{
	"id": "ae58edac-46ca-4303-a65b-8e18126e1cec",
	"created_at": "2026-04-06T00:07:25.059915Z",
	"updated_at": "2026-04-10T03:22:12.845455Z",
	"deleted_at": null,
	"sha1_hash": "3b82a58b0eaa09d7edb4e3387f8ea6a52c6444eb",
	"title": "Quarterly Report: Incident Response trends from Fall 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 119607,
	"plain_text": "Quarterly Report: Incident Response trends from Fall 2020\r\nBy Jonathan Munshaw\r\nPublished: 2020-12-09 · Archived: 2026-04-05 13:20:36 UTC\r\nWednesday, December 9, 2020 09:32\r\nBy David Liebenberg and Caitlin Huey.\r\nFor the sixth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. However, for the first quarter since we began compiling these reports, no engagements that were closed out involved the ransomware Ryuk (though there were engagements that were kicked off this quarter involving Ryuk, but have yet to close). The top ransomware families observed were Maze and Sodinokibi, though barely more than any others, continuing a trend of “democratization” for ransomware families observed in last quarter’s report, in which no one family was dominant. With Maze adversaries’ recent announcement of retirement, the possibility remains that more ransomware groups will step up to fill the void, accelerating this trend.\r\nBesides the drop in Ryuk, we saw a continuing decline in commodity trojans such as Trickbot and Emotet, as ransomware adversaries rely more on open-source tools, the Cobalt Strike framework, and a combination of various living-off-the-land tools and utilities, or “LoLBins.\" The lack of Ryuk is somewhat surprising given recent reports from the U.S. government that indicate adversaries are looking to target health care organizations with Ryuk. Part of this could be related to the timing of these incidents, which occurred toward the end of Q3 2020. We do note that there were several Ryuk cases opened toward the end of the quarter which have yet to close, including one affecting a health care company. CTIR also observed a general increase in engagements involving attacks against health care organizations toward the end of the quarter, though they mostly involved other malware families, such as the Vatet loader, which is known to target this industry. For more information, you can check out the full report summary here.\r\nhttps://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html\r\nPage 1 of 4\r\nTargeting\r\nActors targeted a broad range of verticals, including agriculture, food and beverage, health care, education, energy and utilities, industrial distribution, law enforcement, local government, manufacturing, and technology. The top targeted vertical was manufacturing, a continuation of last quarter. However, as mentioned above, there was a spike in attacks against health care organizations, and some of these engagements have yet to close out. In counting both engagements that were opened and closed out this quarter, health care and manufacturing sectors were tied as being the most affected sectors this quarter. Looking ahead, it appears that adversaries will continue to target the health care industry with ransomware and other types of attacks given their security postures and incentives to pay, especially given the situation with the COVID-19 pandemic, which threat actors have been more than willing to capitalize on.\r\nThreats\r\nRansomware continued to comprise the majority of threats CTIR observed. In a continuation from last quarter, no one ransomware family was dominant. Furthermore, there were no engagements that closed out involving Ryuk (though there was one engagement which opened this quarter in which Ryuk is suspected). In the past, Ryuk was much more prominent. In a continuation from the last several quarters, the majority of ransomware attacks were not observed in conjunction with commodity trojan infections, instead relying on open source tools, Cobalt Strike, and living-off-the-land utilities.\r\nFor example, a U.S. manufacturing company was targeted with a phishing email that contained a malicious ZIP file. Once downloaded and opened, an adversary carried out multiple malicious actions, including connection to a malicious IP address, account enumeration, and execution of encoded PowerShell. The adversary attempted to deploy a malicious ransomware file called “hnt.dll,” which CTIR identified as a Maze ransomware variant, although the mutexes were slightly different from previous Maze mutexes, which could have indicated a new strain. The customer had Cisco AMP for Endpoints running, which successfully quarantined the malicious DLL. The adversary used several commercially available and open source tools for malicious means, including PowerShell to execute encoded commands; Cobalt Strike, including executing \"Invoke-DACheck\", an Aggressor script that checks to see if the current user is a domain administrator; and \"Norton Power Eraser,\" a scanning tool that irreversibly removes forensic artifacts vital to the investigation from systems. CTIR investigated possible indicators of data exfiltration from six hosts to a malicious C2 IP address, including large amounts of packets exchanged over the observed time period. However, they found no evidence of data staging or any specific indicators that data was exfiltrated from the environment.\r\nIt is worth highlighting that the Maze ransomware group announced they have officially closed down their ransomware operation and claimed they will no longer be leaking new company data on their site. While the validity of Maze’s claim is still unknown at this time, it is possible that lower-tiered ransomware groups may attempt to compete within this threat landscape now that a very high-profile group has announced its departure.\r\nCTIR has observed a spike in Vatet loader/ransomware engagements this quarter affecting health care entities. Vatet is known to be used by adversary groups to specifically target health care organizations. In one open incident response engagement involving a U.S. medical center infected with Vatet, CTIR identified the likely infection vector as an IcedID phishing email with a ZIP attachment that used steganography for loading commands to the Vatet loader itself. From there, IcedID downloaded and ran Vatet, which started Cobalt Strike activity and eventually launched and executed the Defray777 ransomware.\r\nOther observed threats this quarter included business email compromise (BEC), cryptocurrency mining, web shells, brute-force attacks, exploit attempts and information stealers.\r\nInitial vectors\r\nFor the majority of engagements, definitively identifying an initial vector was difficult due to shortfalls in logging. However, in engagements in which the initial vector could be identified, or reasonably assumed, phishing remained the top infection vector for the sixth quarter in a row. Besides email, other initial vectors that CTIR has observed this quarter include drive-by downloads, RDP brute-force attacks, and exploitation of various vulnerabilities, including Microsoft Exchange (CVE-2020-0688), SaltStack Salt (CVE-2020-11651 and CVE-2020-11652), and Oracle WebLogic (CVE-2020-14882).\r\nTop-observed MITRE ATT\u0026CK techniques\r\nBelow is a list of the most common MITRE ATT\u0026CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple categories, we grouped them under the most relevant category in which they were leveraged. This represents what CTIR observed most frequently and is not intended to be exhaustive.\r\nKey Findings:\r\nThe usage of Cobalt Strike decreased by half. However, we do note that there are many open engagements that rely on Cobalt Strike for post-exploitation.\r\nWe observed a robust combination of various living-off-the-land tools and utilities, or “LoLBins.” This is a continuation of a trend seen in late 2019 where actors combine fileless malware and legitimate cloud services to improve chances of staying undetected.\r\nEncoded PowerShell commands account for several execution techniques, illustrating the need for policies to limit unprivileged users from using PowerShell or CMD applications.\r\nLeveraging valid accounts is the most observed technique used for lateral movement this quarter. RDP usage for lateral movement decreased this quarter. However, we did see brute-force attacks almost double this quarter.\r\nATT\u0026CK techniques\r\nInitial Access (TA0027), T1078 Valid Accounts: Use valid compromised credentials in BEC scam.\r\nPersistence (TA0028), T1543 Create or Modify System Process: Install a cryptomining application service on the system to maintain persistence on the server.\r\nExecution (TA0041), T1059.001 Command and Scripting Interpreter: PowerShell: Executes PowerShell code to retrieve information about the client's Active Directory environment.\r\nDiscovery (TA0007), T1082 System Information Discovery: Used Process Hacker to identify infected machine’s OS information.\r\nCredential Access (TA0006), T1003 OS Credential Dumping: Use tools such as Mimikatz to compromise credentials in the environment.\r\nPrivilege Escalation (TA0029), T1484 Group Policy Modification: Force group policy update that creates service to execute ransomware.\r\nLateral Movement (TA0008), T1021.001 Remote Desktop Protocol: Adversary connects to the system using RDP with valid credentials.\r\nCollection (TA0035), T1560.001 Archive Collected Data: Archive via Utility: One binary was capable of extracting system information and files that are subsequently placed within a tar archive, which is compressed with bzip2.\r\nDefense Evasion (TA0030), T1070 Indicator Removal on Host: Remove files and artifacts from an infected machine.\r\nCommand and control (TA0011), T1132.001 Data Encoding: Standard Encoding: Use Base64 to encode C2 communication.\r\nExfiltration (TA0010), T1567 Exfiltration Over Web Service: Data exfiltration was performed with the usage of FirefoxSend.\r\nImpact (TA0034), T1486 Data Encrypted for Impact: Deploy Maze ransomware.\r\nSoftware, Cobalt Strike: Execution of “Invoke-DACheck,\" a Cobalt Strike Aggressor Script to check if the current user is a domain administrator.\r\nSource: https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html"
	],
	"report_names": [
		"quarterly-ir-report-fall-2020-q4.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b82a58b0eaa09d7edb4e3387f8ea6a52c6444eb.pdf",
		"text": "https://archive.orkl.eu/3b82a58b0eaa09d7edb4e3387f8ea6a52c6444eb.txt",
		"img": "https://archive.orkl.eu/3b82a58b0eaa09d7edb4e3387f8ea6a52c6444eb.jpg"
	}
}