Cyble – Unveiling Wagner Group’s Cyber-Recruitment

Cyble researchers analyzed a Chaos ransomware variant dubbed Wagner, whose ransom note urges victims to join the Wagner Group rather than pay. The report links the Russian-language sample and Wagner messaging to potential attribution while detailing Wagner’s encryption, persistence, and propagation techniques. #WagnerGroup #ChaosRansomware #Shoigu #PMCWagner

Keypoints

  • Wagner is described as a variant of Chaos ransomware with messaging aligned to the Wagner Group.
  • The ransom note calls for joining the Wagner PMC and includes political/defamatory content against Russian defense leadership.

MITRE Techniques

  • [T1204] User Execution – Upon execution, the ransomware initializes the variables that govern how it runs. ‘The ransomware, upon execution, initializes different variables that specify its execution.’
  • [T1547] Registry Run Keys / Startup Folder – To ensure persistence, it copies itself as “svchost.exe” into the Startup folder. ‘to ensure persistence, it will make a copy of itself as “svchost.exe” in the startup folder.’
  • [T1082] System Information Discovery – The ransomware enumerates all drives and their types using the DriveInfo.GetDrives() method. ‘The ransomware retrieves all drive types using the DriveInfo.GetDrives() method.’
  • [T1083] File and Directory Discovery – The ransomware targets a specific set of directories on the “C” drive. ‘The following directories are targeted by ransomware in the “C” drive.’
  • [T1057] Process Discovery – The ransomware retrieves a list of all running processes using the GetProcesses() method and searches for a process with the same name as the current process; if it finds one, it terminates itself to prevent multiple instances from running simultaneously. ‘by retrieving a list of all running processes using the GetProcesses() method and then searches for a process with the same name…’
  • [T1486] Data Encrypted for Impact – Files are encrypted with AES using a random key per file; each AES key is encrypted with RSA and stored in the encrypted file. ‘The AES algorithm to encrypt files… encrypts the AES encryption key using the RSA algorithm.’
  • [T1490] Inhibit System Recovery – Runs commands to delete shadow copies, modify the boot status policy, and disable recovery: ‘vssadmin delete shadows /all /quiet & wmic shadowcopy delete’, ‘bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no’ and ‘wbadmin delete catalog -quiet’
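As an added defensive example (not code from the Cyble report), the following Python triages constructed process-creation events for the two behaviours above that are simplest to alert on: an image named svchost.exe running from outside the Windows system directories (the Startup-folder persistence under T1547) and the recovery-inhibition command lines quoted under T1490. The event field names, sample paths and pattern names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (assumed fields: Image, CommandLine); not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                    "& bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # benign control event
]

# Patterns for the recovery-inhibition commands quoted under T1490 (pattern names are assumptions).
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # where a genuine svchost.exe lives

def masquerading_svchost(image: str) -> bool:
    """svchost.exe running outside the system dirs, as the Startup-folder copy under T1547 would."""
    path = PureWindowsPath(image)
    return path.name.lower() == "svchost.exe" and str(path.parent).lower() not in LEGIT_SVCHOST_DIRS

def recovery_inhibit_hits(cmdline: str) -> list:
    """Names of the T1490 commands present in a command line, in pattern order."""
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(cmdline)]

def triage(events) -> list:
    """Return (finding, evidence) pairs for every suspicious event; benign events yield nothing."""
    findings = []
    for ev in events:
        if masquerading_svchost(ev["Image"]):
            findings.append(("T1547 svchost.exe outside system dir", ev["Image"]))
        for hit in recovery_inhibit_hits(ev["CommandLine"]):
            findings.append((f"T1490 {hit}", ev["CommandLine"]))
    return findings

if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_EVENTS):
        print(f"{finding}: {evidence}")
```

Against the constructed events the triage yields six findings: one for the Startup-folder svchost.exe and five for the individual T1490 commands, while the genuine System32 svchost.exe and the benign cmd.exe invocation produce none.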

Indicators of Compromise

  • [MD5] Wagner Ransomware binary – d26b2c8fc07cb5c72bfc40779f09d491
  • [SHA1] Wagner Ransomware binary – 8ee7fc0171b980aa93b687e334d1e29a8d634085
  • [SHA256] Wagner Ransomware binary – 1238ab3dd3ed620536969ee438e99a33a418ba20f5e691962ed07904e075b2a4

Read more: https://blog.cyble.com/2023/06/27/unveiling-wagner-groups-cyber-recruitment/