New Threat Actor: Brotherhood

Emerging in October 2025, the Brotherhood ransomware group, also known as Brohood, has rapidly established itself as an active and aggressive threat actor in the global cybercrime landscape. Operating under the explicit guise of a “Data Broker,” the group employs a double extortion strategy, prioritizing data exfiltration and subsequent extortion over the deployment of file-encrypting malware. This operational model reflects a significant and growing trend within the ransomware ecosystem, where the primary leverage against victims is the threat of public data exposure rather than operational disruption from encryption.

Initial campaigns attributed to Brotherhood have demonstrated a global reach and a sector-agnostic targeting methodology. The group has publicly claimed responsibility for compromising at least a dozen organizations across the United States, Canada, the United Kingdom, Australia, and South Africa. Victims span a diverse range of industries, including manufacturing, legal services, information technology, and non-profit organizations. Notable incidents include the exfiltration of 45 GB of sensitive corporate and personal data from Australian manufacturer Kevmor Trade Supplies and a massive 274 GB data theft from the U.S.-based religious organization Woodmen Valley Chapel, underscoring the group’s capacity to handle large-scale data exfiltration.

A significant intelligence gap currently exists regarding the specific Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with Brotherhood’s initial access and post-exploitation activities. Publicly available information is largely confined to the group’s extortion framework, including its TOR-based data leak site and communication channels. To address this gap, this report provides a comprehensive analysis of the TTPs commonly employed by contemporary ransomware groups in 2025, offering a likely proxy for Brotherhood’s operational playbook.

This report delivers a detailed profile of the Brotherhood threat actor, an analysis of its victimology and impact, an assessment of its likely TTPs based on the current threat landscape, and a critical evaluation of available IOCs. It concludes with strategic and tactical recommendations for organizations to mitigate the threat posed by data-exfiltration-focused actors like Brotherhood. Key recommendations emphasize a shift in defensive posture from solely preventing encryption to robustly defending against data exfiltration, hardening internet-facing infrastructure, and preparing incident response plans that prioritize the legal, reputational, and regulatory consequences of a data breach.

Who is the Brotherhood Group?

The Brotherhood threat actor represents a new entrant into the crowded and highly competitive ransomware and cyber-extortion ecosystem. Its emergence in late 2025 coincides with a broader market trend characterized by the splintering of larger ransomware cartels and the proliferation of smaller, more agile groups. The group’s operational profile suggests a focus on efficiency and a clear understanding of modern extortion dynamics.

Origins and Communication

The first public activity attributed to the Brotherhood group was observed in October 2025, when its data leak site (DLS) on the TOR network became active and began listing victims. The group uses the primary moniker “Brotherhood” and the shortened alias “Brohood” in its communications and on its leak site.

The group maintains a focused and secure set of communication channels designed to preserve anonymity and facilitate negotiations with its victims. This infrastructure is a core component of its extortion operation and provides the few definitive indicators currently associated with the group.

  • TOR Data Leak Site: Brotherhood operates a DLS at the onion address http://brohoodyaifh2ptccph5zfljyajjabwjjo4lg6gfp4xb6ynw5w7ml6id.onion. This site serves as the primary platform for their “name-and-shame” tactics, where they list victim organizations, detail the extent of the data theft, and often provide samples of exfiltrated files to add credibility to their threats. In some cases, links to download the full data dumps are also posted on this site.
  • Email Contact: The group uses the email address [email protected] for communication. The use of the OnionMail service, which provides anonymous and encrypted email over the TOR network, is consistent with the operational security practices of modern cybercriminal actors.
  • Tox ID: For real-time, peer-to-peer encrypted chat, the group provides the Tox ID 138A7107FE83F6CBC03A43D484C17CCBF7E6ED5060792D6AFB1BE4358FB9482831B0033BACB0. Tox is a decentralized messaging protocol that does not rely on central servers, making it highly resistant to surveillance and takedown efforts, further highlighting the group’s emphasis on secure and untraceable communications.

How They Operate

Brotherhood’s operational model is explicitly defined by its self-proclaimed status as a “Data Broker”. This classification is significant, as it signals a strategic focus on the theft and monetization of information itself, rather than on the disruption caused by file encryption. While many ransomware groups engage in data theft, Brotherhood’s primary branding as a data broker suggests this is the core of their business model, not merely an ancillary tactic.

The group’s extortion strategy is multifaceted, employing methods designed to maximize pressure on victims to pay.

  • Direct Extortion: This involves stealing sensitive data and demanding a payment to prevent its public release, without any corresponding file encryption. This model is faster and technically less complex than deploying ransomware, as it removes the need to develop, maintain, and manage a sophisticated encryption locker and decryption tools.
  • Double Extortion: This is the more common model in the current ransomware landscape, where attackers both encrypt a victim’s files and exfiltrate a copy of the data. The threat to leak the stolen data serves as a powerful secondary lever, rendering data backups insufficient as a sole recovery strategy. Brotherhood’s use of this tactic indicates their alignment with mainstream ransomware practices.

The choice to operate primarily as a data broker has important implications. It lowers the technical barrier to entry for new cybercrime operations. Developing a stable, effective, and evasive ransomware encryptor is a significant software engineering challenge. In contrast, data exfiltration can often be accomplished using a combination of legitimate administrative tools (“living off the land”), open-source utilities, and commercial penetration testing frameworks. By focusing on the “smash and grab” of data theft, groups like Brotherhood can become operational more quickly and with less upfront investment in custom malware development.

This operational model also shifts the defensive focus for organizations. Traditional ransomware defense heavily emphasizes robust backup and recovery strategies to mitigate the impact of encryption. Against a data broker threat like Brotherhood, however, backups do nothing against the primary threat: the public disclosure of sensitive corporate data, customer PII, and intellectual property. The incident response playbook must therefore prioritize containment, data loss prevention, legal counsel, and crisis communications over technical data restoration.

Who Are the Victims?

The initial campaign launched by the Brotherhood group reveals a clear pattern of opportunistic, financially motivated targeting. The group does not appear to discriminate by industry or size, instead compromising a wide array of organizations across multiple continents. This approach is characteristic of many new ransomware entrants who leverage readily available access or exploit common vulnerabilities rather than pursuing specific high-value targets.

Global Reach, Diverse Targets

Brotherhood’s attacks have demonstrated a significant geographic scope, with a notable concentration in Western, English-speaking nations. Documented victims are located in the United States, Canada, the United Kingdom, Australia, and South Africa. This distribution may reflect the language proficiency of the operators, the economic value of targets in these regions, or the prevalence of specific vulnerabilities they are equipped to exploit.

The group’s targeting is sector-agnostic. Their DLS lists victims from a diverse set of industries, including:

  • Manufacturing
  • Legal and Professional Services
  • Information Technology and Software
  • Religion and Non-profits
  • Advertising, Media & Marketing
  • Transportation, Distribution & Logistics
  • Banking & Finance

This broad targeting profile is typical of ransomware groups that operate on a Ransomware-as-a-Service (RaaS) model or purchase access from Initial Access Brokers (IABs), who often provide access to a wide variety of compromised networks without a specific industry focus.

Known Victims of the Brotherhood Ransomware Group

The following table consolidates publicly available information on organizations victimized by the Brotherhood group, as listed on their data leak site. The data provides a clear overview of their campaign activity since emerging in October 2025.

| Victim Name | Website | Industry Sector | Country | Date of Post | Claimed Data Leak Size | Data Details / Examples |
|---|---|---|---|---|---|---|
| Kevmor Trade Supplies | kevmor.com.au | Manufacturing | Australia | 2025-10-09 | 45 GB (compressed) | Files, Databases, E-mails. Examples: Husqvarna Diamond Comparison List - 2024.10.xlsx, Pay Advices - Kevmor 240724.pdf, Passport scans. |
| Woodmen Valley Chapel | woodmenvalley.org | Religion | United States | 2025-10-09 | 274 GB (compressed) | Files. Examples: Elder Meeting Minutes 1117.docx, Land Sales Balance Due to WVC 2.29.20.xls. |
| Orion Communications and Public Relations | orioncommunications-pr.com | Advertising & Marketing | United States | 2025-10-09 | 13 GB (compressed) | Files, Databases. Examples: ApplicantEvaluation_JacquesDaniels.docx, barbara smith passport0001.jpg. |
| Motility Software Solutions | motilitysoftware.com | Software / IT | United States | 2025-10-09 | 3.3 GB (compressed) | Files, Databases. Examples: 2022 Master Dealer Price File.xlsx, April 2023 Invoice.pdf. |
| Momentum Logistics | Not Provided | Transportation, Distribution & Logistics | South Africa | 2025-10-09 | Not Specified | Not Specified. |
| Sternthal Montigny Greenberg St-Germain | Not Provided | Legal | Canada | 2025-10-09 | Not Specified | Files. |
| Coal Industry Social Welfare Organisation | ciswo.org.uk | Charity & Nonprofits | United Kingdom | 2025-10-09 | No Data Claimed | The group posted the victim but claimed “NO DATA” was exfiltrated. |
| UVJ Technologies | uvjtech.com | Business Services / IT | United States | 2025-10-09 | No Data Claimed | The group posted the victim but claimed “NO DATA” was exfiltrated. |
| Citizens’ Committee for Children of New York | Not Provided | Organizations / Non-profit | United States | 2025-10-11 | Not Specified | Files. |
| Integlia | Not Provided | Tax & Bookkeeping Solution | Canada | 2025-10-11 | Not Specified | Files. |
| Unnamed Victim | Not Provided | Banking & Finance | Canada | 2025-10-08 | Not Specified | Not Specified. |
| Unnamed Victim | Not Provided | Membership Organizations | United States | 2025-10-29 | Not Specified | Files. |

A Closer Look at the Attacks

Analyzing specific attacks provides deeper context into the group’s capabilities, data priorities, and the potential impact on victims. The following case studies highlight key aspects of Brotherhood’s operations.

Kevmor Trade Supplies: A Manufacturer Hit

The attack on Kevmor Trade Supplies, an Australian flooring and trade supply wholesaler, was posted on Brotherhood’s DLS on October 9, 2025. The group claimed to have exfiltrated 45 GB of compressed data, a significant volume for a small-to-medium-sized business. The nature of the stolen data underscores the severe risk posed by data broker groups. Brotherhood provided samples that included sales and payment documents, internal spreadsheets, and, most critically, scans of personal identification documents such as passports and driver’s licenses.

This incident is a textbook example of the dual-pronged threat of modern extortion. The release of corporate financial data, such as sales invoices and pricing lists, poses a direct competitive and reputational risk to the business. Simultaneously, the theft of employee and potentially customer Personally Identifiable Information (PII) creates a legal and ethical crisis, exposing the company to regulatory fines and civil liability. The threat actor leverages this combined pressure, forcing the victim to negotiate not only to protect its commercial interests but also to fulfill its duty of care to the individuals whose data was compromised. As of this report, no public data breach notification from Kevmor has been identified, and it is unclear if negotiations took place.

Woodmen Valley Chapel: A Massive Data Theft

The attack against Woodmen Valley Chapel, a large non-denominational church in the United States, stands out due to the massive volume of data stolen—a claimed 274 GB of compressed files. Posted on October 9, 2025, the sample files provided by Brotherhood included highly sensitive internal documents such as “Elder Meeting Minutes 11-17.docx” and “Land Sales Balance Due to WVC 2.29.20.xls”.

This incident challenges the common assumption that threat actors exclusively target organizations with a high capacity to pay large ransoms. While a religious non-profit may have limited financial resources compared to a for-profit corporation, the data it holds can be exceptionally sensitive. This includes confidential member information, pastoral counseling records, financial donation histories, and internal governance documents. The public release of such data could cause profound reputational damage and a breach of trust with its congregation. The sheer volume of data exfiltrated suggests a comprehensive compromise of the organization’s file servers. The attack demonstrates that threat actors like Brotherhood may calculate leverage based not just on financial capacity but also on the potential for reputational harm and the sensitivity of the compromised information. No public breach notification has been found related to this incident, and the group’s motivations for targeting a religious organization remain unclear.

Orion Communications: Not the SolarWinds Hack

On October 9, 2025, Brotherhood listed Orion Communications and Public Relations, a U.S.-based marketing firm, on its DLS. The group claimed the theft of 13 GB of compressed files and databases, providing sample file names such as ApplicantEvaluation_JacquesDaniels.docx and barbara smith passport0001.jpg.

It is critically important to distinguish this incident from the infamous 2020 SolarWinds Orion supply chain attack. The SolarWinds attack was a sophisticated, state-sponsored espionage campaign targeting a specific software platform named “Orion” to compromise thousands of organizations globally, including multiple government agencies. The victim in this case is a marketing firm whose name happens to be “Orion Communications.” The attack was conducted by a financially motivated cybercrime group (Brotherhood) and is characteristic of a typical data theft and extortion operation. Misattributing the TTPs of the state-sponsored SolarWinds campaign to this incident would lead to a catastrophic miscalculation of Brotherhood’s capabilities and intent. This case serves as a vital reminder for threat intelligence analysts to conduct thorough due diligence and avoid drawing conclusions based on superficial name similarities. The data stolen, particularly the passport scan, confirms the compromise of sensitive PII, consistent with Brotherhood’s other attacks. No public breach notification from Orion Communications has been identified.

Motility Software: Struck Twice

The case of Motility Software Solutions, a Dealer Management Software (DMS) provider, presents a complex and revealing scenario. On October 9, 2025, Brotherhood listed Motility on its DLS, claiming the exfiltration of 3.3 GB of data, including dealer price files and invoices.

However, this was not the only security incident to affect the company. Public breach notifications filed with state attorneys general revealed that Motility had suffered a major ransomware attack on or around August 19, 2025, which compromised the data of over 766,000 individuals. This earlier, larger breach was attributed not to Brotherhood, but to a different emerging threat group known as the “Pear gang”. The data exposed in that incident was highly sensitive, including Social Security numbers and driver’s license numbers.

The fact that a single organization was successfully targeted by two separate and newly emerged ransomware groups within a two-month period strongly points to the involvement of an Initial Access Broker (IAB). In the highly specialized cybercrime ecosystem, IABs are threat actors who focus exclusively on gaining unauthorized access to corporate networks. They then package and sell this access to other criminals, typically ransomware operators, on dark web forums. It is highly probable that an IAB compromised Motility’s network and sold the access credentials or method to multiple buyers. Both Pear and Brotherhood, as new groups seeking to build their reputation and generate revenue, would be prime customers for such access.

This scenario illustrates the “victim-as-a-commodity” model that defines the modern cybercrime economy. A single security vulnerability or one compromised user account can be monetized multiple times, leading to a cascade of separate attacks from different adversaries. For the victim organization, this greatly complicates incident response, as it may be dealing with multiple, concurrent intrusions with different TTPs and objectives. It also underscores the critical importance of rapid detection and full remediation of the initial breach, including rotating every credential the intruder could have reached, to prevent the access from being resold and re-exploited.

The Attack Playbook

A complete understanding of a threat actor’s TTPs is fundamental to developing effective detection and mitigation strategies. While direct, publicly available intelligence on the full attack chain of the Brotherhood group is limited, a comprehensive analysis of the current ransomware landscape provides a high-confidence assessment of their likely methodologies.

What We Know About Brotherhood’s Tactics

As of this report’s publication, no security vendor or research institution has published a detailed forensic analysis of a complete Brotherhood intrusion from initial access to data exfiltration. The group’s confirmed TTPs are confined to the final stages of its operation. Mapped to MITRE ATT&CK tactics, they are:

  • Collection (TA0009): The core of the operation is identifying and staging data from sources such as file servers, databases and mailboxes; the DLS listings describe the stolen material as “Files, Databases, E-mails”.
  • Exfiltration (TA0010): Data is exfiltrated from the victim network to actor-controlled infrastructure. The channel used has not been publicly identified.
  • Impact (TA0040): The group leverages stolen data to extort victims, threatening public release if payment is not made, and executes the threat via its TOR-based DLS. Data encryption (T1486, Data Encrypted for Impact) has not been definitively observed, even though the group describes its model as double extortion.

How Modern Ransomware Groups Attack

To provide actionable intelligence for network defenders, this section outlines a composite attack lifecycle based on the observed TTPs of prominent and emerging ransomware groups active in 2025, such as Play, BlackSuit (the successor to Royal), RansomHub, and PEAR. It is highly probable that Brotherhood employs a similar attack chain.

Getting In: The First Step

This phase represents the adversary’s entry point into the victim network. Current trends show a heavy reliance on weaknesses in the network perimeter and on compromised valid credentials. The most common initial access vector is exploitation of known vulnerabilities in unpatched, internet-facing software (T1190, Exploit Public-Facing Application); VPN appliances, web servers, and remote access solutions are the usual targets. The second most prevalent method is the use of legitimate, compromised credentials (T1078, Valid Accounts), often purchased from IABs, to log in to public-facing services such as VPNs and Remote Desktop Protocol (RDP) gateways (T1133, External Remote Services), particularly those not protected by multi-factor authentication (MFA). Despite increased user awareness, phishing (T1566) remains a consistently effective entry vector.

Gaining Control and Staying Put

Once inside, attackers execute code to establish control and ensure their access survives reboots or initial remediation efforts. They rely heavily on native tooling, chiefly PowerShell (T1059.001) and the Windows Command Shell (T1059.003), so that their activity blends in with routine administration (“living off the land”). To maintain a reliable and stealthy backdoor, they often install legitimate remote monitoring and management (RMM) software such as AnyDesk or ScreenConnect (T1219), which passes through most controls because it is signed and widely used. Scheduled tasks (T1053.005) are a common persistence mechanism for re-executing malware or scripts.

Climbing the Ladder: Gaining Higher Access

After gaining a foothold, the primary goal is to escalate to domain administrator privileges, which grant effectively unrestricted access to the network; this is a cornerstone of modern ransomware attacks. Tools such as Mimikatz are widely used to extract plaintext passwords, NTLM hashes, and Kerberos tickets from the memory of the LSASS process on compromised systems (T1003.001). Credentials harvested on one system are then reused to authenticate to other machines on the network.

Hiding Their Tracks

Throughout the intrusion, adversaries actively disable security controls and erase their tracks. They use scripts or Group Policy Objects (T1484.001) to disable or uninstall antivirus and endpoint detection and response (EDR) agents (T1562.001). A standard ransomware procedure is to delete Volume Shadow Copies with the native Windows utility vssadmin.exe (T1490, Inhibit System Recovery), preventing easy restoration from local snapshots; a pure data-theft actor has no need for this step, so its presence in an intrusion suggests encryption was at least planned. To hinder forensic investigation, attackers often clear Windows Event Logs (T1070.001), which itself leaves an Event ID 1102 record in the Security log.
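The behaviours described in this section are among the easiest in the whole chain to detect, because the commands involved are rare in legitimate administration. The following is an added example (not from the original report, and not Brotherhood tooling) that runs those detections over a handful of constructed Windows process-creation (Event ID 4688) and log-cleared (Event ID 1102) records exported in a simplified key=value form. It flags shadow-copy deletion, event-log clearing, and an Office application spawning a script host, the parent-child pattern that process-creation monitoring exists to catch. The field names, the sample records, and the host names are assumptions; a real SIEM export uses its own field names.

```python
"""Detect shadow-copy deletion, log clearing and Office-spawned script hosts
in Windows process-creation events.  Added example; the key=value export
format and all sample records below are constructed, not real forensic data."""
import re
from dataclasses import dataclass

# Constructed sample events. Quoted values may contain spaces.
SAMPLE_EVENTS = [
    'EventID=4688 Computer=FS01 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    'EventID=4688 Computer=FS01 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID=4688 Computer=FS01 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=4688 Computer=DC01 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil cl Security"',
    'EventID=4688 Computer=WS07 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -nop -w hidden -enc AAAA"',
    'EventID=4688 Computer=WS07 ParentImage=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'EventID=1102 Computer=DC01 Subject=CONTOSO\\svc_backup',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

# Command-line patterns for the behaviours discussed in the text.
SHADOW_COPY_DELETION = [  # ATT&CK T1490 Inhibit System Recovery
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*?(delete|remove-wmiobject|remove-ciminstance)", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
LOG_CLEARING = [  # ATT&CK T1070.001 Clear Windows Event Logs
    re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"clear-eventlog", re.I),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    evidence: str

def evaluate(event):
    """Return the alerts one parsed event triggers (possibly none)."""
    alerts = []
    comp = event.get("Computer", "?")
    if event.get("EventID") == "1102":          # the act of clearing the Security log
        alerts.append(Alert("security_log_cleared", comp, event.get("Subject", "")))
        return alerts
    if event.get("EventID") != "4688":
        return alerts
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
        alerts.append(Alert("shadow_copy_deletion", comp, cmd))
    if any(p.search(cmd) for p in LOG_CLEARING):
        alerts.append(Alert("log_clearing", comp, cmd))
    if (basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(event.get("Image", "")) in SCRIPT_HOSTS):
        alerts.append(Alert("office_spawns_script_host", comp,
                            f'{basename(event["ParentImage"])} -> {cmd}'))
    return alerts

def run_detections(lines):
    """Parse every line and collect all alerts, in log order."""
    return [a for line in lines for a in evaluate(parse_event(line))]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.computer}: {alert.evidence}")
```

Run against the sample, the benign `notepad.exe` and `vssadmin list shadows` records produce nothing, while the deletion, log-clearing, Office-to-PowerShell and 1102 records each raise one alert. Command-line logging must be enabled (the 4688 event does not carry the command line by default), and `vssadmin` is a console tool, so a server where backup software legitimately manages shadow copies should be tuned by parent process rather than by suppressing the rule.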

Exploring the Network

With elevated privileges, attackers map the internal network to locate high-value data and move between systems to extend their control. Tools such as SharpShares, or plain net view commands, enumerate accessible network shares (T1135). RDP (T1021.001) and SMB (T1021.002) are the primary lateral movement channels: with compromised administrator credentials, attackers can remotely access other servers and workstations.

Stealing the Data

This is the final stage before the extortion demand and the central activity for a data broker group like Brotherhood. Before exfiltration, attackers aggregate and compress stolen data into large archives (e.g., .zip, .rar, .7z) using tools like WinRAR or 7-Zip (T1560.001), which is why the sizes quoted on the DLS are “compressed”. A common and effective exfiltration method is to upload the archives to legitimate cloud storage services such as Mega, Dropbox, or Google Drive (T1567.002), because the traffic is TLS to reputable domains and blends in with ordinary business use.
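Because an upload to a consumer cloud-storage service looks legitimate in form, the useful signal is volume per source host over a short window rather than any single request. The following added example (not from the original report) applies that logic to constructed web-proxy records; the record format, the service suffix list, the one-hour window, and the 1 GiB threshold are assumptions to tune for your own environment.

```python
"""Flag bulk uploads to consumer cloud-storage services in web-proxy logs.
Added example; the log format and all records below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: time, source host, destination host,
# HTTP method, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2025-10-08T02:14:05 FS01 api.mega.co.nz POST 314572800
2025-10-08T02:21:40 FS01 api.mega.co.nz POST 419430400
2025-10-08T02:33:12 FS01 api.mega.co.nz POST 524288000
2025-10-08T02:35:00 WS07 www.dropbox.com GET 1024
2025-10-08T09:10:10 WS12 content.dropboxapi.com POST 629145600
2025-10-08T09:12:50 FS01 update.microsoft.com GET 2048
2025-10-08T11:30:00 WS12 content.dropboxapi.com POST 629145600
"""

# Services commonly abused for staging stolen archives (assumed list; extend it).
CLOUD_STORAGE_SUFFIXES = ("mega.co.nz", "mega.nz", "dropbox.com",
                          "dropboxapi.com", "drive.google.com")

@dataclass(frozen=True)
class BulkUploadAlert:
    source: str
    service: str
    first_seen: datetime
    last_seen: datetime
    bytes_out: int

def match_service(host):
    """Return the matching service suffix for a destination host, else None."""
    h = host.lower()
    for suffix in CLOUD_STORAGE_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return suffix
    return None

def parse_record(line):
    ts, src, dest, method, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dest, method, int(nbytes)

def find_bulk_uploads(log_text, window=timedelta(hours=1), threshold=1 << 30):
    """Alert when one source pushes >= threshold bytes to one service within window."""
    uploads = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dest, method, nbytes = parse_record(line)
        service = match_service(dest)
        if service and method in ("POST", "PUT"):   # only client-to-cloud transfers
            uploads[(src, service)].append((ts, nbytes))
    alerts = []
    for (src, service), events in uploads.items():
        events.sort()
        recent, total = deque(), 0
        for ts, nbytes in events:
            recent.append((ts, nbytes))
            total += nbytes
            while ts - recent[0][0] > window:     # evict requests older than the window
                total -= recent.popleft()[1]
            if total >= threshold:
                alerts.append(BulkUploadAlert(src, service, recent[0][0], ts, total))
                break   # one alert per source/service pair; the investigation takes over
    return alerts

if __name__ == "__main__":
    for a in find_bulk_uploads(SAMPLE_PROXY_LOG):
        print(f"{a.source} -> {a.service}: {a.bytes_out / 2**20:.0f} MiB "
              f"between {a.first_seen:%H:%M} and {a.last_seen:%H:%M}")
```

On the sample, FS01 crosses the threshold on its third upload to Mega at 02:33 (a file server uploading to a consumer service at two in the morning is the case to care about), while WS12’s two 600 MiB uploads fall outside the one-hour window and never alert. The same aggregation is worth running on firewall byte counters toward any destination the host has not talked to before, since a determined actor will not necessarily use a service on the list.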

Clues Left Behind

Indicators of Compromise are forensic artifacts that provide evidence of a potential intrusion. While a comprehensive, verified list of IOCs specific to the Brotherhood group is not yet publicly available, the known operational details provide a small set of high-confidence indicators. Furthermore, analyzing IOCs from similar, recent incidents can provide valuable context for threat hunting and demonstrate the critical importance of intelligence vetting.

Brotherhood’s Digital Fingerprints

The following indicators are directly associated with the Brotherhood group’s extortion infrastructure and are high-fidelity identifiers of the actor. Note how they are actually observed: a .onion address is never resolved through ordinary DNS, so it will not surface in DNS or firewall logs; it appears in ransom notes, negotiation e-mails, and browser history, and is reached only over Tor, so Tor egress from servers or workstations with no business reason for it is the network-level signal to alert on. The OnionMail address and the Tox ID are likewise contact identifiers to search for in mail logs, ransom notes, and file shares rather than values that appear in network flows. Any occurrence of these indicators in an environment should be treated as evidence of an intrusion and trigger an immediate incident response investigation.

| Indicator Type | Indicator Value |
|---|---|
| TOR URL | http://brohoodyaifh2ptccph5zfljyajjabwjjo4lg6gfp4xb6ynw5w7ml6id.onion |
| Email Address | [email protected] |
| Tox ID | 138A7107FE83F6CBC03A43D484C17CCBF7E6ED5060792D6AFB1BE4358FB9482831B0033BACB0 |

Learning from Other Attacks

To provide a practical guide for security practitioners, this section analyzes the IOCs publicly reported in connection with the ransomware attack on Motility Software Solutions. While this attack was attributed to the “Pear gang,” the types of indicators reported are representative of those found in many initial threat intelligence feeds and serve as an excellent case study for vetting and operationalizing IOCs. These indicators are not confirmed to be associated with Brotherhood but are used here for educational and illustrative purposes.

The process of vetting threat intelligence is not merely about collecting indicators but about critically assessing their quality, context, and actionability. A failure to do so can lead to wasted analyst time, a high volume of false positives, and potentially disruptive actions like blocking legitimate services.

The following is a breakdown of the IOCs reported in the Motility breach and an assessment of their practical value for network defense.

  • File Hash: d41d8cd98f00b204e9800998ecf8427e
    • Assessment: This is a low-value, non-actionable indicator. This specific value is the MD5 hash of a zero-byte (empty) file. Countless legitimate processes create empty files during normal operation. Searching for or alerting on this hash will generate an overwhelming number of false positives and provide no insight into malicious activity. Its inclusion in a public report suggests a lack of vetting and highlights a common problem with raw, automated intelligence feeds. This indicator should be discarded immediately.
  • IP Addresses: 192.168.1.42 and 172.217.3.110
    • Assessment: These are low-value, non-actionable indicators without additional context.
      • 192.168.1.42: This is an internal, non-routable (RFC 1918) address. It is part of a private range used by millions of organizations and home networks worldwide, so the same value in your environment has no relation to the victim’s. It has no value for detecting external threats.
      • 172.217.3.110: This address belongs to Google’s range. While threat actors can abuse legitimate services for command and control (C2), blocking a major service provider’s IP address would cause significant operational disruption. An address like this only becomes actionable with context: the process that communicated with it, the time of the communication, the protocol used, and the nature of the data transferred. Without that context, it is noise.
  • Domain: malicious-exec.com
    • Assessment: This is a potentially high-fidelity, actionable indicator. The name is inherently suspicious and is unlikely to be associated with legitimate business operations. Security teams should search historical DNS, web proxy, and firewall logs for any evidence of communication with this domain; a hit would be a strong indication of compromise and warrant immediate investigation. After a check against internal allow-lists, this is the type of indicator that can be added to blocklists and used for threat hunting.
  • Registry Key: HKCU\Software\MotilityRansom
    • Assessment: This is a high-fidelity, actionable indicator. The host-based artifact is highly specific and unlikely to be created by any legitimate software. Endpoint Detection and Response (EDR) platforms and forensic tools can sweep an environment for the presence of this key. Its discovery on any system would be a definitive sign of this specific malware and should be treated as a confirmed compromise.
  • Log Artifacts:
    • Event ID 4625 (Failed Logons): This is a behavioral indicator. A sudden spike in Event ID 4625 records, especially for a single account or from a single source IP, is a classic sign of a brute-force or password-spraying attack. Security Information and Event Management (SIEM) systems should carry correlation rules that alert on such anomalies within a short time window.
    • Event ID 4688 (Process Creation): This is a behavioral indicator. Monitoring process creation, with command-line logging enabled, is a fundamental threat hunting technique. Analysts should look for suspicious parent-child relationships (e.g., Microsoft Word spawning PowerShell), execution of known offensive tools (e.g., mimikatz.exe), or legitimate tools run with unusual command-line arguments.
    • AV Detection (Trojan:Win32/RansomXYZ): This is a placeholder-style generic detection name, useful for initial triage but not for attribution. A name like this, or one carrying a “gen” (generic) or similar suffix, indicates that the engine flagged the file on heuristic or machine-learning grounds rather than on a signature for a known, named malware family. It confirms the presence of something malicious but does not, by itself, identify the threat actor.

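The assessments above can be encoded as a triage step that runs before any indicator reaches a blocklist or a hunt. The following added example (not from the original report) does that for the Motility indicators discussed above and for Brotherhood’s own contact identifiers. The verdict categories and rules are this editor’s, not a vendor’s scoring scheme; a domain verdict still needs an allow-list check before blocking, and a public IP is deliberately never promoted beyond “context required” on its own.

```python
"""Triage raw indicators of compromise before they reach a blocklist or a hunt.
Added example; the verdict rules encode the reasoning in the text above."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Digests of a zero-byte file: they turn up in feeds constantly and mean nothing.
EMPTY_FILE_DIGESTS = {h(b"").hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
HEX_HASH_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
TOX_ID_RE = re.compile(r"^[0-9a-f]{76}$", re.I)        # 38-byte Tox ID in hex
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

@dataclass(frozen=True)
class Verdict:
    indicator: str
    kind: str
    action: str    # discard | context_required | hunt | block_and_hunt
    reason: str

def vet(indicator):
    """Classify one raw indicator and decide what, if anything, to do with it."""
    ioc = indicator.strip()
    if ioc.lower().startswith(("http://", "https://")):   # keep only the host of a URL
        ioc = ioc.split("://", 1)[1].split("/", 1)[0]
    if HEX_HASH_RE.match(ioc):
        if ioc.lower() in EMPTY_FILE_DIGESTS:
            return Verdict(ioc, "hash", "discard", "digest of an empty file; pure noise")
        return Verdict(ioc, "hash", "hunt", "sweep endpoints; cheap and low false-positive")
    if TOX_ID_RE.match(ioc):
        return Verdict(ioc, "tox_id", "hunt", "contact identifier; search ransom notes and shares")
    try:
        addr = ipaddress.ip_address(ioc)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:    # RFC 1918, loopback, link-local, reserved
            return Verdict(ioc, "ip", "discard", "non-routable; meaningless outside the victim network")
        return Verdict(ioc, "ip", "context_required", "public address; need process, time and protocol first")
    if REGISTRY_RE.match(ioc):
        return Verdict(ioc, "registry_key", "hunt", "host artifact; sweep with EDR or forensic tooling")
    if EMAIL_RE.match(ioc):
        return Verdict(ioc, "email", "hunt", "search mail logs and ransom notes; not a network block")
    if ioc.lower().endswith(".onion"):
        return Verdict(ioc, "onion", "hunt", "never resolved via normal DNS; search notes, watch Tor egress")
    if DOMAIN_RE.match(ioc):
        return Verdict(ioc, "domain", "block_and_hunt", "search DNS/proxy history, block after allow-list check")
    return Verdict(ioc, "unknown", "context_required", "unrecognised indicator format")

def vet_feed(indicators):
    return [vet(i) for i in indicators]

# The indicators discussed in this report, assembled here as a constructed feed.
SAMPLE_FEED = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "192.168.1.42",
    "172.217.3.110",
    "malicious-exec.com",
    r"HKCU\Software\MotilityRansom",
    "http://brohoodyaifh2ptccph5zfljyajjabwjjo4lg6gfp4xb6ynw5w7ml6id.onion",
    "138A7107FE83F6CBC03A43D484C17CCBF7E6ED5060792D6AFB1BE4358FB9482831B0033BACB0",
]

if __name__ == "__main__":
    for v in vet_feed(SAMPLE_FEED):
        print(f"{v.action:17} {v.kind:13} {v.indicator}  ({v.reason})")
```

Two of the seven sample indicators are discarded outright (the empty-file hash and the private address), the Google address is parked until context arrives, and the rest are routed to a hunt or a block-and-hunt. The `is_global` check is what keeps private, loopback and reserved ranges out of a blocklist; the Tox ID rule relies on the fixed 76-hex-character format of that identifier, which is why it is tested after the shorter hash lengths.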
This analytical process demonstrates that not all IOCs are created equal. Effective threat intelligence requires a critical evaluation of each data point. Organizations should move away from the simple, automated ingestion of raw threat feeds and invest in the analytical capabilities to vet, contextualize, and prioritize indicators. This ensures that security teams focus their limited resources on high-fidelity, actionable intelligence that can lead to the rapid detection and containment of genuine threats, rather than chasing an endless stream of false positives.

How to Defend Against This Threat

The emergence of the Brotherhood ransomware group is not an isolated event but rather a symptom of broader shifts within the cybercrime ecosystem. Understanding this context is crucial for developing resilient and forward-looking security strategies. The era of monolithic ransomware cartels is giving way to a more fragmented, specialized, and dynamic marketplace, which presents both new challenges and new opportunities for defenders.

Understanding the Modern Cybercrime World

In recent years, coordinated international law enforcement actions have successfully disrupted several major ransomware operations, including Hive, BlackCat/ALPHV, and most recently, RansomHub. While these takedowns represent significant victories, they have had the unintended consequence of splintering the ecosystem. Experienced affiliates and developers from these defunct groups do not simply retire; they migrate to other operations or form new, smaller gangs. This has led to a proliferation of new threat actor groups like Brotherhood and Pear, which can emerge rapidly and begin operations with a high degree of sophistication inherited from their predecessors.

This fragmentation is fueled by the maturity of the Ransomware-as-a-Service (RaaS) model and the specialization of roles within the criminal supply chain. IABs focus on gaining and selling access, malware developers create and lease the ransomware tools, and operators (affiliates) conduct the attacks and negotiate with victims. This division of labor significantly lowers the barrier to entry, allowing new groups to form and launch campaigns without needing expertise across the entire attack lifecycle. The result is a more chaotic and less predictable threat landscape, where organizations may face attacks from a constantly changing roster of adversaries.

Advice for Business Leaders

Security leaders must adapt their strategies to address the realities of this evolved threat landscape, focusing on resilience and business impact rather than solely on technical prevention.

  • Assume Breach of Data, Not Just Encryption: The primary threat from modern extortion groups is data exposure, which carries severe reputational, legal, and financial consequences. Incident response plans must be updated to reflect this reality. The first calls during an incident should be to legal counsel and a crisis communications firm, in parallel with technical containment efforts. Tabletop exercises should simulate a data breach scenario, testing the organization’s ability to manage regulatory notifications (such as those required by GDPR or state laws), customer communication, and media inquiries. Recovery from backups, while still important, does not solve the problem of data theft.
  • Invest in Proactive Attack Surface Management: With the exploitation of public-facing applications being a dominant initial access vector, organizations must have a complete and continuous understanding of their internet-facing perimeter. This involves implementing robust vulnerability management programs that prioritize the patching of known exploited vulnerabilities (for example, entries in CISA's Known Exploited Vulnerabilities catalog), particularly on systems like VPN gateways, RDP servers, and web applications. Attack Surface Management (ASM) tools can help identify exposed assets and misconfigurations that attackers are likely to find first.
  • Mandate Phishing-Resistant Multi-Factor Authentication (MFA): The widespread abuse of compromised credentials makes the enforcement of MFA a non-negotiable security control for all remote access, cloud services, and critical applications. Leadership should champion the move towards phishing-resistant MFA methods (e.g., FIDO2/WebAuthn, which bind the credential to the legitimate origin) over less secure options like SMS codes or push-based approvals, which are susceptible to SIM swapping, push fatigue, and adversary-in-the-middle phishing kits. Note that even phishing-resistant MFA does not protect a session once it is established; stolen session tokens and cookies bypass MFA entirely, so it should be paired with session-binding and conditional access controls.
  • Implement a Rigorous Vendor Risk Management Program: As demonstrated by the Motility Software case, a breach in the supply chain can be as damaging as a direct attack. Organizations must conduct thorough security assessments of all third-party vendors that handle or have access to sensitive data. This should include contractual requirements for security controls, rights to audit, and clear data breach notification protocols.

Tips for Security Teams

Security operations and incident response teams are on the front lines of defense. The following tactical measures can directly counter the TTPs commonly used by data-exfiltration-focused groups.

  • Harden Endpoints and Servers: Reduce the attack surface within the network by implementing the principle of least privilege. Use application control (allowlisting, e.g., Windows Defender Application Control or AppLocker) to prevent the execution of unauthorized software. Restrict the use of scripting languages like PowerShell to authorized administrators and systems, for instance with Constrained Language Mode, and enable script block logging so that what does run is recorded. Disable or tightly control legacy protocols and unused services to limit opportunities for lateral movement.
  • Enhance Detection for Data Staging and Exfiltration: Since the primary goal of groups like Brotherhood is data theft, detection capabilities must be tuned to identify this specific activity. Configure EDR and SIEM systems to alert on:
    • The creation of large archive files (.zip, .rar, .7z) on servers or endpoints where this is not normal behavior, especially password-protected or multi-volume archives.
    • Anomalous data flows, such as large outbound transfers from internal servers to known cloud storage providers (e.g., Mega, Dropbox) or to IP addresses with no established business relationship.
    • The execution of data compression tools (WinRAR, 7-Zip) or sync utilities (Rclone, MEGAsync) by service accounts or from unusual directories such as user-writable temp folders.
  • Hunt for TTPs, Not Just IOCs: Do not wait for specific IOCs to be published. Proactively hunt for the adversary behaviors outlined in the TTPs section of this report. Create detection rules and queries in your security tools to identify:
    • Execution of credential dumping tools like Mimikatz, or handle access to the LSASS process memory (Sysmon Event ID 10 with lsass.exe as the target, or MiniDump via comsvcs.dll and procdump).
    • Lateral movement using PsExec or remote WMI from non-administrative workstations.
    • Attempts to clear Windows Event Logs using wevtutil.exe.
    • The use of vssadmin.exe delete shadows (or its equivalents, wmic shadowcopy delete and Win32_ShadowCopy deletion via PowerShell) to inhibit system recovery.
  • Implement Network Segmentation and Control Egress Traffic: Divide the network into smaller, isolated zones to contain the spread of an intrusion. A flat network allows an attacker with a single foothold to move laterally with ease. Critically, implement strict egress filtering at the firewall. Block all outbound traffic for protocols and ports that are not explicitly required for business operations. For servers that have no need to access the internet, block all outbound connections by default and alert on any attempt, since a server opening a connection to an unfamiliar destination is itself a high-fidelity signal. Proactively block outbound traffic to known TOR relays (guard and directory nodes, not only exit nodes, which matter for inbound traffic) for all assets that do not have a legitimate business requirement to access the TOR network.
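The detection and hunting rules listed above can be expressed as a small set of matchers over process-creation and network-flow telemetry. The following Python script is an added example written for this report; it is not Brotherhood tooling, nor code from any vendor product. The events, hostnames (FS01, DC01, WS-1042), destinations, and byte thresholds are constructed for the illustration, and the flat dictionary shape stands in for whatever your EDR or SIEM emits.

```python
"""Detection rules for data staging, exfiltration, and common ransomware TTPs,
run over constructed Sysmon-style process events and flow records.
Example code added to this report; not tooling from any threat actor or vendor."""
import re

# Constructed sample telemetry (not from any real incident).
PROCESS_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\7z.exe",
     "cmdline": r"7z.exe a -p C:\Users\Public\hr.7z \\FS01\HR\*"},
    {"host": "WS-1042", "user": "CORP\\jdoe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a report.zip report.docx"},          # benign user archiving
    {"host": "WS-1042", "user": "CORP\\jdoe", "image": r"C:\Temp\mimi.exe",
     "cmdline": "mimi.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WS-1042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:DC01 process call create cmd.exe /c whoami"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]
FLOWS = [  # (host, destination, dst_port, bytes_out), also constructed
    ("FS01", "mega.nz", 443, 45_000_000_000),
    ("WS-1042", "update.microsoft.com", 443, 3_000_000),
    ("FS01", "203.0.113.9", 22, 900_000_000),
]

# Tunables: assumed values for this example, adjust to your environment.
SERVERS = {"FS01", "DC01"}                      # interactive archiving is abnormal here
TRUSTED_ARCHIVER_DIRS = (r"c:\program files\7-zip", r"c:\program files\winrar")
CLOUD_STORAGE = {"mega.nz", "mega.io", "dropbox.com"}
KNOWN_EGRESS = {"update.microsoft.com"}         # destinations servers may reach
EXFIL_BYTES = 500 * 1024 * 1024                 # 500 MiB outbound in one flow

SERVICE_ACCOUNT_RE = re.compile(r"\\svc_", re.I)
ARCHIVER_RE = re.compile(r"\b(7z[ag]?|rar|winrar)\.exe\b", re.I)
LATERAL_RE = re.compile(r"psexec|psexesvc|wmic(\.exe)?\s+/node:|wmiexec", re.I)
HUNT_RULES = [
    ("credential_dumping", re.compile(
        r"sekurlsa::|lsadump::|mimikatz|procdump.*lsass|comsvcs\.dll.*MiniDump", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]


def is_workstation(host):
    return host.upper().startswith("WS-")


def check_process(ev):
    """Return (rule, host, evidence) tuples for one process-creation event."""
    alerts = []
    host, user, image, cmd = ev["host"], ev["user"], ev["image"], ev["cmdline"]
    if ARCHIVER_RE.search(image):
        # Archiver run by a service account, from an untrusted path, or on a server
        # looks like data staging; a user zipping a document from Program Files does not.
        if (SERVICE_ACCOUNT_RE.search(user)
                or not image.lower().startswith(TRUSTED_ARCHIVER_DIRS)
                or host in SERVERS):
            alerts.append(("archive_staging", host, cmd))
    for rule, rx in HUNT_RULES:
        if rx.search(cmd):
            alerts.append((rule, host, cmd))
    # Remote execution tooling launched from a workstation rather than an admin host.
    if LATERAL_RE.search(cmd) and is_workstation(host):
        alerts.append(("lateral_movement_from_workstation", host, cmd))
    return alerts


def check_flow(host, dst, dst_port, bytes_out):
    """Return alerts for one outbound flow summary."""
    alerts = []
    if bytes_out >= EXFIL_BYTES and (dst in CLOUD_STORAGE or dst not in KNOWN_EGRESS):
        alerts.append(("large_outbound_transfer", host, f"{dst}:{dst_port} {bytes_out} bytes"))
    # Servers should have a default-deny egress policy; any other destination is a finding.
    if host in SERVERS and dst not in KNOWN_EGRESS:
        alerts.append(("server_unexpected_egress", host, f"{dst}:{dst_port}"))
    return alerts


def evaluate(process_events, flows):
    alerts = []
    for ev in process_events:
        alerts.extend(check_process(ev))
    for flow in flows:
        alerts.extend(check_flow(*flow))
    return alerts


if __name__ == "__main__":
    for rule, host, evidence in evaluate(PROCESS_EVENTS, FLOWS):
        print(f"{rule:34} {host:8} {evidence}")
```

Run as-is, the script raises nine alerts across the six events and three flows, and stays quiet for the user zipping a document from the trusted install path and the small Windows Update flow. Command-line string matching is a starting point, not a finished detection: a renamed Mimikatz binary or an LSASS dump through a signed utility evades every regex above, so pair these matchers with Sysmon Event ID 10 for LSASS handle access, file hashes, and your EDR's behavioral telemetry, and tune the thresholds to your own baseline before alerting on them.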