> [!TIP]
> This Ransomware Tool Matrix has several use cases, which are as follows:
> - As a list of leads for threat hunting inside the environments available to you
> - As a list of leads to look for during incident response engagements
> - As a checklist of tools to identify patterns of behaviour between certain ransomware affiliates
> - As an adversary emulation resource for threat intelligence-led purple team engagements
> [!TIP]
> This repo also covers multiple types of ransomware adversaries, including the ransomware gangs themselves, affiliates, and initial access brokers.
> - Ransomware Gangs: In this repo, a tool is associated with a ransomware gang when the tool was observed in an intrusion that resulted in the deployment of that ransomware family
> - Affiliates: A threat group with an asterisk at the end (e.g. Scattered Spider*) is a ransomware affiliate, which has access to one or more ransomware families
> - Initial Access Brokers: A threat group with an asterisk at the start (e.g. *Prophet Spider) is an Initial Access Broker (IAB), which sells access to one or more ransomware gangs
> - State-sponsored: A threat group with a plus sign at the end (e.g. DarkBit+) is a suspected state-sponsored adversary using ransomware, such as those from Iran, DPRK, Russia, or China
> [!IMPORTANT]
> Using the Ransomware Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by ransomware gangs to hunt, detect, and block, there are some risks.
> - Many of the tools referenced in this repository may currently be used by your IT team or even your Cybersecurity team.
> - When hunting for these tools, you may uncover many installations of them inside your environment.
> - Determining whether a tool is being used legitimately, by an employee with permission, is difficult in a large or global environment.
> - If you create a detection rule, you may generate a large number of alerts, which may get ignored or turned off without being investigated.
> - If you block these tools without investigating for legitimate usage, you may disrupt legitimate business operations and potentially impose costs on your own organisation.
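
One way to act on these caveats, as an added example that is not code from the Ransomware Tool Matrix repo: check matrix tool hits against an allowlist of sanctioned use before raising an alert, and report per-tool counts so the scale is known before a rule goes live. The tool list, allowlist, and process-creation events are constructed sample data, and the event field names are assumptions.

```python
# Added example, not part of the Ransomware Tool Matrix repo: triage matrix-tool
# hits against an allowlist of sanctioned use. All data below is constructed.
from collections import defaultdict

# Constructed subset of dual-use tools in the style of the matrix (tool -> category).
TOOL_MATRIX = {
    "anydesk.exe": "remote access",
    "rclone.exe": "exfiltration",
    "psexec.exe": "lateral movement",
    "7z.exe": "archiving",
}

# Sanctioned usage agreed with IT: (tool, hostname prefix, group allowed to run it).
ALLOWLIST = {
    ("anydesk.exe", "HELPDESK-", "helpdesk"),
    ("psexec.exe", "ADMIN-", "domain-admins"),
}

def triage(events):
    """Return (findings, stats): matrix-tool runs outside sanctioned use, plus
    per-tool host and unsanctioned counts to judge alert volume before writing rules."""
    findings = []
    summary = defaultdict(lambda: {"hosts": set(), "unsanctioned": 0})
    for ev in events:
        tool = ev["image"].rsplit("\\", 1)[-1].lower()  # full image path -> filename
        if tool not in TOOL_MATRIX:
            continue  # not a matrix tool, ignore
        summary[tool]["hosts"].add(ev["host"])
        sanctioned = any(
            tool == t and ev["host"].upper().startswith(prefix) and group in ev["groups"]
            for t, prefix, group in ALLOWLIST
        )
        if not sanctioned:
            summary[tool]["unsanctioned"] += 1
            findings.append({**ev, "tool": tool, "category": TOOL_MATRIX[tool]})
    stats = {t: {"hosts": len(s["hosts"]), "unsanctioned": s["unsanctioned"]}
             for t, s in summary.items()}
    return findings, stats

# Constructed process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"host": "HELPDESK-07", "user": "jsmith", "groups": {"helpdesk"}, "image": "C:\\Program Files\\AnyDesk\\anydesk.exe"},
    {"host": "FILESRV-02", "user": "svc_backup", "groups": {"backup"}, "image": "C:\\Users\\Public\\rclone.exe"},
    {"host": "WKSTN-113", "user": "mlee", "groups": {"sales"}, "image": "C:\\Temp\\anydesk.exe"},
    {"host": "ADMIN-01", "user": "adm_kr", "groups": {"domain-admins"}, "image": "C:\\Tools\\psexec.exe"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS)[0]:
        print(f"INVESTIGATE {h['host']} {h['user']} ran {h['tool']} ({h['category']})")
```

Only the two unsanctioned runs (rclone on the file server, AnyDesk on a non-helpdesk workstation) are reported; the approved helpdesk and admin uses are counted but not alerted on.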