From a155de8f967e395dc42c7edb02d289cd95ca2b6e Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Thu, 5 Dec 2024 12:30:28 +0100
Subject: [PATCH 1/2] Create machinetag.json

Created a new taxonomy related to the unified ransomware kill chain.
---
 unified-ransomware-kill-chain/machinetag.json | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 unified-ransomware-kill-chain/machinetag.json

diff --git a/unified-ransomware-kill-chain/machinetag.json b/unified-ransomware-kill-chain/machinetag.json
new file mode 100644
index 0000000..7d9a7e8
--- /dev/null
+++ b/unified-ransomware-kill-chain/machinetag.json
@@ -0,0 +1,44 @@
+{
+ "namespace": "unified-ransomware-kill-chain",
+ "expanded": "Unified Ransomware Kill Chain",
+ "description": "The Unified Ransomware Kill Chain, a intelligence driven model developed by Oleg Skulkin, aims to track every single phase of a ransomware attack.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "Gain Access",
+ "expanded": "Ransomware affiliates may gain the access to the target network or purchase such access from the initial access brokers."
+ },
+ {
+ "value": "Establish Foothold",
+ "expanded": "Ransomware affiliates may need to collect information about the compromised perimeter, elevate its privileges and access credentials, as well as disabling or bypassing defenses to initiate the discovery and propagation."
+ },
+ {
+ "value": "Network Discovery",
+ "expanded": "Ransomware affiliates, before starting network propagation, need to collect information about remote systems."
+ },
+ {
+ "value": "Key Assets Discovery",
+ "expanded": "Ransomware affiliates start to acquire additional data, such as privileged credentials, sensitive information and backup related to critical assets."
+ },
+ {
+ "value": "Network Propagation",
+ "expanded": "Ransomware affiliates use legitimate tools and techniques to move laterally through the network."
+ },
+ {
+ "value": "Data Exfiltration",
+ "expanded": "Ransomware affiliates may collect data from one or multiple sources, such as network attached storages, cloud storages and so on, and proceed with the exfiltration."
+ },
+ {
+ "value": "Deployment Preparation",
+ "expanded": "Ransomware affiliates disable and remove security solutions or available backups prior to ransomware deployment."
+ }
+ {
+ "value": "Ransomware Deployment",
+ "expanded": "Ransomware affiliates attempt to achieve their main goal: deploy the ransomware."
+ }
+ {
+ "value": "Extortion",
+ "expanded": "Ransomware affiliates, after encrypting the victim's assets, may start to upload sample of exfiltrated data on the DLS, call the victims' employees, and even perform DDOS attacks against the compromised infrastructure only to facilitate extortion."
+ }
+ ]
+}

From 1d1fc8e2afe62ade3995422add89bc29a8a08812 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Thu, 5 Dec 2024 12:35:06 +0100
Subject: [PATCH 2/2] Update machinetag.json

fixed typo errors
---
 unified-ransomware-kill-chain/machinetag.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/unified-ransomware-kill-chain/machinetag.json b/unified-ransomware-kill-chain/machinetag.json
index 7d9a7e8..2c37611 100644
--- a/unified-ransomware-kill-chain/machinetag.json
+++ b/unified-ransomware-kill-chain/machinetag.json
@@ -31,11 +31,11 @@
 {
 "value": "Deployment Preparation",
 "expanded": "Ransomware affiliates disable and remove security solutions or available backups prior to ransomware deployment."
- }
+ },
 {
 "value": "Ransomware Deployment",
 "expanded": "Ransomware affiliates attempt to achieve their main goal: deploy the ransomware."
- }
+ },
 {
 "value": "Extortion",
 "expanded": "Ransomware affiliates, after encrypting the victim's assets, may start to upload sample of exfiltrated data on the DLS, call the victims' employees, and even perform DDOS attacks against the compromised infrastructure only to facilitate extortion."
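Review bot: Every predicate's `value` is a capitalised phrase with spaces ("Gain Access", "Key Assets Discovery") and the long prose sits in `expanded`, so the resulting machine tag reads `unified-ransomware-kill-chain:Gain Access` and no short display label is left; if this follows the MISP taxonomy layout the file path suggests, the usual split is a stable lowercase-hyphenated `value`, a short `expanded` label and the prose in `description`, e.g. `{ "value": "gain-access", "expanded": "Gain Access", "description": "Ransomware affiliates may gain access to the target network or purchase it from initial access brokers." }`. The strings also keep several wording slips that the follow-up "fixed typo errors" patch (which only adds the two missing commas after the "Deployment Preparation" and "Ransomware Deployment" objects) does not touch: `"a intelligence driven model"` → `"an intelligence-driven model"`, `"elevate its privileges"` → `"elevate their privileges"`, `"upload sample of exfiltrated data"` → `"upload samples of exfiltrated data"`, and `"DDOS"` → `"DDoS"`. A top-level `refs` array pointing at the published model would let readers check the phase definitions against their source. Since this introduces a new namespace, the repository-level `MANIFEST.json` presumably needs a matching entry as well.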