f33d by Preludef33d by Prelude
Sign in
  • About
  • Archive
  • Help
  • Sign in
Share this post
TTP Tuesday: Ransomware (Release 4)
feed.prelude.org

TTP Tuesday: Ransomware (Release 4)

Linux Ransomware using Custom Tools

Spencer Thompson
and
David Hunt
Jan 5
CommentShare

Theme Overview

04 January 2022

Our current theme is ransomware, focusing on scenarios where threats use live off the land (LotL) binaries and custom payloads to accomplish their objectives. The ransomware theme will contain the following kill-chains:

  1. Linux Ransomware using Live off the Land (LotL) Tools

  2. Windows Ransomware using Live off the Land (LotL) Tools

  3. Mac Ransomware using Custom Tools

  4. Linux Ransomware using Custom Tools (Current Release)

Linux Ransomware using Custom Tools - C(S)wipe

We were originally shooting to release a Windows variant of S(C)wipe but ran into compiling restraints right up to the release of this chain, so we opted to compile for Linux. We’ll release a Windows variant of this chain later on.

This week’s kill chain focuses on a different approach to ransomware for Linux machines. Instead of relying on a typical “discover and encrypt” attack path, our custom chain, written in C, delivers a (safe) attack that:

  • Takes a directory and reads (1-level) of files

  • Once the important directories are located, a custom payload drops on those directories and connects to a unique server (Spiderweb).

  • That connection exfiltrates each file found within those directories to the web server (Spiderweb).

  • Once exfiltrated, the contents of each of the files are replaced with a ransom note.

The purpose of this chain is to deliver a ransomware attack without using a traditional encryption method, therefore becoming harder to detect and presenting an alternative method to a current potential “blind spot” in defenses.

Note: we have designed this chain with two paths, one safe and one destructive. The safe path (the default) will copy each file before wiping and apply the wipe to the copy only. Removing the safe flag will allow this attack to run in the wild, and will be destructive.

You can read more about this attack on the Prelude Chains website.

You can watch a demonstration of the chain here:

Staying up to date

Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/channel/UCZyx-PDZ_k7Vuzyqr4-qK9A

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus

CommentCommentShareShare

Create your profile

Only paid subscribers can comment on this post

Already a paid subscriber? Log in

Check your email

For your security, we need to re-authenticate you.

Click the link we sent to , or click here to log in.

TopNewCommunityWhat is f33d by Prelude?AboutAbout

No posts

Ready for more?

© 2022 Prelude Research Inc.. See privacy, terms and information collection notice
Publish on Substack
f33d by Prelude is on Substack – the place for independent writing