Dark Web Profile: Tengu Ransomware (Shisa)

MITRE Techniques

• [T1595.002] Active Scanning: Vulnerability Scanning – Affiliates appear to probe exposed services and weak targets before intrusion, using reconnaissance to find viable entry points (‘conduct brute-force attacks against exposed RDP and SMB interfaces’).
• [T1566.002] Phishing: Spearphishing Link – Initial access could be obtained through phishing links sent to targets (‘initial access is achieved through spearphishing links’).
• [T1190] Exploit Public-Facing Application – The group used exposed internet-facing applications as an entry path (‘exploitation of public-facing applications’).
• [T1078] Valid Accounts – Stolen or reused credentials were used to gain access (‘the reuse of valid credentials from prior data breaches’).
• [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used for script execution and payload delivery (‘powershell.exe’).
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Command shell activity supported execution and system enumeration (‘cmd.exe’).
• [T1218.011] System Binary Proxy Execution: Rundll32 – Rundll32 was used to execute payloads while blending in with trusted binaries (‘rundll32.exe’).
• [T1219] Remote Access Software – The group mimicked or used remote management tooling to maintain access (‘FortiRDP subsequently installed on the victim machine’).
• [T1068] Exploitation for Privilege Escalation – ZeroLogon was used to escalate privileges on an unpatched domain controller (‘exploited ZeroLogon (CVE-2020-1472) against an unpatched domain controller’).
• [T1078.002] Valid Accounts: Domain Accounts – Domain administrator access was obtained and then used to expand control (‘obtain domain administrator privileges’).
• [T1562.001] Impair Defenses: Disable or Modify Tools – Defender and security tools were disabled to reduce detection (‘Windows Defender is disabled early in the intrusion’).
• [T1070.001] Indicator Removal: Clear Windows Event Logs – Event logs were cleared to erase forensic evidence (‘Event logs are cleared using wevtutil’).
• [T1003.001] OS Credential Dumping: LSASS Memory – LSASS memory was dumped to extract credentials (‘LSASS memory is dumped to extract credentials in cleartext’).
• [T1110.001] Brute Force: Password Guessing – Repeated login attempts were used against exposed services (‘conduct brute-force attacks against exposed RDP and SMB interfaces’).
• [T1110.003] Brute Force: Password Spraying – The access pattern also included broad credential attempts across services (‘Alert on repeated authentication failures across SMB and RDP services’).
• [T1087.002] Account Discovery: Domain Account – Active Directory was enumerated to identify privileged accounts (‘AD is then enumerated to map privileged accounts’).
• [T1046] Network Service Discovery – The group mapped network services and shares to identify targets for movement (‘map privileged accounts, high-value systems, and network shares’).
• [T1021.001] Remote Services: Remote Desktop Protocol – RDP was used for interactive access and lateral movement (‘RDP is also used for interactive access to high-value targets’).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB was used for lateral movement and administration (‘NetExec (nxc) over SMB’).
• [T1039] Data from Network Shared Drive – Data was collected from network shares before exfiltration (‘Data is collected from network shares and local systems’).
• [T1074.001] Data Staged: Local Data Staging – Stolen data was staged prior to exfiltration (‘Data is collected … and staged before exfiltration’).
• [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltration used cloud services such as MEGA, PixelDrain, and StorJ (‘MEGA as the primary destination’).
• [T1071.001] Application Layer Protocol: Web Protocols – Communication and storage relied on web-based services and Tor-hosted infrastructure (‘dedicated DLS on the Tor network’).
• [T1090.003] Proxy: Multi-hop Proxy – Affiliates used residential proxies and VPS infrastructure to hide origin (‘leveraging residential proxies and commercial VPS infrastructure’).
• [T1490] Inhibit System Recovery – Shadow copies were deleted before encryption to prevent recovery (‘Shadow copies are deleted immediately before execution’).
• [T1486] Data Encrypted for Impact – Files were encrypted and renamed with the .tengu extension (‘Encrypted files receive the .tengu extension’).