Ransomware is still one of the most common types of malware deployed during cyberattacks. Some hackers use it to extort ransom from their victims, while others — the more sophisticated ones — use it to cover their traces in the networks they compromise for very different purposes.
Although in most cases such attacks are relatively straightforward, even big companies regularly become victims of ransomware spreaders. A prime example is Norsk Hydro, which was infected with LockerGoga ransomware.
Usually, a ransomware sample merely encrypts the victim’s files and leaves Read Me files with the instructions and attacker’s contacts. In some cases, it also attempts to spread through the network and infect as many hosts and servers as possible. Certain samples are capable of even more, however. For example, Shade ransomware (also known as “Troldesh”) has additional modules that allow it to not only encrypt the victim’s data, but also use infected hosts to mine cryptocurrency and conduct brute force attacks against CMSs.
The following article examines the forensic artifacts left by the Shade cryptolocker and maps the tactics and techniques it uses to MITRE ATT&CK.
The full article is available here.