Ransomware Attack Techniques

Symantec's analysis of ransomware groups Hive, Conti, and Avoslocker, have identified frequently utilized tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP from weak or compromised credentials, and malware deployment through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved the use of third-party remote software such as AnyDesk and ConnectWise Control along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a vast array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using task manager to dump LSASS memory. Tools used for lateral movement includes PsExec, WMI, BITSAdmin, and Mimikatz. The tampering of Windows logs helped cover the attacker’s tracks. Data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, actors relied on RClone and FileZilla to transfer data.