The Ransomware Tool Matrix

-

Introduction

Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs.

This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others.

This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations.

Project Background

As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on the same set of utilities and scripts, creating opportunities for defenders to pre-emptively identify, block, or mitigate these threats before they escalate further. The Ransomware Tool Matrix is designed to be an evolving resource, regularly updated with the latest threat intelligence as new information on ransomware TTPs becomes available.

Whether you're hunting for threats within your environment, investigating incidents, or trying to identify behavioural patterns among ransomware affiliates, this matrix serves as a valuable reference. With categorized lists covering everything from Remote Management and Monitoring (RMM) tools to exfiltration and defense evasion utilities, this project provides defenders with the insights needed to disrupt adversarial operations.

Explore detailed breakdowns of the most-used tools by top ransomware groups, dive into threat intelligence sources, and become informed with content like the Conti Playbook and Bassterlord Networking Manual. If you’re serious about proactive defense against ransomware, the Ransomware Tool Matrix is an indispensable tool in your arsenal.

You can find The Ransomware Tool Matrix in my GitHub repository below:


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The CTI Analyst Challenge

-
Image
Welcome to the Cyber Threat Intelligence (CTI) Analyst Challenge!  I am excited to introduce a comprehensive repository designed to enhance the skills and expertise of CTI analysts through a challenging and engaging intelligence analysis exercise. Purpose This repository is created to test and improve the capabilities of CTI analysts by providing a structured challenge that covers both proactive and reactive CTI tasks. It aims to simulate real-world scenarios and offer hands-on experience in fulfilling a demo client's Priority Intelligence Requirements (PIRs) and Requests for Intelligence (RFIs). Key Features Self-Directed Challenge: CTI analysts are provided with instructions and resources to independently navigate through the tasks, encouraging self-discipline and critical thinking. Realistic Scenarios: The tasks are designed based on real-world inspired situations, making the training highly relevant and practical. Comprehensive Training Materials: The repository includes all
Read more