If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly (usually, the interactive graphs). Please view the post on dogesec.com for the full interactive viewing experience.

tl;dr

After becoming ever-more frustrated by intelligence producers naming the same ransomware slightly differently, and with ATT&CK missing lots of ransomware types, I finally got around to trying to solve the problem.

Overview

Ransomware is extensively tracked and covered by various sources. However, those sources often follow slightly different naming conventions.

For example, take one of my previous posts where I showed ransomwhe.re data, and more specifically the name they print for one ransomware in their data;

[
  "Netwalker (Mailto)"
]

However, in other sources, for example MITRE ATT&CK, it is referred to simply as Netwalker.

In other places it’s referred to as Mailto (albeit with an alias NetWalker).

As such, trying to join references from different sources to the same ransomware quickly becomes problematic.

MITRE ATT&CK also solves the issue of joining different types of data together (for example, describing the techniques a threat actor uses) in a standardised way.

Will Thomas recently took on one element of this problem for ransomware with the Ransomware Tool Matrix linking common tools ransomware gangs use in addition to ransomware.

However, whilst an amazing resource, this does not integrate directly into the tooling I’m already using.

MITRE ATT&CK solves this problem by using STIX 2.1 objects to represent the data.

Inspired by all of these things, I wanted to create a standard knowledgebase for describing ransomware, linking it back to MITRE ATT&CK where possible (e.g. using MITRE ATT&CK Techniques to describe how ransomware works).

So I started on an initial implementation of Ransomware KB.

Ransomware KB

Ransomware KB’s aim is to provide a standard library of ransomware operators and groups, the ransomware and tools they use, and eventually victims. The aim is also to contribute these objects to future ATT&CK versions once they’ve been fully developed.

Here is how the data in the knowledge base is currently structured as STIX objects;

  • Groups (STIX intrusion-set objects, ID in format GXXXX): that describe ransomware operators and groups, which have relationships to;
    • Ransomware (STIX malware objects, ID in format RXXXX): that describe the ransomware itself used by the Groups
    • Tools (STIX tool objects, ID in format TXXXX): that describe the Tools used by the Groups to achieve their objectives

Here is a visual representation of how these objects are linked;

This graph shows a small subset of how this looks for real data in Ransomware KB;

You can grab the entire bundle of objects here (it’s too large to load in this graph).

Having the data in a structured format like this makes it easy to insert and work with it in a database.

For example, you can use stix2arango to store it in a graph database (ArangoDB) for querying and retrieval as needed.

Here is an example stix2arango command to import a bundle (make sure to replace path/to/ransomware-kb-bundle.json with the correct path);

python3 stix2arango.py \
  --file path/to/ransomware-kb-bundle.json \
  --database blog_demo \
  --collection ransomware_kb

Some example queries might include…

Show me all ransomware groups and their aliases;

FOR doc IN ransomware_kb_vertex_collection
    FILTER doc.type == "intrusion-set"
    LET ransomware_kb_id = (
        FOR ref IN doc.external_references
            FILTER ref.source_name == "ransomware-kb"
            RETURN ref.external_id
    )
    LET mitre_attack_id = (
        FOR ref IN doc.external_references
            FILTER ref.source_name == "mitre-attack"
            RETURN ref.external_id
    )
    RETURN {
        "name": doc.name,
        "aliases": doc.aliases,
        "ransomware_kb_id": ransomware_kb_id[0], // Assumes only one match for "ransomware-kb"
        "mitre_attack_id": mitre_attack_id[0] // Assumes only one match for "mitre-attack", or null if none exists
    }
[
  {
    "name": "Karakurt",
    "aliases": [
      "Karakurt Lair"
    ],
    "ransomware_kb_id": "G0002",
    "mitre_attack_id": null
  },
  {
    "name": "Scattered Spider",
    "aliases": [
      "Storm-0875",
      "Roasted 0ktapus",
      "Octo Tempest"
    ],
    "ransomware_kb_id": "G0003",
    "mitre_attack_id": "G1015"
  },
  {
    "name": "Vice Society",
    "aliases": [
      "DEV-0832",
      "Vanilla Tempest"
    ],
    "ransomware_kb_id": "G0004",
    "mitre_attack_id": null
  },

However, where it gets really useful is being able to ask the questions about the relationships between objects.

In this query I start from a Ransomware KB Group ID, then search for any relationships in which that group’s object is the source_ref, and then look up the target_ref objects of those relationships and return their names (keeping only malware objects);

FOR doc IN ransomware_kb_vertex_collection
    FILTER doc.type == "intrusion-set"
    LET ransomware_kb_id = (
        FOR ref IN doc.external_references
            FILTER ref.source_name == "ransomware-kb" AND ref.external_id == "G0007"
            RETURN ref.external_id
    )
    FILTER LENGTH(ransomware_kb_id) > 0
    LET intrusion_set_id = doc.id
    LET target_refs = (
        FOR edge_doc IN ransomware_kb_edge_collection
            FILTER edge_doc.source_ref == intrusion_set_id
            RETURN edge_doc.target_ref
    )
    FOR target_id IN target_refs
        FOR target_doc IN ransomware_kb_vertex_collection
            FILTER target_doc.id == target_id
            AND target_doc.type == "malware"
            RETURN target_doc.name
[
  "Conti",
  "Ryuk",
  "Diavol"
]
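To make the object model and both queries concrete without an ArangoDB instance, here is an added Python example (not code from Ransomware KB or stix2arango). It builds a small constructed STIX 2.1 bundle in the shape described above (intrusion-set linked to malware and tool objects through relationship objects, with external_references carrying the ransomware-kb and mitre-attack IDs), re-implements the two AQL queries over it, and adds an alias-based resolver for the naming problem from the Overview, so a label such as "Netwalker (Mailto)" lands on the same object as "Mailto" or "NetWalker". The group, tool and second-ransomware names and every G/R/T ID here are constructed placeholders, and the relationship_type "uses" is an assumption (it is what ATT&CK uses for group-to-malware links).

```python
"""Added example, not Ransomware KB or stix2arango code: a constructed STIX 2.1
bundle in the shape the post describes (intrusion-set -> malware/tool via
relationship objects, external_references carrying the ransomware-kb and
mitre-attack ids), Python equivalents of the two AQL queries, and an
alias-based name resolver for labels like "Netwalker (Mailto)"."""
import re
import uuid


def _sid(stix_type):
    """STIX 2.1 identifier: <type>--<UUIDv4>."""
    return f"{stix_type}--{uuid.uuid4()}"


def _ext_ref(source_name, external_id):
    return {"source_name": source_name, "external_id": external_id}


def _sdo(stix_type, name, kb_id, aliases=(), **extra):
    """Minimal STIX Domain Object carrying a ransomware-kb external reference."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": _sid(stix_type),
           "name": name, "aliases": list(aliases),
           "external_references": [_ext_ref("ransomware-kb", kb_id)]}
    obj.update(extra)
    return obj


def _rel(source, target, relationship_type="uses"):
    # "uses" is assumed here; the post's query does not filter on relationship_type.
    return {"type": "relationship", "spec_version": "2.1", "id": _sid("relationship"),
            "relationship_type": relationship_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_sample_bundle():
    """Constructed data: group/tool names and all G/R/T ids are placeholders;
    Mailto and its NetWalker alias are the real names discussed in the post."""
    group = _sdo("intrusion-set", "Example Operator", "G9001", ["Example Lair"])
    group["external_references"].append(_ext_ref("mitre-attack", "G9999"))  # placeholder
    mailto = _sdo("malware", "Mailto", "R9001", ["NetWalker"], is_family=True)
    locker = _sdo("malware", "Example Locker", "R9002", is_family=True)
    tool = _sdo("tool", "Example Tunneler", "T9001")
    objects = [group, mailto, locker, tool,
               _rel(group, mailto), _rel(group, locker), _rel(group, tool)]
    return {"type": "bundle", "id": _sid("bundle"), "objects": objects}


def _ref_id(obj, source_name):
    """First external_id for source_name, or None (mirrors the AQL's [0])."""
    ids = [r["external_id"] for r in obj.get("external_references", [])
           if r.get("source_name") == source_name]
    return ids[0] if ids else None


def list_groups(bundle):
    """Equivalent of the first AQL query: every group with aliases and both ids."""
    return [{"name": o["name"], "aliases": o.get("aliases", []),
             "ransomware_kb_id": _ref_id(o, "ransomware-kb"),
             "mitre_attack_id": _ref_id(o, "mitre-attack")}
            for o in bundle["objects"] if o["type"] == "intrusion-set"]


def ransomware_used_by(bundle, kb_group_id):
    """Equivalent of the second AQL query: follow relationships whose source_ref
    is the group with this ransomware-kb id and keep only malware targets."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    group_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] == "intrusion-set"
                 and _ref_id(o, "ransomware-kb") == kb_group_id}
    names = []
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["source_ref"] in group_ids:
            target = by_id.get(rel["target_ref"])
            if target is not None and target["type"] == "malware":
                names.append(target["name"])
    return names


def resolve_name(bundle, raw_label):
    """Map a third-party label to a ransomware-kb id by matching each token
    (split on parentheses, slashes and commas) against malware names and
    aliases, case-insensitively. Returns None when nothing matches."""
    tokens = {t.strip().casefold() for t in re.split(r"[()/,]", raw_label) if t.strip()}
    for o in bundle["objects"]:
        if o["type"] != "malware":
            continue
        known = {o["name"].casefold(), *(a.casefold() for a in o.get("aliases", []))}
        if known & tokens:
            return _ref_id(o, "ransomware-kb")
    return None


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(list_groups(bundle))
    print(ransomware_used_by(bundle, "G9001"))
    print(resolve_name(bundle, "Netwalker (Mailto)"))
```

The resolver deliberately matches on the whole alias set rather than the primary name only, which is exactly what makes a join across ransomwhe.re, ATT&CK and other feeds possible once each source's label has been reduced to its tokens.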

Improving this project

The script to generate the STIX 2.1 objects is designed to be fairly flexible.

At the moment, what needs updating to create a rich network graph is the underlying spreadsheet from which the STIX objects are generated.

This includes;

  • adding new groups / ransomware / tools
  • defining the links between these objects
  • adding references to corroborate the data

You can find more information about contributing in the Ransomware KB repository on GitHub here.


Posted by:

David Greenwood