Some of the tactics, techniques and procedures widely used by ransomware operators that organizations should monitor:
AdFind: This command-line Active Directory tool gets employed – like so many legitimate utilities – by numerous criminals, Group-IB says.
Advanced IP Scanner: Developer Famatech says its free network scanner shows all network devices, gives you access to shared folders, provides remote control of computers and can even remotely switch computers off.
“Banking” Trojans: Trickbot and Qakbot are among the types of malware that began as banking Trojans, but which have been redesigned to help gangs gain initial access to a system and then “drop” other types of malware, including ransomware. Because of the increasing crossover between this type of malware and ransomware, companies should investigate infections more carefully, rather than just reimaging the machine and moving on,
BitLocker Drive Encryption: Unless it’s properly administered, this tool, built into recent versions of Windows, can be used by attackers to forcibly encrypt every PC. It doesn’t always take a piece of malware to ransom systems.
ClearLock: This screen-locking tool is used by attackers so system administrators and other personnel cannot log in and cancel encryption processes.
Cloud Storage: Ransomware operators commonly use cloud storage to exfiltrate sensitive data from compromised networks,
Cobalt Strike: This penetration-testing tool is used by around 70% of all groups involved in big game hunting,
Exploits: Ransomware gangs target vulnerabilities in remote access services, such as the CVE-2019-11510 flaw in Pulse Secure, as well as other flaws in Pulse Secure, Fortinet and Palo Alto products. Such flaws can give attackers easy, remote access to a victim’s infrastructure. Conversely, experts say keeping such systems patched can drive attackers to look elsewhere.
IObit Uninstaller: This Windows utility is designed to remove unwanted files. Criminals often use the tool to deactivate or help avoid antivirus software.
Mimikatz: This freely available tool can be used to dump Windows passwords and help attackers escalate privileges. Skulkin says it remains widely used and very often gets deployed without attackers even bothering to rename or attempt to hide it.
NLBrute: This tool is designed to brute-force a wide range of RDP passwords.
NS2: Malware-wielding hackers use this utility for mounting available network drives and shares to enable their malicious code to spread farther.
PsExec: Microsoft calls this “a lightweight telnet-replacement that lets you execute processes on other systems.” Security experts say numerous gangs rely on it to help take down victims.
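One way to monitor for several of the tools listed above, shown as an added example that is not part of the original article: a small triage pass over process-creation events that also catches a renamed binary through its embedded original file name. The executable names in the watchlist, the host names and the sample events are assumptions constructed for illustration; the event fields follow Sysmon Event ID 1 naming.

```python
import ntpath
from collections import defaultdict

# Assumed default executable names for tools in the list above; they are not
# given on the page, so confirm them against your own software inventory.
WATCHLIST = {
    "adfind.exe": "AdFind",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "clearlock.exe": "ClearLock",
    "mimikatz.exe": "Mimikatz",
    "nlbrute.exe": "NLBrute",
    "psexec.exe": "PsExec",
    "psexec64.exe": "PsExec",
    "psexec.c": "PsExec",  # OriginalFileName value carried by PsExec binaries
}

def triage(event):
    """Return (tool, reason) for one process-creation event, or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if image in WATCHLIST:
        return WATCHLIST[image], "image name"
    if original in WATCHLIST:
        # Renamed on disk, but the PE version resource still names the tool.
        return WATCHLIST[original], "renamed binary"
    cmd = event.get("CommandLine", "").lower()
    if image == "manage-bde.exe" and " -on" in cmd:
        return "BitLocker", "encryption enabled from command line"
    return None

def hits_by_host(events):
    """Group hits per host so several tools on one machine stand out."""
    hosts = defaultdict(list)
    for ev in events:
        hit = triage(ev)
        if hit:
            hosts[ev["Computer"]].append(hit)
    return dict(hosts)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "Image": r"C:\Users\Public\AdFind.exe", "OriginalFileName": "AdFind.exe"},
    {"Computer": "WS-014", "Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "mimikatz.exe"},
    {"Computer": "SRV-02", "Image": r"C:\Windows\System32\manage-bde.exe", "CommandLine": "manage-bde -on C:"},
    {"Computer": "SRV-02", "Image": r"C:\Windows\System32\manage-bde.exe", "CommandLine": "manage-bde -status"},
    {"Computer": "WS-020", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]
```

Because these are legitimate utilities, a hit is a lead to investigate against known administrative activity, not a verdict.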