Ransomware

Techniques, tactics and procedures of ransomware

Deep analysis of modern ransomware allows you to implement universal methods to counter them.

Hugh Aver
June 24, 2022

Kaspersky experts conducted an in-depth analysis of the tactics, techniques and procedures (TTPs) of the eight most widespread ransomware families: Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. Comparing the tools and methods cybercriminals use at different attack stages, they concluded that many groups operate according to much the same schemes. This makes it possible to create effective universal countermeasures to reliably protect your company’s infrastructure against ransomware.

You can find the full report with a detailed analysis and examples of each technique in the Common TTPs of modern ransomware groups document. The study is intended primarily for Security Operations Center (SOC) analysts, threat hunting and threat intelligence experts, and incident response and investigation specialists.

It also contains rules for detecting malicious techniques in SIGMA format. A full version of the report with an expanded set of SIGMA rules is available on the Kaspersky Threat Intelligence Portal to APT, Crimeware or ICS Intelligence report subscribers.

In addition to technique descriptions, the report contains recommendations for protecting a company’s network and data from ransomware attacks and mitigating their consequences. The recommendations are based on both in-house research and the advice of organizations such as NIST, NCSC, CISA, SANS, etc., and reflect the corresponding attack stages:

Intrusion prevention: a set of recommendations to stop attackers from penetrating your company’s network in the first place.
Malware execution prevention: a set of recommendations to make it harder for attackers to run their tools and malware on your company network hosts, and help defenders detect such tools and malware.
Lateral movement prevention: a set of measures to stop malware from infecting neighboring hosts on the network and gaining control over the domain, as well as to detect such attempts.
Data loss prevention: a set of tips for backing up and taking other measures to mitigate possible damage from an attack.

Additional recommendations are given on preparing for possible incidents: from identifying key assets that are likely to be targeted to creating an incident response plan, including advice on engaging with regulators.

Remember, there is no such thing as 100% protection against attacks. But the research gives you knowledge of cybercriminal techniques which lets you fine-tune your defenses and countermeasures. This will prepare you and your company for possible attacks, thus minimizing, in extreme cases, the damage and potential consequences. As they say, forewarned is forearmed.

$2 million CS:GO inventory stolen by a hacker

$2 million inventory hacked in CS:GO

An unnamed hacker allegedly stole two million dollars’ worth of items from a CS:GO player’s backpack and has already started auctioning off the items.

Privacy & Kids

TARGETED SECURITY SOLUTIONS

Techniques, tactics and procedures of ransomware

Ransomware: the most high-profile attacks of 2023

The MOVEit hack and its aftermath

$2 million inventory hacked in CS:GO

Tips

Advertisers sharing data about you with… intelligence agencies

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia