Threat Intelligence ▲ CRITICAL

Global Ransomware ATT&CK Techniques Matrix Reveals Industrial-Scale Cyber Intrusion Patterns

25 May 2026 Seraphim News 5 min read
🔴 ATT&CK MATRIX ANALYSIS

Summary

This analysis maps MITRE ATT&CK® techniques onto the global ransomware ecosystem, which comprises dozens of active groups.

The observed operational model is:

  • multi-stage intrusion
  • credential-driven compromise
  • domain-based lateral movement
  • data exfiltration + encryption

Groups covered:

  • LockBit
  • ALPHV / BlackCat
  • Black Basta
  • Cl0p
  • Conti
  • REvil
  • Hive
  • RansomHub
  • Qilin
  • Medusa / MedusaLocker
  • Rhysida
  • Royal
  • DarkSide
  • BlackMatter
  • Akira
  • BianLian

ATT&CK Execution Layer

T1047  Windows Management Instrumentation (WMI)
T1059  Command and Scripting Interpreter
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1059.006 Python
T1106  Native API Execution
T1569  System Services Execution

Persistence Techniques

T1053 Scheduled Tasks / Cron Jobs
T1547 Registry Run Keys / Startup Folder
T1543 System Services
T1547.001 Boot / Logon Autostart Execution

Credential Access Layer

T1003.001 LSASS Memory Dumping
T1003.003 NTDS.dit Extraction
T1555 Credential Dumping (Passwords / Stores)
T1552 Unsecured Credentials Exposure
T1110 Brute Force

Lateral Movement

T1021.001 RDP
T1021.002 SMB / Admin Shares
T1021.004 SSH Remote Services
T1133 External Remote Services

Defense Evasion Techniques

T1027 Obfuscation / Encoding
T1027.002 Software Packing
T1070 Indicator Removal
T1070.001 Event Log Clearing
T1070.004 File Deletion
T1036 Masquerading
T1027.007 Dynamic API Resolution

Discovery Phase

T1083 File and Directory Discovery
T1018 Remote System Discovery
T1046 Network Service Scanning
T1016 System Network Configuration Discovery
T1069 Permission Group Discovery
T1007 System Service Discovery

Impact Layer

T1486 Data Encrypted for Impact
T1485 Data Destruction
T1490 Inhibit System Recovery
T1561 Disk Wipe
T1489 Service Stop

Operational Analysis

The attack pattern shows the following structure:

  1. Initial access via credential compromise / phishing
  2. Execution using LOLBins (PowerShell, WMI)
  3. Persistence via registry & scheduled tasks
  4. Privilege escalation via token abuse
  5. Domain-wide credential harvesting
  6. Lateral movement via RDP/SMB
  7. Data staging & exfiltration
  8. Encryption / destruction

Key Risks

  • Domain compromise
  • Full AD takeover
  • Data exfiltration before encryption
  • Backup destruction
  • Operational shutdown

Matrix Status

As of the time this analysis was compiled:

[+] Coverage Scope     : 40+ Threat Groups
[+] Technique Mapping  : Full MITRE ATT&CK Lifecycle
[+] Execution Model    : Validated Across Ransomware Families
[+] Threat Level       : High / Critical

Security Recommendations

[+] Enable MFA (Privileged Accounts)
[+] Monitor LSASS Access Attempts
[+] Harden RDP / Disable Exposure
[+] Segment Active Directory
[+] Deploy EDR Behavioral Detection
[+] Centralized Logging (SIEM)
[+] Immutable Backup Strategy
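The "Monitor LSASS Access Attempts" and "Centralized Logging (SIEM)" recommendations above, worked as an added example (not code from this article or from Seraphim): a small Python detector that tags constructed Sysmon and Windows Security event lines with the matrix's own technique IDs (T1003.001, T1070.001). The key=value line format, the source-image allowlist and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# PROCESS_VM_READ (0x10): the access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of images that legitimately open lsass.exe on a typical host.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

@dataclass
class Alert:
    technique: str   # ATT&CK technique ID from the matrix above
    host: str
    detail: str

def parse_event(line: str) -> dict:
    """Parse a key=value / key="quoted value" event line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect(lines):
    """Return ATT&CK-tagged alerts for LSASS access and event-log clearing."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        # Sysmon EID 10 (ProcessAccess): an unexpected image opens lsass.exe with a
        # read-capable access mask -> T1003.001 LSASS Memory
        if eid == "10" and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            src = ev.get("SourceImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if src not in ALLOWED_SOURCE_IMAGES and granted & PROCESS_VM_READ:
                alerts.append(Alert("T1003.001", host,
                                    f"{src} opened lsass.exe with GrantedAccess=0x{granted:X}"))
        # Security EID 1102 (audit log cleared) -> T1070.001 Clear Windows Event Logs
        elif eid == "1102":
            alerts.append(Alert("T1070.001", host,
                                f"Security log cleared by {ev.get('SubjectUserName', '?')}"))
    return alerts

# Constructed sample telemetry (not real logs): benign, suspicious, query-only, log cleared.
SAMPLE_EVENTS = [
    r'EventID=10 Computer=WS01 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF',
    r'EventID=10 Computer=WS01 SourceImage="C:\Users\jdoe\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=10 Computer=WS02 SourceImage="C:\Windows\System32\Taskmgr.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1400',
    r'EventID=1102 Computer=DC01 SubjectUserName=svc_backup',
]
```

In production the same rule reads Sysmon and Security events from the SIEM rather than a list, and the allowlist and access-mask threshold need tuning per environment.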

Notes

This article was compiled for threat intelligence analysis based on mapping MITRE ATT&CK onto the global ransomware ecosystem. All data is an aggregation of techniques, not attribution of specific incidents.

Powered by Seraphim Engine