Ransomware Uncovered – Group IB


I just read the Ransomware Uncovered white paper from Group-IB. Group-IB is a security company. It reports that in 2017 there were many ransomware attacks carried out by groups suspected of being state-sponsored, such as Lazarus and Sandworm. In 2019 a new trend appeared: attacks aimed at large companies, with ransom demands rising as well. An example is the Ryuk ransomware that hit Florida and New Bedford. In fact, in early 2019 the xDedic black market was taken down and the GandCrab ransomware operator retired. Yet according to Group-IB, ransomware cases still rose by 40%. According to Group-IB, ransomware operators have started targeting the networks of large companies rather than individuals, a practice they call Big Game Hunter (BGH). An example is the REvil case that hit Texas.

BGH operators mostly use trojans as the initial vector, meaning the first stage of the attack used to get into the target's computer. In 2018 the Ryuk ransomware used the Emotet and TrickBot trojans. In 2019 there were the Dridex trojan (DoppelPaymer ransomware) and SDBBot (Clop ransomware). As for distribution, the most widely used method is phishing email.

Initial access:

  • Drive-by compromise (T1189)
  • External Remote Service (T1113)
  • Spearphishing Attachment (T1193)
  • Spearphishing Link (T1192)
  • Valid Accounts (T1078)
  • Supply Chain Compromise (T1195)
  • Trusted Relationship (T1199)
  • Exploit Public-Facing Application (T1190)

Execution

  • User Execution (T1204)
  • Powershell (T1086)
  • Command-line Interface (T1059)
  • Scripting (T1064)
  • Windows Management Instrumentation (T1047)
  • Exploitation for Client Execution (T1203)
  • Mshta
  • Scheduled Task (T1053)

Persistence

  • Registry Run Keys/Startup Folder (T1060)
  • External Remote Services (T1133)
  • Create Account (T1136)
  • Scheduled Task (T1053)
  • Valid Accounts (T1078)
  • New Service (T1050)
  • Modify Existing Service (T1031)
  • WMI Event Subscription (T1084)

Privilege Escalation

  • Valid Accounts (T1078)
  • Exploitation for Privilege Escalation (T1068)

Defense Evasion

  • Disabling Security Tools (T1089)
  • Group Policy Modification (T1484)
  • Redundant Access (T1108)
  • Masquerading (T1036)
  • Bypass User Account Control (T1088)
  • NTFS File 
  • Obfuscated File or Information
  • Deobfuscate/Decode Files or Information (T1140)
  • File and Directory Permissions Modification (T1222)
  • File Deletion (T1107)

Credential Access

  • Brute Force (T1110)
  • Credential Dumping (T1003)
  • Credentials in Files (T1081)
  • Credentials from Web Browsers (T1503)

Discovery 

  • Network Service Scanning (T1046)
  • Network Share Discovery (T1135)
  • Remote System Discovery (T1018)
  • System Information Discovery (T1082)
  • Permission Groups Discovery (T1069)
  • Password Policy Discovery (T1201)
  • Domain Trust Discovery (T1482)
  • Network Configuration (T1016)

Lateral Movement

  • Remote Desktop Protocol (T1076)
  • Windows Admin Shares (T1077)
  • Windows Remote Management (T1028)

Collection

  • Data from Local System (T1005)
  • Data from Network Shared Drive

Command and Control 

  • Remote Access Tools (T1219)
  • Remote File Copy (T1105)
  • Multi-hop Proxy (T1188)

Exfiltration

  • Transfer Data to Cloud Account (T1537)
  • Exfiltration Over Other Network Medium (T1011)
  • Data Encrypted (T1022)
  • Exfiltration Over Command and Control Channel (T1041)

Impact

  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)
  • Resource Hijacking (T1496)
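As an added example (not from the Group-IB white paper or the original post), here is a small detector that runs over constructed process-creation log lines and flags three of the techniques listed above: Inhibit System Recovery (T1490), PowerShell (T1086) and Scheduled Task (T1053). The log line format and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample process-creation log lines.
# Assumed format: "<timestamp> <host> <user> <command line>" (hypothetical).
SAMPLE_LOGS = [
    "2020-02-10T09:12:01 WS01 alice C:\\Windows\\System32\\notepad.exe report.txt",
    "2020-02-10T09:14:33 WS01 svc_backup vssadmin.exe delete shadows /all /quiet",
    "2020-02-10T09:14:35 WS01 svc_backup wbadmin delete catalog -quiet",
    "2020-02-10T09:14:40 WS01 svc_backup bcdedit /set {default} recoveryenabled no",
    "2020-02-10T09:20:00 WS01 bob powershell.exe -NoProfile -EncodedCommand SQBFAFgA",
    "2020-02-10T09:25:10 WS01 bob schtasks /create /tn Updater /tr C:\\Users\\Public\\up.exe /sc onlogon",
]

# Detection patterns keyed by the ATT&CK technique IDs used on this page.
RULES = {
    "T1490": [  # Inhibit System Recovery: shadow copies, backup catalog, recovery mode
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    ],
    "T1086": [  # PowerShell launched with an encoded command
        re.compile(r"powershell(\.exe)?.*-(e|ec|enc|encodedcommand)\b", re.I),
    ],
    "T1053": [  # Scheduled Task creation
        re.compile(r"schtasks(\.exe)?\s+/create\b", re.I),
    ],
}


def parse_line(line):
    """Split one log line into its fields; the command line may contain spaces."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect(lines):
    """Return one hit per (line, technique) whose command line matches a rule."""
    hits = []
    for line in lines:
        event = parse_line(line)
        for technique, patterns in RULES.items():
            if any(p.search(event["cmd"]) for p in patterns):
                hits.append({**event, "technique": technique})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit["ts"], hit["host"], hit["user"], hit["technique"], hit["cmd"])
```

The three T1490 commands arriving within seconds from one account are the kind of sequence worth alerting on before the encryption stage starts.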


Please leave your feedback, criticism or suggestions.