs used by attackers has led to the formation of a general set of SIGMA rules in accordance with MITRE ATT&CK, which helps to prevent such attacks.
“In recent years, ransomware has become a top concern for the cybersecurity industry, with constant developments and improvements being made by ransomware operators,” comments Nikita Nazarov, team lead for the threat intelligence group at Kaspersky. “It is time consuming and often challenging for cybersecurity specialists to study every single ransomware group and follow each one’s activities and developments in order to win the race between attackers and defenders. We have been tracking the activity of various ransomware groups for a long time, and this report represents the results of a huge piece of analytical work. Its purpose is to serve as a guide for cybersecurity professionals working in all kinds of organizations, making their jobs easier.”
This report is aimed at SOC analysts, threat hunting teams, cyberthreat intelligence analysts, digital forensics specialists and cybersecurity specialists involved in the incident response process, and/or those who want to protect the environment they are responsible for from targeted ransomware attacks.
To find out more, join a webinar on June 23rd, during which security experts at Kaspersky will shed light on the common TTPs of modern ransomware groups and the ways to prevent the attacks. Register here for free.
The public version of the ransomware TTPs report is available for download on Securelist.
To protect against ransomware attacks, consider the following:
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812