2021 ATT&CK Evaluations for Enterprise Call for Participation: Data Encrypted for Impact with Wizard Spider and Sandworm

Frank Duff
MITRE-Engenuity
Mar 16, 2021 (4 min read)

The Call for Participation for the 2021 ATT&CK Evaluations for Enterprise is open now until May 28th, 2021. This round will evaluate participants’ ability to detect adversary behavior inspired by Wizard Spider (G0102) and Sandworm Team (G0034). Vendors will participate in the detection scenarios and may optionally sign up for an additional scenario that tests protection capabilities.

Whereas the 2020 Carbanak and FIN7 evaluation implemented scenarios focused on multiple groups that leveraged common malware (i.e., Carbanak), this round instead explores how multiple groups abuse Data Encrypted for Impact (T1486). In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, has leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368), which disguised itself as ransomware.

Wizard Spider is a Russian-speaking cybercriminal group whose history dates back to wire transfer fraud and the operation of the Trickbot botnet (S0266). Since 2016, Trickbot has infected over a million computing devices, and it remains a threat due to the persistent nature of botnet infrastructure and continued malware development. In August 2018, Wizard Spider began conducting “big game hunting” campaigns, targeting large organizations for a high ransom return rate. In less than one year (2019–2020), Wizard Spider extorted $61 million USD through ransomware attacks. Notable attacks include those against Universal Health Services (UHS) hospitals and state government administrative offices in Georgia and Florida.

Sandworm is attributed by the U.S. Department of Justice to Unit 74455 of the Russian Main Intelligence Directorate (GRU). While still active today, the group is most notorious for the 2015 and 2016 attacks against Ukrainian electric utilities and for the 2017 NotPetya attacks. NotPetya took down systems worldwide, from shipping giant Maersk to FedEx’s TNT Express. One of the companies hit, Merck, claimed $1.3 billion in losses from computer repair and interrupted operations. This group has repeatedly conducted disruptive attacks targeting critical infrastructure, government organizations, and elections, as well as public events such as the PyeongChang Winter Olympics in 2018.

While the common thread of this year’s evaluations is Data Encrypted for Impact, both groups have substantial reporting on a broad range of post-exploitation tradecraft. This allows us to build emulation plans that still provide valuable insight into the detection performance of the enterprise security market both ahead of and during the groups’ abuse of data encryption.

Community Contributions

As with prior rounds, we welcome your contributions to help inform our emulation plans. The process for sharing remains unchanged:

· Email us at evals@mitre-engenuity.org with your contribution. (If you’d prefer a secure channel, email us at the above address and we’ll get back to you with a secure sharing method.) Your real name must be included for your information to be considered. Contributions from company accounts may add to the credibility of the information, but we are always happy to accept contributions from independent researchers.

· We are looking for information about the group behaviors as well as the overall way they perform intrusions. Information structured using ATT&CK tactics and/or techniques is helpful, but not required.

· Tell us how you would like to be credited. You can choose to be credited with your name and/or company name, or alternatively, you can choose to remain anonymous. For any anonymous contributors, we will work with you to produce a short statement about the general visibility you have that led to you having access to the information.

· We will not accept any leaked, proprietary, or sensitive information that was not released with the permission of the original source. Contributions are strictly on a voluntary basis for researchers and analysts who wish to share their own information.

More Information

For an overview of our evaluation process, visit our site. We anticipate releasing a list of techniques that could be included in this upcoming round of evaluations, as well as information on the environment, toward the end of April. As with our Carbanak+FIN7 emulation, Linux techniques will again be in scope for the evaluation, and there will be an optional protections-focused scenario. To reiterate a point above, while the thread between our scenarios is data encryption, the detection and protection scenarios will cover a broad range of adversary behavior to explore the defense in depth that solutions provide.

The Call for Participation will close on May 28, 2021. Evaluations will be performed in late 2021, and scheduling priority is set by the order in which contracts are signed. For more information or to participate, reach out to the ATT&CK Evaluations team.

© 2021 MITRE Engenuity. Approved for Public Release. Document number AT0014


Frank Duff (@FrankDuff) is the Director of ATT&CK Evaluations for MITRE Engenuity, providing open and transparent evaluation methodologies and results.