Skip to content
.ca
sign in
8 mincritical

Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape

In 2025, ransomware operators increasingly relied on vulnerability exploitation for initial access and heavily targeted virtualization infrastructure like ESXi. While overall ransomware profitability appears to be declining, threat actors have adapted by increasing data theft extortion, targeting smaller organizations, and utilizing cross-platform ransomware families like REDBIKE, AGENDA, and INC.

Conf:highAnalyzed:2026-03-16reports

Authors: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark

ActorsQilinAkiraLockBitALPHVBastaRansomHubUNC6357UNC2165CL0PBABUK 2.0FUNKSECUNC6016UNC2465UNC5833UNC6021FIN6UNC5774UNC6276UNC5471UNC5496UNC6098UNC5495REDBIKEAGENDAINCLOCKBIT.WARLOCKCONTIODDSIDEPLAYCRYPTSAFEPAYRHYSIDARIFTTEARMEDUSALOCKER.V2NINTHBEESILVERPINEWHITERABBITFOULFOG.LINUXNITROGENBABUK.MARIOCRYTOXDOLLARLOCKERINC.LINUXLOCKBIT.UNIXFURYSTORMFIREFLAME
REDBIKEData Theft ExtortionRansomwareESXi TargetingVulnerability Exploitation

Source:Mandiant

IOCs · 5

Key Takeaways

  • Initial access via vulnerability exploitation (especially VPNs and firewalls) accounted for 33% of ransomware incidents in 2025.
  • Data theft occurred in 77% of ransomware intrusions, a significant increase from 57% in 2024.
  • Targeting of virtualization infrastructure, particularly ESXi hypervisors, increased to 43% of incidents.
  • REDBIKE was the most frequently deployed ransomware family, accounting for 30% of analyzed incidents.
  • Threat actors continue to decrease their reliance on Cobalt Strike BEACON and MIMIKATZ, shifting towards other post-exploitation frameworks and tunnelers.

Affected Systems

  • Windows
  • Linux
  • VMware ESXi
  • Fortinet FortiOS / FortiProxy
  • Palo Alto PAN-OS
  • SonicWall SonicOS
  • Citrix NetScaler
  • Microsoft SharePoint
  • Veritas Backup Exec
  • Zoho ManageEngine
  • SAP Netweaver

Vulnerabilities (CVEs)

  • CVE-2024-55591
  • CVE-2024-21762
  • CVE-2019-6693
  • CVE-2024-40766
  • CVE-2024-3400
  • CVE-2023-4966
  • CVE-2021-27877
  • CVE-2021-27878
  • CVE-2021-40539
  • CVE-2025-53770
  • CVE-2025-53771
  • CVE-2025-31324
  • CVE-2025-31161
  • CVE-2025-8088
  • CVE-2025-61882
  • CVE-2024-37085

Attack Chain

Threat actors typically gain initial access via vulnerability exploitation in edge devices (VPNs/firewalls) or compromised credentials. They establish footholds using tunnelers (e.g., CLOUDFLARED, LIONSHARE) and backdoors, escalating privileges via OS credential dumping or AD abuse. Lateral movement is heavily reliant on RDP, SMB, and SSH, often targeting ESXi hypervisors. Finally, actors exfiltrate sensitive data using tools like Rclone or MEGASync before deploying ransomware (e.g., REDBIKE, AGENDA) via automated scripts, GPOs, or scheduled tasks, while simultaneously disabling security controls and deleting backups.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Google Threat Intelligence Group (GTIG)

The article provides multiple YARA rules for detecting various ransomware families, including AGENDA, REDBIKE, CLOP, PLAYCRYPT, SAFEPAY, INC, RANSOMHUB, FURYSTORM, and FIREFLAME.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the execution of PowerShell scripts, scheduled task creation, registry modifications disabling Windows Defender, and the use of known tools like Rclone, AnyDesk, and Megatools. Network Visibility: Medium — While initial exploitation and data exfiltration to cloud services generate network traffic, the heavy use of tunnelers (CLOUDFLARED, LIONSHARE) and encrypted protocols (SSH, RDP) can obscure malicious activity. Detection Difficulty: Moderate — The reliance on Living off the Land (LotL) techniques, legitimate RMM tools, and valid credentials makes it challenging to distinguish malicious activity from normal administrative tasks without behavioral analytics.

Required Log Sources

  • Windows Event Logs (Security, System)
  • PowerShell Operational Logs
  • Firewall/VPN Logs
  • ESXi/vCenter Audit Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for PowerShell execution of Active Directory enumeration cmdlets (Get-ADUser, Get-ADComputer) piping output to CSV files in public or unusual directories.PowerShell Script Block Logging (Event ID 4104), Process Command LineDiscoveryMedium
Identify modifications to Windows Defender registry keys (e.g., DisableRealtimeMonitoring) via cmd.exe or PowerShell.Registry Events (Event ID 4657, Sysmon Event ID 12/13), Process Command LineDefense EvasionLow
Detect the execution of esxcli commands modifying advanced system settings, specifically disabling execInstalledOnly.ESXi Shell Logs, vCenter Audit LogsDefense EvasionLow
Monitor for the creation of scheduled tasks executing rundll32.exe with DLLs located in unusual directories like C:\Windows\System32\config.Scheduled Task Creation (Event ID 4698), Process Creation (Event ID 4688)PersistenceLow
Hunt for the execution of data synchronization tools like Rclone or MEGASync, especially when executed with command-line arguments pointing to cloud storage providers.Process Command Line, Network ConnectionsExfiltrationMedium

Control Gaps

  • Lack of MFA on VPNs/External Services
  • Insufficient monitoring of ESXi hypervisors
  • Overly permissive outbound network access allowing tunnelers and RMMs

Key Behavioral Indicators

  • Execution of wevtutil to clear logs
  • Use of IOBIT uninstaller to unlock files
  • Modifications to LegalNoticeCaption registry keys
  • Creation of firewall rules allowing inbound SSH (port 22) via PowerShell

False Positive Assessment

  • Medium. Many of the tools used by ransomware actors (e.g., AnyDesk, Rclone, PowerShell, PsExec) are also used by legitimate system administrators. Detections must focus on behavioral anomalies and context.

Recommendations

Immediate Mitigation

  • Patch known vulnerabilities in edge devices (Fortinet, Palo Alto, SonicWall, Citrix).
  • Enforce MFA on all external-facing services, especially VPNs and RDP.
  • Review and disable unnecessary remote access tools (RMMs) and tunnelers.

Infrastructure Hardening

  • Harden ESXi hypervisors by restricting SSH access, enabling lockdown mode, and monitoring for configuration changes.
  • Implement network segmentation to limit lateral movement via SMB and RDP.
  • Restrict outbound network traffic to prevent unauthorized data exfiltration to cloud storage services.

User Protection

  • Deploy and configure EDR solutions to block unauthorized modifications to Windows Defender and other security controls.
  • Implement LAPS (Local Administrator Password Solution) to prevent lateral movement using local admin credentials.

Security Awareness

  • Train employees on the risks of social engineering and malvertising.
  • Conduct regular tabletop exercises simulating ransomware and data extortion scenarios.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1059.001 - PowerShell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1003.003 - OS Credential Dumping: NTDS
  • T1558.003 - Kerberoasting
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1087.002 - Account Discovery: Domain Account
  • T1021.001 - Remote Desktop Protocol
  • T1021.002 - SMB/Windows Admin Shares
  • T1021.004 - SSH
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1490 - Inhibit System Recovery
  • T1486 - Data Encrypted for Impact
  • T1567.002 - Exfiltration to Cloud Storage
  • T1090 - Proxy

Additional IOCs

  • Domains:
    • www[.]torproject[.]org - Referenced in AGENDA ransomware note
  • Registry Keys:
    • HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - Modified to disable Real-Time Monitoring, ScanOnRealtimeEnable, OnAccessProtection, IOAVProtection, and BehaviorMonitoring.
    • HKLM\Software\Policies\Microsoft\Windows Defender\Reporting - Modified to disable EnhancedNotifications.
    • HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet - Modified to disable BlockAtFirstSeen, SubmitSamplesConsent, and SpynetReporting.
    • HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - Modified to disable MpEnablePus.
    • HKLM\Software\Policies\Microsoft\Windows Defender - Modified to disable AntiSpyware and AntiVirus.
  • File Paths:
    • akira_readme.txt - Ransom note dropped by REDBIKE/Akira ransomware.
    • INC-README - Ransom note dropped by INC ransomware.
  • Command Lines:
    • Purpose: Create a scheduled task for persistence of the LIONSHARE tunneler. | Tools: schtasks.exe | Stage: Persistence | schtasks /Create /SC MINUTE /MO 720 /TN Reg /TR
    • Purpose: Enumerate Active Directory users and export to a CSV file. | Tools: PowerShell, Get-ADUser | Stage: Discovery | Get-ADUser -filter * -properties Enabled,DisplayName,Mail
    • Purpose: Enumerate Active Directory computers and export to a CSV file. | Tools: PowerShell, Get-ADComputer | Stage: Discovery | Get-ADComputer -Filter {enabled -eq $true} -properties *
    • Purpose: Modify firewall rules to enable remote desktop access. | Tools: netsh.exe | Stage: Lateral Movement | netsh advfirewall firewall set rule group="remote desktop" new enable=No
    • Purpose: Create a new firewall rule to allow inbound SSH traffic. | Tools: PowerShell, New-NetFirewallRule | Stage: Lateral Movement | New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)'
    • Purpose: Disable the ExecInstalledOnly setting on ESXi hosts to allow custom binary execution. | Tools: esxcli | Stage: Defense Evasion | esxcli system settings advanced set -o /User/execInstalledOnly -i 0
    • Purpose: Disable Windows Defender Real-Time Protection via registry modification. | Tools: cmd.exe, reg.exe | Stage: Defense Evasion

Related