SOC Prime Bias: Critical

20 Nov 2025 18:32

Ransom Tales: Volume V — Emulating REvil, DarkSide, and BlackMatter Ransomware

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

This article covers the fifth volume of AttackIQ’s Ransom Tales series, which recreates the tactics, techniques, and procedures of three notorious ransomware families—REvil, DarkSide, and BlackMatter. Each scenario walks through execution, persistence, discovery, defense evasion, and impact stages to enable defenders to validate detection and response playbooks. The emulations reproduce hallmark behaviors, such as DLL search order hijacking, registry abuse, scheduled tasks for persistence, VSS shadow copy deletion, and strong cryptographic file encryption. The piece also revisits major supply-chain intrusions and tracks how ransomware-as-a-service has matured over time.

Ransomware Attack Analysis

AttackIQ’s Adversary Research Team drew on public threat-intel reporting and malware samples to craft realistic attack graphs for each ransomware family. Researchers mapped individual steps to MITRE ATT&CK technique IDs and designed execution paths that retrieve payloads, establish persistence, enumerate host and domain information, and encrypt files. The team also modeled the use of known CVE exploits leveraged by DarkSide for initial access. The investigation underscores shared tooling, overlapping infrastructure, and code reuse by REvil, DarkSide, and BlackMatter ransomware families.

Mitigation

Recommended mitigation actions focus on enforcing the principle of least privilege, disabling non-essential services, and rapidly patching exposed systems, including known VMware ESXi vulnerabilities. Teams are urged to restrict remote desktop access, closely monitor for suspicious registry changes and newly created scheduled tasks, and deploy robust application control. The guidance further stresses the role of endpoint detection technologies and routine verification of backups to contain the blast radius of ransomware incidents.

Response

When ransomware-style activity is detected, responders should immediately isolate impacted systems, capture volatile memory, collect relevant registry hives, and preserve log sources. Forensic review should examine shadow copies, scheduled tasks, and registry keys for signs of REvil, DarkSide, or BlackMatter tradecraft. Recovery involves restoring data from clean, validated backups and hunting for lateral movement attempts using SMB and LDAP credentials. Finally, teams should brief stakeholders, document the incident, and enrich findings with threat intel to support attribution and future defensive improvements.

```mermaid
graph TB
  %% Class Definitions
  classDef technique fill:#ffcc99
  classDef tool fill:#c2f0c2
  classDef malware fill:#ffb6c1
  classDef process fill:#d9d9ff
  classDef operator fill:#ffeb99

  %% Nodes - Initial Execution and Setup
  tech_initial_exec["<b>Technique</b> - <b>T1574.001 DLL Search Order Hijacking</b><br/>Malware loads a malicious DLL by hijacking the Windows DLL search order."]
  class tech_initial_exec technique
  tech_anti_analysis["<b>Technique</b> - <b>T1497 Virtualization/Sandbox Evasion</b><br/>Calls IsDebuggerPresent API to detect debugging or sandbox environments."]
  class tech_anti_analysis technique
  tech_registry_query["<b>Technique</b> - <b>T1012 Query Registry</b><br/>Creates HKLM\\SOFTWARE\\WOW6432Node\\BlackLivesMatter and queries the MachineGUID value for a unique system identifier."]
  class tech_registry_query technique
  tech_persistence["<b>Technique</b> - <b>T1053 Scheduled Task/Job</b><br/>Establishes a scheduled task using the schtasks utility for persistence."]
  class tech_persistence technique
  tool_schtasks["<b>Tool</b> - <b>Name</b>: schtasks<br/><b>Purpose</b>: Create and manage scheduled tasks"]
  class tool_schtasks tool

  %% Nodes - Discovery Phase
  op_discovery(("Discovery"))
  class op_discovery operator
  tech_sys_info["<b>Technique</b> - <b>T1082 System Information Discovery</b><br/>Gathers OS and hardware details via GetSystemInfo."]
  class tech_sys_info technique
  tech_user_discovery["<b>Technique</b> - <b>T1033 System Owner/User Discovery</b><br/>Obtains the current username via GetUserNameW."]
  class tech_user_discovery technique
  tech_process_discovery["<b>Technique</b> - <b>T1057 Process Discovery</b><br/>Enumerates running processes using Toolhelp snapshot APIs."]
  class tech_process_discovery technique
  tech_service_discovery["<b>Technique</b> - <b>T1007 System Service Discovery</b><br/>Queries services via EnumServicesStatusW."]
  class tech_service_discovery technique
  tech_file_dir_discovery["<b>Technique</b> - <b>T1083 File and Directory Discovery</b><br/>Traverses the filesystem with FindFirstFileW / FindNextFileW."]
  class tech_file_dir_discovery technique
  tech_software_discovery["<b>Technique</b> - <b>T1518 Software Discovery</b><br/>Uses WMI (wmic) to list installed antivirus, antispyware, and firewall products."]
  class tech_software_discovery technique
  tech_location_discovery["<b>Technique</b> - <b>T1614 System Location Discovery</b><br/>Obtains locale information via GetLocaleInfoW."]
  class tech_location_discovery technique

  %% Nodes - Defense Evasion
  op_defense_evasion(("Defense Evasion"))
  class op_defense_evasion operator
  tech_impair_defenses["<b>Technique</b> - <b>T1562 Impair Defenses</b><br/>Disables the Windows Firewall using netsh commands."]
  class tech_impair_defenses technique
  tool_netsh["<b>Tool</b> - <b>Name</b>: netsh<br/><b>Purpose</b>: Configure and disable Windows Firewall"]
  class tool_netsh tool
  tech_inhibit_recovery["<b>Technique</b> - <b>T1490 Inhibit System Recovery</b><br/>Deletes Volume Shadow Copies via vssadmin, wmic, and PowerShell."]
  class tech_inhibit_recovery technique
  tool_vssadmin["<b>Tool</b> - <b>Name</b>: vssadmin<br/><b>Purpose</b>: Delete shadow copies"]
  class tool_vssadmin tool
  tool_wmic["<b>Tool</b> - <b>Name</b>: wmic<br/><b>Purpose</b>: Delete shadow copies through WMI"]
  class tool_wmic tool
  tool_powershell["<b>Tool</b> - <b>Name</b>: PowerShell<br/><b>Purpose</b>: Delete shadow copies via Get-WMIObject"]
  class tool_powershell tool
  tech_clear_eventlogs["<b>Technique</b> - <b>T1070.001 Clear Windows Event Logs</b><br/>Clears event logs via OpenEventLogW and ClearEventLogW APIs."]
  class tech_clear_eventlogs technique
  tool_eventlog["<b>Tool</b> - <b>Name</b>: Windows API<br/><b>Purpose</b>: Clear Windows event logs"]
  class tool_eventlog tool

  %% Nodes - Impact
  malware_ransom["<b>Malware</b> - <b>Name</b>: DarkSide/REvil<br/><b>Impact</b>: Encrypts discovered files on disk"]
  class malware_ransom malware
  node_files["<b>Target</b>: Files on disk"]
  class node_files process

  %% Connections - Execution Flow
  tech_initial_exec -->|leads to| tech_anti_analysis
  tech_anti_analysis -->|leads to| tech_registry_query
  tech_registry_query -->|enables| tech_persistence
  tech_persistence -->|uses| tool_schtasks

  %% Connections - Discovery Flow
  tech_initial_exec -->|triggers| op_discovery
  op_discovery -->|uses| tech_sys_info
  op_discovery -->|uses| tech_user_discovery
  op_discovery -->|uses| tech_process_discovery
  op_discovery -->|uses| tech_service_discovery
  op_discovery -->|uses| tech_file_dir_discovery
  op_discovery -->|uses| tech_software_discovery
  op_discovery -->|uses| tech_location_discovery

  %% Connections - Defense Evasion Flow
  tech_initial_exec -->|prepares| op_defense_evasion
  op_defense_evasion -->|uses| tech_impair_defenses
  tech_impair_defenses -->|uses| tool_netsh
  op_defense_evasion -->|uses| tech_inhibit_recovery
  tech_inhibit_recovery -->|uses| tool_vssadmin
  tech_inhibit_recovery -->|uses| tool_wmic
  tech_inhibit_recovery -->|uses| tool_powershell
  op_defense_evasion -->|uses| tech_clear_eventlogs
  tech_clear_eventlogs -->|uses| tool_eventlog

  %% Connections - Impact Flow
  op_discovery -->|provides data to| malware_ransom
  op_defense_evasion -->|prepares environment for| malware_ransom
  malware_ransom -->|encrypts| node_files

  class tech_initial_exec,tech_anti_analysis,tech_registry_query,tech_persistence technique
  class tool_schtasks,tool_netsh,tool_vssadmin,tool_wmic,tool_powershell,tool_eventlog tool
  class tech_sys_info,tech_user_discovery,tech_process_discovery,tech_service_discovery,tech_file_dir_discovery,tech_software_discovery,tech_location_discovery,tech_impair_defenses,tech_inhibit_recovery,tech_clear_eventlogs technique
  class malware_ransom malware
  class node_files process
  class op_discovery,op_defense_evasion operator
```

Attack Flow

Simulations

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The REvil operator targets the victim machine to ensure that the ransomware payload launches automatically after a reboot. Using a PowerShell dropper, the attacker creates three registry modifications that the rule monitors:

    1. Create a deceptive “BlackLivesMatter” key under the Wow6432Node branch – a known REvil indicator.
    2. Enable AutoAdminLogon to force automatic logon of a privileged account after reboot, facilitating ransomware execution.
    3. Add a payload to the RunOnce key so the malicious executable runs once at system start.

    All three actions are performed with elevated rights, generating Security Event ID 13 entries that match the Sigma rule’s selection filter.

  • Regression Test Script:

    ```powershell
    #Requires -RunAsAdministrator
    # -------------------------------------------------
    # REvil Registry Manipulation Simulation (TC-20251114-3Z7XQ)
    # -------------------------------------------------
    # 1. BlackLivesMatter key (HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter)
    $blmKey = 'HKLM:\SOFTWARE\WOW6432Node\BlackLivesMatter'
    New-Item -Path $blmKey -Force | Out-Null
    New-ItemProperty -Path $blmKey -Name 'Command' -Value 'C:\Temp\revil_payload.exe' -PropertyType String -Force

    # 2. AutoAdminLogon activation
    $autoAdminKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $autoAdminKey -Name 'AutoAdminLogon' -Value '1' -Force

    # 3. RunOnce persistence for the payload
    $runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    New-Item -Path $runOnceKey -Force | Out-Null
    New-ItemProperty -Path $runOnceKey -Name 'RevilStart' -Value 'C:\Temp\revil_payload.exe /quiet' -PropertyType String -Force

    Write-Host "REvil registry simulation completed. Verify alerts in SIEM."
    ```

  • Cleanup Commands:

    ```powershell
    #Requires -RunAsAdministrator
    # -------------------------------------------------
    # Cleanup REvil Registry Simulation Artifacts
    # -------------------------------------------------
    # Remove BlackLivesMatter key
    Remove-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\BlackLivesMatter' -Recurse -Force -ErrorAction SilentlyContinue

    # Reset AutoAdminLogon (set to 0 or remove)
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name 'AutoAdminLogon' -Value '0' -Force

    # Remove RunOnce entry
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
        -Name 'RevilStart' -Force -ErrorAction SilentlyContinue

    Write-Host "Cleanup completed."
    ```
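To see what the SIEM side of this test looks like, the following added example (not part of the original page or of the AttackIQ content) runs detection logic over constructed Sysmon-style Event ID 13 records for the three registry modifications the simulation script performs. The JSON Lines shape, indicator names and the "all three together" scoring are assumptions made for this example, not the rule the page references.

```python
import json
import re

# Constructed Sysmon-style "RegistryEvent (Value Set)" records as JSON Lines.
# Sample data written for this example, not real telemetry; the last line is
# benign Winlogon noise that must not match.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\BlackLivesMatter\\Command", "Details": "C:\\Temp\\revil_payload.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon", "Details": "1"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\RevilStart", "Details": "C:\\Temp\\revil_payload.exe /quiet"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe"}
"""

# (indicator name, TargetObject pattern, optional Details pattern), one per
# modification in the simulation script above. Names are assumed here.
INDICATORS = [
    ("revil_blm_key", re.compile(r"\\WOW6432Node\\BlackLivesMatter(\\|$)", re.I), None),
    ("winlogon_autoadminlogon", re.compile(r"\\Winlogon\\AutoAdminLogon$", re.I),
     re.compile(r"^1$")),
    ("runonce_value_set", re.compile(r"\\CurrentVersion\\RunOnce\\[^\\]+$", re.I), None),
]

def parse_log(text):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def match_event(event):
    """Return the indicator names a single Event ID 13 record triggers.
    Key creation arrives as Event ID 12 and is deliberately out of scope."""
    if event.get("EventID") != 13:
        return []
    target = event.get("TargetObject", "")
    details = str(event.get("Details", ""))
    return [name for name, t_re, d_re in INDICATORS
            if t_re.search(target) and (d_re is None or d_re.search(details))]

def evaluate(events):
    """Score a batch: per-event hits, plus a high-confidence flag when all three
    indicators appear together, the combination the narrative describes."""
    hits = [(e.get("TargetObject", ""), match_event(e)) for e in events]
    seen = {n for _, names in hits for n in names}
    return {"hits": hits, "high_confidence": seen == {n for n, _, _ in INDICATORS}}

if __name__ == "__main__":
    result = evaluate(parse_log(SAMPLE_LOG))
    for target, names in result["hits"]:
        print(f"{'HIT ' if names else 'none'} {target} {names}")
    print("high-confidence REvil persistence pattern:", result["high_confidence"])
```

A single AutoAdminLogon or RunOnce write is common administrative activity, so only the combined pattern is raised as high confidence; the individual hits are still returned for triage.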