Share this article on:
The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3).
In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days.
Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to organizations’ networks, then sell the access to the ransomware gangs. The use of IABs helps ransomware gangs concentrate on developing their ransomware variants and running their RaaS operations, which allows them to work on their TTPs and conduct more successful attacks. HC3 has not observed any change in the numbers of IABs working with ransomware gangs in Q1, 2022, with similar numbers observed as throughout 2022.
IABs were most commonly observed advertising general VPN/RDP access to the networks of HPH entities on cybercrime forums, which accounted for more than half of forum adverts, and around 25% of advertisements were offering compromised Citrix/VPN appliances. Remote access solutions were extensively implemented by organizations to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant basic security features were not implemented, and vulnerabilities have been extensively exploited.
Ransomware gangs are increasingly using living-of-the-land (LOTL) techniques in their attacks, utilizing legitimate tools that are already available in the environments of large organizations during ransomware attacks such as CMD.exe, PowerShell, Task Scheduler, MSHTA, and Sysinternals. The use of these tools makes the malicious activities of the gangs harder to detect.
Tactics include the use of remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect, ManageEngine, encryption tools such as BitLocker and DiskCryptor, file transfer tools including FileZilla FTP, Microsoft Sysinternals tools such as PsExec, Procdump, and Dumpert, and open-source tools such as Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync.
While the malicious use of these tools is difficult to detect by security teams, there are detection opportunities. HC3 recommends using a behavior-based approach to detection, such as a Security Information and Event Management (SIEM) tool, which can detect malicious use of LOTL tools which signature-based detection tools cannot.
The HC3 Ransomware Trends in the HPH Sector Report provides detailed information on the TTPs employed by each ransomware operation, including the most commonly abused LOTL tools, relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.