SOC Prime Bias: High

15 Jun 2026 15:57 UTC

Tengu Ransomware: From Initial Access to Encryption

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Tengu is a Ransomware-as-a-Service operation that follows a double-extortion model. Before launching encryption, the attackers use Living Off the Land Binaries to run payloads and exfiltrate sensitive data to MEGA cloud storage. Victim communications and payment negotiations are handled through a Tor-based portal.

Investigation

The report outlines the full Tengu intrusion chain, beginning with initial access through phishing or stolen credentials and ending with data encryption. It emphasizes the use of legitimate administrative utilities such as PowerShell and Rclone, which help the attackers blend into normal activity and reduce the chance of detection.

Mitigation

Security teams should enforce strong multi-factor authentication to reduce the risk of credential abuse on RDP and VPN services. Organizations should also monitor for suspicious LOLBin activity, restrict unauthorized use of cloud storage platforms, and maintain regular offline backups that can support recovery.

Response

If Tengu activity is detected, isolate affected systems immediately to stop lateral movement and additional data exfiltration. Review Windows Event Logs and service configurations for unauthorized modifications, and activate incident response procedures to determine the extent of data exposure and encryption activity.

Attack Flow

    graph TB
    %% Class Definitions Section
    classDef initial_access fill:#f9f,stroke:#333,stroke-width:2px
    classDef execution fill:#bbf,stroke:#333,stroke-width:2px
    classDef defense_impairment fill:#fbb,stroke:#333,stroke-width:2px
    classDef exfiltration fill:#bfb,stroke:#333,stroke-width:2px
    classDef impact fill:#f96,stroke:#333,stroke-width:2px
    classDef tool fill:#ccc,stroke:#333,stroke-width:1px

    %% Initial Access Nodes
    access_phishing["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/>Description: Sending targeted links to victims to gain access."]
    class access_phishing initial_access
    access_exploit["<b>Action</b> – <b>T1190 Exploiting a Public-Facing Application</b><br/>Description: Leveraging vulnerabilities in internet-facing software."]
    class access_exploit initial_access
    access_accounts["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Description: Using stolen credentials to access RDP or VPN endpoints."]
    class access_accounts initial_access
    op_initial_access(("AND"))
    class op_initial_access operator

    %% Execution and Privilege Escalation Nodes
    exec_powershell["<b>Action</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>Description: Executing malicious payloads via PowerShell."]
    class exec_powershell execution
    exec_cmd["<b>Action</b> – <b>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/>Description: Executing commands via cmd.exe."]
    class exec_cmd execution
    exec_rundll32["<b>Action</b> – <b>T1218.011 Rundll32</b><br/>Description: Executing malicious code through Rundll32.exe."]
    class exec_rundll32 execution
    priv_esc_lsass["<b>Action</b> – <b>T1003.001 OS Credential Dumping: LSASS Memory</b><br/>Description: Harvesting administrative credentials from LSASS memory."]
    class priv_esc_lsass execution

    %% Defense Impairment Nodes
    def_disable_tools["<b>Action</b> – <b>T1562.001 Impair Defenses: Disable or Modify Tools</b><br/>Description: Disabling Windows Security Center and Windows Update via sc config."]
    class def_disable_tools defense_impairment
    def_clear_logs["<b>Action</b> – <b>T1070.001 Indicator Removal: Clear Windows Event Logs</b><br/>Description: Destroying forensic evidence using wevtutil cl *."]
    class def_clear_logs defense_impairment

    %% Exfiltration Nodes
    exfil_cloud["<b>Action</b> – <b>T1567.002 Exfiltration to Cloud Storage</b><br/>Description: Moving sensitive data to cloud providers."]
    class exfil_cloud exfiltration
    tool_rclone["<b>Tool</b> – <b>Name</b>: Rclone / WinSCP<br/>Description: Legitimate tools used to transfer data to MEGA."]
    class tool_rclone tool

    %% Impact Nodes
    impact_recovery["<b>Action</b> – <b>T1490 Inhibit System Recovery</b><br/>Description: Deleting shadow copies via vssadmin delete shadows /all /quiet."]
    class impact_recovery impact
    impact_encryption["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Description: Encrypting files with .tengu extension and dropping TENGU_README.txt."]
    class impact_encryption impact

    %% Connections
    %% Initial access flow
    access_phishing -->|leads_to| op_initial_access
    access_exploit -->|leads_to| op_initial_access
    access_accounts -->|leads_to| op_initial_access

    %% Execution flow
    op_initial_access -->|leads_to| exec_powershell
    op_initial_access -->|leads_to| exec_cmd
    op_initial_access -->|leads_to| exec_rundll32
    exec_powershell -->|enables| priv_esc_lsass
    exec_cmd -->|enables| priv_esc_lsass

    %% Defense impairment flow
    priv_esc_lsass -->|leads_to| def_disable_tools
    priv_esc_lsass -->|leads_to| def_clear_logs

    %% Exfiltration flow
    def_disable_tools -->|precedes| exfil_cloud
    def_clear_logs -->|precedes| exfil_cloud
    exfil_cloud -->|uses| tool_rclone

    %% Final Impact flow
    tool_rclone -->|leads_to| impact_recovery
    impact_recovery -->|leads_to| impact_encryption

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to initiate the Tengu ransomware deployment phase. To avoid detection by simple antivirus signatures, they utilize “Living-off-the-Land” (LotL) techniques. The attacker will first use powershell.exe to download a staging payload and then use rundll32.exe to execute a malicious DLL. This mimics the behavior described in the Tengu attack chain, where legitimate Windows binaries are abused to perform malicious actions, thereby attempting to blend in with routine administrative activity.

  • Regression Test Script:

    # Tengu Ransomware Execution Simulation Script
    # This script simulates the use of LOLBins to trigger the detection rule.
    
    Write-Host "[*] Starting Tengu Ransomware Execution Simulation..." -ForegroundColor Cyan
    
    # 1. Simulate PowerShell-based payload staging (T1059.001)
    Write-Host "[*] Simulating PowerShell payload staging..." -ForegroundColor Yellow
    powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Write-Output 'Simulating download of malicious payload...'"
    
    # 2. Simulate CMD-based reconnaissance (T1059.003)
    Write-Host "[*] Simulating CMD-based reconnaissance..." -ForegroundColor Yellow
    cmd.exe /c "whoami /all"
    
    # 3. Simulate Rundll32 execution (T1218.011)
    Write-Host "[*] Simulating Rundll32 malicious DLL execution..." -ForegroundColor Yellow
    rundll32.exe javascript:"alert('Simulated Tengu Payload Execution');"
    
    Write-Host "[+] Simulation Complete. Check SIEM for alerts." -ForegroundColor Green

  • Cleanup Commands:

    # No permanent files or registry keys were modified in this simulation.
    # The commands executed are volatile process executions.
    Write-Host "[*] Cleanup unnecessary as no persistent artifacts were created." -ForegroundColor Cyan
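
The SIEM side of the exercise, as an added example that is not part of the SOC Prime report or its detection content: a small Python rule set that runs over process-creation telemetry (Windows Security 4688 or Sysmon Event ID 1 style records) and flags the command lines named in the attack flow above, namely PowerShell launched with a bypassed execution policy and a hidden window, rundll32.exe with a javascript: argument, service start types changed with sc config, event logs cleared with wevtutil, shadow copies deleted with vssadmin, and Rclone/WinSCP runs that reference MEGA. It then correlates hits per host so that a machine showing several stages of the chain is raised above a single noisy match. The sample events are constructed for the example (they include the three commands from the regression test script so the reader can see what it should trigger); the service name wscsvc, the PowerShell flag abbreviations -ep and -w, and the per-host severity thresholds are assumptions of this example, not details taken from the report.

```python
"""Detection logic for the Living-off-the-Land commands in the Tengu attack flow.

Input:  process-creation events (host, image path, command line), constructed
        inline below; in production these come from Security 4688 or Sysmon 1.
Output: one alert per matching event plus a per-host verdict based on how many
        distinct stages of the chain were seen on that host.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK id, chain stage, image-basename regex, command-line regex).
# Command-line patterns are case-insensitive and follow the commands in the report.
RULES = [
    ("powershell_hidden_bypass", "T1059.001", "execution", r"^powershell\.exe$",
     # -ep / -w are PowerShell's accepted prefixes of -ExecutionPolicy / -WindowStyle (assumption).
     r"-(executionpolicy|ep)\s+bypass.*-(windowstyle|w)\s+hidden"
     r"|-(windowstyle|w)\s+hidden.*-(executionpolicy|ep)\s+bypass"),
    ("rundll32_javascript", "T1218.011", "execution", r"^rundll32\.exe$", r"javascript:"),
    ("service_disabled_via_sc", "T1562.001", "defense_impairment", r"^sc\.exe$",
     r"\bconfig\b.*start=\s*disabled"),
    ("event_log_cleared", "T1070.001", "defense_impairment", r"^wevtutil\.exe$",
     r"\b(cl|clear-log)\s"),
    ("shadow_copies_deleted", "T1490", "impact", r"^vssadmin\.exe$", r"delete\s+shadows"),
    ("cloud_exfil_tool", "T1567.002", "exfiltration", r"^(rclone|winscp)\.exe$", r"\bmega\b"),
]
COMPILED = [(n, t, s, re.compile(i, re.I), re.compile(c, re.I | re.S)) for n, t, s, i, c in RULES]


def _basename(image: str) -> str:
    """Lower-cased file name of an image path; accepts both \\ and / separators."""
    return re.split(r"[\\/]", image)[-1].lower()


def match_event(event: dict) -> list:
    """Return one alert dict per rule that fires on a single process-creation event."""
    image = _basename(event["image"])
    cmdline = event["cmdline"]
    return [
        {"rule": name, "technique": technique, "stage": stage,
         "host": event["host"], "cmdline": cmdline}
        for name, technique, stage, image_re, cmd_re in COMPILED
        if image_re.search(image) and cmd_re.search(cmdline)
    ]


def analyze(events: list) -> tuple:
    """Run all rules, then grade each host by the number of distinct stages seen.

    Thresholds are illustrative: one stage is 'low', two 'medium', three or more 'high'.
    """
    alerts = [hit for ev in events for hit in match_event(ev)]
    per_host = defaultdict(lambda: {"stages": set(), "techniques": set()})
    for a in alerts:
        per_host[a["host"]]["stages"].add(a["stage"])
        per_host[a["host"]]["techniques"].add(a["technique"])
    verdicts = {}
    for host, d in per_host.items():
        n = len(d["stages"])
        severity = "high" if n >= 3 else "medium" if n == 2 else "low"
        verdicts[host] = {"severity": severity, "stages": sorted(d["stages"]),
                          "techniques": sorted(d["techniques"])}
    return alerts, verdicts


# Constructed telemetry for the example; not from a real incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Benign administrative activity that must not alert.
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"host": "WS01", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\deploy\install.ps1"},
    # The three commands from the regression test script.
    {"host": "WS01", "image": PS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                "\"Write-Output 'Simulating download of malicious payload...'\""},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c \"whoami /all\""},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe javascript:\"alert('Simulated Tengu Payload Execution');\""},
    # Later stages of the chain on a file server (wscsvc = Windows Security Center; assumption).
    {"host": "FS02", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc config wscsvc start= disabled"},
    {"host": "FS02", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl *"},
    {"host": "FS02", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 8"},
    {"host": "FS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    found, graded = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] {a['technique']} {a['rule']}: {a['cmdline']}")
    for host, v in graded.items():
        print(f"{host}: {v['severity']} ({', '.join(v['stages'])})")
```

Run against the sample, the workstation that executed only the simulation commands grades low (two execution-stage hits, no benign false positives), while the file server that disabled a service, cleared logs, pushed data to a MEGA remote and deleted shadow copies grades high. In a real deployment the image basename and command line would be read from the 4688 NewProcessName/CommandLine or Sysmon Image/CommandLine fields, and the two benign records show why the PowerShell rule requires both flags rather than alerting on every Bypass.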