At the beginning of this report we would like to quote “Intelligence Driven Incident Response” by Scott J. Roberts & Rebekah Brown: “Intelligence is the glue that can bind together multiple diverse teams operating at different levels with different priorities.” That is precisely why the Kaspersky Threat Intelligence Team has decided to combine the best practices of all teams in our organisation to create this report. This report uses data from recent investigations by our coworkers in the Threat Research team and the Global Emergency Response Team (GERT), and selected research efforts by the Kaspersky Global Research and Analysis Team (GReAT). We also used best practices from the Escal Institute of Advanced Technologies (SANS), the National Cybersecurity Centers and The National Institute of Standards and
We drew on our statistics to select the most popular groups, analysed in detail the attacks they perpetrated, and used the techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting their attacks, we see that the core techniques remain the same throughout the cyber kill chain. The attack patterns thus revealed are not accidental: this class of attack requires the attackers to go through certain stages, such as penetrating the corporate network or the victim’s computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups and, finally, achieving their objective.
Who is this report for?
The report is written for SOC analysts, threat hunting teams, cyber threat intelligence analysts, digital forensics specialists and other cyber security specialists who are involved in the incident response process or want to protect their environment from targeted ransomware attacks. It helps the reader understand how ransomware groups generally operate and how to defend against such attacks.

You can use the report as a reference library of the main techniques used by ransomware groups, as a basis for writing hunting rules, and as a checklist for auditing your security solutions.