Skip to content

Latest commit

 

History

History
63 lines (54 loc) · 5.57 KB

README.md

File metadata and controls

63 lines (54 loc) · 5.57 KB

Ransomware Tool Matrix

  • This repository contains a list of which tools each ransomware gang or extortionist gang uses
  • As defenders, we should exploit the fact that many of the tools used by these cybercriminals are often reused
  • We can threat hunt, deploy detections, and block these tools to eliminate the ability of adversaries to launch intrusions
  • This project will be updated as additional intelligence on ransomware gang TTPs is made available

Tip

This Ransomware Tool Matrix has several use cases, which are as follows:

  • As a list of leads for threat hunting inside the environments available to you
  • As a list of leads to look for during incident response engagements
  • As a checklist of tools to identify patterns of behaviour between certain ransomware affiliates
  • As an adversary emulation resource for threat intelligence-led purple team engagements

Ransomware Tool Matrix

Threat Intel Sources

Additional Resources

Types of Ransomware Adversaries

Tip

This repo also contains multiple types of Ransomware adversaries, this includes the ransomware gangs themselves, affiliates, and initial access brokers

  • Rasnomware Gangs: In this repo, a tool is associated with a ransomware gang, meaning that the tool was observed in an intrusion which resulted in the deployment of that ransomware family
  • Affiliates: A threat group in this repo with an asterisk at the end (e.g. Scattered Spider*), means it is a ransomware affiliate, which has access to one or more ransomware families
  • Initial Access Brokers: A threat group in this repo with an asterisk at the start (e.g. *Prophet Spider), means it is an Initial Access Broker (IAB), which sells access to one or more ransomware gangs
  • State-sponsored: A threat group in this repo with a plus sign at the end (e.g. DarkBit+), means it is a suspected state-sponosored adversary using ransomware, such as those from Iran, DPRK, Russia, or China

Challenges

Important

Using the Ransomware Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by ransomware gangs to hunt, detect, and block, there are some risks.

  • Many of the tools referenced in this repository may be currently used by your IT team or even your Cybersecurity team.
  • When hunting for these tools, you may uncover many installations of them inside your environment.
  • Deciphering whether a tool is being used legitimately, by an employee, with permission is difficult in a large or global environment.
  • If you create a detection rule, you may generate a large amount of alerts, which may get ignore or turned off without investigating them.
  • If you block these tools without investigating for legitimate usage, you may cause disruption to legitimate business operations and potentially impose costs on your own organisation.

How To Contribute

  • Please see the following guidelines to contribute to this repo.

Integrations