The Red Report 2024: The Top 10 Most Prevalent MITRE ATT&CK Techniques
Suleyman Ozarslan, PhD & Hüseyin Can Yüceel | January 20, 2022
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
Ransomware has become an important tool with a working business model for cyber threat actors in recent years. Nowadays, it is a widespread and well-known threat to organizations. The impact of these attacks on organizations may be highly disruptive to daily operations and sometimes have dangerous outcomes for their employees and customers. Therefore, we decided to write a blog series on ransomware. This is the first blog of the series where we explained recent ransomware trends.
The first trend is Ransomware as a Service (RaaS). Before explaining it, let’s define Cybercrime as a Service (CaaS). Cybercrime as a Service (CaaS) is selling or renting hacking tools and illegal services to people on the dark web. Cybercrime as a Service is a significant trend because it empowers a broader range of threat actors - including the nontechnical ones - by enabling anyone to become a cybercriminal with minimal investment.
Ransomware was initially targeting home users however, social engineering capabilities of the threat actors have evolved to compromise enterprise networks as well. As a consequence, ransomware has expanded to be a service that can be rented or sold on Dark Web forums. This trend set up the stage for Ransomware as a Service model. Ransomware as a Service (RaaS) is a business model used by ransomware threat actors that enables anyone with even basic technical knowledge to launch ransomware attacks simply by signing up for a service. Nowadays, RaaS is the most common type of CaaS.
RaaS has become a profitable business model for ransomware developers and enabled them to get more use out of their effort. Ransomware is advertised on the dark web in the same way that any legitimate software would. Threat actors can launch their own ransomware campaign with basic technical knowledge.
DarkSide is an excellent example of the Ransomware as a Service model. DarkSide ransomware group interviews their potential customers and grants access to qualified customers by a management panel. Using this management panel, Darkside gang enables their customers to become cyber threat actors.
Figure 1: Advertisement of DarkSide 
These threat actors can perform various operations, including creating a ransomware build, creating content in the DarkSide blog on the TOR, managing victims, and contacting support. For example, the management panel in Figure 2 lets threat actors choose encryption methods and which resources to be encrypted. Additionally, ransomware has a self-destruct option which enables ransomware to remove its traces.
Figure 2: DarkSide Management Panel 
As we all know, the ransomware business is based on extortion. However, the threat actors have improved their methods recently to extort more money from their victims. Let’s explain these extortion methods.
Demanding ransom in exchange for access to encrypted data and compromised systems
Initially, ransomware prevented you from accessing your data or compromised systems by encrypting files in the infected systems and holding the decryption key for ransom in order to extort money from you. In this single extortion method, victims pay to recover access to encrypted data and compromised systems that fail to operate due to encrypted files.
Threatening to leak or disclose data
As ransomware attacks become popular, organizations adapted to file encryption attacks by improving their data backup procedures. Data backups eliminated the need to pay ransom and enabled organizations to recover data from their backups. Backup measures led to the emergence of a new extortion method in addition to encryption. The ransomware gangs responded by exfiltrating victim’s data prior to encrypting it and then threatening to leak or disclose it if the ransom is not paid.
According to the Coveware report, over 80% of ransomware attacks involve data exfiltration in addition to file encryption . Threatening with the combination of encryption and data exfiltration is double extortion.
Threatening to disrupt operations
Some organizations would restore from backups and take the risk of data exfiltration. As a response, ransomware threat actors turned to threatening the organizations with denial of service attacks. These attacks have the potential to overload a server or a network with traffic, halting and further disrupting operations. This triple extortion method combines denial of service attacks with encryption and data disclosure threats.
Threatening to contact with clients
In addition to previous extortion methods, ransomware operators contact the victim organization's consumers and stakeholders directly, increasing the victim's pressure. This is called quadruple extortion. For example, DarkSide operators use the quadruple extortion strategy in a number of their campaigns, including DDoS attacks and direct contact with clients via designated call centers.
Threatening to sell sensitive data to competitors
In quintuple extortion, ransomware threat actors put more pressure on the victim by threatening to sell stolen data to competitors or investors who may be interested in the victim organization’s trade secrets or use the stolen information for insider trading.
Different ransomware families apply different levels of extortion; some focus exclusively on the first phase, while others attempt fourth-phase tactics. Additionally, these stages are not always followed sequentially, as was the case with the Clop ransomware, which went straight from double to quadruple extortion .
Initial Access Brokers are financially motivated threat actors who profit from the sale of remote access to enterprise networks in underground forums. Initial Access Brokers (IABs) find vulnerable systems massively scanning networks for known vulnerabilities on remote systems.
The access methods available are primarily Remote Desktop Protocol (RDP), Virtual Private Network (VPN), web shells, and remote access software provided by Citrix, Pulse Secure, Zoho, or VMware.
IABs also sell knowledge and tools used to conduct breaches into the company network using SQL injections, remote code execution (RCE) exploits, and other exploited vulnerabilities.
Initial Access Brokers have accelerated and simplified the initial access phase of the attack chain for adversaries by demanding payment only for verified access to a given target.
Purple Academy by Picus has a new learning path about Ransomware. Check out our open-access (free) “Ransomware Attacks: Basics, TTPs, and Countermeasures” course with verifiable certification:
 “A Closer Look at the DarkSide Ransomware Gang.” https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/.
 “Shining a Light on DARKSIDE Ransomware Operations.” https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations.
 B. Siegel, “Ransomware attackers down shift to ‘Mid-Game’ hunting in Q3,” Coveware: Ransomware Recovery First Responders, 21-Oct-2021. https://www.coveware.com/blog/2021/10/20/ransomware-attacks-continue-as-pressure-mounts.
 D. Santos, “Threat Assessment: Clop Ransomware,” Unit42, 13-Apr-2021. https://unit42.paloaltonetworks.com/clop-ransomware/.