2024 SANS Ransomware Summit - JoeyTaubert/Cyber-Summits-Conferences-Talks GitHub Wiki

Ransomware Diaries

Disarm Kill Chain

Walking the kill chain step by step makes you think about other aspects of the attack and makes it harder to miss something.


Data collection


💡 Ransomware groups always need to talk to their victims, so there is always a communication channel to collect from.

Attack Data

Gather all logs and evidence covering:

  • Time of activity
  • Phishing emails details
  • IoCs
  • other essential telemetry details

Darknet Forums

The first thing to do is figure out where the attackers "live".

  • What forums do they use?
    • Identify
    • Gain access

Then identify the target's accounts on those forums, and who they talk to.

Finally, we can collect forum content.

  • Go through all their posts

Attacker Infrastructure

Attackers run their own infrastructure, which is another place to collect from.

💡 Jon once attempted to join LockBit as an affiliate. While he wasn't able to become one, he learned a lot about their organization.

Threat Actor Engagement

Know their

  • Politics
  • Religious Beliefs
  • What they like outside of ransomware
  • Opinions on relevant/associated criminals

Ransomware Life Cycle - Syed Zaidi


Atomic Ransomware Emulation - Gerard Johanson


  • Technique - Focus on a single TTP
    • Can we detect the technique?
    • Can we find indications of it in artifacts?
    • Drills: emulate the technique and check both
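The drill loop above (emulate one TTP, check whether telemetry recorded it, check whether the detection fired) as an added Python example. This is not code from the talk; the technique chosen to illustrate it is ATT&CK T1490 (Inhibit System Recovery) via shadow-copy deletion, a common ransomware step, and the process-creation events, host names and timestamps are constructed to resemble Sysmon Event ID 1 records rather than taken from real telemetry.

```python
"""Atomic emulation drill for a single ransomware TTP.

Added example (not from the original talk notes). Picks one technique,
T1490 shadow-copy deletion, and answers the two drill questions:
  1. Did our telemetry record the emulated command at all (artifact)?
  2. Did the detection logic fire on it (detection)?
All sample events below are constructed, not real logs.
"""
from dataclasses import dataclass
import re

# The atomic test: one technique, one command line, nothing else.
ATOMIC_TEST = {
    "technique_id": "T1490",
    "name": "Inhibit System Recovery: delete volume shadow copies",
    "command": "vssadmin.exe delete shadows /all /quiet",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (shape loosely follows Sysmon EventID 1)."""
    timestamp: str
    host: str
    image: str
    command_line: str
    parent_image: str


# Constructed sample telemetry: the drill command, two other deletion
# variants an attacker might use, and two benign commands that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("2024-06-10T14:02:11Z", "WS-042", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2024-06-10T14:03:40Z", "WS-042", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("2024-06-10T14:05:02Z", "SRV-DB01", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic.exe shadowcopy delete", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2024-06-10T14:06:15Z", "WS-017", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\a\notes.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent("2024-06-10T14:07:58Z", "WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}",
                 r"C:\Windows\System32\cmd.exe"),
]

# Detection logic: command-line patterns for shadow-copy deletion variants.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*delete", re.I),
]


def detect_shadow_copy_deletion(events):
    """Return every event whose command line matches a known deletion variant."""
    return [e for e in events
            if any(p.search(e.command_line) for p in SHADOW_DELETE_PATTERNS)]


def run_drill(atomic_test, events):
    """Run the drill: was the emulated command recorded, and was it detected?

    artifact_recorded is False when the telemetry pipeline never captured the
    command (agent missing, log not forwarded); detected is False when it was
    captured but the detection logic did not match it. Both gaps are findings.
    """
    emulated = [e for e in events
                if e.command_line.lower() == atomic_test["command"].lower()]
    hits = detect_shadow_copy_deletion(events)
    return {
        "technique_id": atomic_test["technique_id"],
        "artifact_recorded": bool(emulated),
        "detected": any(e in hits for e in emulated),
        "alerts": [(e.timestamp, e.host, e.command_line) for e in hits],
    }


if __name__ == "__main__":
    result = run_drill(ATOMIC_TEST, SAMPLE_EVENTS)
    print(f"{result['technique_id']}: artifact recorded={result['artifact_recorded']}, "
          f"detected={result['detected']}, alerts={len(result['alerts'])}")
    for alert in result["alerts"]:
        print("  ", alert)
```

Running the drill against an empty event list models the worst outcome (the host never forwarded the artifact), which is a telemetry gap rather than a detection gap; separating the two is the point of asking both questions.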