The evolution of the Kuiper ransomware

Kuiper is a Go-based ransomware marketed as an easy-to-use, cross-platform kit by RobinHood, with a plan to offer operational help for a commission and a planned double-extortion leak site. Researchers uncovered that the sales hype overstated capabilities, and a leaked copy of the server, source code, and decryption keys provided concrete exposure of the project’s flaws and evolution across Windows, Linux, and MacOS variants.

Key points

  • Kuiper is advertised as ready-to-use ransomware with ongoing updates; a leak blog surfaced the server and keys.
  • Encryption uses AES-CFB with a per-network key/IV, later adding ChaCha20 and tiered encryption for large files.
  • Updates expanded platform support (MacOS, FreeBSD) and introduced features like wallpaper changes and faster encryption.
  • Despite claims of AV/EDR evasion, analyzed samples show little obfuscation and reveal notable operational gaps.
  • The malware spreads laterally by scanning local IPs, copying itself to remote machines, and using WMIC and SMB shares to propagate.
  • Backups are deleted, Defender is disabled, and memory keys are cleaned; a ransom note and self-removal steps complete the kill chain.

MITRE Techniques

  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Quote: “Example command: – ‘wmic /node: process call create’”
  • [T1057] Process Discovery – Quote: “Uses ‘taskkill’ to loop and terminate targeted processes”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Quote: “Example command: – Starts with ‘powershell.exe -ep bypass -w hidden -enc’ followed by a space and the encoded command”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Quote: “Example command: – Starts with ‘cmd.exe /c’ followed by a space and the command to execute (i.e. ‘shutdown /r /t 8’)”
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Quote: “Example command: – Starts with ‘/bin/bash -c’ followed by a space and the command to execute (i.e. ‘reboot’)”
  • [T1046] Network Service Scanning – Quote: “Active Scanning: Scanning IP Blocks” / “Iterates over the last octet of the current IP to see if the SMB share is open and writable, allowing the malware to spread itself”
  • [T1016.001] System Network Configuration Discovery – Quote: “Gets the current IP address from the list of network interfaces from the machine, using a minor blocklist to avoid selecting the wrong address”
  • [T1106] Native API – Quote: “Native API” / “WDEnable” (PowerShell bypass and Defender interaction)
  • [T1486] Data Encrypted for Impact – Quote: “Data Encrypted for Impact”
  • [T1562.001] Disable or Modify Tools: Defender – Quote: “The commands to disable Defender in Kuiper version A are hex encoded” / “Version B’s approach differs, as it creates several loops.”
  • [T1497] Virtualization/Sandbox Evasion – Quote: “Tries to bypass using: – Iterating over an empty loop – Trying to read ‘C:\Windows\System32\cmd.exe’”
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys / Startup Folder – Quote: “reg add ‘HKEY_LOCAL_MACHINE…Winlogon’ /t REG_SZ /v Shell …”
  • [T1070.004] Indicator Removal on Host: File Deletion – Quote: “removal of the backups” / “delete logs and files”
  • [T1078] Valid Accounts – Not supported by a quote from the article; listed only for context, should a variant use stolen credentials. (The article gives no direct evidence for this technique.)
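As an added example (not code from the Trellix article or from the Kuiper project), the following Python sketch turns the command-line fragments the article quotes above into detection rules and runs them over a few constructed process-creation log lines. The log format, the sample lines, their PIDs and file paths, and the base64 "Stop-Service windefend" payload are all constructed for this example; the full Winlogon key path used in the sample is the standard Windows location, which the article abbreviates. The rules match only the fragments the article quotes, so treat the "taskkill" rule as a low-confidence signal to be correlated with the others rather than alerted on alone.

```python
"""Detection sketch for the Kuiper command-line patterns quoted in the
technique list above. Added example; not code from the Trellix article or
the Kuiper project. Log format and sample lines are constructed."""
import base64
import re
from dataclasses import dataclass

# (technique id, label, pattern over the command line, confidence)
# Patterns are limited to the command fragments the article quotes.
RULES = [
    ("T1021.002", "WMIC remote process creation",
     re.compile(r"wmic\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I), "high"),
    ("T1059.001", "PowerShell hidden window with encoded command",
     re.compile(r"powershell(\.exe)?\s+.*-ep\s+bypass\s+.*-w\s+hidden\s+.*-enc\s+(?P<payload>\S+)", re.I), "high"),
    ("T1547.001", "Winlogon Shell value rewritten via reg add",
     re.compile(r"reg\s+add\b.*winlogon.*/v\s+shell\b", re.I), "high"),
    ("T1059.003", "cmd.exe forced reboot",
     re.compile(r"cmd(\.exe)?\s+/c\s+shutdown\s+/r\s+/t\s+\d+", re.I), "medium"),
    ("T1059.004", "bash -c reboot",
     re.compile(r"/bin/bash\s+-c\s+reboot\b", re.I), "medium"),
    ("T1057", "taskkill invoked (noisy; correlate with other hits)",
     re.compile(r"\btaskkill(\.exe)?\b", re.I), "low"),
]

# Constructed log format: "<timestamp> pid=<n> image=<path> cmdline=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$")


@dataclass
class Finding:
    pid: int
    technique: str
    label: str
    confidence: str
    detail: str = ""


def decode_encoded_command(blob: str) -> str:
    """PowerShell's -enc argument is base64 over the UTF-16LE script text."""
    return base64.b64decode(blob).decode("utf-16-le")


def scan_line(line: str) -> list[Finding]:
    """Return one Finding per rule that matches the line's command line."""
    m = LINE_RE.match(line)
    if not m:
        return []  # not in the expected log format; skip silently
    pid, cmd = int(m["pid"]), m["cmd"]
    hits = []
    for tid, label, pat, conf in RULES:
        hit = pat.search(cmd)
        if not hit:
            continue
        detail = ""
        if tid == "T1059.001":  # surface the decoded script for the analyst
            try:
                detail = decode_encoded_command(hit.group("payload"))
            except (ValueError, UnicodeDecodeError):
                detail = "<undecodable -enc payload>"
        hits.append(Finding(pid, tid, label, conf, detail))
    return hits


def scan_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


def looks_like_kuiper_chain(findings: list[Finding]) -> bool:
    """Two or more distinct high-confidence techniques on one host is the
    correlation threshold used here (a constructed, tunable choice)."""
    high = {f.technique for f in findings if f.confidence == "high"}
    return len(high) >= 2


# Constructed sample: the encoded payload is built here so it is exact.
ENC = base64.b64encode("Stop-Service windefend".encode("utf-16-le")).decode()
SAMPLE_LOG = f"""\
2024-01-01T10:00:01Z pid=4120 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline=wmic /node:10.0.0.17 process call create "C:\\Users\\Public\\k.exe"
2024-01-01T10:00:02Z pid=4133 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell.exe -ep bypass -w hidden -enc {ENC}
2024-01-01T10:00:03Z pid=4140 image=C:\\Windows\\System32\\reg.exe cmdline=reg add "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /t REG_SZ /v Shell /d "explorer.exe,C:\\Users\\Public\\k.exe" /f
2024-01-01T10:00:04Z pid=4152 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c shutdown /r /t 8
2024-01-01T10:00:05Z pid=4161 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c taskkill /f /im sqlservr.exe
2024-01-01T10:00:06Z pid=4170 image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe C:\\Users\\alice\\notes.txt
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"pid={f.pid} {f.technique} [{f.confidence}] {f.label} {f.detail}")
    print("kuiper-like chain:", looks_like_kuiper_chain(results))
```

The decoded -enc payload is returned alongside the hit so an analyst sees what the PowerShell stage actually runs (the article notes version A hex-encodes its Defender commands, so the same decode-and-inspect step applies there with a hex decoder in place of base64).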

Indicators of Compromise

  • [URL] context – https://qtox.github.io, https://tox.chat/download.html
  • [Email] context – [email protected]
  • [MD5] context – 84820f3eb491a2fde1f52435cd29646c; 0608c64c57dcc09246be00f0b2767e6e
  • [SHA-1] context – 8c6e135495fcf8898de62e6793e3cd06d3025461; 02642663BFC7BE0C06051F4B01C9861102C71850
  • [SHA-256] context – df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9; 0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985
  • [File] context – safemode.exe, safemode.bat, setup.bat

Read more: https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/