TTPs for Hunters




Tactics observed: Execution (TA0002), Persistence (TA0003), Defense Evasion (TA0005), Discovery (TA0007), Command and Control (TA0011), Impact (TA0040)
Native API (T1106)
The threat actor calls the operating system's native API directly (for example the Windows API) to execute malicious behaviour, rather than going through command-line tools that are more commonly logged.
Boot or Logon Autostart Execution (T1547)
The threat actor may set system configurations to automatically execute malware during system startup or login.
Obfuscated Files or Information (T1027)
The threat actor obfuscates the files used in the attack by encrypting, encoding, or otherwise transforming their content so that static inspection and signature matching fail until the payload is decoded at runtime.
Process Discovery (T1057)
The threat actor may attempt to gather information about running processes on a system.
Application Layer Protocol (T1071)
The threat actor communicates with its infrastructure over standard application layer protocols so that command and control traffic blends in with legitimate traffic and passes network detection and filtering.
Data Encrypted for Impact (T1486)
The threat actor can encrypt data on the target system or on a large number of systems to disrupt system availability.
Shared Modules (T1129)
The threat actor executes payloads by having the operating system loader load shared modules (on Windows, DLLs) into a process, avoiding a separately spawned and logged executable.
Impair Defenses (T1562)
The actor may maliciously modify victim environment components to hinder or disable defense mechanisms.
System Information Discovery (T1082)
The actor may try to obtain detailed information about the operating system and hardware, including version, patches, hotfixes, and other details.
Application Layer Protocol: Web Protocols (T1071.001)
The threat actor communicates over web protocols such as HTTP and HTTPS, since outbound web traffic is almost always permitted and is hard to distinguish from normal browsing.
File and Directory Discovery (T1083)
The threat actor may enumerate files and directories or search specific locations on a host or network share for certain information within a file system.
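The technique list above is the hunting hypothesis; the example below turns several of its entries into concrete detection logic. It is an added illustration and not code from Ransomware.live, Crocodyli, or any Hunters sample. The Sysmon-style events, the svc.exe path, the ".locked" suffix and the thresholds are all constructed for the demonstration and are not indicators attributed to this group.

```python
"""Toy hunting pass over constructed Sysmon-style events for several of the
ATT&CK techniques listed on this page (T1547.001, T1562.001, T1057, T1082,
T1071.001, T1486). All events, paths and extensions below are constructed
examples; they are not telemetry or indicators from a real Hunters intrusion.
Event ids follow Sysmon: 1 = process create, 3 = network connection,
11 = file create, 13 = registry value set."""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"id": 13, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"id": 3, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dst_port": 443, "dst_ip": "203.0.113.10"},
    {"id": 3, "host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_port": 443, "dst_ip": "198.51.100.7"},
] + [
    # eight documents rewritten with an appended extension within a few seconds
    {"id": 11, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "file": rf"C:\Users\alice\Documents\report{i}.docx.locked", "ts": 1000 + i}
    for i in range(8)
] + [
    {"id": 11, "host": "ws01", "image": r"C:\Windows\explorer.exe",
     "file": r"C:\Users\alice\Downloads\photo.jpg", "ts": 1100},
]

# T1547.001: value written under a Run/RunOnce key
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# T1562.001: common Defender / security-service tampering on the command line
DEFENSE_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+(stop|config)\s+WinDefend|net(\.exe)?\s+stop\s+\S*(defend|sense)",
    re.IGNORECASE)
# T1057 / T1082: built-in discovery tools (noisy on their own, hence low severity)
DISCOVERY_TOOLS = {"tasklist.exe": "T1057", "systeminfo.exe": "T1082"}
# T1071.001: web-port connections from a binary living in a user-writable directory
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
# T1486: an original document extension kept and a new suffix appended (e.g. report.docx.locked)
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png)\.(\w+)$", re.IGNORECASE)
MASS_WRITE_THRESHOLD = 5   # files with the same appended suffix ...
MASS_WRITE_WINDOW = 60     # ... within this many seconds, per host and process


def finding(technique, event, detail, severity="high"):
    return {"technique": technique, "host": event["host"], "image": event["image"],
            "detail": detail, "severity": severity}


def detect(events):
    """Return one finding dict per matched rule; order follows the event stream."""
    findings = []
    writes = defaultdict(list)   # (host, image, suffix) -> timestamps of suspicious writes
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings.append(finding("T1547.001", e, e["target"]))
        elif e["id"] == 1:
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if DEFENSE_TAMPER.search(e["cmdline"]):
                findings.append(finding("T1562.001", e, e["cmdline"]))
            if name in DISCOVERY_TOOLS:
                findings.append(finding(DISCOVERY_TOOLS[name], e, e["cmdline"], severity="low"))
        elif e["id"] == 3 and e["dst_port"] in (80, 443) and USER_WRITABLE.match(e["image"]):
            findings.append(finding("T1071.001", e, f"{e['dst_ip']}:{e['dst_port']}"))
        elif e["id"] == 11:
            m = DOUBLE_EXT.search(e["file"])
            if m:
                writes[(e["host"], e["image"], m.group(2).lower())].append(e["ts"])
    # Mass-encryption heuristic: sliding window over the suspicious writes of each process
    for (host, image, suffix), stamps in writes.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + MASS_WRITE_THRESHOLD - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= MASS_WRITE_WINDOW:
                findings.append({"technique": "T1486", "host": host, "image": image,
                                 "detail": f"{len(stamps)} files written with .{suffix} suffix within {MASS_WRITE_WINDOW}s",
                                 "severity": "high"})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['severity']:<5} {f['host']}  {f['image']}  {f['detail']}")
```

On the sample stream the pass yields one finding per listed technique and nothing for the Firefox connection or the explorer.exe write. In production the same logic would be expressed as Sigma or SIEM rules; the discovery hits (tasklist, systeminfo) only become interesting when they cluster on one host together with the persistence, tampering and mass-write findings, which is why they are scored low here.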

This information is provided by Crocodyli or Ransomware.live