{ "type": "bundle", "id": "bundle--2c5df70b-e574-4b0b-b849-7936b654b683", "spec_version": "2.1", "created": "2026-06-11T23:57:51.668Z", "modified": "2026-06-11T23:57:51.668Z", "objects": [ { "type": "extension-definition", "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "name": "Attack Flow", "description": "Extends STIX 2.1 with features to create Attack Flows.", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", "version": "2.0.0", "extension_types": [ "new-sdo" ], "external_references": [ { "source_name": "Documentation", "description": "Documentation for Attack Flow", "url": "https://center-for-threat-informed-defense.github.io/attack-flow" }, { "source_name": "GitHub", "description": "Source code repository for Attack Flow", "url": "https://github.com/center-for-threat-informed-defense/attack-flow" } ] }, { "type": "identity", "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "name": "MITRE Center for Threat-Informed Defense", "identity_class": "organization" }, { "type": "attack-flow", "id": "attack-flow--058d93c8-baa2-46fb-b620-29d0fb2da0b5", "spec_version": "2.1", "created": "2022-10-27T02:44:54.520Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "created_by_ref": "identity--3025013b-7a74-4546-ba3c-11d46d75adfc", "start_refs": [ "attack-action--3e22a477-71cd-4aef-94da-33cdde6da4d8", "attack-action--dac00d37-82b6-4474-b753-88c12a3b9486" ], "name": "Ragnar Locker", "description": "Profile of a ransomware group", "scope": "threat-actor", "external_references": [ { "source_name": "Acronis", "description": "Article", "url": "https://www.acronis.com/en-us/blog/posts/ragnar-locker/" }, { "source_name": "Avertium", "description": "Article", "url": "https://www.avertium.com/resources/threat-reports/ragnar-locker-ransomware-attacks-analysis" }, { "source_name": "Milton Security", "description": "CVE", "url": "https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability" }, { "source_name": "Sophos", "description": "Article", "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" }, { "source_name": "Zscaler", "description": "Article", "url": "https://www.zscaler.com/blogs/security-research/threatlabz-ransomware-review-advent-double-extortion" } ] }, { "type": "identity", "id": "identity--3025013b-7a74-4546-ba3c-11d46d75adfc", "spec_version": "2.1", "created": "2026-06-11T23:57:51.668Z", "modified": "2026-06-11T23:57:51.668Z", "name": "Mia Sanchez", "contact_information": "msanchez@mitre.org" }, { "type": "threat-actor", "id": "threat-actor--38c0871a-8385-4a6c-bcc3-525b2cca5cfd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Ragnar Locker", "description": "Name of a ransomware and a ransomware gang; breached energy, critical manufacturing, financial services, government, and information technology sectors; the ransomware gang is a part of a ransomware family, working with multiple ransomware variants and threat actor groups", "first_seen": "2019-12-01T05:00:00.000Z", "sophistication": "advanced", "resource_level": "organization", "primary_motivation": "organizational-gain" }, { "type": "attack-action", "id": "attack-action--3e22a477-71cd-4aef-94da-33cdde6da4d8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Brute Force", "tactic_id": "TA0006", "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263", "technique_id": "T1110", "technique_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd", "description": "Attackers brute force passwords for the RDP service", "effect_refs": [ "attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6" ] }, { "type": "attack-action", "id": "attack-action--dac00d37-82b6-4474-b753-88c12a3b9486", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Valid Accounts", "tactic_id": "TA0001", "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "technique_id": "T1078", "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "description": "Attackers purchased stolen credentials from the black market for the victim's RDP service", "effect_refs": [ "attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6" ] }, { "type": "attack-condition", "id": "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Attacker compromises the victim's RDP service" }, { "type": "attack-operator", "id": "attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5" ] }, { "type": "attack-action", "id": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Component Object Model Hijacking", "description": "Attacker exploited a vulnerability in the Windows COM Aggregate Marshaler", "effect_refs": [ "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03" ] }, { "type": "vulnerability", "id": "vulnerability--46d6c525-3d83-49a3-b7ee-61cb20432849", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "CVE-2017-0213", "description": "vulnerability within Windows COM Aggregate Marshaler to run arbitrary code with elevated privileges" }, { "type": "attack-condition", "id": "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Attacker elevates privileges to administrator-level access" }, { "type": "tool", "id": "tool--a041a237-8038-45d2-8264-c86a777710fd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Special Application", "description": "To exploit CVE-2017-0213, the attackers run a specially crafted application", "tool_types": [ "exploitation" ] }, { "type": "attack-action", "id": "attack-action--a8c21650-07b5-4afd-b75a-7ab04eb40029", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "System Language Discovery", "description": "Attackers check for locale information. If the machine’s default language matches one on the CIS list, the ransomware process is terminated with the “666” exit code.", "effect_refs": [ "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35" ] }, { "type": "attack-action", "id": "attack-action--4c86708e-d142-4521-909d-3e3ce918042f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Group Policy Modification", "description": "Attackers use GPO to move laterally", "effect_refs": [ "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b" ] }, { "type": "tool", "id": "tool--b5850e52-5d84-4ae3-8e3e-43b8b5b4b659", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "msiexec.exe", "description": "Attackers use Microsoft Installer to pass parameters to a remote web server", "tool_types": [ "remote-access", "exploitation" ] }, { "type": "infrastructure", "id": "infrastructure--5e1c6ff4-a5b2-4cba-be87-c05e026729d6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Remote Web Server", "infrastructure_types": [ "hosting-malware" ] }, { "type": "tool", "id": "tool--ab5ee969-33ca-4ead-bc33-90106dd462d9", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "MSI package", "description": "downloaded MSI package contained the following: working installation of an old Oracle VirtualBox hypervisor (Sun xVM VirtualBox version 3.0.4 from Aug 5, 2009) & a virtual disk image (VDI) named micro.vdi (image is stripped-down version of Windows XP SP3 OS called MicroXP v0.82) that includes the Ragnar Locker ransomware", "tool_types": [ "unknown" ] }, { "type": "attack-action", "id": "attack-action--7f17b0e9-c97d-4d47-a0e1-7764a470c166", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "PowerShell", "description": "Attackers use PowerShell to move laterally", "effect_refs": [ "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b" ] }, { "type": "attack-operator", "id": "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "OR", "effect_refs": [ "attack-condition--9f7b70da-99ce-43a6-98dd-dd05fe6a35c3" ] }, { "type": "attack-condition", "id": "attack-condition--9f7b70da-99ce-43a6-98dd-dd05fe6a35c3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Attackers move laterally across the network, infecting other computers" }, { "type": "attack-action", "id": "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Msiexec", "description": "Attackers used GPO to execute Microsoft Installer", "effect_refs": [ "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8" ] }, { "type": "attack-action", "id": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers run an executable, batch file, and support files", "effect_refs": [ "attack-action--7f8a1ea9-0e16-4229-b40d-148ffafe2ea6", "attack-action--d6fcccf3-4f43-4b5a-b966-c24853916163", "attack-action--80af5404-8374-4dc8-a254-8503c30b7bcd", "attack-action--b6f6bf27-9a31-4bd8-a89d-3121e6dc3f7d", "attack-action--3fc6b75b-3de3-4879-a5dd-a4c211e3cd3e" ] }, { "type": "attack-action", "id": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Run Virtual Instance", "description": "The attacker deploys a VirtualBox VM and loads a Windows XP image", "effect_refs": [ "attack-action--065964e1-07c5-468b-ba47-7b59dd3784a2" ] }, { "type": "attack-action", "id": "attack-action--065964e1-07c5-468b-ba47-7b59dd3784a2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Peripheral Device Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1120", "technique_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643", "description": "The VM image maps all local drives as read/writable into the virtual machine. This allows the ransomware process running inside the VM to encrypt all files.", "effect_refs": [ "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c" ] }, { "type": "tool", "id": "tool--882bf627-a833-43fc-aa06-e5a5591322fc", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Executable", "description": "va.exe - runs the batch script", "tool_types": [ "exploitation" ] }, { "type": "tool", "id": "tool--861f6ca6-9684-4f9c-b2be-18b895e85382", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Batch Script", "description": "install.bat", "tool_types": [ "exploitation" ] }, { "type": "attack-action", "id": "attack-action--d6fcccf3-4f43-4b5a-b966-c24853916163", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Execution", "tactic_id": "TA0002", "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", "description": "Batch file registers and runs VirtualBox application extensions - VBoxC.dll and VBoxRT.dll", "effect_refs": [ "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" ] }, { "type": "attack-action", "id": "attack-action--7f8a1ea9-0e16-4229-b40d-148ffafe2ea6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Defense Evasion", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "description": "Batch file stops Windows Shell Hardware Detection (to disable the Windows AutoPlay notification functionality)", "effect_refs": [ "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" ] }, { "type": "attack-action", "id": "attack-action--b6f6bf27-9a31-4bd8-a89d-3121e6dc3f7d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Reconnaissance", "tactic_id": "TA0043", "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", "description": "Batch script enumerates local disks and connects removable drives and mapped network drives to be accessed within the virtual machine", "effect_refs": [ "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" ] }, { "type": "attack-action", "id": "attack-action--80af5404-8374-4dc8-a254-8503c30b7bcd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Service Stop", "tactic_id": "TA0040", "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", "technique_id": "T1489", "technique_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b", "description": "Batch file terminates many processes/servers and remote management software, closes opened files, and disables AntiVirus software", "effect_refs": [ "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" ] }, { "type": "attack-action", "id": "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Exfiltration over Web Service", "tactic_id": "TA0010", "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", "technique_id": "T1567", "technique_ref": "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807", "description": "The ransomware steals files and uploads them to one or more servers in case the victim refuses to pay the ransom", "effect_refs": [ "attack-action--cdcf257c-acd6-4a62-9b9a-f10aca957af5" ] }, { "type": "attack-action", "id": "attack-action--3fc6b75b-3de3-4879-a5dd-a4c211e3cd3e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Inhibit System Recovery", "tactic_id": "TA0040", "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", "technique_id": "T1490", "technique_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "description": "The batch file deletes volume shadow copies (so older unencrypted versions of files cannot be restored)", "effect_refs": [ "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" ] }, { "type": "attack-operator", "id": "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-action--a8c21650-07b5-4afd-b75a-7ab04eb40029" ] }, { "type": "attack-action", "id": "attack-action--33285dd9-ae14-4bfd-9fdc-7e235da39487", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Data Encrypted for Impact", "tactic_id": "TA0040", "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", "technique_id": "T1486", "technique_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", "description": "Ragnar Locker begins the encryption process in 64 simultaneous threads. The encrypted file contains the encrypted Salsa20 key data (40+32 bytes) with the signature ‘_RAGNAR_’ added to the footer at the very end.", "effect_refs": [ "attack-condition--448cf0df-edca-4dea-a55e-54dfac087ece" ] }, { "type": "attack-action", "id": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers install a 122MB crafted, unsigned MSI package from the remote web server", "effect_refs": [ "attack-condition--2ead9766-c614-475f-9cbf-7337f4bb240d" ] }, { "type": "attack-condition", "id": "attack-condition--2ead9766-c614-475f-9cbf-7337f4bb240d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Virtualization software and vdi located in a newly created directory" }, { "type": "tool", "id": "tool--05df012d-5f72-4f85-af36-51ca022ccf03", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "VirtualBox", "tool_types": [ "unknown" ] }, { "type": "tool", "id": "tool--7ebc622f-6a40-4bea-9e0d-f17f88b9083c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "micro.vdi", "description": "stripped-down Windows XP image containing ransomware", "tool_types": [ "unknown" ] }, { "type": "infrastructure", "id": "infrastructure--d853ec10-42cc-4bc1-863e-c67283989e7b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "name": "Servers", "description": "Receive sensitive files from victim", "infrastructure_types": [ "exfiltration" ] }, { "type": "attack-action", "id": "attack-action--cdcf257c-acd6-4a62-9b9a-f10aca957af5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Obfuscated Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1027", "technique_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "description": "Attackers protect the ransomware code with junk code and encryption", "effect_refs": [ "attack-action--33285dd9-ae14-4bfd-9fdc-7e235da39487" ] }, { "type": "attack-condition", "id": "attack-condition--448cf0df-edca-4dea-a55e-54dfac087ece", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Ransomware successfully encrypts files and displays the ransomware note" }, { "type": "relationship", "id": "relationship--9428f419-e18f-4b29-9798-14bafc80600c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5", "target_ref": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850" }, { "type": "relationship", "id": "relationship--7e7a741f-4510-48f3-9a70-9b2eaeb1c933", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", "target_ref": "vulnerability--46d6c525-3d83-49a3-b7ee-61cb20432849" }, { "type": "relationship", "id": "relationship--fb99e2ae-f045-44db-907a-429d867aecbe", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", "target_ref": "tool--a041a237-8038-45d2-8264-c86a777710fd" }, { "type": "relationship", "id": "relationship--44aa1232-1187-4a64-a38a-2a5f85c05078", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03", "target_ref": "attack-action--7f17b0e9-c97d-4d47-a0e1-7764a470c166" }, { "type": "relationship", "id": "relationship--076e883f-0068-456e-be89-908a829738bb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03", "target_ref": "attack-action--4c86708e-d142-4521-909d-3e3ce918042f" }, { "type": "relationship", "id": "relationship--ffbbf37f-0014-4369-9e4a-cd2d71adf402", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-condition--9f7b70da-99ce-43a6-98dd-dd05fe6a35c3", "target_ref": "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38" }, { "type": "relationship", "id": "relationship--6ba8defe-f086-443c-8534-383153af00f0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38", "target_ref": "tool--b5850e52-5d84-4ae3-8e3e-43b8b5b4b659" }, { "type": "relationship", "id": "relationship--a11535e6-9600-42d7-a3c7-50e852d865bf", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", "target_ref": "tool--861f6ca6-9684-4f9c-b2be-18b895e85382" }, { "type": "relationship", "id": "relationship--42b618b3-2511-4f48-a97a-e369633a41b9", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", "target_ref": "tool--882bf627-a833-43fc-aa06-e5a5591322fc" }, { "type": "relationship", "id": "relationship--cc7a7eea-6292-448b-acd5-b065922a972d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", "target_ref": "tool--7ebc622f-6a40-4bea-9e0d-f17f88b9083c" }, { "type": "relationship", "id": "relationship--9b7a7b9b-fd28-4c36-afad-201aca54b29c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", "target_ref": "tool--05df012d-5f72-4f85-af36-51ca022ccf03" }, { "type": "relationship", "id": "relationship--fb06dfe3-6f1e-4ba1-8052-46dc7912bf6a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c", "target_ref": "infrastructure--d853ec10-42cc-4bc1-863e-c67283989e7b" }, { "type": "relationship", "id": "relationship--c2dda736-675a-4309-8a5c-40d351d81065", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", "target_ref": "infrastructure--5e1c6ff4-a5b2-4cba-be87-c05e026729d6" }, { "type": "relationship", "id": "relationship--e497a314-282d-4a44-8d03-d42652f294d5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", "target_ref": "tool--ab5ee969-33ca-4ead-bc33-90106dd462d9" }, { "type": "relationship", "id": "relationship--92674f64-bb10-48d2-a686-135b96a3ce83", "spec_version": "2.1", "created": "2026-06-11T23:57:51.669Z", "modified": "2026-06-11T23:57:51.669Z", "relationship_type": "related-to", "source_ref": "attack-condition--2ead9766-c614-475f-9cbf-7337f4bb240d", "target_ref": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd" } ] }