Ransomware with encryption and double extortion.
A ransomware group, or an affiliate operating its ransomware, encrypts your files and demands payment for the decryption key. Before encrypting, the attackers also exfiltrate copies of the data and threaten to publish them if you do not pay, so restoring from backups removes the availability impact but not the leverage.
Risk Table
Understand the potential risks from this threat event, broken down by system. C, I and A are confidentiality, integrity and availability; each risk score is that dimension's likelihood multiplied by its impact.
System | Likelihood C | Likelihood I | Likelihood A | Consequence | Impact C | Impact I | Impact A | Risk C | Risk I | Risk A |
---|---|---|---|---|---|---|---|---|---|---|
Customer Database | 4 | 4 | 4 | Data Protection Fine | 4 | 4 | 4 | 16 | 16 | 16 |
Cyber Threat Graph Context
Explore how this threat event relates to the wider threat graph.
Intrusion Sets
Real-world cyber attackers who demonstrate this type of threat.
Dark Angels Team Ransomware Group
Dark Angels Team reportedly emerged in May 2022 having developed a strain of ransomware based on previously leaked Babuk builders. They ...
CACTUS Ransomware Group
CACTUS is a ransomware group observed targeting victims since at least March 2023. The name CACTUS has been derived from the ransom note left with ...
Bl00dy Ransomware Gang
The Bl00dy Ransomware Gang emerged around May 2022 and employs double extortion tactics against targeted organizations. Unlike traditional data ...
Black Basta Ransomware Group
Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. It quickly became one of ...
MITRE ATT&CK Techniques
Explore the TTPs associated with this threat event, based on historical activity by the threat actors typically behind it.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1566.001 | Spearphishing Attachment | Initial Access |
T1566.002 | Spearphishing Link | Initial Access |
T1593.001 | Social Media | Reconnaissance |
T1204.001 | Malicious Link | Execution |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1585.002 | Email Accounts | Resource Development |
T1102 | Web Service | Command and Control |
T1583.001 | Domains | Resource Development |
T1566.003 | Spearphishing via Service | Initial Access |
T1597 | Search Closed Sources | Reconnaissance |
T1585.001 | Social Media Accounts | Resource Development |
T1608.001 | Upload Malware | Resource Development |
T1203 | Exploitation for Client Execution | Execution |
T1589.002 | Email Addresses | Reconnaissance |
T1204.002 | Malicious File | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1047 | Windows Management Instrumentation | Execution |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1059.007 | JavaScript | Execution |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1018 | Remote System Discovery | Discovery |
T1486 | Data Encrypted for Impact | Impact |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1003.001 | LSASS Memory | Credential Access |
T1489 | Service Stop | Impact |
T1059.003 | Windows Command Shell | Execution |
T1587.001 | Malware | Resource Development |
T1007 | System Service Discovery | Discovery |
T1136 | Create Account | Persistence |
T1074.001 | Local Data Staging | Collection |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1584.004 | Server | Resource Development |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1005 | Data from Local System | Collection |
T1136.002 | Domain Account | Persistence |
T1082 | System Information Discovery | Discovery |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1003.003 | NTDS | Credential Access |
T1569.002 | Service Execution | Execution |
T1588.003 | Code Signing Certificates | Resource Development |
T1071.001 | Web Protocols | Command and Control |
T1087.002 | Domain Account | Discovery |
T1552.006 | Group Policy Preferences | Credential Access |
T1482 | Domain Trust Discovery | Discovery |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1070.004 | File Deletion | Defense Evasion |
T1135 | Network Share Discovery | Discovery |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1003.002 | Security Account Manager | Credential Access |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1090 | Proxy | Command and Control |
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
T1074 | Data Staged | Collection |
T1490 | Inhibit System Recovery | Impact |
T1036.004 | Masquerade Task or Service | Defense Evasion |
T1027.010 | Command Obfuscation | Defense Evasion |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1588.002 | Tool | Resource Development |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1112 | Modify Registry | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1069.002 | Domain Groups | Discovery |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1033 | System Owner/User Discovery | Discovery |
T1518.001 | Security Software Discovery | Discovery |
T1021.006 | Windows Remote Management | Lateral Movement |
T1553.002 | Code Signing | Defense Evasion |
T1136.001 | Local Account | Persistence |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1016 | System Network Configuration Discovery | Discovery |
T1518 | Software Discovery | Discovery |
T1218.011 | Rundll32 | Defense Evasion |
T1558.003 | Kerberoasting | Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1560.001 | Archive via Utility | Collection |
T1555.004 | Windows Credential Manager | Credential Access |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1133 | External Remote Services | Initial Access, Persistence |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
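The table above lists techniques; the ones most worth alerting on before encryption starts are the loud pre-impact steps such as Inhibit System Recovery (T1490), Service Stop (T1489), Clear Windows Event Logs (T1070.001) and encoded PowerShell (T1059.001). The following is an added example, not code from the original page or from any of the groups named above, showing how those four map onto Windows process-creation command lines. The event fields (host, user, cmdline) are an assumption loosely modelled on Sysmon Event ID 1, the sample events are constructed, and the regexes cover plain-text forms only; obfuscated command lines (T1027.010 in the table) need normalising before this stage. Service Stop is decided per host and user against a threshold, because a single `net stop` is routine administration while ransomware stops many services in quick succession.

```python
"""Added example (not from the original page): match Windows process-creation
command lines against a handful of the ransomware ATT&CK techniques listed
above, with per-host aggregation for Service Stop (T1489).

Event fields (host, user, cmdline) are an assumption loosely modelled on
Sysmon Event ID 1; the sample events are constructed for this example."""
import re
from collections import defaultdict

# (ATT&CK ID, label, regex): each regex runs case-insensitively over the full
# command line. Plain-text forms only; obfuscated variants (T1027.010) need
# normalisation before this stage.
COMMAND_RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted",
     r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("T1490", "Inhibit System Recovery: boot recovery or backup catalog disabled",
     r"\b(bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog)"),
    ("T1070.001", "Clear Windows Event Logs",
     r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1059.001", "PowerShell: encoded command",
     r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
]
COMPILED = [(tid, label, re.compile(rx, re.IGNORECASE)) for tid, label, rx in COMMAND_RULES]

# A single "net stop" is routine admin work; ransomware stops many services in
# quick succession, so T1489 is decided per host/user against a threshold.
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(?P<svc>\S+)", re.IGNORECASE)

# Constructed sample telemetry: one host showing a pre-encryption sequence,
# one host with ordinary admin activity.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": "wevtutil.exe cl Security"},
    {"host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="},
] + [
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": f"net.exe stop {svc} /y"}
    for svc in ("MSSQLSERVER", "SQLWriter", "VSS", "wuauserv", "BackupExecAgent", "MSExchangeIS")
] + [
    {"host": "ws42", "user": "CORP\\jdoe", "cmdline": "net.exe stop Spooler"},
    {"host": "ws42", "user": "CORP\\jdoe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def detect(events, service_stop_threshold=5):
    """Return one finding per rule hit, plus one T1489 finding per host/user
    that stopped at least `service_stop_threshold` distinct services."""
    findings = []
    stopped = defaultdict(set)
    for ev in events:
        cmd = ev["cmdline"]
        for tid, label, rx in COMPILED:
            if rx.search(cmd):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": tid, "label": label, "evidence": cmd})
        m = SERVICE_STOP.search(cmd)
        if m:
            stopped[(ev["host"], ev["user"])].add(m.group("svc").lower())
    for (host, user), svcs in stopped.items():
        if len(svcs) >= service_stop_threshold:
            findings.append({"host": host, "user": user, "technique": "T1489",
                             "label": f"Service Stop: {len(svcs)} distinct services stopped",
                             "evidence": ", ".join(sorted(svcs))})
    return findings


def techniques_by_host(findings):
    """Collapse findings to {host: sorted ATT&CK IDs} for triage."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].add(f["technique"])
    return {h: sorted(t) for h, t in out.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['user']:18} {f['technique']:10} {f['label']} <- {f['evidence']}")
    print(techniques_by_host(detect(SAMPLE_EVENTS)))
```

On the sample data, fs01 surfaces T1490, T1070.001, T1059.001 and T1489 while ws42 produces nothing, which is the intended split: a host that hits several of these within minutes is almost certainly in the final stage before T1486 (Data Encrypted for Impact), and that is the point at which isolating it still prevents most of the damage.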