Nip Ransomware in the FUD: Detecting Attacks Pre-Encryption
Ransomware operators are evolving their tactics, techniques, and procedures (TTPs), shifting their targets and working to become harder to detect. As operators targeting large organizations have begun to move more strategically, abusing applications already installed on victim systems (“living-off-the-land” techniques), off-the-shelf red team tools, and built-in Windows utilities, their malicious activity in the window before file encryption has become harder to distinguish from legitimate administrative activity.
Recorded Future's cyber threat analysts researched malicious actors using living-off-the-land techniques, open source resources, and red team tools, with a specific focus on “big game” ransomware operators, to identify opportunities for detecting malicious behavior during the post-compromise, pre-encryption phase. The team examined actual compromises by ransomware operators, analyzing their techniques, procedures, and tool usage to derive detections.