Over the past year, ransomware gangs have increasingly turned to otherwise legitimate information security tools and a variety of automation scripts to carry out post-exploitation lateral movement, data exfiltration and defense evasion, among other tasks. Recent data on attacks by Dharma “affiliate” actors takes this to the extreme—the attackers used a “toolbelt” of packaged tools and scripts to automate their attacks. Other ransomware gangs, including Ryuk and LockBit, have also increasingly used tools originally developed for penetration testing. In this presentation, I’ll review the most commonly used tools and frameworks, and review the way they’re used by ransomware attackers.
Sean Gallagher is a senior threat researcher at Sophos Labs. A Navy veteran, former squadron ADP Security Officer and former military IT contractor, Gallagher was a technology and information security journalist for over 20 years, including 9 years as the IT and National Security Editor at Ars Technica.