
Top 10 Global Ransomware Groups 2025 with MITRE TTPs and Recommendations

  • Writer: Avraham Cohen
  • Apr 25
  • 38 min read

Top 10 Global Ransomware Groups 2025:


LockBit Ransomware Group

Overview: LockBit is a prolific Ransomware-as-a-Service (RaaS) operation active since 2020.


It recruits numerous affiliates, making it the most widely deployed ransomware globally in recent years (Understanding Ransomware Threat Actors: LockBit | CISA).


LockBit has hit organizations of all sizes across critical sectors including finance, food and agriculture, education, energy, government, healthcare, manufacturing, and transportation (Understanding Ransomware Threat Actors: LockBit | CISA).


Its affiliates follow a double-extortion model, stealing data and encrypting systems.


Notable Targeted Sectors: Practically all major industries (especially financial services, government, healthcare, manufacturing, etc.) (Understanding Ransomware Threat Actors: LockBit | CISA).

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1190 – Exploit Public-Facing Application; T1133 – External Remote Services; T1566 – Phishing; T1078 – Valid Accounts (Understanding Ransomware Threat Actors: LockBit | CISA)

Execution
Techniques: T1059.003 – Windows Command Shell; T1569.002 – Service Execution; T1072 – Software Deployment Tools (Understanding Ransomware Threat Actors: LockBit | CISA)

Persistence/Privilege Escalation
Techniques: T1547 – Boot or Logon Autostart Execution (Registry Run keys); T1078 – Valid Accounts; T1068 – Exploitation for Privilege Escalation (Understanding Ransomware Threat Actors: LockBit | CISA)

Defense Evasion
Techniques: T1562.001 – Disable or Modify Tools; T1070.001 – Clear Windows Event Logs; T1027 – Obfuscated Files/Information (Understanding Ransomware Threat Actors: LockBit | CISA)

Credential Access
Techniques: T1110 – Brute Force; T1003.001 – LSASS Memory Dumping (Understanding Ransomware Threat Actors: LockBit | CISA)

Discovery & Lateral Movement
Techniques: T1046 – Network Service Discovery; T1021.001 – Remote Services: RDP; T1021.002 – SMB/Windows Admin Shares (Understanding Ransomware Threat Actors: LockBit | CISA)

Exfiltration
Techniques: T1567.002 – Exfiltration to Cloud Storage; T1567 – Exfiltration Over Web Service (Understanding Ransomware Threat Actors: LockBit | CISA)

Impact
Techniques: T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery (Understanding Ransomware Threat Actors: LockBit | CISA)

Defensive Recommendations: To counter LockBit, organizations should harden remote access (disable unused RDP services, enforce MFA on all accounts) and apply up-to-date patches to eliminate known exploits (#StopRansomware: Play Ransomware | CISA).


Deploy robust EDR and network monitoring to catch behaviors like suspicious admin tool usage, credential dumping, and large-scale file modifications.


Regular backups (stored offline) and tested recovery plans are critical, given LockBit actors often purge shadow copies (Understanding Ransomware Threat Actors: LockBit | CISA).


In the event of an infection, isolate affected systems immediately and report to authorities.


ALPHV (BlackCat) Ransomware Group

Overview: ALPHV, also known as BlackCat or Noberus, is a sophisticated RaaS group that emerged in late 2021.


It was the first major ransomware written in Rust, and it’s operated by affiliates including former DarkSide/BlackMatter members.


ALPHV is highly adaptable and has aggressively targeted numerous organizations worldwide; notably, an ALPHV attack on a healthcare firm in 2024 led to one of the largest U.S. healthcare data breaches (ALPHV Ransomware: Analyzing the BlackCat After Change ...).


Since December 2023, ALPHV actors have increasingly targeted the Healthcare sector (hospitals) following law enforcement disruptions to their infrastructure (#StopRansomware: ALPHV Blackcat | CISA).


Notable Targeted Sectors: Healthcare and Public Health, Financial Services, Critical Manufacturing, IT services – with a recent uptick in hospital attacks (#StopRansomware: ALPHV Blackcat | CISA).

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1566 – Phishing (Email/SMishing/Vishing); T1078 – Valid Accounts; T1190 – Exploit Public-Facing Application (#StopRansomware: BianLian Ransomware Group | CISA)

Credential Access
Techniques: T1557 – Adversary-in-the-Middle (Session Hijacking); T1558 – Steal or Forge Kerberos Tickets; T1003 – OS Credential Dumping (#StopRansomware: ALPHV Blackcat | CISA)
Observed TTPs: To bypass MFA, ALPHV operators have used tools like Evilginx2 to intercept login cookies/tokens during authentication, effectively hijacking sessions (#StopRansomware: ALPHV Blackcat | CISA).

Lateral Movement
Techniques: T1021 – Remote Services (RDP); T1563 – Remote Service Session (TeamViewer/AnyDesk); T1570 – Lateral Tool Transfer
Observed TTPs: ALPHV actors pivot within networks using both legitimate admin tools and malware. They often activate RDP on compromised hosts or use remote admin software (like TeamViewer or AnyDesk) to move laterally under the guise of IT support. They also drop tools like Cobalt Strike beacons or custom backdoors on multiple systems (“lateral tool transfer”) for persistence across the network. In recent incidents, ALPHV has been observed creating new domain admin accounts to facilitate lateral movement (#StopRansomware: BianLian Ransomware Group | CISA).

Discovery & Evasion
Techniques: T1047 – Windows Management Instrumentation; T1080 – Taint Shared Content; T1036 – Masquerading (Rename Files/Tasks) (JOINT CYBERSECURITY ADVISORY) (#StopRansomware: BianLian Ransomware Group | CISA)
Observed TTPs: BlackCat affiliates frequently use “living off the land” techniques to map the network and evade detection. They run WMI queries and PowerShell scripts to gather host and software information (e.g., list running processes and installed software) (#StopRansomware: BianLian Ransomware Group | CISA).

Data Exfiltration
Techniques: T1560 – Archive Collected Data (Compress for Exfil); T1048 – Exfiltration Over Alternative Protocol
Observed TTPs: Before encryption, ALPHV actors extensively steal data. They often compress large data sets using tools like 7-Zip or RAR (sometimes splitting archives into parts) for quicker exfiltration. Exfiltration is then performed over non-standard channels: for instance, uploading to cloud storage, or via encrypted transfer utilities. In one high-profile case, BlackCat used a victim’s own VPN to exfiltrate data, blending in with normal traffic.
Defensive Notes (Mitigate): Encrypt sensitive data at rest so stolen files are of limited value. Monitor egress traffic for large uploads or for archive file types leaving the network at odd hours. Implement rate-limiting or alerts on outbound transfer volumes. Use cloud access security brokers (CASB) to detect unsanctioned use of cloud storage.

Impact
Techniques: T1486 – Data Encrypted for Impact; T1489 – Service Stop (Inhibit System Recovery)
Observed TTPs: ALPHV encrypts data on victim systems using robust encryption schemes (RSA+AES). It is known for intermittent encryption, encrypting only parts of files to speed up the process while still rendering data unusable (Play Ransomware Group – Detection and Protection - Check Point Software). Like many ransomware families, it stops or disables backup services and deletes shadow copies (using vssadmin or via its own malware logic) to hinder recovery. Ransom notes direct victims to a TOR site (“ALPHV site”) for negotiation.
Defensive Notes (Respond): Ensure isolated backup systems (offline or offsite), since on-site backups may be wiped (Understanding Ransomware Threat Actors: LockBit | CISA).

Defensive Recommendations: Defending against ALPHV/BlackCat requires a multi-layered approach.


Rigorous phishing education and verification procedures can thwart the social engineering tactics (e.g., verify helpdesk callers).


Zero Trust network access principles (continuous verification, limited lateral movement) can limit the damage if they do get in.


It’s crucial to monitor Active Directory for abnormal changes (new admins or GPO modifications) and to secure backups.


Given ALPHV’s focus on stealing data, organizations should invest in data loss prevention and encrypt sensitive data so that exposure risk is reduced.


In summary, combine strong access controls (MFA, patched systems) with active monitoring and an incident response plan to reduce the likelihood and impact of BlackCat attacks.


Clop (Cl0p) Ransomware Group

Overview: Clop is a financially motivated ransomware gang associated with the FIN11 threat actor (a spin-off of the TA505 group).


Active since 2019, Clop is notorious for large-scale “spray-and-pray” attacks followed by targeted exploitation.


They pioneered the mass exploitation of file transfer software vulnerabilities – for example, the Accellion FTA hack in 2020-21, and more recently the MOVEit Transfer zero-day in 2023 (#StopRansomware | CISA).


Clop heavily uses double extortion: stealing sensitive data and threatening leaks on their “CL0P^_- LEAKS” site.


Notable Targeted Sectors: Healthcare (hospital chains, pharma), technology (software companies like Qualys), finance, education – Clop has hit organizations in at least 10 countries, with a focus on U.S. and EU critical infrastructure (many victims in the Healthcare & Public Health sector).

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts
Observed TTPs: Clop operators use phishing emails to deliver malware loaders (notably the SDBbot RAT) into victim networks. They also ruthlessly exploit 0-day and N-day vulnerabilities in widely used file transfer systems – e.g. Accellion FTA and Progress MOVEit (SQLi CVE-2023-34362) – to breach multiple organizations in one stroke (#StopRansomware | CISA, https://www.cisa.gov/stopransomware/stopransomware#:~:text=,FBI%29%2C%20the%20National%20Security). In some cases, they leverage stolen credentials or unsecured RDP services to gain access.

Execution
Techniques: T1059 – Command and Scripting Interpreter; T1569 – System Services (Service Execution)
Observed TTPs: In early stages, FIN11/Clop often executes payloads via script interpreters – e.g., using malicious Office macros or PowerShell to run the SDBbot backdoor on a victim machine. Once they have admin access, they use Windows services or scheduled tasks to deploy the Clop ransomware binary across hosts (for example, using PsExec or WMI to launch the ransomware as a service on target systems).
Defensive Notes (Detect): Monitor for unusual service creation or script execution on servers (e.g., an Office app spawning PowerShell). Use AMSI-enabled antivirus to catch malicious scripts. Tighten PowerShell execution policies and log all PowerShell use.
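The “Office app spawning PowerShell” check from the Detect note above, written out as a small triage routine. This is an added example and not code from the original post: it works on constructed Sysmon Event ID 1-style process-creation records (the ProcessEvent field names, the indicator heuristics and the sample telemetry are all assumptions made for this demo), flags any Office parent that launches a script interpreter, and raises severity when the command line also carries encoded-command, hidden-window, download-cradle or policy-bypass traits.

```python
# Added example (not from the original post): triage Sysmon Event ID 1-style
# process-creation records for an Office application spawning a script
# interpreter, the macro-to-PowerShell pattern described for FIN11/Clop above.
# Field names, heuristics and sample records are constructed for this demo.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def image_name(path: str) -> str:
    """Case-insensitive file name of an image path (handles both slash styles)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_to_script(ev: ProcessEvent) -> bool:
    """True when an Office parent spawns a script interpreter child."""
    return (image_name(ev.parent_image) in OFFICE_PARENTS
            and image_name(ev.image) in SCRIPT_CHILDREN)


def risk_indicators(command_line: str) -> list:
    """Command-line traits that raise the severity of a matching spawn."""
    cl = " ".join(command_line.lower().split())   # collapse whitespace
    hits = []
    if "-encodedcommand" in cl or " -enc " in cl or " -e " in cl:
        hits.append("encoded-command")
    if "-windowstyle hidden" in cl or " -w hidden" in cl:
        hits.append("hidden-window")
    if "downloadstring" in cl or "downloadfile" in cl or "invoke-webrequest" in cl:
        hits.append("download-cradle")
    if "-executionpolicy bypass" in cl or " -ep bypass" in cl:
        hits.append("policy-bypass")
    return hits


def triage(events) -> list:
    """One alert dict per Office-to-script spawn; severity scales with indicators."""
    alerts = []
    for ev in events:
        if not is_office_to_script(ev):
            continue
        indicators = risk_indicators(ev.command_line)
        alerts.append({"host": ev.host, "user": ev.user,
                       "parent": image_name(ev.parent_image), "child": image_name(ev.image),
                       "indicators": indicators,
                       "severity": "high" if indicators else "medium"})
    return alerts


# Constructed sample telemetry: a macro-style chain, a benign admin script, a bare cmd spawn.
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"),
    ProcessEvent("WS-042", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcessEvent("FS-01", "CORP\\svc_backup",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo hello"'),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The parent/child allow-lists are deliberately short; in production you would feed the same function from your EDR's process-tree telemetry and tune the indicator list to your own scripting baseline.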

Persistence
Techniques: T1547.001 – Registry Run Keys/Startup Folder; T1136 – Create Account
Observed TTPs: If initial compromise is via malware like SDBbot, it may establish persistence by adding a Registry Run key or scheduled task to reload on reboot. Clop actors with domain control have also been observed creating new user accounts (often with administrative privileges) to maintain access. However, Clop’s attacks are typically swift, focusing on deployment rather than long-term stealth, so they often rely on their foothold and continuous activity rather than extensive persistence mechanisms.
Defensive Notes (Mitigate): Monitor the creation of new user accounts and the addition of accounts to privileged groups. Use Sysmon or Autoruns utilities to detect new persistence implants (registry entries, startup folder additions). Since Clop’s malware often doesn’t linger long post-encryption, focus on catching them in the infiltration phase.

Privilege Escalation
Techniques: T1068 – Exploitation for Privilege Escalation; T1078.002 – Valid Accounts: Domain Accounts
Observed TTPs: Clop affiliates have exploited OS vulnerabilities (like ZeroLogon, CVE-2020-1472, in some cases) to escalate privileges to Domain Admin. More commonly, they perform credential theft and reuse – once SDBbot or similar malware is running, they capture admin credentials (or use tools like Mimikatz) and then use legitimate domain admin accounts to elevate privileges within the network. They also disable security services to remove obstacles (see Defense Evasion).
Defensive Notes (Prevent/Detect): Apply critical Windows patches (e.g., for ZeroLogon) enterprise-wide. Deploy LAPS or other solutions to randomize and manage local admin passwords. Detect abnormal use of domain admin credentials (e.g., an account performing actions outside its normal pattern). Limit the number of domain admins and use admin tiering.

Defense Evasion
Techniques: T1562.001 – Disable or Modify Tools; T1489 – Service Stop; T1036 – Masquerading
Observed TTPs: The Clop ransomware itself is designed to terminate processes related to security, databases, and backups before encryption. For example, newer Clop variants kill over 600 processes/services (Exchange, SQL, backup agents, etc.) to ensure files are unlocked for encryption. The malware may run under a fake process name to blend in. During the attack, Clop actors also often uninstall or deactivate endpoint security software across the network.
Defensive Notes (Mitigate): Use an EDR solution with self-protection (to resist tampering). Monitor for mass service termination events on servers (e.g., a sudden stop of multiple critical services) – this is a red flag. Ensure logging of service status changes. Use application whitelisting to prevent unauthorized binaries (like a rogue taskkill script or the Clop binary) from executing in the first place.
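The “mass service termination” red flag from the Mitigate note above, as a burst detector. This is an added example, not code from the original post: it reads constructed, pipe-delimited System-log records whose message text mirrors Event ID 7036 (“The X service entered the stopped state”), clusters stop events per host into 60-second windows, and alerts when one window stops at least five distinct services; the record layout, the window and threshold values, the CRITICAL_SERVICES list and the sample log are all assumptions made for this demo.

```python
# Added example (not from the original post): burst detector for service stops on
# one host, the mass-termination behaviour attributed to the Clop payload above.
# Record layout, thresholds, CRITICAL_SERVICES and the sample log are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_SERVICES = {"mssqlserver", "sqlwriter", "msexchangeis", "msexchangetransport",
                     "veeambackupsvc", "vss", "wbengine", "windefend", "sense"}
WINDOW = timedelta(seconds=60)   # burst window (constructed tuning value)
MIN_STOPS = 5                    # distinct services stopped inside WINDOW to alert


def parse_7036(line):
    """Parse 'ts|host|event_id|message'. Returns (ts, host, service, state) for
    Event ID 7036 records, None for other event IDs or malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4 or parts[2] != "7036":
        return None
    msg = parts[3].strip()
    if not msg.startswith("The ") or " service entered the " not in msg:
        return None
    service, rest = msg[4:].split(" service entered the ", 1)
    state = rest.split(" state", 1)[0]
    return datetime.fromisoformat(parts[0]), parts[1], service.strip(), state.strip()


def detect_service_stop_bursts(lines):
    """Group stop events per host into WINDOW-sized clusters (anchored on the first
    stop of each cluster) and alert when a cluster stops MIN_STOPS distinct services."""
    stops = defaultdict(list)                       # host -> [(ts, service), ...]
    for line in lines:
        rec = parse_7036(line)
        if rec and rec[3] == "stopped":
            stops[rec[1]].append((rec[0], rec[2].lower()))
    alerts = []
    for host, events in stops.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= WINDOW:
                j += 1
            distinct = {svc for _, svc in events[i:j]}
            if len(distinct) >= MIN_STOPS:
                alerts.append({"host": host, "start": start.isoformat(),
                               "end": events[j - 1][0].isoformat(),
                               "services": sorted(distinct),
                               "critical": sorted(distinct & CRITICAL_SERVICES)})
            i = j
    return alerts


# Constructed sample log: a 35-second burst on a file server, plus benign noise.
SAMPLE_LOG = """\
2025-03-02T02:13:05|FS-01|7036|The MSSQLSERVER service entered the stopped state.
2025-03-02T02:13:07|FS-01|7036|The SQLWriter service entered the stopped state.
2025-03-02T02:13:09|FS-01|7036|The MSExchangeIS service entered the stopped state.
2025-03-02T02:13:12|FS-01|7040|The start type of the Spooler service was changed from auto start to disabled.
2025-03-02T02:13:15|FS-01|7036|The VeeamBackupSvc service entered the stopped state.
2025-03-02T02:13:20|FS-01|7036|The VSS service entered the stopped state.
2025-03-02T02:13:40|FS-01|7036|The Spooler service entered the stopped state.
2025-03-02T09:00:00|WS-09|7036|The Spooler service entered the stopped state.
2025-03-02T09:00:03|WS-09|7036|The Spooler service entered the running state.
""".splitlines()

if __name__ == "__main__":
    for alert in detect_service_stop_bursts(SAMPLE_LOG):
        print(alert)
```

A single print-spooler restart on a workstation never reaches the threshold, while five or more distinct services going down on a server inside a minute does; the `critical` field tells the analyst immediately whether database, mail, backup or security services were among them.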

Lateral Movement
Techniques: T1021.002 – SMB/Windows Admin Shares; T1219 – Remote Access Software
Observed TTPs: Clop actors spread ransomware to multiple machines by copying it to network shares (ADMIN$ or C$) and using remote execution (like PsExec or WMI) to run it. In some incidents, they have deployed commercially available remote admin tools (e.g., Remote Desktop, VNC, or NetSupport Manager) on high-value systems to manually navigate the network. They also scan for accessible file shares and network drives to encrypt those files and maximize impact.
Defensive Notes (Defend): Disable legacy SMBv1 and require SMB signing to reduce abuse. Monitor for file copy events of executables to admin shares. Use network segmentation to limit which systems can talk to each other over SMB/Windows admin protocols. Employ honeypot shares to get early warning of ransomware traversing file servers.

Collection & Exfiltration
Techniques: T1560 – Archive Collected Data; T1048 – Exfiltration Over Alternative Protocol (FTP/HTTP)
Observed TTPs: Prior to encryption, Clop consistently steals large volumes of data. They use scripts or batch files to compress sensitive data (using utilities like 7-Zip) into archives. Exfiltration is often performed via FTP or web uploads – for example, during the Accellion FTA incident, data was exfiltrated directly through the compromised appliance’s HTTPS channel. In other cases, they set up FTP servers or use existing admin tools (like bitsadmin or custom exfiltration tools) to send data out.
Defensive Notes (Mitigate): Monitor outbound traffic for unusual volume or for transfers to unfamiliar IPs. Restrict FTP usage and inspect SSL/TLS traffic for anomalies (via SSL inspection if policy allows). Consider endpoint DLP agents that can alert on bulk archive creation or transfer. Time-based analysis: large data transfers late at night or on weekends could indicate exfiltration.
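The egress-volume monitoring recommended in the Mitigate note above, and in the ALPHV Data Exfiltration row earlier on this page, as a per-host hourly anomaly check. This is an added example and not code from the original post or from any vendor product: it aggregates constructed flow records (timestamp, source host, destination IP, bytes out) into hourly totals per host, compares each hour against a per-host baseline (the median of constructed “previous weeks” hourly totals), and tags alerts that fall outside business hours or that send almost everything to a single destination. The record layout, the baseline numbers, the 10x/500 MiB thresholds and the sample flows are all assumptions made for this demo.

```python
# Added example (not from the original post): per-host hourly egress anomaly check
# for the outbound-volume monitoring recommended above. Record layout, baselines,
# thresholds and sample flows are constructed for this demo.
import statistics
from collections import defaultdict
from datetime import datetime

FACTOR = 10                              # alert above FACTOR x the host's median hourly egress
MIN_ALERT_BYTES = 500 * 1024 * 1024      # ...and only above 500 MiB, to keep quiet hosts quiet
OFF_HOURS = set(range(0, 6)) | set(range(20, 24))

# Constructed "previous weeks" hourly outbound byte totals per host (the baseline).
HOURLY_BASELINE = {
    "FS-01": [40_000_000, 55_000_000, 38_000_000, 60_000_000, 45_000_000],
    "WS-042": [5_000_000, 8_000_000, 6_000_000, 7_000_000, 5_500_000],
}


def parse_flow(line):
    """'ts|src_host|dst_ip|bytes_out' -> (ts, host, dst, bytes); None if malformed."""
    f = line.split("|")
    if len(f) != 4:
        return None
    return datetime.fromisoformat(f[0]), f[1], f[2], int(f[3])


def hourly_egress(lines):
    """Sum bytes per (host, hour) and per destination inside that hour."""
    totals = defaultdict(int)
    by_dst = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, host, dst, nbytes = rec
        key = (host, ts.replace(minute=0, second=0, microsecond=0))
        totals[key] += nbytes
        by_dst[key][dst] += nbytes
    return totals, by_dst


def detect_egress_anomalies(lines, baseline=HOURLY_BASELINE):
    """Alert on any (host, hour) whose egress exceeds the host's adaptive threshold."""
    totals, by_dst = hourly_egress(lines)
    alerts = []
    for (host, hour), total in sorted(totals.items()):
        median = statistics.median(baseline.get(host, [0]))
        threshold = max(MIN_ALERT_BYTES, FACTOR * median)
        if total <= threshold:
            continue
        top_dst, top_bytes = max(by_dst[(host, hour)].items(), key=lambda kv: kv[1])
        tags = []
        if hour.hour in OFF_HOURS or hour.weekday() >= 5:
            tags.append("off-hours")
        if top_bytes / total >= 0.8:
            tags.append("single-destination")
        alerts.append({"host": host, "hour": hour.isoformat(), "bytes": total,
                       "threshold": threshold, "top_destination": top_dst, "tags": tags})
    return alerts


# Constructed sample flows for Monday 2025-03-03: a 02:00 bulk upload from the file
# server, a daytime upload from a workstation, and normal business-hours traffic.
SAMPLE_FLOWS = """\
2025-03-03T02:05:00|FS-01|203.0.113.45|650000000
2025-03-03T02:20:00|FS-01|203.0.113.45|720000000
2025-03-03T02:41:00|FS-01|203.0.113.45|430000000
2025-03-03T02:50:00|FS-01|198.51.100.7|20000000
2025-03-03T11:10:00|WS-042|203.0.113.99|600000000
2025-03-03T14:10:00|FS-01|198.51.100.7|50000000
2025-03-03T14:30:00|WS-042|198.51.100.7|30000000
""".splitlines()

if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_FLOWS):
        print(alert)
```

The floor (`MIN_ALERT_BYTES`) matters: a workstation whose median hour is 6 MB would otherwise alert on any 60 MB transfer, so the check only fires when both the relative and the absolute bar are cleared.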

Impact
Techniques: T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery
Observed TTPs: Clop encrypts files on every reachable system, using RSA encryption per victim. It also deletes volume shadow copies and any backup files it finds, to prevent recovery. By stopping databases and mail servers beforehand, it ensures maximum damage. After encryption, Clop leaves a ransom note (often not specifying an amount, but directing victims to email or Onion sites for negotiation). If the ransom is not paid, stolen data is published on their leak site.
Defensive Notes (Respond): Maintain offline backups and regularly test restoration (Clop’s routine deletion of on-disk backups makes offline copies vital). Have an incident response plan: if Clop ransomware is detected (e.g., via file integrity monitoring or an encryption canary file), isolate the network immediately to contain spread. Engage law enforcement early – Clop is well-known, and agencies can provide guidance. Analyze and clean the network thoroughly after an attack; Clop is known to sometimes leave backdoors (like SDBbot) that need eradication.

Defensive Recommendations: Organizations should treat Clop like an APT – it combines mass exploitation with hands-on-keyboard attacks.


Key measures include:
1) Apply patches promptly for any software connected to your network (especially file-transfer, collaboration, or VPN tools) (#StopRansomware | CISA).
2) Harden credentials – implement MFA everywhere, disable unused accounts, and monitor for credential abuse.
3) Segment and monitor networks so that a breach in one system doesn’t easily cascade.


Given Clop’s tendency to disable defenses, ensure your security tools have tamper protections and out-of-band alerting.


Finally, prepare for incident response: have immutable backups and an IR team on standby to respond within that critical early window (before Clop can deploy ransomware enterprise-wide).


Black Basta Ransomware Group

Overview: Black Basta is a RaaS group that appeared in April 2022 and rapidly amassed victims across North America, Europe, and Oceania.


By mid-2024 it had impacted over 500 organizations worldwide (#StopRansomware: Black Basta | CISA).


Black Basta affiliates operate a double-extortion model – encrypting files and exfiltrating data for leverage.


They have attacked at least 12 of the 16 U.S. critical infrastructure sectors, with notable focus on manufacturing, healthcare, and financial organizations (#StopRansomware: Black Basta | CISA).


The group is believed to include former Conti members and is technically adept, using a range of initial access vectors and custom tools (like the EDR-killer “Backstab”).


Notable Targeted Sectors: Healthcare (hospitals, dental chains), Education, Manufacturing, Financial Services, among others (#StopRansomware: Black Basta | CISA).

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1566.001 – Spearphishing Attachment; T1566.004 – Spearphishing via Service (Voice/Teams); T1190 – Exploit Public-Facing Application (#StopRansomware: Black Basta | CISA)
Observed TTPs: Black Basta affiliates commonly start with phishing. They send emails with malicious attachments or links, or even make phone calls posing as tech support (known as “Basta call” vishing) to trick users into running malware or sharing credentials (#StopRansomware: Black Basta | CISA).

Privilege Escalation
Techniques: T1068 – Exploitation for Privilege Escalation; T1053 – Scheduled Task/Job; T1548 – Abuse Elevation Control Mechanism
Observed TTPs: Black Basta’s toolkit for privilege escalation includes known exploits like PrintNightmare and ZeroLogon (#StopRansomware: Black Basta | CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a#:~:text=Table%203%3A%20Black%20Basta%20ATT%26CK,and%20PrintNightmare%20for%20privilege%20escalation). They have been observed running credential theft tools (Mimikatz) and then exploiting Windows vulnerabilities to escalate to SYSTEM or Domain Admin (#StopRansomware: Black Basta | CISA).

Defense Evasion
Techniques: T1036 – Masquerading; T1562.001 – Disable or Modify Tools (#StopRansomware: Black Basta | CISA)

Execution
Techniques: T1204 – User Execution (Social Engineering); T1059.001 – PowerShell (#StopRansomware: Black Basta | CISA)
Observed TTPs: Black Basta often relies on user execution – tricking users into running remote support tools or trojans. For instance, affiliates have convinced users to launch a “troubleshooting” session via AnyDesk or Windows Quick Assist, which the attackers then abuse to run malware (#StopRansomware: Black Basta | CISA).

Lateral Movement
Techniques: T1021.001 – Remote Services: RDP; T1021.002 – SMB/Windows Admin Shares
Observed TTPs: After initial compromise, Black Basta spreads through the network via RDP and SMB. They harvest credentials and then use RDP with those valid accounts to access other systems (sometimes even using stolen VPN credentials to hop between network segments). They also push their tools and ransomware payload via SMB to administrative shares on servers or workstations and remotely execute them. Their reconnaissance phase (masquerading as IT) helps identify which machines to target for lateral movement.
Defensive Notes (Mitigate): Enforce network segmentation – e.g., user workstations should not directly RDP to servers. Use host firewall rules to limit RDP access. Monitor for concurrent login anomalies (one account logging into many machines in short succession). Disable the use of local admin accounts over SMB (via policies like LAPS plus SMB signing).
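The “one account logging into many machines in short succession” anomaly from the Mitigate note above, as a sliding-window detector over logon events. This is an added example, not code from the original post: it consumes constructed, pipe-delimited Security-log records modelled on Event ID 4624 (account, target host, logon type, source address), keeps only the network (type 3) and RemoteInteractive/RDP (type 10) logons that lateral movement produces, and alerts when one account reaches five or more distinct hosts inside ten minutes. The record layout, thresholds, the service-account allowlist and the sample log are all assumptions made for this demo.

```python
# Added example (not from the original post): detect one account fanning out to many
# hosts over RDP/SMB in a short window, the lateral-movement signal described above.
# Record layout, thresholds, the allowlist and the sample log are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_HOSTS = 5
LATERAL_LOGON_TYPES = {"3", "10"}                 # network (SMB/admin shares) and RDP
SERVICE_ACCOUNT_ALLOWLIST = {"CORP\\svc_sccm"}    # constructed: known fan-out automation


def parse_logon(line):
    """'ts|event_id|account|target_host|logon_type|source_ip' -> dict; None if not 4624."""
    f = line.split("|")
    if len(f) != 6 or f[1] != "4624":
        return None
    return {"ts": datetime.fromisoformat(f[0]), "account": f[2], "host": f[3],
            "logon_type": f[4], "source": f[5]}


def detect_logon_fanout(lines):
    """Per account, keep a deque of (ts, host) within WINDOW; alert once per burst
    when the deque spans MIN_HOSTS distinct hosts."""
    recent = defaultdict(deque)
    suppressed_until = {}
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None or ev["logon_type"] not in LATERAL_LOGON_TYPES:
            continue
        if ev["account"] in SERVICE_ACCOUNT_ALLOWLIST:
            continue
        q = recent[ev["account"]]
        q.append((ev["ts"], ev["host"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= MIN_HOSTS and ev["ts"] >= suppressed_until.get(ev["account"], datetime.min):
            alerts.append({"account": ev["account"], "first": q[0][0].isoformat(),
                           "last": ev["ts"].isoformat(), "hosts": sorted(hosts),
                           "source": ev["source"]})
            suppressed_until[ev["account"]] = ev["ts"] + WINDOW   # one alert per burst
    return alerts


# Constructed sample log: jdoe hops across five hosts in three minutes; asmith and the
# allowlisted SCCM account are noise; the 4634 logoff and type-2 console logon are ignored.
SAMPLE_LOG = r"""
2025-03-02T22:01:10|4624|CORP\jdoe|WS-042|2|-
2025-03-02T22:02:00|4624|CORP\jdoe|FS-01|10|10.1.1.50
2025-03-02T22:02:40|4624|CORP\jdoe|FS-02|3|10.1.1.50
2025-03-02T22:03:05|4624|CORP\jdoe|DC-01|3|10.1.1.50
2025-03-02T22:03:30|4624|CORP\jdoe|APP-07|10|10.1.1.50
2025-03-02T22:04:10|4624|CORP\asmith|FS-01|3|10.1.2.20
2025-03-02T22:04:55|4624|CORP\jdoe|SQL-03|3|10.1.1.50
2025-03-02T22:05:00|4634|CORP\jdoe|SQL-03|3|10.1.1.50
2025-03-02T22:10:00|4624|CORP\svc_sccm|WS-001|3|10.1.9.9
2025-03-02T22:10:01|4624|CORP\svc_sccm|WS-002|3|10.1.9.9
2025-03-02T22:10:02|4624|CORP\svc_sccm|WS-003|3|10.1.9.9
2025-03-02T22:10:03|4624|CORP\svc_sccm|WS-004|3|10.1.9.9
2025-03-02T22:10:04|4624|CORP\svc_sccm|WS-005|3|10.1.9.9
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_logon_fanout(SAMPLE_LOG):
        print(alert)
```

The allowlist is the part that needs real care: management platforms legitimately touch hundreds of hosts, so each such account should be listed explicitly (and ideally pinned to its expected source address) rather than the threshold being raised for everyone.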

Exfiltration
Techniques: T1567 – Exfiltration Over Web Service; T1490 – Inhibit System Recovery (Shadow Copy Deletion)
Observed TTPs: Black Basta actors typically exfiltrate data using web-based means. In some cases they have been seen launching a simple HTTP or cloud storage upload of stolen data (e.g., to an attacker-controlled cloud drive or via file-sharing sites). If the network is segmented or monitored, they may also use the remote access tools (like the same AnyDesk session) to transfer files out. Once ready to deploy ransomware, they use vssadmin delete shadows /all /quiet to remove backups (#StopRansomware: Black Basta | CISA).
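The shadow-copy deletion named in this row (and the recovery-inhibition behaviour noted for LockBit and Royal elsewhere on this page) is one of the few ransomware steps with a near-deterministic command-line signature, so a small rule set over process-creation telemetry catches it. This is an added example, not code from the original post: it normalises a command line (case, quoting, and a leading drive\dir\ path prefix) and matches it against T1490-style rules for vssadmin, wmic, bcdedit and wbadmin. The event dict layout, the rule names and the sample command lines are assumptions made for this demo; the patterns themselves describe the publicly documented recovery-inhibition commands.

```python
# Added example (not from the original post): command-line rules for recovery
# inhibition (MITRE T1490) over process-creation events. Event layout, rule names
# and sample events are constructed for this demo.
import re

RECOVERY_INHIBIT_RULES = [
    ("vssadmin-delete-shadows",       r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin-resize-shadowstorage", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic-shadowcopy-delete",        r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit-disable-recovery",
     r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin-delete-catalog",        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
]


def normalize(command_line):
    """Lower-case, strip quotes, drop drive\\dir\\ prefixes, collapse whitespace, so
    '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows' and 'vssadmin delete shadows'
    look the same to the rules."""
    s = command_line.lower()
    s = re.sub(r"[\"']", "", s)
    s = re.sub(r"[a-z]:\\(?:[^\\\s]+\\)*", "", s)
    return " ".join(s.split())


def match_recovery_inhibit(command_line):
    """Names of all rules the (normalised) command line matches, in rule order."""
    text = normalize(command_line)
    return [name for name, pattern in RECOVERY_INHIBIT_RULES if re.search(pattern, text)]


def scan_process_events(events):
    """events: dicts with host, user, command_line. Returns one alert per matching event."""
    alerts = []
    for ev in events:
        rules = match_recovery_inhibit(ev["command_line"])
        if rules:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": rules,
                           "command_line": ev["command_line"]})
    return alerts


# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"host": "FS-01", "user": "CORP\\svc_backup",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "APP-07", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "cmd.exe /c wmic shadowcopy delete & bcdedit /set {default} recoveryenabled No"},
    {"host": "FS-01", "user": "CORP\\adm_ops",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

The `vssadmin list shadows` event shows the point of matching on the verb rather than the binary: backup operators run the read-only query constantly, and alerting on the executable name alone would bury the real signal.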

Impact
Techniques: T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery
Observed TTPs: Black Basta uses a fast file encryption routine (often using a public key embedded in the binary to encrypt file keys) (#StopRansomware: Black Basta | CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a#:~:text=Inhibit%20System%20Recovery%20T1490%20Black,key%20to%20fully%20encrypt%20files). They also delete or encrypt backups. The group’s ransom notes typically omit specific demands; instead they provide a unique code and a Tor .onion site (called Basta News) for contact (#StopRansomware: Black Basta | CISA).

Defensive Recommendations: Key steps against Black Basta include up-to-date patching (they exploit known bugs) and strict access controls.


Because they use multi-pronged phishing (emails and calls), foster a culture of verification – e.g., an employee receiving an unsolicited “IT support” call should independently verify the person’s identity.


Deploy robust endpoint defenses and configure them to not trust scripts or binaries in unusual paths (many Basta tools are run from temp directories or user profiles).


Network monitoring is crucial: unusual admin share access, lateral RDP connections, and bulk file movements should trigger alarms.


Given Black Basta’s broad targeting (500+ victims in diverse sectors), all organizations should practice good cyber hygiene (MFA, network segmentation, backups) and have an incident response plan ready (#StopRansomware: Black Basta | CISA).


Royal / BlackSuit Ransomware Group

Overview: The Royal ransomware group emerged around September 2022 and primarily targeted U.S. and international organizations, including many in the Healthcare sector (#StopRansomware: Black Basta | CISA) (#StopRansomware | CISA).


In mid-2023, Royal rebranded as BlackSuit after law enforcement pressure (#StopRansomware: Blacksuit (Royal) Ransomware | CISA) – the malware and tactics remained similar under the new name. Royal/BlackSuit is a human-operated ransomware (not pure RaaS) known for high ransom demands (often between $1 million to $10 million) (#StopRansomware: Blacksuit (Royal) Ransomware | CISA).


It uses double extortion: data theft followed by encryption (#StopRansomware: Blacksuit (Royal) Ransomware | CISA).


Notable Targeted Sectors: Healthcare and Public Health (hospitals), Manufacturing, Communications, Government agencies, and Education have all been victims (#StopRansomware | CISA).

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1566 – Phishing; T1133 – External Remote Services (VPN/RDP); T1190 – Exploit Public-Facing Application (#StopRansomware: Blacksuit (Royal) Ransomware | CISA)

Privilege Escalation
Techniques: T1078 – Valid Accounts (Domain Admin); T1068 – Exploitation for Privilege Escalation
Observed TTPs: Once inside, Royal operators often leverage valid accounts to elevate privileges. In incidents, they have found and abused a domain admin’s credentials or created new admin users to gain full control (#StopRansomware: Blacksuit (Royal) Ransomware | CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a#:~:text=Table%2020%3A%20Cyber%20Threat%20Actors,create%20new%20admin%20user%20accounts). They also exploit vulnerabilities to escalate privileges on machines (for instance, using exploits against Windows to get SYSTEM-level access). After escalation, they spread to the domain controller to take over the Windows domain.

Defense Evasion
Techniques: T1070.001 – Clear Windows Event Logs; T1484.001 – Group Policy Modification; T1562.001 – Disable Security Tools (#StopRansomware: Blacksuit (Royal) Ransomware | CISA)

Discovery & Lateral Movement
Techniques: T1046 – Network Service Discovery; T1021.001 – Remote Services: RDP; T1572 – Protocol Tunneling (SSH) (#StopRansomware: Blacksuit (Royal) Ransomware | CISA)
Observed TTPs: Royal actors conduct extensive discovery – mapping the network, identifying domain trusts and high-value systems. They use tools like AdFind or built-in commands to list users, groups, and computers. For movement, they often rely on RDP (sometimes re-enabling it via the registry if turned off) using the credentials of accounts they’ve compromised. They have also employed encrypted tunnels (e.g., setting up an SSH reverse tunnel) to route traffic and hide their C2 communications (#StopRansomware: Blacksuit (Royal) Ransomware | CISA).

Collection & Exfiltration
Techniques: T1119 – Automated Collection; T1567 – Exfiltration to Cloud/Web Service
Observed TTPs: Royal/BlackSuit is known to steal large amounts of data prior to encryption (#StopRansomware: Blacksuit (Royal) Ransomware | CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a#:~:text=,ransomware%20and%20encrypting%20the%20systems). They script automated file collection, often targeting databases and file servers. They then exfiltrate data – commonly via cloud services or simple HTTPS uploads. For instance, they may compress data and upload it to attacker-controlled cloud storage or use a secure file transfer to their own servers. In some cases, Royal actors even use publicly available file-sharing sites or their own leak site infrastructure for exfiltration.

Impact
Techniques: T1486 – Data Encrypted for Impact; T1489 – Inhibit System Recovery
Observed TTPs: Royal (BlackSuit) uses a ransomware payload (“Zeon” in earlier iterations) to encrypt data on victim systems, typically after hours of preparation. They often disable or delete backups by turning off backup services and using tools like vssadmin to remove shadow copies. The encryption leaves a ransom note directing victims to contact the group via a TOR site or email. Royal’s ransom demands have been extremely high (total demands exceeding $500 million across victims, with some single demands up to $60 million) (#StopRansomware: Blacksuit (Royal) Ransomware | CISA).

Defensive Recommendations: Organizations – especially in healthcare and critical infrastructure – should double down on basic cyber hygiene to defend against Royal/BlackSuit.


That means prioritizing patching of known exploited vulnerabilities (Royal has actively leveraged them) (#StopRansomware: Play Ransomware | CISA), enforcing MFA on all accounts (to prevent easy VPN/RDP break-ins) (#StopRansomware: Blacksuit (Royal) Ransomware | CISA), and segmenting networks so that critical systems are less reachable.


Because Royal often spends time exploring the network, anomalous activity (like mass account enumeration or log clearing) should be treated as an intrusion signal – implement 24/7 SOC monitoring if possible.


Regularly test incident response plans (Royal attacks can unfold fast, so preparedness is key). Finally, given Royal’s history in attacking hospitals, ensure life-critical systems have manual fail-safes; ransomware in healthcare is also a patient safety issue.


Vice Society Ransomware Group

Overview: Vice Society is an intrusion, extortion, and ransomware group that began operations in 2021.


Uniquely, Vice Society doesn’t stick to a single ransomware strain – they have deployed variants like Hello Kitty/FiveHands and Zeppelin in their attacks (JOINT CYBERSECURITY ADVISORY).


Vice Society is best known for disproportionately targeting the education sector, especially K-12 schools and districts (JOINT CYBERSECURITY ADVISORY).


Their attacks have caused school closures, delayed exams, and massive leaks of student and staff data (JOINT CYBERSECURITY ADVISORY).


They also hit local governments and healthcare providers.


Notable Targeted Sectors: Education (K-12) is heavily targeted (JOINT CYBERSECURITY ADVISORY); also, some Healthcare and local governments – but schools are their prime focus.

MITRE ATT&CK mapping (columns: MITRE Tactic; Techniques (IDs & Names); Observed TTPs; Defensive Notes):

Initial Access
Techniques: T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts (Compromised Credentials) (JOINT CYBERSECURITY ADVISORY)
Observed TTPs: Compromised credentials and vulnerable systems are common entry points for Vice Society. They likely gain initial access through weak or reused passwords (including hitting exposed RDP or VPN portals) or by exploiting unpatched internet-facing applications (JOINT CYBERSECURITY ADVISORY). For example, Vice Society actors have exploited known vulnerabilities in network devices or unpatched school IT systems to get in. They do not use bespoke exploits, but rather take advantage of organizations (like under-funded schools) running outdated software.
Defensive Notes (Prevent): Enforce strong, unique passwords and MFA on remote access points – many schools have implemented MFA after Vice Society incidents. Inventory and patch external-facing applications (e.g., school record systems, library systems, etc.) (JOINT CYBERSECURITY ADVISORY). If certain systems can’t be patched promptly, geofence or restrict access to them.

Execution & Persistence
Techniques: T1053 – Scheduled Task/Job; T1547.001 – Registry Run Keys; T1574.002 – DLL Side-Loading (JOINT CYBERSECURITY ADVISORY)
Observed TTPs: Vice Society often establishes persistence and executes payloads using scheduled tasks and service DLL hijacking. They have created scheduled tasks on compromised machines to execute their ransomware or tools at set times (often off-hours) (JOINT CYBERSECURITY ADVISORY). They have also been observed conducting DLL side-loading – placing malicious DLLs that their malware or legitimate software will load to execute code (for instance, replacing a DLL for a legitimate service to run their payload) (JOINT CYBERSECURITY ADVISORY). This allows them to maintain access even if a reboot occurs.
Defensive Notes (Mitigate): Monitor for new or modified scheduled tasks (especially ones created by non-admin users or unusual accounts). Use application control to prevent unauthorized DLLs in the directories of legitimate programs. Keep an eye on Windows Event Logs for service failures or strange DLL load paths. Consider using Microsoft’s Attack Surface Reduction rules to block persistence via suspicious autostart entries.
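The scheduled-task monitoring from the Mitigate note above, worked through as a triage of task-creation events. This is an added example, not code from the original post: it parses the Task Scheduler XML that Windows attaches to Security Event ID 4698 (the `http://schemas.microsoft.com/windows/2004/02/mit/task` schema is the real one; the surrounding event dict, the “adm_/svc_” naming convention used to spot non-admin creators, the off-hours window and the three sample tasks are assumptions made for this demo) and scores each task on what the section describes: a binary in a user-writable path, a script host as the action, highest privileges or SYSTEM as the principal, a hidden task, an off-hours trigger, and a creator outside the admin naming convention.

```python
# Added example (not from the original post): triage of scheduled-task creation
# events (Event ID 4698 style) by parsing the task XML. Event layout, naming
# convention, thresholds and sample tasks are constructed for this demo.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
OFF_HOURS = set(range(0, 6)) | set(range(20, 24))
ADMIN_PREFIXES = ("corp\\adm_", "corp\\svc_")          # constructed naming convention


def parse_task_xml(task_xml):
    """Pull the action, principal, trigger start times and Hidden flag out of a task definition."""
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)   # declaration may claim UTF-16
    root = ET.fromstring(task_xml)

    def text(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", TASK_NS)
    starts = [trig.findtext("t:StartBoundary", default="", namespaces=TASK_NS)
              for trig in (triggers if triggers is not None else [])]
    return {"command": text("t:Actions/t:Exec/t:Command"),
            "arguments": text("t:Actions/t:Exec/t:Arguments"),
            "run_level": text("t:Principals/t:Principal/t:RunLevel"),
            "user_id": text("t:Principals/t:Principal/t:UserId"),
            "hidden": text("t:Settings/t:Hidden").lower() == "true",
            "starts": [s for s in starts if s]}


def triage_task(event):
    """event: {host, subject_user, task_name, task_xml}. Returns an alert with reasons."""
    task = parse_task_xml(event["task_xml"])
    action = (task["command"] + " " + task["arguments"]).lower()
    reasons = []
    if any(hint in action for hint in USER_WRITABLE_HINTS):
        reasons.append("binary-in-user-writable-path")
    if any(host in task["command"].lower() for host in SCRIPT_HOSTS):
        reasons.append("script-host-action")
    if task["run_level"] == "HighestAvailable":
        reasons.append("highest-privileges")
    if task["user_id"].upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs-as-system")
    if task["hidden"]:
        reasons.append("hidden-task")
    for start in task["starts"]:
        try:
            if datetime.fromisoformat(start).hour in OFF_HOURS:
                reasons.append("off-hours-trigger")
                break
        except ValueError:
            continue
    if not event["subject_user"].lower().startswith(ADMIN_PREFIXES):
        reasons.append("non-admin-creator")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "none"
    return {"host": event["host"], "task": event["task_name"], "creator": event["subject_user"],
            "command": task["command"], "reasons": reasons, "severity": severity}


def _task(command, arguments, user_id, run_level, hidden, start):
    """Build a constructed task definition in the Task Scheduler schema."""
    return (r'<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary>'
            '<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>'
            f'<Principals><Principal id="Author"><UserId>{user_id}</UserId><RunLevel>{run_level}</RunLevel>'
            f'</Principal></Principals><Settings><Hidden>{hidden}</Hidden></Settings>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>'
            '</Exec></Actions></Task>')


# Constructed sample events: a hidden SYSTEM task from a user profile at 01:30, a vendor
# updater registered by an admin, and an admin-created PowerShell task from ProgramData.
SAMPLE_EVENTS = [
    {"host": "WS-042", "subject_user": "CORP\\jdoe", "task_name": "\\WindowsUpdateCheck",
     "task_xml": _task(r"C:\Users\Public\system.exe", "-run", "S-1-5-18", "HighestAvailable",
                       "true", "2025-03-02T01:30:00")},
    {"host": "WS-042", "subject_user": "CORP\\adm_ops", "task_name": "\\Vendor\\Updater",
     "task_xml": _task(r"C:\Program Files\Vendor\Updater\updater.exe", "/silent",
                       "CORP\\svc_updater", "LeastPrivilege", "false", "2025-03-02T12:00:00")},
    {"host": "FS-01", "subject_user": "CORP\\adm_ops", "task_name": "\\Maint\\Cleanup",
     "task_xml": _task(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"-File C:\ProgramData\cleanup.ps1", "CORP\\svc_maint", "LeastPrivilege",
                       "false", "2025-03-02T12:00:00")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_task(ev))
```

Scoring on several weak signals rather than one strong one is deliberate: an admin-created maintenance task that runs a PowerShell script from ProgramData is worth a look but not a page-out, while a hidden, SYSTEM-level, off-hours task pointing into a user profile is.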

Privilege Escalation

T1068 – Exploitation for Privilege Escalation (PrintNightmare etc); T1078.002 – Valid Accounts: Domain Accounts

Vice Society actors have taken advantage of known exploits like PrintNightmare (CVE-2021-34527) to escalate privileges on unpatched Windows systems (JOINT CYBERSECURITY ADVISORY). After gaining local admin or a foothold, they often target Active Directory – acquiring or cracking a domain admin credential (or using tools to extract the ntds.dit domain database). With domain admin rights, they push ransomware group-wide. In some cases, they have simply used legitimate domain admin accounts obtained via credential theft (especially in environments without MFA for administrative access).

Prevent: Ensure all systems are patched for known elevation bugs (PrintNightmare, Zerologon, etc.) – Vice Society heavily exploits unpatched systems. Use credential tiering: domain admin accounts should never be used to log into lower-tier systems such as workstations. Detect: Monitor for Print Spooler service abuse or other signs of exploit usage. Any sudden granting of domain admin privileges to an account, or use of a dormant admin account, should raise an alert.

Defense Evasion

T1036 – Masquerading; T1055 – Process Injection; T1497 – Virtualization/Sandbox Evasion

Vice Society employs various evasion tricks. They often masquerade their tools as legitimate files – for instance, naming their ransomware something innocuous like “system.exe” or running it from a folder resembling a legitimate path (JOINT CYBERSECURITY ADVISORY). They also use process injection techniques to hide within trusted processes (making detection by signature harder). Some reports indicate Vice Society’s malware can detect if it’s running in a sandbox or VM (and delay or halt encryption to avoid analysis) (JOINT CYBERSECURITY ADVISORY). Additionally, they attempt to defeat automated analysis by packing or obfuscating their binaries.

Detect: Apply behavior-based detection, since file names can be misleading (look for unusual process behavior rather than names). Monitor for processes spawning from unexpected directories or executing in the memory of other processes. Counter sandbox evasion by detonating samples in analysis environments hardened against simple VM checks. Ensure your EDR is updated to catch common injection patterns (such as remote thread creation into sensitive processes).

Lateral Movement

T1047 – Windows Management Instrumentation; T1080 – Taint Shared Content

Vice Society leverages built-in tools for lateral movement. They use WMI commands to execute processes on remote machines (especially once they have credentials with admin rights, WMI lets them move laterally without dropping new binaries) (JOINT CYBERSECURITY ADVISORY). They have also been seen using a technique of placing malicious files in shared directories that users or IT personnel commonly execute (tainting shared content), thereby spreading when those files are accessed (JOINT CYBERSECURITY ADVISORY). This low-tech method can be effective in school networks where many machines access the same file share.

Mitigate: Restrict permissions on shared folders so regular users cannot plant executables in software shares. Monitor WMI event logs (Event ID 5861, etc.) for remote execution attempts. Use a host-based firewall to restrict WMI and other remote management to known management servers. Encourage staff to use centralized software deployment tools rather than manually running files from shares, to reduce the risk of this “tainting” technique.

Collection & Exfiltration

T1565.002 – Data Staged: Cloud Storage; T1567 – Exfiltration Over Web Service

Vice Society, like others, engages in extensive data theft. They often stage large data archives on systems (sometimes splitting archives into smaller pieces named subtly) and then upload them to cloud storage or via web protocols. In the Los Angeles USD attack (2022), for example, they exfiltrated hundreds of GB of sensitive student data. They may use publicly accessible file-sharing services or their own infrastructure over HTTPS to exfiltrate, making it appear as normal web traffic.

Detect: Configure alerts for when internal hosts communicate with known cloud storage endpoints not normally used (Dropbox, Mega, etc.). Monitor for the creation of large compressed files on servers or unusual PowerShell/7-Zip usage that creates big archives. Implement egress filtering – if a school network doesn’t legitimately need to post hundreds of GB to the internet, block or rate-limit it.

Impact

TA0040 – Impact (Data Encryption & Data Destruction)

Vice Society ultimately deploys ransomware (often variants like Zeppelin) to encrypt victim data. They have also been known to change passwords of domain admins and other key accounts during the attack to lock the victim out of systems (in one case, scripts were used to change hundreds of passwords, impeding the victim’s recovery efforts) (JOINT CYBERSECURITY ADVISORY). The ransom demands are typically communicated via notes and their dark web leak site, where they threaten to publish personal data of students/patients if not paid.

Respond: In the midst of an attack, be prepared for password resets – have out-of-band ways to regain admin access (e.g., an offline domain controller backup or cloud directory). After an attack, reset all passwords (especially those Vice Society might have changed). Ensure you have immutable backups for data restoration. Given Vice Society’s focus on data leaks involving minors’ data, coordinate incident response with legal and communications teams to handle breach notification sensitively.

Defensive Recommendations: Educational institutions (and other Vice Society targets) often have limited budgets, but some high-impact steps include: upgrading and patching critical systems (many school systems hit were running outdated software easily exploited) (JOINT CYBERSECURITY ADVISORY), implementing MFA where possible, and network segmentation (so a breach in a lab computer doesn’t compromise the district’s entire network).


Regularly back up student and staff data offline.


Vice Society specifically capitalizes on weaker security environments, so leveraging government/free resources (like MS-ISAC services for K-12) can bolster defenses.


In case of an incident, involve law enforcement and cyber response teams; Vice Society has caused significant disruptions, and recovery may require outside help.


Proactively, the education sector should follow the joint advisories (like StopRansomware guides) aimed at hardening schools against these attacks (JOINT CYBERSECURITY ADVISORY).


Cuba Ransomware Group

Overview: “Cuba” ransomware is a cybercriminal group (unrelated to the country) active since at least 2019.


It operates as a RaaS or close-knit gang and has extorted significant sums – by late 2022 the FBI noted Cuba had compromised over 100 entities and extorted at least ~$60 million USD.


Cuba ransomware has been linked with the “Tropic Trooper” APT in some reports (due to overlaps with the RomCom RAT), showing a blend of financial and strategic motives.


They often work with initial access brokers and malware like Hancitor or Qakbot to infiltrate networks.


Notable Targeted Sectors: FBI reporting indicates Cuba actors have hit organizations in Financial Services, Government Facilities, Healthcare & Public Health, Critical Manufacturing, and Information Technology sectors – i.e., a wide range of critical infrastructure.

MITRE Tactic | Techniques (IDs & Names) | Observed TTPs | Defensive Notes

Initial Access

T1190 – Exploit Public-Facing Application; T1566 – Phishing; T1078 – Valid Accounts; T1563.002 – Remote Services: RDP (External Tool)

Cuba ransomware actors use multiple avenues to get in. Per the FBI, they leverage known vulnerabilities in commercial software for initial breaches (for instance, exploiting flaws in VPN appliances or web servers). They also run phishing campaigns to deliver malware loaders like Hancitor that drop backdoors. Once a foothold is established, they may use legitimate remote desktop tools or admin utilities to expand access (sometimes installing their own RDP tools for persistence). In some cases, simply using stolen credentials for remote access has enabled them to enter networks.

Prevent: Keep all internet-facing systems updated – Cuba actors prey on unpatched systems. Employ MFA and strong passwords on RDP/VPN to stop attacks with stolen creds. Use email security and user training to reduce phishing success (Hancitor often arrives via malicious docs). Disable or tightly restrict RDP access from the internet; consider using VPN and monitoring for new RDP service usage.

Privilege Escalation

T1068 – Exploitation for Privilege Escalation; T1558.003 – Kerberoasting; T1003.001 – LSASS Memory (Dumping)

Cuba actors are adept at escalating privileges. They have exploited Windows vulnerabilities like CVE-2022-24521 (CLFS) to steal system tokens for SYSTEM access, and even ZeroLogon (CVE-2020-1472) to get Domain Admin privileges. They also target Active Directory: running PowerShell scripts to perform Kerberoasting – extracting service account Kerberos tickets and cracking them offline to retrieve passwords. Tools like “KerberCache” have been used to dump cached credentials from LSASS memory on domain controllers. With these techniques, they often obtain domain-wide admin control.

Mitigate: Apply critical Windows patches (the CLFS driver patch, the Netlogon/ZeroLogon patch, etc.) – these remove their easy elevation paths. Use strong, randomly generated service account passwords to make Kerberoasting impractical (and monitor for abnormal Kerberos ticket requests). Enable Credential Guard or restrict debug rights to protect LSASS memory on critical servers (domain controllers). Detect: Monitor for Kerberos ticket extraction anomalies and for known exploit usage (e.g., event logs indicating token manipulation or suspicious DC authentication).
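One way to turn the "abnormal Kerberos ticket requests" detection above into a concrete hunt, as an added example that is not code from the FBI/CISA advisory: it walks Security event 4769 records and flags a requester that asks for RC4-encrypted service tickets for several distinct service accounts in a short window, the pattern Kerberoasting tooling produces. The events, account names and thresholds are constructed; in a domain where RC4 is still the default, the RC4 signal alone is noisy and the distinct-service threshold does the real work.

```python
"""Hunt for Kerberoasting in Windows Security event 4769 records.

Added example, not code from the advisory this page cites. The events
below are constructed; field names mirror the 4769 event XML
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType most Kerberoast tooling requests
WINDOW = timedelta(minutes=10)
DISTINCT_SERVICES = 3        # distinct service accounts per requester inside WINDOW

# Constructed sample telemetry (not from a real environment).
SAMPLE_EVENTS = [
    # Routine: AES ticket for a file server's machine account.
    {"time": "2025-03-01T09:00:01", "user": "jdoe@CORP", "service": "FS01$",
     "enc": "0x12", "ip": "10.0.5.21"},
    # Routine RC4 request for a machine account; filtered out below.
    {"time": "2025-03-01T09:02:10", "user": "jdoe@CORP", "service": "FS02$",
     "enc": "0x17", "ip": "10.0.5.21"},
    # Suspicious burst: one requester, RC4, many distinct service accounts.
    {"time": "2025-03-01T09:15:00", "user": "rlee@CORP", "service": "sql-prod",
     "enc": "0x17", "ip": "10.0.7.40"},
    {"time": "2025-03-01T09:15:01", "user": "rlee@CORP", "service": "backup-agent",
     "enc": "0x17", "ip": "10.0.7.40"},
    {"time": "2025-03-01T09:15:01", "user": "rlee@CORP", "service": "iis-app",
     "enc": "0x17", "ip": "10.0.7.40"},
    {"time": "2025-03-01T09:15:02", "user": "rlee@CORP", "service": "sharepoint-svc",
     "enc": "0x17", "ip": "10.0.7.40"},
    # Two RC4 requests hours apart for legacy apps: below threshold, outside window.
    {"time": "2025-03-01T08:00:00", "user": "bob@CORP", "service": "legacy-app",
     "enc": "0x17", "ip": "10.0.9.9"},
    {"time": "2025-03-01T15:30:00", "user": "bob@CORP", "service": "legacy-print",
     "enc": "0x17", "ip": "10.0.9.9"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def is_roast_candidate(ev):
    """RC4 service-ticket requests for user service accounts: machine accounts
    (ending in '$') and the krbtgt service are excluded as routine noise."""
    svc = ev["service"]
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):
        return False
    return ev["enc"].lower() == RC4_HMAC


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SERVICES):
    """Return one alert per (requester, source IP) that asked for RC4 tickets
    for at least `threshold` distinct services within any `window`."""
    per_requester = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if is_roast_candidate(ev):
            per_requester[(ev["user"], ev["ip"])].append(ev)

    alerts = []
    for (user, ip), evs in per_requester.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] fits inside `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold and (
                    best is None or len(services) > len(best["services"])):
                best = {"user": user, "ip": ip, "first_seen": evs[start]["time"],
                        "services": sorted(services)}
        if best:
            alerts.append(best)  # one alert per requester keeps triage manageable
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"KERBEROAST? {a['user']} from {a['ip']} at {a['first_seen']}: {a['services']}")
```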

Lateral Movement

T1021.002 – SMB/Windows Admin Shares; T1563 – Remote Desktop (RDP)

With elevated credentials, Cuba operators move laterally by copying tools to administrative shares (like ADMIN$) on other hosts and using those tools or commands to execute on those machines. They also make heavy use of remote administration – for example, using PSExec or WMI over SMB to run their ransomware on multiple computers simultaneously. In some instances, they leveraged tools like Impacket to automate lateral movement and deploy the RomCom RAT or other backdoors on additional systems. RDP is occasionally used in later stages for interactive control of key servers.

Defend: Disable unnecessary SMB shares and enforce SMB signing – this can slow lateral movement. Monitor for unusual use of tools like Impacket or batch deployments across many systems at once. Use network segmentation to limit which systems administrators can access directly. Monitor account logons on multiple machines; a single admin account initiating concurrent sessions on many endpoints could indicate lateral movement. Utilize deception techniques (like fake admin shares or honey tokens) to detect intruders exploring the network.

Defense Evasion

T1562.001 – Disable or Modify Tools; T1027.002 – Software Packing

Cuba ransomware actors deploy kernel-level malware to disable security. Notably, they used a dropper that installed a malicious driver named “ApcHelper.sys” – this driver (signed with a stolen certificate) would kill processes for EDR/antivirus, effectively disarming endpoint defenses. The use of a kernel-mode component helped them evade user-land detection. They also pack or encrypt their payloads to avoid signature detection by antivirus. Once they begin the attack, they may also stop logging services and disable security software through command-line commands.

Prevent/Detect: Configure systems to only load drivers signed by trusted, up-to-date certificates (and consider Microsoft’s driver blocklist for known malicious drivers). Monitor for attempts to load uncommon drivers and for abuse of leaked legitimate code-signing certificates (in this case, the NVIDIA certificate leaked by LAPSUS$). Keep antivirus and EDR agents updated so they can detect or block known bad drivers. Endpoint protection should also alert on abrupt termination of its own processes – a sign something like ApcHelper is at work. Enable memory integrity (Hypervisor-Protected Code Integrity) on Windows 10+ to harden against unauthorized drivers.

Collection & Exfiltration

T1567.002 – Exfiltration to Cloud Storage; T1048 – Exfiltration Over Alternative Protocol (FTP) (#StopRansomware: BianLian Ransomware Group | CISA)

Cuba actors exfiltrate data primarily via file transfer tools. They have been observed using Rclone or similar utilities to upload stolen data to cloud accounts under their control (e.g., cloud storage or Mega) (#StopRansomware: BianLian Ransomware Group | CISA).

Impact

T1486 – Data Encrypted for Impact; T1485 – Data Destruction

Cuba ransomware encrypts data on victim systems using RSA+AES. Before encryption, they often try to destroy backups and system recovery options – e.g., using wbadmin to delete backup catalogs or disabling backup services. In some cases, they’ve also deployed destructive commands or malware on systems they choose not to encrypt (possibly to hamstring incident responders or as retaliation). The primary impact is file encryption; Cuba’s malware will append a distinctive “.cuba” extension and drop ransom notes. The group runs a leak site to pressure victims by publishing stolen data if the ransom is not paid.

Respond: Maintain offline backups of critical systems. If hit by Cuba, immediately isolate affected hosts and network segments to stop the spread. Their use of destructive actions means responders should be cautious – preserve forensic data quickly before it’s wiped. Given Cuba’s willingness to exploit infrastructure weaknesses, ensure during recovery that all backdoors (RATs, accounts, etc.) are eradicated. Share indicators (malicious driver hashes, C2 addresses) with law enforcement and peers, as Cuba’s tactics are well-documented and sharing can help others.

Defensive Recommendations: Defending against Cuba ransomware requires vigilance on both technical and credential fronts.


Because they often piggyback on other malware (like Qakbot or Hancitor), organizations should strengthen email security and endpoint protection to catch those initial infections.


Network segmentation and privileged access management are vital – Cuba can’t progress if they can’t easily escalate privileges or move freely.


Employing modern Windows security features (Credential Guard, HVCI, driver block rules) can blunt their advanced techniques like malicious driver loading.


Due to Cuba’s presence in multiple critical sectors, CISA and FBI advisories urge organizations to prioritize fixing known bugs and fortifying accounts.


In short: patch aggressively, enforce MFA, monitor relentlessly – and have a clear plan for fast containment and recovery should an intrusion be detected.


BianLian Ransomware Group

Overview: BianLian is a Russia-linked ransomware and extortion group first observed in 2022 (#StopRansomware: BianLian Ransomware Group | CISA).


Initially a double-extortion outfit (data theft + encryption), BianLian changed tactics in 2023 – moving to primarily data-theft extortion without encryption, and by early 2024 they had gone to exfiltration-only (no encryption) extortion attacks (#StopRansomware: BianLian Ransomware Group | CISA).


They are known for custom tooling (they wrote their own backdoor malware) and a preference for using valid credentials and living-off-the-land techniques once inside.


BianLian has compromised organizations across multiple U.S. critical infrastructure sectors and abroad (notably Australia) (#StopRansomware: BianLian Ransomware Group | CISA).


Notable Targeted Sectors: Media and Entertainment, Healthcare, Energy, Education, and other critical services in the U.S. and Australia (#StopRansomware: BianLian Ransomware Group | CISA).

MITRE Tactic | Techniques (IDs & Names) | Observed TTPs | Defensive Notes

Initial Access

T1133 – External Remote Services (RDP/VPN); T1566 – Phishing; T1190 – Exploit Public-Facing Application (#StopRansomware: BianLian Ransomware Group | CISA)

Execution

T1059.001 – PowerShell; T1059.003 – Windows Command Shell; T1053.005 – Scheduled Task (#StopRansomware: BianLian Ransomware Group | CISA)

BianLian heavily abuses command-line interpreters. They use PowerShell to execute malicious commands and also to disable security features like AMSI (Anti-Malware Scan Interface) (#StopRansomware: BianLian Ransomware Group | CISA).

Persistence

T1136.001/002 – Create Account (Local & Domain); T1505.003 – Server Software Component: Web Shell (#StopRansomware: BianLian Ransomware Group | CISA)

Privilege Escalation

T1068 – Exploitation for Privilege Escalation (OS Vulnerabilities) (#StopRansomware: BianLian Ransomware Group | CISA)

BianLian actors will exploit known OS vulnerabilities to elevate privileges when needed. For example, they have exploited a Windows 10/11 privilege escalation (CVE-2022-37969) to gain SYSTEM rights on a box after initial compromise (#StopRansomware: BianLian Ransomware Group | CISA).

Defense Evasion

T1112 – Modify Registry; T1562.001 – Disable or Modify Tools; T1562.004 – Disable System Firewall; T1027.002 – Software Packing; T1036.004 – Masquerade Task or Service (#StopRansomware: BianLian Ransomware Group | CISA)

Credential Access

T1003.001 – LSASS Memory Dumping (Mimikatz); T1003.003 – NTDS (AD Database Theft); T1552.001 – Search Unsecured Credentials; T1552.004 – Steal Private Keys (#StopRansomware: BianLian Ransomware Group | CISA)

Discovery & Lateral Movement

T1087.002 – Account Discovery: Domain Accounts; T1482 – Domain Trust Discovery; T1135 – Network Share Discovery; T1018 – Remote System Discovery (#StopRansomware: BianLian Ransomware Group | CISA)

Lateral Movement

T1021.001 – Remote Services: RDP; T1021.002 – SMB/Windows Admin Shares (#StopRansomware: BianLian Ransomware Group | CISA)

To move laterally, BianLian uses legitimate remote access when possible. They frequently use RDP with stolen credentials to hop between systems, often after creating additional admin users to facilitate this (#StopRansomware: BianLian Ransomware Group | CISA).

Collection & Exfiltration

T1115 – Clipboard Data; T1560 – Archive Collected Data; T1537 – Transfer Data to Cloud Account; T1048 – Exfiltration Over Alternative Protocol (#StopRansomware: BianLian Ransomware Group | CISA)

Impact

T1486 – Data Encrypted for Impact (historical); Data Extortion (no ATT&CK ID)

Earlier, BianLian encrypted victim data using their ransomware (targeting hundreds of machines). However, since 2023 they shifted strategy – often foregoing encryption and relying purely on data theft and extortion ([#StopRansomware: BianLian Ransomware Group | CISA](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a#:~:text=and%20command,based%20extortion%20around%20January%202024)). In those cases, the impact is less about locked files and more about massive data leakage threats. When they did encrypt, they used a custom ransomware that left a note with payment instructions on each system. The group’s evolution means some victims might find systems intact but data stolen, whereas others (earlier victims) suffered full encryption. In all scenarios, stolen data is leveraged for extortion on BianLian’s dark web leak site.

Defensive Recommendations: BianLian’s tactics underscore the need for comprehensive security beyond just file protection.


Because they often don’t encrypt data in newer attacks, preventing data theft is paramount: employ network segmentation and least privilege so attackers can’t freely access all data once in.


Strictly limit RDP and other remote admin services – many BianLian intrusions began with an unchecked RDP entry (#StopRansomware: BianLian Ransomware Group | CISA). Use behavioral analytics to detect patterns like rapid account creation or mass credential dumping.


Regularly hunt for signs of malicious admin behavior (new users, changed registry settings, disabled security) – these can be detected if one is looking, as evidenced by the detailed TTPs known from BianLian cases.


Finally, because BianLian focuses on extortion, have a robust data governance and encryption policy: know what critical data you have and where, and encrypt sensitive data at rest – this can reduce the damage if it’s exfiltrated.


Implementing the mitigations from the joint advisory (CISA, FBI, ACSC) (#StopRansomware: BianLian Ransomware Group | CISA) – such as limiting PowerShell, securing RDP, and monitoring accounts – will significantly improve resilience against BianLian.


Medusa Ransomware Group

Overview: Medusa is a ransomware gang that rose to prominence in 2023 by launching a spree of high-profile attacks.


By early 2025, U.S. agencies warned that Medusa had impacted over 300 organizations, including many in critical infrastructure sectors (Medusa ransomware gang claims to have hacked NASCAR).


Medusa conducts double-extortion – stealing data and threatening leaks in addition to encrypting systems.


The group gained notoriety for its brazen tactics (even posting lengthy video leaks of stolen data).


Notable Targeted Sectors: Medusa’s victims span medical, education, legal, insurance, technology, and manufacturing sectors (Medusa ransomware gang claims to have hacked NASCAR).


This includes large public school systems (e.g., Minneapolis Public Schools), government agencies, and recently even sports organizations (NASCAR) (Medusa ransomware gang claims to have hacked NASCAR).

MITRE Tactic | Techniques (IDs & Names) | Observed TTPs | Defensive Notes

Initial Access

T1566 – Phishing; T1078 – Valid Accounts; T1190 – Exploit Public-Facing Application

Medusa likely uses a mix of phishing and exploiting unpatched systems to gain entry. In one education sector case, it’s suspected they entered via a vulnerable system on the school’s network (many school IT environments have legacy systems). They also harvest credentials – some Medusa victims had earlier been compromised via infostealer malware, suggesting Medusa obtained those logins from dark markets and reused them. Additionally, weakly secured RDP or VPN endpoints can be a target – if a username/password is guessable or previously leaked, Medusa will use it.

Prevent: Bolster external-facing security: apply critical patches (Medusa is quick to exploit known CVEs in common software). Enable MFA on remote access to neutralize stolen passwords. Conduct regular password audits to ensure no shared or simple credentials, especially for admin accounts. Since phishing is a threat, user training and robust email filtering should be in place.

Execution

T1204 – User Execution; T1059 – Command-Line Interface

Medusa often relies on victims executing something – e.g., opening a malicious email attachment (user execution) or enabling a macro. Once they have a foothold, they utilize command-line scripts to deploy their ransomware widely. Reports from incidents indicate they may drop a batch script that kills processes and then runs the encryptor across directories. They sometimes schedule these scripts via Group Policy or other means to run simultaneously on many machines, akin to a “big bang” deployment.

Detect: Identify when a user launches an unusual file (like a macro-enabled document that then spawns a script or installer). Use EDR to detect common ransomware precursor behavior (mass file handle closure, suspicious command sequences such as those disabling backups). If one machine shows signs of compromise, assume Medusa will try to spread – perform threat hunting on other systems immediately.

Persistence

T1547 – Boot or Logon Autostart (Registry); T1136 – Create Account

Medusa may not focus heavily on long-term persistence, as they usually strike quickly. However, they have been known to drop autorun entries (registry or startup folder) for their backdoor, ensuring they can get back in if a system reboots mid-attack. They have also reportedly created new local admin accounts on machines (with names mimicking normal users) to retain access. Once the ransomware is executed network-wide, persistence is less a concern for them.

Mitigate: Limit administrative privileges so malware can’t easily create autoruns or new accounts. Monitor the creation of new local users and any changes to Run keys in the registry via Sysmon. Because Medusa’s dwell time may be short, focus on preventing that initial persistent foothold by catching them at ingress.
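The autostart and account-creation monitoring recommended here, and the scheduled-task and DLL side-loading monitoring recommended for Vice Society above, reduce to a handful of rules over normalised Windows and Sysmon events. The block below is an added example (not the advisories' code, nor Medusa- or Vice Society-specific tooling); the events and the deployment allow-list are constructed, and a real pipeline would feed it from the event log forwarder rather than a list.

```python
"""Hunt for the persistence tells called out for Vice Society and Medusa:
scheduled tasks created by unexpected accounts or pointing at user-writable
paths (Security 4698), unsigned DLLs loaded from user-writable paths
(Sysmon event 7, a side-loading tell), autostart Run-key writes (Sysmon
event 13) and new local accounts (Security 4720).

Added example, not code from the advisories: the events are constructed and
already normalised to dicts, and the deployment allow-list is hypothetical.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|temp|programdata|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Accounts expected to create tasks through deployment tooling (constructed).
TASK_CREATORS = {"CORP\\sccm-deploy", "CORP\\it-admin"}

# Minimal 4698 TaskContent payload; real ones carry triggers, principals, etc.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>')

# Constructed sample telemetry, one dict per Windows/Sysmon event.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS-LAB07", "user": "CORP\\jsmith",
     "task": TASK_XML.format(cmd="C:\\ProgramData\\svchost.exe")},
    {"id": 4698, "host": "WS-LAB08", "user": "CORP\\sccm-deploy",
     "task": TASK_XML.format(cmd="C:\\Program Files\\Vendor\\update.exe")},
    {"id": 7, "host": "WS-LAB07", "image": "C:\\Program Files\\Vendor\\app.exe",
     "loaded": "C:\\Users\\Public\\version.dll", "signed": "false"},
    {"id": 7, "host": "WS-LAB07", "image": "C:\\Windows\\explorer.exe",
     "loaded": "C:\\Windows\\System32\\shell32.dll", "signed": "true"},
    {"id": 13, "host": "WS-LAB07", "user": "CORP\\jsmith",
     "target": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\jsmith\\AppData\\Roaming\\upd.exe"},
    {"id": 4720, "host": "WS-LAB07", "user": "CORP\\jsmith", "new_account": "helpdesk2"},
]


def check_task(ev):
    """4698: who created the task, and what does it run?"""
    reasons = []
    if ev["user"] not in TASK_CREATORS:
        reasons.append(f"task created by {ev['user']}, not a deployment account")
    root = ET.fromstring(ev["task"])
    for cmd in root.iter(TASK_NS + "Command"):
        if cmd.text and USER_WRITABLE.match(cmd.text):
            reasons.append(f"task runs {cmd.text} from a user-writable path")
    return reasons


def check_image_load(ev):
    """Sysmon 7: an unsigned DLL from a writable path is the classic side-load."""
    if ev["signed"].lower() == "false" and USER_WRITABLE.match(ev["loaded"]):
        return [f"unsigned {ev['loaded']} loaded into {ev['image']} (possible side-loading)"]
    return []


def check_registry(ev):
    """Sysmon 13: any Run/RunOnce value write is worth a look."""
    if RUN_KEY.search(ev["target"]):
        return [f"autostart value {ev['target']} set to {ev['details']}"]
    return []


def check_user_created(ev):
    """4720: new local accounts on endpoints are rare outside provisioning."""
    return [f"local account {ev['new_account']} created by {ev['user']}"]


RULES = {4698: check_task, 7: check_image_load, 13: check_registry, 4720: check_user_created}


def hunt(events):
    """Apply the rule matching each event id; return findings with their reasons."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["id"])
        if rule is None:
            continue
        reasons = rule(ev)
        if reasons:
            findings.append({"host": ev["host"], "id": ev["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} event {f['id']}: " + "; ".join(f["reasons"]))
```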

Privilege Escalation

T1078.001 – Valid Accounts: Default Accounts; T1068 – Exploitation for Privilege Escalation

If Medusa lands on a system without admin rights, they may try simple techniques like activating default Administrator accounts or exploiting known local priv-esc vulnerabilities to elevate. Given many targets (like school networks) might have old vulnerabilities unpatched, Medusa can take advantage of those. However, often they steal an admin credential early via credential dumping, negating the need for local exploits. In the Minneapolis schools case, insiders noted the attackers seemed to move with admin privileges very quickly, implying credential compromise.

Prevent: Disable or rename default admin accounts and use strong passwords. Patch privilege escalation bugs on endpoints (even older ones that might exist on school PCs). Detect: Look for unusual processes running as SYSTEM that normally wouldn’t, or events like SAM database access which might indicate an attempt to crack local passwords. If an attack is in progress, any privilege escalation attempt is a critical moment to detect and contain.

Defense Evasion

T1562.001 – Disable Security Tools; T1070.004 – File Deletion

Medusa, like other ransomware crews, will try to neutralize security software. They often use scripts to stop antivirus services and delete agent files. In one incident, they deployed a known AV removal tool (for example, something like PC Hunter) to kill EDR processes. They also delete system backups (shadow copies) and potentially system logs to cover tracks. Medusa’s leak of Minneapolis data included screenshots of security settings, suggesting they had time to observe and possibly tamper with them.

Detect: Have alerts for sudden stoppage of security services on multiple hosts. Ensure the security agents report tamper events (e.g., if someone tries to uninstall them) to a central console. Use centralized logging because if Medusa deletes local Windows logs, you still have a copy. Consider implementing application control to prevent unauthorized utilities (like third-party process killers) from running.

Discovery & Lateral Movement

T1046 – Network Service Discovery; T1021 – Remote Services (RDP, SMB)

Medusa operators scan the victim’s network to identify file servers, backups, and other targets. They likely use native commands (ping, net view, etc.) and maybe tools like Advanced IP Scanner. For lateral movement, they have used RDP with harvested credentials and possibly PsExec/SMB for distributing their ransomware. In one case, right before encryption, Medusa had distributed the ransomware binary to many machines over the network, indicating they achieved broad lateral movement. They also might exploit any trust relationships (e.g., if a school district has inter-school network trusts, they pivot across them).

Mitigate: Use network segmentation to limit lateral movement. If possible, segment critical servers (like database or file servers) from user subnets. Detect: Identify when one host starts connecting to many others it usually doesn’t (port scanning or a workstation trying to access many admin shares). Use lateral movement detections like detecting new services created remotely or multiple failed logins across different machines (could indicate credential guessing as they move).
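The two lateral-movement detections recommended here, and the "one admin account with concurrent sessions on many endpoints" check recommended for Cuba above, can be expressed over Windows logon events alone. The following is an added example, not from the advisories: it buckets Security 4624 (successful) and 4625 (failed) network/RDP logons into fixed windows and alerts on account fan-out and on failed-logon sprays from one source. Events and thresholds are constructed and need tuning per environment (backup and scanning accounts legitimately fan out).

```python
"""Flag one account or source reaching many hosts in a short time, using
Windows Security logon events: 4624 (success, LogonType 3 network / 10 RDP)
and 4625 (failure).

Added example, not from the page's sources: the events are constructed and
the thresholds are starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
SUCCESS_FANOUT = 4   # distinct destination hosts per account per window
FAILURE_FANOUT = 3   # distinct hosts with failed logons per source IP per window
LATERAL_LOGON_TYPES = {3, 10}
EPOCH = datetime(1970, 1, 1)

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"time": "2025-03-02T22:03:10", "id": 4624, "user": "CORP\\svc-backup", "type": 3, "src": "10.0.1.5", "dst": "FS01"},
    {"time": "2025-03-02T22:03:12", "id": 4624, "user": "CORP\\svc-backup", "type": 3, "src": "10.0.1.5", "dst": "FS02"},
    # Admin account fanning out over SMB to workstations and a DB server at night.
    {"time": "2025-03-02T23:10:00", "id": 4624, "user": "CORP\\da-admin", "type": 3, "src": "10.0.7.40", "dst": "WS-001"},
    {"time": "2025-03-02T23:10:02", "id": 4624, "user": "CORP\\da-admin", "type": 3, "src": "10.0.7.40", "dst": "WS-002"},
    {"time": "2025-03-02T23:10:03", "id": 4624, "user": "CORP\\da-admin", "type": 3, "src": "10.0.7.40", "dst": "WS-003"},
    {"time": "2025-03-02T23:10:05", "id": 4624, "user": "CORP\\da-admin", "type": 3, "src": "10.0.7.40", "dst": "WS-004"},
    {"time": "2025-03-02T23:10:06", "id": 4624, "user": "CORP\\da-admin", "type": 3, "src": "10.0.7.40", "dst": "SRV-DB01"},
    # Console logon (type 2): not lateral movement, ignored.
    {"time": "2025-03-02T23:11:00", "id": 4624, "user": "CORP\\jdoe", "type": 2, "src": "-", "dst": "WS-010"},
    # Failed logons from one source against several hosts (credential guessing).
    {"time": "2025-03-02T23:20:00", "id": 4625, "user": "CORP\\administrator", "type": 3, "src": "10.0.7.40", "dst": "SRV-FILE02"},
    {"time": "2025-03-02T23:20:01", "id": 4625, "user": "CORP\\administrator", "type": 3, "src": "10.0.7.40", "dst": "SRV-APP01"},
    {"time": "2025-03-02T23:20:02", "id": 4625, "user": "CORP\\administrator", "type": 3, "src": "10.0.7.40", "dst": "SRV-BACKUP"},
]


def _bucket(ev, window):
    """Floor the timestamp to a fixed window so grouping is a dict lookup.
    Fixed buckets can split a burst across a boundary; a sliding window
    avoids that at the cost of more bookkeeping."""
    t = datetime.fromisoformat(ev["time"])
    secs = int((t - EPOCH).total_seconds())
    floored = secs - secs % int(window.total_seconds())
    return (EPOCH + timedelta(seconds=floored)).isoformat()


def detect_fanout(events, window=WINDOW,
                  success_threshold=SUCCESS_FANOUT, failure_threshold=FAILURE_FANOUT):
    """Return alerts for accounts logging on to many hosts and for source IPs
    failing logons against many hosts within one window."""
    success = defaultdict(set)   # (bucket, account) -> destination hosts
    failure = defaultdict(set)   # (bucket, source ip) -> destination hosts
    for ev in events:
        if ev["type"] not in LATERAL_LOGON_TYPES:
            continue
        key = _bucket(ev, window)
        if ev["id"] == 4624:
            success[(key, ev["user"])].add(ev["dst"])
        elif ev["id"] == 4625:
            failure[(key, ev["src"])].add(ev["dst"])

    alerts = []
    for (bucket, user), hosts in sorted(success.items()):
        if len(hosts) >= success_threshold:
            alerts.append({"kind": "account-fanout", "who": user,
                           "window": bucket, "hosts": sorted(hosts)})
    for (bucket, src), hosts in sorted(failure.items()):
        if len(hosts) >= failure_threshold:
            alerts.append({"kind": "failed-logon-spray", "who": src,
                           "window": bucket, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"{a['kind']}: {a['who']} in window {a['window']} -> {a['hosts']}")
```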

Collection & Exfiltration

T1560 – Archive Data; T1567 – Exfiltration Over Web Service

Medusa is highly focused on data theft. They gather sensitive files (in school cases, they targeted student psychological reports, etc.) and compile them into big archives. Notably, Medusa sometimes “shows off” the stolen data (as with the one-hour video montage of Minneapolis schools’ data), indicating they steal a breadth of information. Exfiltration is typically via encrypted web upload – either to cloud storage under their control or directly to their leak site. Because one of their leaks was a video, they clearly exfiltrated a lot of unstructured data (likely via high-bandwidth transfers).

Detect: Outbound monitoring for large transfers is key. If a mid-size organization with no regular large data uploads suddenly starts sending gigabytes out, it’s a red flag. Employ user behavior analytics to notice if an account or system starts accessing files it usually never touches (indicative of broad collection). Consider disabling or monitoring archive utilities – if a user system starts zipping up hundreds of files from disparate folders, generate an alert.
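The outbound-volume and unsanctioned-cloud-storage checks recommended here (and for Vice Society above) can be prototyped directly over proxy logs. The block below is an added example, not the page's or CISA's code: it aggregates per-host daily upload volume per destination and alerts on bulk uploads and on any contact with the cloud-storage services the page names. The log format, hosts, byte counts and the approved-destination list are constructed.

```python
"""Spot bulk uploads and unsanctioned cloud-storage destinations in outbound
proxy logs, the exfiltration tells described for Vice Society and Medusa.

Added example, not from the page's sources: the log format, hosts and
byte counts are constructed, and the approved-destination list is hypothetical.
"""
import re
from collections import defaultdict

# Cloud-storage services named on this page; extend per environment.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "dropbox.com", "dropboxusercontent.com")
# Destinations that legitimately receive bulk data (constructed).
APPROVED_UPLOAD_DESTS = {"backup-sync.example-district.org"}
UPLOAD_BYTES_THRESHOLD = 500 * 1024 ** 2   # 500 MiB per host, per destination, per day

# Constructed proxy log: "<iso-time> <src-ip> <dest-host> out=<bytes> in=<bytes>".
SAMPLE_LOG = """\
# constructed sample, not real telemetry
2025-03-03T01:12:07 10.20.4.15 backup-sync.example-district.org out=734003200 in=20480
2025-03-03T02:40:11 10.20.9.77 mega.nz out=1288490188 in=51200
2025-03-03T02:41:30 10.20.9.77 mega.nz out=1073741824 in=40960
2025-03-03T10:05:00 10.20.4.15 www.example-textbook.com out=5120 in=4194304
2025-03-03T11:15:22 10.20.4.31 dropbox.com out=2097152 in=10485760
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) out=(?P<out>\d+) in=(?P<in_>\d+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({"day": m["ts"][:10], "src": m["src"], "dst": m["dst"].lower(),
                        "out": int(m["out"]), "in": int(m["in_"])})
    return records


def is_cloud_storage(host):
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_exfil(records, threshold=UPLOAD_BYTES_THRESHOLD, approved=APPROVED_UPLOAD_DESTS):
    """Aggregate bytes out per (day, source, destination) and alert on
    unsanctioned cloud storage or on volume over the threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["day"], r["src"], r["dst"])] += r["out"]

    alerts = []
    for (day, src, dst), out_bytes in sorted(totals.items()):
        if dst in approved:
            continue
        reasons = []
        if is_cloud_storage(dst):
            reasons.append("unsanctioned-cloud-storage")
        if out_bytes >= threshold:
            reasons.append("volume-threshold")
        if reasons:
            alerts.append({"day": day, "src": src, "dst": dst,
                           "out_mb": round(out_bytes / 1024 ** 2, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_exfil(parse_log(SAMPLE_LOG)):
        print(f"{a['day']} {a['src']} -> {a['dst']}: {a['out_mb']} MiB {a['reasons']}")
```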

Impact

T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery

Medusa deploys its ransomware to encrypt files en masse once data is stolen. They also remove backups – e.g., deleting Volume Shadow Copies and any backup drive contents – to ensure victims feel pressure to pay. The ransom demands vary, with some around $1 million (Minneapolis) and others higher (NASCAR faced a $4 million demand) (Medusa ransomware gang claims to have hacked NASCAR). Medusa’s encryption can cause significant downtime; in school attacks, systems were offline for weeks. The final impact is both the loss of data availability and the potential public release of sensitive data if the ransom isn’t paid.

Respond: Ensure backup systems are isolated – Medusa will try to destroy on-network backups. In an active attack, once encryption is detected, sever network connectivity to contain it. Prepare communications plans for data leaks, as Medusa is very public. Work with law enforcement; according to FBI and CISA, Medusa had over 300 victims (Medusa ransomware gang claims to have hacked NASCAR), so they are a known quantity and authorities can assist in response and negotiation strategies. In recovery, wipe and rebuild affected machines to eliminate any hidden backdoors before restoring data.

Defensive Recommendations: To guard against Medusa, organizations should focus on early detection and hardened backup strategies.


Because Medusa is noisy when exfiltrating and preparing the attack, robust network monitoring (for unusual data flows or internal scanning) can provide an early warning. Regularly exercise incident response plans – Medusa’s rapid and public tactics can create chaos, so rehearsed response is valuable (especially for public institutions like schools or hospitals that must handle PR).


Keep offline, immutable backups; Medusa can’t extort you for data if you have secure backups and if sensitive data is well-protected (consider data encryption for highly confidential records so that leaks are less damaging).


Finally, stay informed via threat intelligence (CISA alerts, etc.): Medusa’s tactics may evolve, and being aware of the latest behaviors (such as new vulnerabilities they exploit or tools they use) will help preempt their moves (Medusa ransomware gang claims to have hacked NASCAR).


Play Ransomware Group

Overview: “Play” (aka PlayCrypt) is a ransomware group that surfaced in mid-2022 and quickly made a name by attacking governments and enterprises across North and South America and Europe (#StopRansomware: Play Ransomware | CISA).


As of late 2023, the FBI noted roughly 300 organizations had been affected by Play ransomware (#StopRansomware: Play Ransomware | CISA).


Play is known for using the technique of intermittent encryption (encrypting parts of files to speed up the process) (Play Ransomware Group – Detection and Protection - Check Point Software) and for abusing recently disclosed vulnerabilities to gain access.


High-profile Play victims include city governments (e.g., Oakland, Dallas) and companies worldwide.

Notable Targeted Sectors: Government (state/local) and public services, Healthcare, Manufacturing, IT services – Play has a broad target range, similar to other big-game ransomware groups (#StopRansomware: Play Ransomware | CISA).

MITRE Tactic | Techniques (IDs & Names) | Observed TTPs | Defensive Notes

Initial Access

T1078 – Valid Accounts; T1190 – Exploit Public-Facing Application (#StopRansomware: Play Ransomware | CISA)

Play often gains entry by exploiting known vulnerabilities in perimeter devices. Notably, they leveraged a path traversal vulnerability in Microsoft Exchange (OWA) in late 2022 to bypass patches (“ProxyNotShell” bypass) and install webshells – this gave them initial access on Exchange servers. They have also exploited VPN appliance flaws (e.g., Fortinet CVE-2018-13379) and more recently the Citrix ADC vulnerability CVE-2023-3519 (“Citrix Bleed”) to breach networks (Play Ransomware Group – Detection and Protection - Check Point Software). Additionally, Play uses stolen or brute-forced credentials for RDP/VPN – if an account with a weak or reused password is exposed, they abuse it ([#StopRansomware: Play Ransomware

Persistence

T1547 – Boot/Logon Autostart; T1505 – Server Component (Web Shell)

Play actors have been observed installing web shells on compromised servers (especially Exchange or web servers) for persistence – this allows re-entry even if a reboot occurs or credentials are reset. They also have used tools like AnyDesk or Ngrok tunnels to maintain access. While Play’s end goal is ransomware deployment, they sometimes leave quiet backdoors first (web shell, scheduled task, or new local user) that persist while they do recon. For example, after exploiting Citrix, they dropped a web shell for later use.

Detect: Monitor servers (especially Exchange/IIS) for web shell files – unusual ASP/ASPX, PHP, or JSP files in web directories. Employ AV or file integrity monitoring to catch unknown files in those paths. Any use of remote admin tools like AnyDesk should be controlled and logged. Look for suspicious scheduled tasks or services, such as ones with strange names or pointing to temp directories. Removing any discovered persistence early can evict the actor before they strike.

Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts; T1484.001 – Group Policy Modification ([#StopRansomware: Blacksuit (Royal) Ransomware

Defense Evasion

T1562.001 – Disable Security Tools; T1480.001 – Execution Guardrails (Environmental Keying)

Play ransomware actors, prior to deploying ransomware, take steps to disable endpoint defenses. They use tools such as GMER, IOBit Unlocker, and PowerTool to kill antivirus and EDR processes on target machines ([#StopRansomware: Play Ransomware | CISA](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a#:~:text=Table%205%3A%20Play%20ATT%26CK%20Techniques,and%20PowerTool%20to%20disable%20anti)). They might run these via scripts or GPO before launching the encryptor. Interestingly, the Play ransomware binary itself has some guardrails – it won’t run if certain conditions aren’t met (for example, some variants check the system language to avoid encrypting machines in CIS countries). This is a form of execution guardrail that also helps it evade running in researcher sandboxes.

Discovery

T1016 – System Network Configuration Discovery; T1046 – Network Service Discovery ([#StopRansomware: Play Ransomware

Play operators use both automated tools and manual commands to survey the victim network. One known tool is Grixba, an IP scanning tool they use to map network configuration and find live hosts and open ports ([#StopRansomware: Play Ransomware

Lateral Movement

T1570 – Lateral Tool Transfer; T1021 – Remote Services (SMB/RDP) ([#StopRansomware: Play Ransomware

Play’s lateral movement often involves copying tools (and the ransomware binary) to multiple machines. They use built-in admin shares (C$ or ADMIN$) or tools like PsExec (or their own variant) to push the ransomware. One report noted they use Group Policy to distribute the ransomware as a scheduled task – effectively lateral movement via Active Directory that executes on all machines (Play Ransomware Group – Detection and Protection - Check Point Software). They also exploit any trust relationships (if there are multiple domains, they move across trusts). RDP might be used in targeted ways if needed, but their hallmark is distributing payloads in bulk using domain admin credentials.

Exfiltration

T1048 – Exfiltration Over Alternative Protocol (SFTP/WinSCP); T1567 – Exfiltration to Cloud Storage ([#StopRansomware: Play Ransomware

Play ransomware actors engage in data theft for double extortion. They have been seen using WinSCP (an SFTP/FTP client) to exfiltrate data batches over SCP/FTP connections to their servers ([#StopRansomware: Play Ransomware

Impact

T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery ([#StopRansomware: Play Ransomware

Play ransomware employs a fast encryption routine with intermittent encryption (skipping chunks of files) to speed up locking files (Play Ransomware Group – Detection and Protection - Check Point Software). The ransomware appends a “.play” extension to files. They also make sure to delete shadow copies and backups – using commands or their malware to remove Volume Shadow Copies on all machines to inhibit recovery. Play’s final payload is often delivered network-wide nearly simultaneously, causing a “big bang” of encryption. After encryption, they leave a ransom note (often instructing the victim to contact an email address at a gmx domain or visit their leak site) ([PDF] #StopRansomware: Play Ransomware).
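The Defense Evasion, Lateral Movement and Impact rows above describe three pre-encryption steps that show up in process-creation telemetry: running AV/EDR-killer tools (GMER, IOBit Unlocker, PowerTool), deleting Volume Shadow Copies, and pushing payloads with PsExec. The following triage script is an added example (not code from CISA or from this article) that applies those rules to a constructed CSV export; the CSV layout, hostnames and user names are assumptions.

```python
"""Triage Windows process-creation events (e.g. Sysmon Event ID 1 exported as CSV) for
the pre-encryption steps described above: AV/EDR-killer tools, shadow-copy deletion and
PsExec-style remote execution. Added example; CSV layout and sample rows are constructed."""
import csv
import io
import re
from typing import Optional

# Tool names the write-up attributes to Play for disabling endpoint defences.
AV_KILLER_TOOLS = ("gmer", "iobit unlocker", "iobitunlocker", "powertool")
# Command patterns that inhibit recovery (MITRE T1490); matched case-insensitively.
RECOVERY_INHIBIT = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin shadow copy deletion"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadow copy deletion"),
    (r"bcdedit(\.exe)?.*recoveryenabled\s+no", "bcdedit disables recovery"),
]
PSEXEC = re.compile(r"(^|\\)psexe(c|svc)(\.exe)?\b")  # psexec.exe client or PSEXESVC service

def classify(image: str, cmdline: str) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matches."""
    image_l, cmd_l = image.lower(), cmdline.lower()
    for tool in AV_KILLER_TOOLS:
        if tool in image_l or tool in cmd_l:
            return f"T1562.001 defence-evasion tool: {tool}"
    for pattern, label in RECOVERY_INHIBIT:
        if re.search(pattern, cmd_l):
            return f"T1490 {label}"
    if PSEXEC.search(image_l) or PSEXEC.search(cmd_l):
        return "T1569.002 PsExec-style remote execution"
    return None

def triage(csv_text: str) -> list:
    """Parse rows of host,user,image,cmdline and return the events that match a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row["image"], row["cmdline"])
        if label:
            hits.append({"host": row["host"], "user": row["user"], "finding": label})
    return hits

# Constructed sample export; hostnames, users and the benign rows are made up.
SAMPLE_EVENTS = """host,user,image,cmdline
FS01,CORP\\svc_backup,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe delete shadows /all /quiet
FS01,CORP\\svc_backup,C:\\Windows\\System32\\vssadmin.exe,vssadmin list shadows
WS22,CORP\\jdoe,C:\\Users\\jdoe\\Downloads\\PowerTool64.exe,PowerTool64.exe
DC01,CORP\\admin,C:\\Windows\\PSEXESVC.exe,C:\\Windows\\PSEXESVC.exe
WS23,CORP\\jdoe,C:\\Windows\\System32\\notepad.exe,notepad.exe notes.txt
"""
```

The benign `vssadmin list shadows` and notepad rows are left alone; a hit on a file server from a backup service account is exactly the kind of event that should page someone before the encryptor lands.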

Defensive Recommendations: The Play group is aggressive in exploiting newly disclosed vulnerabilities, so a key defense is timely patch management – especially for critical externally facing systems (#StopRansomware: Play Ransomware | CISA).


Organizations should subscribe to vulnerability alert services (like CISA’s KEV catalog) and treat urgent patches as truly urgent.


Additionally, implement network segmentation and least privilege: Play’s impact was magnified in environments where flat networks and over-privileged accounts allowed them to push ransomware everywhere.


Employ advanced threat detection capable of recognizing patterns like mass logon attempts, sudden GPO changes, or rapid file encryption.
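The “rapid file encryption” pattern mentioned above can be expressed as a sliding-window rule over file-rename telemetry: many renames on one host landing on the same new extension within a short window. This is an added example (not code from this article or the advisory) with constructed events; the event tuple layout, the 20-renames-per-60-seconds threshold and the host names are assumptions to be tuned for a real environment, and it generalizes beyond “.play” to any extension that suddenly dominates renames.

```python
"""Sliding-window detector for the "big bang" encryption phase: a burst of renames on one
host that all land on the same new extension (".play" for this group). Added example with
constructed rename telemetry; not code from the write-up or the advisory."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Deque, Dict, List, Tuple

# (timestamp, host, old_path, new_path); EDR or file-audit rename events map onto this.
Event = Tuple[datetime, str, str, str]

def burst_alerts(events: List[Event], threshold: int = 20, window_s: int = 60) -> List[dict]:
    """Alert once per (host, new extension) when at least `threshold` extension-changing
    renames land on that extension within `window_s` seconds. Input may be unordered."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, host, old_path, new_path in sorted(events, key=lambda e: e[0]):
        new_ext = PureWindowsPath(new_path).suffix.lower()
        if not new_ext or new_ext == PureWindowsPath(old_path).suffix.lower():
            continue  # extension unchanged: ordinary rename, not encryption-style
        key = (host, new_ext)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "extension": new_ext, "count": len(q),
                           "first_seen": q[0], "last_seen": ts})
    return alerts

def constructed_events() -> List[Event]:
    """FS01: 25 files renamed to .play within 25 s (encryption). WS10: 5 .docx->.pdf
    conversions within a minute, and one .play rename every 10 minutes (below threshold)."""
    t0 = datetime(2025, 4, 1, 2, 15, 0)
    events: List[Event] = []
    for i in range(25):
        events.append((t0 + timedelta(seconds=i), "FS01", f"D:\\share\\doc{i}.docx", f"D:\\share\\doc{i}.docx.play"))
    for i in range(5):
        events.append((t0 + timedelta(seconds=10 * i), "WS10", f"C:\\work\\r{i}.docx", f"C:\\work\\r{i}.pdf"))
    for i in range(5):
        events.append((t0 + timedelta(minutes=10 * i), "WS10", f"C:\\work\\old{i}.txt", f"C:\\work\\old{i}.txt.play"))
    return events
```

Because the alert fires on the count rather than on a known extension, it also catches a rebranded encryptor that uses a new suffix; the slow trickle on WS10 shows why a time window, not a bare count, is needed to keep false positives down.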


Regularly exercise your backup restoration process – Play has caused city-wide outages, and those who recovered fastest were those who had well-practiced continuity plans.


Finally, share and consume threat intelligence: indicators of Play’s tradecraft (like specific file names, hashes, or C2 IPs) can be used to update detection tools preemptively (Ongoing Play Ransomware Attack—What You Need To Know - Forbes) (Play Ransomware Group – Detection and Protection - Check Point Software).


Being prepared and agile is the best counter to this fast-moving threat group.
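The Persistence row above recommends file integrity monitoring of web directories to catch dropped web shells on Exchange/IIS or other web servers. The script below is an added example (not code from this article or from CISA) of the baseline-and-diff approach: hash every file under the web root at a known-good time, then report script-capable files that are new or changed. The directory layout, file names and contents are constructed so it runs offline.

```python
"""Baseline-and-diff check for unexpected script files (possible web shells) in web content
directories. Added example; paths, baseline and sample files are constructed here."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Script-capable extensions an intruder would drop on IIS/Exchange, PHP or Java web servers.
WEB_SHELL_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(web_root: Path) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every file under web_root at a known-good time."""
    return {p.relative_to(web_root).as_posix(): sha256_of(p)
            for p in web_root.rglob("*") if p.is_file()}

def find_suspicious(web_root: Path, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for script files that are new or modified since baseline."""
    findings = []
    for p in web_root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WEB_SHELL_EXTENSIONS:
            continue  # static assets are ignored; only executable server-side files matter
        rel = p.relative_to(web_root).as_posix()
        if rel not in baseline:
            findings.append((rel, "new script file not in baseline"))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "script file changed since baseline"))
    return findings

def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a fake OWA directory, then drop a script and alter a page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth = root / "owa" / "auth"
        auth.mkdir(parents=True)
        (auth / "logon.aspx").write_text("<%-- legitimate page --%>")
        (auth / "logo.png").write_bytes(b"\x89PNG")
        baseline = build_baseline(root)
        # Simulated intrusion: new script dropped, existing page modified, image untouched.
        (auth / "dropped.aspx").write_text("<% constructed placeholder, not a real shell %>")
        (auth / "logon.aspx").write_text("<%-- tampered --%>")
        return sorted(find_suspicious(root, baseline))
```

In production the baseline would be refreshed after each legitimate deployment and stored off the web server, so an intruder who modifies a page cannot also rewrite the reference hashes.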

© 2020 by SDO Security