Renew Your Ransomware Defense with CISA's Updated Guidance
The MS-ISAC has worked with CISA to update its #StopRansomware Guide that you can use to strengthen your ransomware defense. - https://www.cisecurity.org/insights/blog/renew-your-ransomware-defense-with-cisas-updated-guidance
【 #atmarkIT #RSSfeed 】
What should you do if you are hit by ransomware? CISA, the FBI and others publish an updated version of the "#StopRansomware" guide
https://atmarkit.itmedia.co.jp/ait/articles/2306/08/news034.html
#atmarkit #rssfeed #stopransomware
#StopRansomware: BianLian Ransomware Group https://www.databreaches.net/stopransomware-bianlian-ransomware-group/?utm_source=dlvr.it&utm_medium=mastodon
#StopRansomware: LockBit 3.0 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
CISA Announces Ransomware Vulnerability Warning Pilot: https://www.cisa.gov/news-events/alerts/2023/03/13/cisa-announces-ransomware-vulnerability-warning-pilot
https://www.cisa.gov/stopransomware/Ransomware-Vulnerability-Warning-Pilot
PDF version:
https://www.cisa.gov/sites/default/files/2023-03/rvwp-fact-sheet-508c.pdf
#CISA #StopRansomware #ransomware #Vulnerability #warning #RVWP #infosec #cybersecurity
FBI and CISA Release #StopRansomware: Royal Ransomware https://www.cisa.gov/news-events/alerts/2023/03/02/fbi-and-cisa-release-stopransomware-royal-ransomware
#StopRansomware: Royal Ransomware https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
#StopRansomware: Cuba Ransomware https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-335a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
#StopRansomware: Hive Ransomware https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
#StopRansomware: Daixin Team https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities [/u/digicat] https://www.reddit.com/r/blueteamsec/comments/10yhxw6/stopransomware_ransomware_attacks_on_critical/ #blueteamsec
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA https://www.cisa.gov/uscert/ncas/alerts/aa23-040a
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
AA23-040A: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities https://us-cert.cisa.gov/ncas/alerts/aa23-040a?utm_source=dlvr.it&utm_medium=%5Binfosec.exchange%5D
⚠️ Cuba Ransomware resources drop ⚠️
A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today https://www.youtube.com/watch?v=K1a6Mac1-y4
Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: https://www.cisa.gov/stopransomware/stopransomware
According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: https://www.tidalcyber.com/blog/adversary-ttp-evolution-and-the-value-of-ttp-intelligence
(And here’s another piece covering TTP evolution relative to another top malware, QakBot https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps)
In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset https://github.com/joshhighet/ransomwatch
The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: https://app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋
#Cuba Ransomware details from #mitreattack https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4-Cuba
Technique set for Cuba TTPs published in February https://app.tidalcyber.com/share/6fbf994c-d6c9-42fd-8ee9-8954865d6d6f (source: https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware)
Cuba technique set based on CISA’s/FBI’s new alert: https://app.tidalcyber.com/share/11c631bc-be34-463d-9d24-852a6f414b2a
Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: https://github.com/mitre-attack/attack-navigator/blob/master/layers/attack_layers/attack_layers_simple.py
LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: https://app.tidalcyber.com/technique/ab0da102-5a14-42b1-969e-5d3daefdf0c5-LSASS%20Memory
Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
Disable or Modify Tools technique details page: https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6-Disable%20or%20Modify%20Tools
Final Cuba Ransomware technique time series comparison/overlay: https://app.tidalcyber.com/share/7631b2a7-2c0d-49ee-ac12-ca9c92ad4a72
Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: https://app.tidalcyber.com/share/9c1f08a2-b823-4e11-a8a5-01335fb0215e
Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space https://join.slack.com/t/tidalcommunity/shared_invite/zt-1ljrtdtkm-VGi8fa5VYhLma4o1Vu33nA
Catch this and other walkthroughs on the @tidal Cyber YouTube channel https://www.youtube.com/@tidalcyber6071
#cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal