Techniques, tactics and procedures of ransomware | Kaspersky official blog

Credit to Author: Hugh Aver| Date: Fri, 24 Jun 2022 11:10:58 +0000

Kaspersky experts conducted an in-depth analysis of the tactics, techniques, and procedures of the eight most common ransomware groups — Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat. Comparing the methods and tools of attackers at different stages of attacks, they concluded that many groups operate rather similarly. This permits creation of effective universal countermeasures for protecting a company’s infrastructure from ransomware.

The study, with detailed analysis of all techniques and examples of their use in the wild, can be found in the Common TTPs of Modern Ransomware Groups report. It also contains rules for detecting malicious techniques in the SIGMA format.

The report is intended primarily for SOC analysts, threat-hunting and threat-intelligence experts, and incident response and investigation specialists. However, our researchers also collated some best practices for countering ransomware from various sources in the report. Here are some of them:

Intrusion prevention

The ideal prevention option is to stop a ransomware attack before the threat gets inside the corporate perimeter. The following measures help reduce the risk of intrusion:

  • Filtering of incoming traffic. Filtering policies should be implemented on all perimeter devices — routers, firewalls, IDS systems. And don’t forget about mail filtering from spam and phishing: it’s wise to use a sandbox to validate email attachments.
  • Blocking of malicious websites. Restricting access to known malicious websites; for example, by implementing intercepting proxy servers. It’s also worth using threat Intelligence data feeds to maintain up-to-date lists of cyberthreats.
  • Using deep packet inspection (DPI). A DPI-class solution at the gateway level allows you to check traffic for malware.
  • Blocking malicious code. Using signatures to block malware.
  • RDP protection. Disabling RDP wherever possible. If for some reason you can’t stop using it, place systems with an open RDP port (3389) behind a firewall, and allow access to them only through a VPN.
  • Multi-factor authentication. Using multi-factor authentication, strong passwords, and automatic account lockout policies at all points that can be accessed remotely.
  • Listing allowed connections. Enforcing IP allow-listing using hardware firewalls.
  • Fixing known vulnerabilities. Timely installing patches for vulnerabilities in remote access systems and devices with a direct connection to the internet.

The report also contains practical advice on protection against exploitation and lateral movement, as well as recommendations for countering data leaks and preparing for an incident.

Additional protection

In order to arm enterprises with additional tools that can help eliminate an attack spread-path as early as possible and investigate an incident, we’ve also updated our EDR solution. The new version, suitable for enterprises with mature IT-security processes, is called Kaspersky Endpoint Detection and Response Expert. It can be deployed via the cloud or on-premise. You can learn more about the capabilities of this solution here.