Ransomware: Elevated Threat Level Continues into Q3

Ransomware actors rely on four tool categories—Living off the Land, Impairing Defenses, Remote Desktop/Remote Admin, and Data Exfiltration—to run campaigns, with the ecosystem growing more robust. The piece points readers to the Symantec Protection Bulletin for the latest protections and mitigation guidance. #PsExec #WMI #PowerShell #BYOD #SignedVulnerableDriver #RDP #AnyDesk #Splashtop #ScreenConnect #Rclone #RansomHub #Qilin #LockBit #SymantecProtectionBulletin

Keypoints

  • Living off the Land: Uses native Windows utilities like PsExec and WMI for lateral movement and command execution.
  • Impairing Defenses: Attackers deploy signed vulnerable drivers to disable security software.
  • Remote Desktop/Remote Admin: Legitimate tools such as RDP and AnyDesk are abused for backdoor access.
  • Data Exfiltration: Ransomware groups steal data prior to encryption, using tools like Rclone.
  • Robust Ecosystem: Growing operations such as RansomHub and Qilin may rival established players like LockBit.
  • Protection/Mitigation: Refer to the Symantec Protection Bulletin for the latest defense updates.

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – Living off the Land: Use of native Windows utilities such as PsExec and WMI for lateral movement.
  • [T1059.001] PowerShell – PowerShell for executing commands and reconnaissance.
  • [T1562.001] Disable Security Tools – Impairing Defenses: Deployment of signed vulnerable drivers to disable security software.
  • [T1021] Remote Services – Remote Desktop/Remote Admin: Abuse of RDP, AnyDesk, and similar tools for backdoor access.
  • [T1041] Exfiltration – Data Exfiltration: Use of Rclone and other tools for data theft prior to encryption.
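As an added example (not code from the Symantec article), the Python triage script below classifies constructed process-creation records into the four tool categories listed above and flags hosts where an exfiltration tool ran after lateral-movement or remote-admin activity. The regex patterns, the ACCESS grouping and the sample records are this example's own assumptions, not Symantec detections.

```python
import re
from collections import defaultdict

# One regex per tool category in the summary. Tool names are the ones the summary
# lists; the patterns are this example's assumption, so tune them to your baseline.
CATEGORY_RULES = {
    "living_off_the_land": re.compile(
        r"\b(psexec|psexesvc|wmic|wmiprvse)\b|powershell.*(-enc|encodedcommand)"),
    "impairing_defenses": re.compile(r"\bsc(\.exe)?\s+create\b.*type=\s*kernel"),
    "remote_admin": re.compile(r"\b(anydesk|splashtop|screenconnect|mstsc)\b"),
    "exfiltration": re.compile(r"\brclone\b"),
}
ACCESS = {"living_off_the_land", "remote_admin"}  # initial-access style categories

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"psexec.exe \\srv02 -s cmd.exe"},
    {"ts": 2, "host": "srv02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create drv type= kernel binPath= C:\Users\Public\drv.sys"},
    {"ts": 3, "host": "srv02", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"ts": 4, "host": "srv02", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bucket -q"},
]

def classify(event):
    """Categories whose pattern matches the lower-cased image + command line."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [cat for cat, rx in CATEGORY_RULES.items() if rx.search(text)]

def summarize(events):
    """Map each category to the sorted list of hosts that triggered it."""
    hosts = defaultdict(set)
    for ev in events:
        for cat in classify(ev):
            hosts[cat].add(ev["host"])
    return {cat: sorted(h) for cat, h in hosts.items()}

def hosts_staging_exfil(events):
    """Hosts where an exfiltration tool ran after LotL or remote-admin activity:
    the steal-first, encrypt-later sequence the summary describes."""
    first_access, flagged = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = set(classify(ev))
        if cats & ACCESS:
            first_access.setdefault(ev["host"], ev["ts"])
        if "exfiltration" in cats and ev["host"] in first_access:
            flagged.add(ev["host"])
    return sorted(flagged)
```

Feed it real Sysmon Event ID 1 or EDR process-creation records with the same four fields; the category summary gives coverage per host, and hosts_staging_exfil gives the short list to isolate first.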

Indicators of Compromise

  • [IOC] None mentioned – no explicit IPs, domains, file hashes, or filenames are provided in the article.

Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-threat-level-remains-high