| Initial Access | Execution | Defense Evasion | Discovery | Impact |
|---|---|---|---|---|
| T1078 - Valid Accounts | T1059.003 - Command-Line Interface: Windows Command Shell | T1140 - Deobfuscate/Decode Files or Information | T1082 - System Information Discovery | T1486 - Data Encrypted for Impact |
| | | T1562.001 - Impair Defenses: Disable or Modify Tools | T1049 - System Network Connections Discovery | T1489 - Service Stop |
| | | | T1083 - File and Directory Discovery | T1490 - Inhibit System Recovery |
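The two Impact-stage techniques in the table, T1490 (Inhibit System Recovery) and T1489 (Service Stop), are the ones a security team can most readily turn into process-creation detections. The script below is an added example, not code from the original page or from Trend Micro: it runs two simple rules over constructed sample process-creation events. The command patterns (shadow copy deletion, backup catalog deletion, boot recovery tampering, service stops) are the generic ATT&CK examples for these technique IDs; the page does not state which specific commands RansomEXX issues, and the three-stop threshold is an assumption chosen for the sample data.

```python
"""Toy detector for two Impact techniques listed in the RansomEXX table:
T1490 (Inhibit System Recovery) and T1489 (Service Stop).

Added example, not from the original page. Log lines are constructed; the
command patterns are generic ATT&CK technique examples, not commands the
page attributes to RansomEXX."""
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, timestamp, parent, command line)
SAMPLE_EVENTS = [
    ("ws01", "2021-06-01T10:00:01", "explorer.exe", "notepad.exe report.txt"),
    ("ws01", "2021-06-01T10:00:05", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "2021-06-01T10:00:06", "cmd.exe", "wbadmin delete catalog -quiet"),
    ("ws01", "2021-06-01T10:00:07", "cmd.exe", "bcdedit /set {default} recoveryenabled no"),
    ("ws01", "2021-06-01T10:00:10", "cmd.exe", "net stop MSSQLSERVER /y"),
    ("ws01", "2021-06-01T10:00:11", "cmd.exe", "net stop vss /y"),
    ("ws01", "2021-06-01T10:00:12", "cmd.exe", "sc stop SQLWriter"),
    ("ws01", "2021-06-01T10:00:13", "cmd.exe", "net stop wuauserv"),
    ("srv02", "2021-06-01T11:30:00", "services.exe", "net stop Spooler"),
]

# Generic T1490 indicators: shadow copy, backup catalog and boot-recovery tampering.
T1490_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*\brecoveryenabled\s+no", re.I),
]

# Generic T1489 indicator: a single service stop is routine; a burst of them
# from one host is the signal, so the rule counts per host.
SERVICE_STOP = re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(\S+)", re.I)
SERVICE_STOP_THRESHOLD = 3  # assumption: three or more stops from one host is suspicious


def detect_t1490(events):
    """Return (host, timestamp, cmdline) for every recovery-inhibiting command."""
    hits = []
    for host, ts, _parent, cmd in events:
        if any(p.search(cmd) for p in T1490_PATTERNS):
            hits.append((host, ts, cmd))
    return hits


def detect_t1489(events, threshold=SERVICE_STOP_THRESHOLD):
    """Return {host: [service, ...]} for hosts that stopped at least `threshold` services."""
    stops = defaultdict(list)
    for host, _ts, _parent, cmd in events:
        m = SERVICE_STOP.search(cmd)
        if m:
            stops[host].append(m.group(4))  # group 4 is the service name
    return {h: svcs for h, svcs in stops.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for hit in detect_t1490(SAMPLE_EVENTS):
        print("T1490", *hit)
    for host, svcs in detect_t1489(SAMPLE_EVENTS).items():
        print("T1489", host, "stopped", len(svcs), "services:", ", ".join(svcs))
```

On the sample data the T1490 rule fires three times on ws01 and the T1489 rule flags ws01 (four service stops) but not srv02 (one stop). In a real deployment the events would come from Windows Security event 4688 or Sysmon event 1, and the threshold would be tuned against a baseline of legitimate maintenance activity such as patch-time service restarts.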
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in RansomEXX attacks:
|Initial Access||Execution||Discovery||Lateral Movement||Impact|
RansomEXX is not as active as it was in 2020, when its string of attacks made it one of the newer ransomware families to watch out for. However, as a highly targeted, human-operated ransomware, its attacks significantly affect its victims and their reputation. The combination of memory-based techniques, legitimate Windows tools, and post-intrusion tradecraft contributes a great deal to RansomEXX's successes.
Preventing the attacks from the outset is key to avoiding the worst of ransomware campaigns. Organizations should learn from past RansomEXX campaigns and be vigilant against initial access tactics. Users should be wary of enabling macros, and of documents that prompt them to do so.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.