Darktrace has tracked BlackSuit, a Royal spinoff ransomware active since May 2023 that runs a double-extortion model (files are encrypted and data is stolen for leverage) and has impacted at least 95 organizations worldwide. Observed tactics include VPN/RDP compromise, abuse of remote management tools and SOCKS5 proxies, with ransom demands reported to total over USD 500 million. #BlackSuit #Royal #CDK_Global
Keypoints
- BlackSuit emerged in May 2023 and is linked to Russian/Eastern European actor groups and shares code similarities with Royal/Conti.
- Recorded impacts include at least 95 organizations across sectors such as healthcare, education, government, retail, and manufacturing.
- The group uses double extortion: files are encrypted (‘.blacksuit’ extension) and sensitive data is exfiltrated for leverage.
- Ransom demands have been unusually large: individual demands reportedly up to USD 60 million, and aggregated demands reported above USD 500 million.
- Initial access vectors observed include VPN compromise, RDP, phishing, and exploitation of public-facing apps; initial access brokers (IABs) are often used.
- Threat actors have abused tools and protocols such as SystemBC (SOCKS5), ConnectWise ScreenConnect, SMB, WMI, and RDP for C2 and lateral movement.
- Darktrace highlights the value of Autonomous Response and continuous behavioral detection to rapidly disrupt these attacks.
MITRE Techniques
- [T1098] Account Manipulation – Compromised user accounts were modified and reused to maintain persistence; the cited observation is an existing account carrying out the encryption (‘…an account belonging to a manager was detected adding “.blacksuit” extensions…’).
- [T0878] Alarm Suppression – Threat actors disabled or inhibited detection mechanisms to avoid response (‘…disables security alarms to avoid detection during an attack.’).
- [T1071] Application Layer Protocol – Used standard application protocols for C2 and data transfer (‘…uses common application protocols for command and control communications.’).
- [T1119] Automated Collection – Sensitive data was automatically gathered from compromised systems before exfiltration (‘…collects sensitive data automatically from compromised systems.’).
- [T0803] Block Command Message – ICS ATT&CK technique listed in the mapping under Inhibit Response Function; no specific ICS activity is described (‘…Block Command Message – INHIBIT RESPONSE FUNCTION’).
- [T0804] Block Reporting Message – ICS ATT&CK technique listed in the mapping; preventing events from being reported reduces defender visibility (‘…Block Reporting Message – INHIBIT RESPONSE FUNCTION’).
- [T1176] Browser Extensions – Persistence techniques include abuse of browser components (‘…Browser Extensions – PERSISTENCE’).
- [T0806] Brute Force I/O – ICS ATT&CK technique listed in the mapping under Impair Process Control; distinct from credential brute-forcing (‘…Brute Force I/O – IMPAIR PROCESS CONTROL’).
- [T1110] Brute Force – Credential brute-forcing was used against accounts (‘…incl. credential brute-forcing…’).
- [T1592.004] Client Configurations – Reconnaissance included gathering victim host configuration details (‘…Client Configurations – RECONNAISSANCE – T1592.004’).
- [T1078.004] Cloud Accounts – Compromised cloud/SaaS credentials were used in attacks (‘…Cloud Accounts – DEFENSE EVASION, PERSISTENCE…’).
- [T1485] Data Destruction – Data destruction techniques were mapped as potential impact actions (‘…Data Destruction – IMPACT – T1485’).
- [T0809] Data Destruction (Inhibit Response) – Used to further disrupt recovery and response (‘…Data Destruction – INHIBIT RESPONSE FUNCTION’).
- [T1486] Data Encrypted for Impact – Files were encrypted (‘.blacksuit’) to disrupt operations and extort victims (‘…encrypts files to disrupt operations and demand ransom.’).
- [T1530] Data from Cloud Storage Object – Mapped by the analysts on the basis of the Bublup / S3 traffic; note that the observation cited is data being uploaded to cloud storage, which ATT&CK classes as exfiltration rather than collection (‘…data transfers to “bublup-media-production.s3.amazonaws[.]com”’).
- [T1074] Data Staged – Data was aggregated and archived (e.g., ‘*.part.rar’) before exfiltration (‘…files were then archived using the naming convention “*.part.rar”.’).
- [T1069.002] Domain Groups – Discovery of domain groups and AD structures aided lateral movement (‘…Domain Groups – DISCOVERY – T1069.002’).
- [T1114] Email Collection – Email harvesting was listed among collection techniques mapped by analysts (‘…Email Collection – COLLECTION – T1114’).
- [T1041] Exfiltration Over C2 Channel – Data was moved out via C2 channels and proxies (SystemBC/SOCKS5) (‘…Transfers stolen data through command and control channels.’).
- [T1567.002] Exfiltration to Cloud Storage – Observed exfiltration to cloud storage endpoints like S3/Bublup (‘…Exfiltration to Cloud Storage – EXFILTRATION – T1567.002’).
- [T1190] Exploit Public-Facing Application – Exploitation of public-facing apps was noted as an initial access vector (‘…exploitation of vulnerable public-facing applications.’).
- [T0890] Exploitation for Privilege Escalation – Used to gain higher privileges within victim environments (‘…Exploitation for Privilege Escalation – PRIVILEGE ESCALATION’).
- [T1210] Exploitation of Remote Services – Remote service vulnerabilities (VPN/RDP) were leveraged for lateral movement (‘…leverages vulnerabilities in remote services for lateral movement.’).
- [T1083] File and Directory Discovery – Performed file discovery to locate sensitive data for theft and encryption (‘…File and Directory Discovery – DISCOVERY – T1083’).
- [T1070.004] File Deletion – Attack chain included deletion/manipulation of files to hinder recovery (‘…File Deletion – DEFENSE EVASION – T1070.004’).
- [T1590.005] IP Addresses – Reconnaissance involved IP enumeration and scanning (‘…IP Addresses – RECONNAISSANCE – T1590.005’).
- [T1570] Lateral Tool Transfer – Tools and executables were moved laterally across hosts (‘…Lateral Tool Transfer – LATERAL MOVEMENT – T1570’).
- [T1557.001] LLMNR/NBT-NS Poisoning and SMB Relay – Credential relay/poisoning techniques appeared in mappings (‘…LLMNR/NBT-NS Poisoning and SMB Relay – T1557.001’).
- [T0838] Modify Alarm Settings – Modifications to alarms and monitoring were mapped to inhibit response (‘…Modify Alarm Settings – INHIBIT RESPONSE FUNCTION – T0838’).
- [T0833] Modify Control Logic – ICS ATT&CK technique listed in the mapping under Impair Process Control; no control-logic modification is described (‘…Modify Control Logic – IMPAIR PROCESS CONTROL – T0833’).
- [T0836] Modify Parameter – ICS ATT&CK technique listed in the mapping under Impair Process Control (‘…Modify Parameter – IMPAIR PROCESS CONTROL – T0836’).
- [T1046] Network Service Scanning (now named Network Service Discovery in ATT&CK) – Internal scanning (ICMP/SMB/RDP) was observed prior to large-scale encryption (‘…Network Service Scanning – DISCOVERY – T1046’).
- [T1135] Network Share Discovery – SMB share discovery used to find data to encrypt/exfiltrate (‘…Network Share Discovery – DISCOVERY – T1135’).
- [T1550.002] Pass the Hash – Credential reuse/passing techniques to move laterally were noted (‘…Pass the Hash – DEFENSE EVASION, LATERAL MOVEMENT – T1550.002’).
- [T1563.002] RDP Hijacking – RDP compromise and hijacking used for lateral movement (‘…RDP Hijacking – LATERAL MOVEMENT – T1563.002’).
- [T1021.001] Remote Desktop Protocol – RDP used extensively for lateral movement and access (‘…Remote Desktop Protocol – LATERAL MOVEMENT – T1021.001’).
- [T1018] Remote System Discovery – Discovery of remote systems preceded lateral activity (‘…Remote System Discovery – DISCOVERY – T1018’).
- [T1036.003] Rename System Utilities – Renaming utilities to evade detection was included in mappings (‘…Rename System Utilities – DEFENSE EVASION – T1036.003’).
- [T1595.001] Scanning IP Blocks – Broader scanning of IP ranges observed during reconnaissance (‘…Scanning IP Blocks – RECONNAISSANCE – T1595.001’).
- [T1569.002] Service Execution – Commands executed by creating or starting Windows services on remote hosts (PsExec-style execution); WMI-based execution is mapped separately under T1047 (‘…Service Execution – EXECUTION – T1569.002’).
- [T1489] Service Stop – Stopping services to disrupt operations was identified as an impact technique (‘…Service Stop – IMPACT – T1489’).
- [T1021.002] SMB/Windows Admin Shares – SMB shares were abused for lateral movement and file encryption (‘…SMB/Windows Admin Shares – LATERAL MOVEMENT – T1021.002’).
- [T1565.001] Stored Data Manipulation – Manipulation of stored data (e.g., appending extensions) to execute impact stage (‘…Stored Data Manipulation – IMPACT – T1565.001’).
- [T1080] Taint Shared Content – Ransom notes and infected files were written to shared locations (‘…Taint Shared Content – LATERAL MOVEMENT – T1080’).
- [T1078] Valid Accounts – Use of compromised valid accounts (admin/SaaS) for persistence and escalation (‘…Valid Accounts – DEFENSE EVASION, PERSISTENCE…’).
- [T1595.002] Vulnerability Scanning – Scanning for vulnerable services was part of reconnaissance (‘…Vulnerability Scanning – RECONNAISSANCE – T1595.002’).
- [T1071.001] Web Protocols – Web protocols used for C2 and exfiltration (HTTP/HTTPS) (‘…Web Protocols – COMMAND AND CONTROL – T1071.001’).
- [T1583.006] Web Services – Acquisition of third-party web services, in this case cloud storage (Bublup / S3), to support exfiltration (‘…Web Services – RESOURCE DEVELOPMENT – T1583.006’).
- [T1505.003] Web Shell – Web shells included as a persistence option in mappings (‘…Web Shell – PERSISTENCE – T1505.003’).
- [T1047] Windows Management Instrumentation – WMI used for remote execution and lateral actions (‘…Windows Management Instrumentation – EXECUTION – T1047’).
- [T1021.006] Windows Remote Management – WinRM observed as a lateral movement/execution channel (‘…Windows Remote Management – LATERAL MOVEMENT – T1021.006’).
Indicators of Compromise
- [File extension] Encrypted files – .blacksuit (extension appended to encrypted files).
- [Ransom note filename] Ransom note – readme.blacksuit.txt (ransom note written to compromised SMB shares).
- [Domains] Data exfiltration domains – mystuff.bublup[.]com, bublup-media-production.s3.amazonaws[.]com (used for uploading stolen data).
- [IP addresses] Malicious endpoints – 137.220.61[.]94 (SystemBC C2), 173.251.109[.]106 (SaaS-related activity) and 216.151.180[.]147 (external Teams session).
- [Filenames] Malicious executables/scripts – zzza.exe (executable uploaded to a domain controller) and socks5.ps1 (PowerShell reverse-proxy script).
- [Tools / Malware] C2 and proxy tools – SystemBC (SOCKS5 C2) and ConnectWise ScreenConnect (abused for remote management/C2).
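The indicators above are only useful once they are matched against telemetry and correlated into the double-extortion sequence the page describes (tooling dropped, SOCKS5 C2 established, data archived as *.part.rar, upload to Bublup/S3, then ".blacksuit" renames and the readme.blacksuit.txt note). The following script is an added example, not Darktrace's code or anything from the original page: it refangs the defanged indicators, runs them over a constructed file-audit/proxy log export (the log format, host names and user names are invented for the example), tags each hit with the ATT&CK ID the page maps it to, and flags hosts on which both a data-theft stage and the encryption stage were seen.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the page, in the defanged form threat reports use.
DEFANGED_IOCS = {
    "exfil_domain": ["mystuff.bublup[.]com", "bublup-media-production.s3.amazonaws[.]com"],
    "c2_ip": ["137.220.61[.]94"],
    "tool_file": ["zzza.exe", "socks5.ps1"],
}
ENCRYPTED_EXT = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"
STAGING_SUFFIX = ".part.rar"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable, lower-cased value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: {refang(v) for v in values} for kind, values in DEFANGED_IOCS.items()}

# Constructed sample log (hypothetical format: "<ts> <host> <user> <event> <detail>").
SAMPLE_LOG = """\
2024-06-01T01:02:03Z fs01 corp\\jsmith FILE_WRITE \\\\fs01\\finance\\q2-report.xlsx.part.rar
2024-06-01T01:02:10Z fs01 corp\\jsmith FILE_WRITE \\\\fs01\\finance\\archive-2.part.rar
2024-06-01T01:15:00Z ws07 corp\\jsmith HTTP_POST https://bublup-media-production.s3.amazonaws.com/upload
2024-06-01T02:00:00Z dc01 corp\\svc_backup FILE_WRITE C:\\Windows\\Temp\\zzza.exe
2024-06-01T02:04:00Z dc01 corp\\svc_backup FILE_WRITE C:\\Users\\Public\\socks5.ps1
2024-06-01T02:05:30Z dc01 corp\\svc_backup NET_CONNECT 137.220.61.94:443
2024-06-01T03:00:00Z fs01 corp\\mgr_ops FILE_RENAME \\\\fs01\\hr\\payroll.xlsx -> \\\\fs01\\hr\\payroll.xlsx.blacksuit
2024-06-01T03:00:01Z fs01 corp\\mgr_ops FILE_WRITE \\\\fs01\\hr\\readme.blacksuit.txt
2024-06-01T03:30:00Z ws02 corp\\alice FILE_WRITE \\\\fs01\\shared\\notes.txt
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    user: str
    stage: str      # tooling / c2 / staging / exfil / impact
    technique: str  # ATT&CK ID as mapped on the page
    evidence: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def classify(event: str, detail: str):
    """Return (stage, technique) for one event, or None if no indicator matches."""
    d = detail.lower()
    target = d.split(" -> ")[-1]          # for renames, judge the destination name
    name = basename(target)
    if event in ("FILE_WRITE", "FILE_RENAME"):
        if name == RANSOM_NOTE or name.endswith(ENCRYPTED_EXT):
            return "impact", "T1486"        # Data Encrypted for Impact
        if name.endswith(STAGING_SUFFIX):
            return "staging", "T1074"       # Data Staged (*.part.rar archives)
        if name in IOCS["tool_file"]:
            return "tooling", "T1570"       # Lateral Tool Transfer
    if event in ("HTTP_POST", "DNS_QUERY"):
        m = URL_HOST_RE.match(d)
        if (m.group(1) if m else d) in IOCS["exfil_domain"]:
            return "exfil", "T1567.002"     # Exfiltration to Cloud Storage
    if event == "NET_CONNECT":
        m = IP_PORT_RE.match(d)
        if m and m.group(1) in IOCS["c2_ip"]:
            return "c2", "T1041"            # SystemBC SOCKS5 C2 channel
    return None


def scan(log_text: str) -> list[Hit]:
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # skip malformed lines rather than crash
        ts, host, user, event, detail = m.groups()
        c = classify(event, detail)
        if c:
            hits.append(Hit(ts, host, user, c[0], c[1], detail))
    return hits


STAGE_ORDER = ["tooling", "c2", "staging", "exfil", "impact"]


def chains(hits: list[Hit]) -> dict[str, list[str]]:
    """Per host, the attack stages observed, in kill-chain order."""
    seen = defaultdict(set)
    for h in hits:
        seen[h.host].add(h.stage)
    return {host: [s for s in STAGE_ORDER if s in stages] for host, stages in seen.items()}


def high_confidence(hits: list[Hit]) -> list[str]:
    """Hosts showing both data theft (staging/exfil) and encryption: the double-extortion pattern."""
    return sorted(h for h, s in chains(hits).items()
                  if "impact" in s and {"staging", "exfil"} & set(s))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.host} {h.user} {h.stage:<8} {h.technique:<10} {h.evidence}")
    print("stage chains:", chains(found))
    print("double-extortion hosts:", high_confidence(found))
```

The refang step matters in practice: indicator lists are published defanged, and a detection that compares `137.220.61[.]94` against real traffic never fires. Correlating by host rather than by user is deliberate, since the page shows the theft and the encryption being carried out under different accounts.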