Insikt Group determined MITRE ATT&CK TTPs used by ransomware. The intended audiences for this report are SOC analysts and those interested in threat hunting.

Executive Summary

Ransomware continues to evade detection and infect enterprise networks of every industry. Defenders need to continually mature their dynamic detections, such as Sigma rules, to detect and stop a ransomware attack. Insikt Group analyzed common techniques used by ransomware operators, mapped them to the MITRE ATT&CK framework, and developed 5 Sigma rules to detect these techniques, which are available to Recorded Future clients.

The ATT&CK techniques highlighted in this research align with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report, where the Defense Evasion tactic was the most commonly seen tactic in 2020.

The 5 ransomware techniques detailed in this report are as follows:

• 3 techniques from the Defense Evasion tactic: Disable or Modify Tools, Disable or Modify System Firewall, and Pre-OS Boot
• 1 technique from the Command and Control tactic: Ingress Tool Transfer
• 1 technique from the Privilege Escalation tactic: Group Policy Modification

Key Judgments

• Ransomware operators continue to focus on developing techniques to evade defenses, aligning with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report.
• Sigma rules focused on particular TTPs used by threat actors can detect malicious behavior before the deployment of ransomware in many cases.
• Sigma rules aligned with MITRE ATT&CK can help organizations define mitigations based on specific threat actor TTPs.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.