Nip Ransomware in the FUD: Detecting Attacks Pre-Encryption

Ransomware operators targeting large organisations have begun to move more strategically. By using applications already installed on network systems (“living-off-the-land” techniques), off-the-shelf red team tools, and built-in Windows utilities, they make their malicious behavior in the phase before file encryption harder to distinguish from legitimate activity.

Recorded Future's cyber threat analysts researched malicious actors using living-off-the-land techniques, open source resources, and red team tools, with a specific focus on “big game” ransomware operators, to identify opportunities for detecting malicious behavior during the post-compromise, pre-encryption phase. The team looked at actual compromises by ransomware operators, analysing their techniques, procedures and tool usage to derive detections.