Incident Score: Analysis & Impact (BLE1775550609)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Attachment (T1566.001) with moderate confidence (50%), supported by evidence indicating affiliate model where hackers breached systems for profit, Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating initial access brokers likely exploited vulnerabilities, and Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating underground ecosystem outsourced initial access tasks. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (80%), supported by evidence indicating gandCrab and REvil ransomware strains executed encryption and Command and Scripting Interpreter: PowerShell (T1059.001) with moderate confidence (60%), supported by evidence indicating ransomware operations likely used scripting for deployment. Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating affiliate model relied on compromised credentials and Create or Modify System Process: Windows Service (T1543.003) with moderate confidence (50%), supported by evidence indicating ransomware likely established persistence via services. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating compromised accounts used for lateral movement and Exploitation for Privilege Escalation (T1068) with moderate confidence (60%), supported by evidence indicating big-game hunting targeted high-value enterprise systems. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate to high confidence (80%), supported by evidence indicating ransomware strains used encryption to evade detection and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), supported by evidence indicating ransomware likely disabled security tools during encryption. Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate to high confidence (70%), supported by evidence indicating affiliate model relied on stolen credentials for access and Credentials from Password Stores (T1555) with moderate confidence (60%), supported by evidence indicating initial access brokers likely harvested stored credentials. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (70%), supported by evidence indicating big-game hunting targeted large enterprises with cyber insurance and File and Directory Discovery (T1083) with moderate to high confidence (80%), supported by evidence indicating ransomware scanned systems for data to encrypt/exfiltrate. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating compromised credentials used for lateral movement and Lateral Tool Transfer (T1570) with moderate confidence (60%), supported by evidence indicating ransomware deployed across networks via affiliates. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating stolen data used for double extortion tactics and Data from Network Shared Drive (T1039) with moderate to high confidence (80%), supported by evidence indicating ransomware targeted enterprise networks for data theft. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating ransomware operations used C2 channels for encryption keys and Encrypted Channel: Asymmetric Cryptography (T1573.002) with moderate to high confidence (70%), supported by evidence indicating rEvil used encrypted C2 for ransom negotiations. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating double extortion involved data exfiltration before encryption and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate confidence (60%), supported by evidence indicating stolen data likely exfiltrated to attacker-controlled servers. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), supported by evidence indicating gandCrab and REvil ransomware encrypted victim data, Service Stop (T1489) with moderate to high confidence (80%), supported by evidence indicating ransomware disrupted over 1,500 businesses (Kaseya attack), and Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating ransomware likely deleted backups to prevent recovery. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.