Emulating the RansomHub Affiliate Attack Chain

The Varonis Threat Research team recently published an in-depth investigation of an intrusion attributed to a RansomHub affiliate. The full article is available here: https://www.varonis.com/blog/varonis-prevents-ransomware-disaster

This case is particularly insightful because it dissects the intrusion into distinct phases of the Kill Chain, each containing observable technical markers. In this incident, the attacker was detected only at a very late stage, when an anomalous CPU spike was observed during mass exfiltration activities. However, numerous earlier indicators were visible in telemetry and should have enabled earlier detection.

This article describes how such behaviors can be reproduced with BlackNoise to evaluate and optimize defensive capabilities, validate SOC procedures, and train analysts to recognize early-stage signals of compromise.

This first stage involved several « automated reconnaissance and initial command and control activity, including enumerating Active Directory users and computers, querying key local system information, hunting for credentials in memory, and various other discovery techniques.« 

These behaviors refer to various MITRE ATT&CK techniques from the Discovery tactic to gain knowledge about systems and the internal network. For example:

• T1087: Account Discovery
• T1069: Permission Groups Discovery
• T1018: Remote System Discovery
• T1033: System Owner/User Discovery

The BlackNoise R&D provides granular events that emulate early-stage reconnaissance (account, group, password policy, network, services executed, remote session, security software installed, etc.) and also some to test the Credential Access tactic with the T1003 - OS Credential Dumping technique, including an LSASS Memory attempt.

The report also states that attackers « deployed a recurring Scheduled Task for persistence« . We provide an event to test that T1053 - Scheduled Task/Job technique by attempting to create a user.

Note: Three ready-to-use BlackNoise scenarios are available to focus on rapid testing of visibility, alerting logic, and SOC triage quality regarding early-phase attacker reconnaissance oh this step: System discovery, Persistence, and MITRE CTID « Active Directory enumeration ».

During the 2^nd step, the adversary began « hunting for credentials and privilege escalation opportunities in the customer’s network. This included scanning network shares for credential-containing material« .

We may refer to the T1046 - Network Service Discovery technique, by using some File Share BlackNoise scan event for example, and also Network Share Discovery event.

Moreover Varonis indicates that attacker then attempt to « identify credentials stored in browsers » by using the « Data Protection API (DPAPI) to decrypt passwords stored in the browsers from files« .

The BlackNoise event Library includes events to test the T1555 - Credentials from Password Stores: Credentials from Web Browsers technique that can target Chrome, Firefox, Edge. These events allow defenders to verify detection logic against common infostealer workflows (DPAPI Master Key access, WebData file extraction, credential blob decryption patterns).

Note: To provide an easy way for our customer to test them against those behaviors, we developped a focused scenario called Local Credentials Theft by Infostealer.

In the 3^rd stage, Varonis reports that the adversary try to « controlling a Domain Admin account« . This is a common target for attackers as they want to have full access on the entire network by getting administrative privileges on this key component.

Here again, BlackNoise R&D has developed several events to obtain an overview of the domain configuration and stealing Active Directory related credentials.

We may mention for instance T1078 - Valid Accounts: Domain Accounts and T1558 - Steal or Forge Kerberos Tickets.

Note: Do you want to test your own detection system and procedure against such behaviors? Consider using Domain discovery and Domain Credentials Theft scenarios for quick and efficient answer. These help validate if your detection pipeline correctly identifies abnormal Kerberos activity, impossible travel of authentication artifacts, and privileged account misuse.

The report indicates that the threat actor then move on the network to deploy « additional information and credential gathering scripts« . We have already deal about such behaviors during the previous stages with several Discovery events and scenarios.

The adversary finally choose to achieve « mass data exfiltration« . The report mention the installation of the AzCopy utility to upload files on a Microsoft Azure Storage instance which is linked to the T1567 - Exfiltration Over Web Service MITRE ATT&CK technique. We provide multiple tests of such exfiltration to cloud services for Amazon S3, Github, Mega, Pixeldrain and more.

But we may also consider the T1048 - Exfiltration Over Alternative Protocol technique to test files exfiltration using basic protocols such as DNS, HTTPS, SSH, etc.

Note: 14 selected events are packed in the Data exfiltration over web services or alternative protocols BlackNoise scenario to test those actions at the end of the Kill Chain.

BlackNoise provides targeted scenarios that accurately reproduce each phase observed in the RansomHub affiliate intrusion. By executing these simulations, security teams can rapidly evaluate the effectiveness of their defensive controls from early-stage detection to lateral movement visibility and exfiltration monitoring. These tests expose potential blind spots, missing correlation rules, and configuration gaps that could allow an attacker to operate undetected.

Beyond assessing specific technical controls, BlackNoise also delivers a full Kill Chain simulation, based on this Varonis insights, that combine reconnaissance, credential theft, privilege escalation, lateral movement, and data exfiltration. This scenario is named RansomHub Affiliate Attack Chain.

Importantly, these scenarios serve not only as a validation tool but also as a training platform for SOC and CERT/CSIRT teams. By replaying realistic attacker behaviors in a controlled environment, analysts can practice:

• Investigating early weak signals
• Conducting rapid triage
• Responding to simulated events to test escalation paths and containment playbooks

This operational training allows teams to refine their detection logic, improve their investigation workflows, and strengthen incident response readiness. Through repeated exposure to adversary-like activity, SOC and CERT/CSIRT analysts gain experience that directly enhances their ability to recognize and neutralize real-world threats.