- This repository contains a list of which tools each ransomware gang or extortionist gang uses
- As defenders, we can take advantage of the fact that the tools used by these cybercriminals are frequently reused across gangs and intrusions
- We can threat hunt for, deploy detections for, and block these tools to deny adversaries the ability to launch intrusions with them
- This project will be updated as additional intelligence on ransomware gang TTPs is made available
> [!TIP]
> This Ransomware Tool Matrix has several use cases, which are as follows:
> - As a list of leads for threat hunting inside the environments available to you
> - As a list of leads to look for during incident response engagements
> - As a checklist of tools to identify patterns of behaviour between certain ransomware affiliates
> - As an adversary emulation resource for threat intelligence-led purple team engagements
- RMM Tools
- Exfiltration Tools
- Credential Theft Tools
- Defense Evasion Tools
- Networking Tools
- Discovery Tools
- Offensive Security Tools
- Living-off-the-Land Binaries and Scripts
- List of CISA's Threat Groups
- List of The DFIR Report's Threat Groups
- List of Trend Micro's Threat Groups
- Common TTPs of the Modern Ransomware Groups by Kaspersky
- The Conti Playbook
- The Bassterlord Networking Manual
- Extra Threat Intel
> [!TIP]
> If you see a Threat Group with an asterisk (*), this means it is a Ransomware-as-a-Service (RaaS) affiliate actor or group, which has access to one or more RaaS.
- List of Tools used by 10+ Ransomware Gangs
- List of Ransomware Group Profiles
- List of All Tools by Type
- Ransomware Tool Matrix Threat Hunt Checklist
> [!IMPORTANT]
> Using the Ransomware Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by ransomware gangs to hunt, detect, and block, there are some risks.
> - Many of the tools referenced in this repository may currently be used by your IT team or even your Cybersecurity team.
> - When hunting for these tools, you may uncover many installations of them inside your environment.
> - Determining whether a tool is being used legitimately, by an employee with permission, is difficult in a large or global environment.
> - If you create a detection rule, you may generate a large volume of alerts, which may be ignored or turned off without being investigated.
> - If you block these tools without investigating for legitimate usage, you may cause disruption to legitimate business operations and potentially impose costs on your own organisation.
- Please see the following guidelines to contribute to this repo.
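One way to hunt with the matrix while managing the risks listed above (legitimate installs, alert floods) is to aggregate tool sightings per host, separate them from an approved-use register, and rank hosts by how many distinct tool categories appear unapproved. This is an added example and not part of the matrix itself; the tool names, hosts, users and telemetry lines are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed stand-in for matrix entries: category -> process image names.
TOOL_MATRIX = {
    "RMM Tools": {"remotetool.exe", "quickassist-x.exe"},
    "Exfiltration Tools": {"cloudsync.exe"},
    "Discovery Tools": {"netscan.exe"},
}
# Constructed approved-use register: hosts permitted to run a given tool.
APPROVED_USE = {"HELPDESK-01": {"remotetool.exe"}, "BACKUP-01": {"cloudsync.exe"}}
# Constructed telemetry: timestamp host user process_image
SAMPLE_EVENTS = """\
2024-05-01T08:01:00Z HELPDESK-01 jdoe remotetool.exe
2024-05-01T08:05:00Z HELPDESK-01 jdoe remotetool.exe
2024-05-01T09:12:00Z FIN-WS-17 asmith remotetool.exe
2024-05-01T09:13:00Z FIN-WS-17 asmith netscan.exe
2024-05-01T09:20:00Z BACKUP-01 svc_backup cloudsync.exe
2024-05-01T10:00:00Z FIN-WS-17 asmith cloudsync.exe
2024-05-01T10:30:00Z DEV-WS-03 bkim notepad.exe
"""

def tool_category(image):
    """Return the matrix category of a process image, or None if not listed."""
    for category, tools in TOOL_MATRIX.items():
        if image.lower() in tools:
            return category
    return None

def triage(events, approved):
    """Count matrix-tool executions per host, split into approved and unapproved.
    One finding per host/tool with a count, not one alert per execution."""
    approved_hits, unapproved_hits = defaultdict(Counter), defaultdict(Counter)
    for line in events.splitlines():
        _ts, host, _user, image = line.split()
        category = tool_category(image)
        if category is None:
            continue  # not a tool the matrix tracks
        if image.lower() in approved.get(host, set()):
            approved_hits[host][image] += 1
        else:
            unapproved_hits[host][(image, category)] += 1
    return approved_hits, unapproved_hits

def prioritise(unapproved_hits):
    """Rank hosts by distinct unapproved tool categories, then by execution count."""
    ranked = [(host, len({c for _, c in hits}), sum(hits.values()))
              for host, hits in unapproved_hits.items()]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))
```

On the sample telemetry the helpdesk and backup hosts are recorded as approved use, while the finance workstation surfaces as the single host with RMM, discovery and exfiltration tooling it is not approved for.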