Adversaries' Infrastructure: Ransomware Groups, APTs, and Red Teams

What can you learn from scanning adversaries' infra?

Michael Koczwara


In this short blog post I will get straight to the point. Over the past few weeks/months I have been scanning the internet on a daily/weekly basis using Shodan, Censys, Nmap, and my own Python scripts, and I would like to share my findings. I will very briefly explain how the different Threat Actors operate, what kind of infra and tools they use to launch attacks, and how bad their opsec is.

Infrastructure

Threat Actors Profiles:

  • Ransomware Groups based in Russia
  • Threat Actors based in China
  • Red Teamers

Diamond Model examples

I will use the Diamond Model to explain the Threat Actors' methodology (it is self-explanatory, I guess?).

Ransomware Group from Russia

What do the infra/tools of Ransomware Groups based in Russia look like?

[Figure: Threat Actor based in Russia]

Another example of Ransomware Group infrastructure is 62.182.159[.]147.

[Figures: Ransomware Group Infra; Ransomware Infra/Tools]

AnyDesk, RDP, ShadowGuru .bat files, and ngrok are typical tools used by ransomware operators.

AnyDesk is probably used for persistence, the same as RDP, and the other .bat files are used to uninstall/disable security controls.

https://gist.github.com/MichaelKoczwara/07a877f3df094cafa876834249817c95
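The tooling described above (AnyDesk for persistence, RDP exposed through an ngrok tunnel, and .bat files that stop security services) leaves traces in endpoint process-creation telemetry. The following is an added example, not code from the original post or from the author's gist: a small Python triage script that scans Sysmon-style process-creation events exported as JSON lines and flags those three patterns. The field names (`Computer`, `Image`, `CommandLine`, `ParentCommandLine`), the watchlists of binaries and service names, and the sample events are all constructed assumptions for this example; adapt them to your own EDR or Sysmon export.

```python
"""Triage process-creation events for ransomware-operator tooling.

Added example (not from the original post). Field names, watchlists and
the SAMPLE_EVENTS below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Binaries associated with remote access / tunnelling (assumed watchlist).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "ngrok.exe"}

# Windows service names belonging to security controls (assumed watchlist).
SECURITY_SERVICES = {"windefend", "sense", "mpssvc"}

# "sc stop <svc>" / "net stop <svc>" and an ngrok TCP tunnel to the RDP port.
STOP_RE = re.compile(r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?([A-Za-z0-9_]+)"?', re.IGNORECASE)
NGROK_RDP_RE = re.compile(r'\bngrok(?:\.exe)?\s+tcp\s+(?:\S+:)?3389\b', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Apply the three detection rules to one decoded event."""
    findings = []
    host = ev.get("Computer", "?")
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    parent_cmd = ev.get("ParentCommandLine", "")

    if image in REMOTE_ACCESS_TOOLS:
        findings.append(Finding(host, "remote_access_tool", image))
    if NGROK_RDP_RE.search(cmd):
        findings.append(Finding(host, "ngrok_rdp_tunnel", cmd))
    m = STOP_RE.search(cmd)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        rule = "security_service_stopped"
        if ".bat" in parent_cmd.lower():  # launched from a batch script
            rule += "_via_batch"
        findings.append(Finding(host, rule, cmd))
    return findings


def scan(lines):
    """Scan JSON-lines export; malformed or blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(ev))
    return findings


def summarize(findings):
    """Map each host to the sorted list of rules it triggered."""
    summary = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(rules) for h, rules in summary.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"Computer":"WS01","Image":"C:\\Users\\Public\\AnyDesk.exe","CommandLine":"AnyDesk.exe","ParentCommandLine":"explorer.exe"}',
    r'{"Computer":"WS01","Image":"C:\\Users\\Public\\ngrok.exe","CommandLine":"ngrok.exe tcp 3389","ParentCommandLine":"cmd.exe"}',
    r'{"Computer":"SRV02","Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc.exe stop WinDefend","ParentCommandLine":"cmd.exe /c C:\\Temp\\run.bat"}',
    r'{"Computer":"SRV02","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs","ParentCommandLine":"services.exe"}',
    r'{"Computer":"WS03","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop Spooler","ParentCommandLine":"cmd.exe"}',
]

if __name__ == "__main__":
    for host, rules in summarize(scan(SAMPLE_EVENTS)).items():
        print(host, rules)
```

The rules are deliberately narrow (exact binary names, an explicit RDP port in the ngrok command line, a short list of security service names) so they produce few false positives on a first pass; widen the watchlists with your own environment's service names and renamed-binary hashes once the baseline is understood.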

Threat Actors from…
