On July 22, 2025, AttackIQ introduced Ransom Tales, an initiative focused on routinely emulating the Tactics, Techniques, and Procedures (TTPs) associated with the prolific ransomware families currently dominating the threat landscape. Each volume in this series is designed to dissect the operational behaviors of multiple ransomware families and translate them into realistic emulations that defenders can employ to rigorously challenge their security controls and enhance resilience against disruptive and extortive threats.
In this sixth volume, AttackIQ’s Adversary Research Team (ART) revisits historical ransomware operations with the introduction of three new attack graphs that emulate the Tactics, Techniques, and Procedures (TTPs) associated with the Ryuk, Conti, and BlackCat ransomware families. These groups pioneered sophistication in ransomware operations and were responsible for large-scale incidents worldwide, profoundly shaping the threat landscape and serving as precursors to many of today’s active ransomware strains.
Validating your security program performance against these behaviors is vital in reducing risk. By employing these assessment templates in the AttackIQ Adversarial Exposure Validation Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with historic and sophisticated ransomware strains.
- Assess their security posture against opportunistic and financially motivated adversaries that do not discriminate when selecting their targets.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the adversaries currently focused on ransomware activities.
[Malware Emulation] Ryuk Ransomware – 2020-03 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Ryuk ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
Ryuk is a ransomware strain, descendant of the Hermes ransomware family, that emerged in mid-2018 and quickly established itself as one of the most consequential threats in the global cybercrime ecosystem. First identified in August 2018 during a series of high-value intrusions, Ryuk distinguished itself through its focus on large enterprises and critical organizations, a strategy widely known as Big Game Hunting (BGH). It is operated by the Russian cybercriminal organization known as Wizard Spider, with deployment activity attributed to a subgroup commonly referred to as Grim Spider. Its introduction represented a major strategic evolution for Wizard Spider, which had previously specialized in wire-fraud operations facilitated by their TrickBot payload.
Ryuk is believed to be customized for each victim environment, enabling operators to adapt the payload to the target’s specific network topology and security architecture. This tailored approach, combined with its technical sophistication, positioned Ryuk among the first ransomware families capable of identifying and encrypting network drives and remote administrative shares, deleting shadow copies, and leveraging Wake-on-LAN to power on systems for encryption. These capabilities made Ryuk activities particularly destructive, significantly limiting recovery options in the absence of external backups.
The ransomware rose to public prominence following several high-profile incidents. In December 2018, the New York Times reported that a Ryuk intrusion against Tribune Publishing disrupted newspaper printing operations across multiple U.S. states, including a shared printing facility used by the New York Times and Wall Street Journal in Los Angeles. Given the timing of several Ryuk operations, coinciding with the U.S. midterm elections, and the sensitivity of affected systems, it has been suggested that conventional financial motivations may have intersected with broader geopolitical interests.
Over the following years, Ryuk operations targeted numerous sectors, including healthcare, professional services, media, and manufacturing, causing widespread operational outages and driving ransom demands into the multimillion-dollar range. According to the CrowdStrike 2020 Global Threat Report, Ryuk was responsible for three of the ten largest ransom demands observed that year, reaching USD $5.3 million, $9.9 million, and $12.5 million.
In its activities, Ryuk is rarely deployed as an initial payload. Instead, operators leverage a multi-stage infection chain involving TrickBot or other intermediary payloads to establish persistence, escalate privileges, and position the environment for ransomware deployment. Once executed, Ryuk terminates over 180 services and 40 processes, many associated with security solutions, backup utilities, and database systems, to maximize operational disruption. Encryption is performed using AES-256 for file encryption, with keys subsequently encrypted using RSA-2048, enabling robust cryptographic locking of high-value data.
Execution & Persistence – Ryuk Ransomware Deployment

This stage begins with the deployment of the Ryuk ransomware, executed through code injection using the CreateRemoteThread API. Once operational, it attempts to detect the presence of a debugger using the IsDebuggerPresent API.
It then determines the system’s locale through the GetLocaleInfoW API, establishes persistence through registry Run keys, and enables SeDebugPrivilege by invoking the AdjustTokenPrivileges API.
2020-01 Ryuk Ransomware Sample (T1105): The Ryuk Ransomware sample (SHA256: bddaf6020f8df169e1901c709701240f1a810d0e0fcec7d4479d5354360e1795) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Code Injection via Load Library and Create Remote Thread (T1055): This scenario performs injection of a Dynamic-link Library (DLL) into a target process by utilizing CreateRemoteThread and LoadLibraryW.
Debugger Detection via “IsDebuggerPresent” Native API (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Obtain System Locales Information via “GetLocaleInfoW” Windows API (T1614): This scenario executes the GetLocaleInfoW Windows API to retrieve the user’s default country locale code from the system.
Persistence Through Registry Run and RunOnce Keys (T1547.001): This scenario creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence on the system.
Access Token Manipulation (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Discovery – Local System Reconnaissance and Volume Shadow Copy Deletion

This stage begins by enumerating running processes through the CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs, followed by service discovery through the EnumServicesStatusW API. Finally, it attempts to delete volume shadow copies by executing wmic.exe, falling back to vssadmin.exe if that fails.
Process Discovery via Native API (T1057): This scenario uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
Service Status Discovery via “EnumServicesStatusW” Native API (T1007): This scenario executes the EnumServicesStatusW Windows API to gather critical information regarding configured services.
Delete created Volume Shadow Copy using “wmic.exe” (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Delete created Volume Shadow Copy using “vssadmin.exe” (T1490): This scenario executes the vssadmin.exe utility to delete a Volume Shadow Copy created by the emulation.
Impact – Ryuk Ransomware Encryption

This stage begins by enumerating network resources via the WNetOpenEnumW and WNetEnumResourceW APIs. It then identifies local logical drives via the GetLogicalDrives API, determines each drive’s type with GetDriveTypeW API, and performs filesystem traversal and file enumeration using the FindFirstFileW and FindNextFileW APIs. Finally, Ryuk encrypts the identified files using a combination of AES-256 for file encryption with RSA-2048 for key encryption.
Network Resource Discovery via “WNetOpenEnumW” and “WNetEnumResourceW” Native API (T1049): This scenario executes the WNetOpenEnumW and WNetEnumResourceW Windows API calls to enumerate network resources from the local computer.
Logical Drives Discovery via “GetLogicalDrives” Native API (T1680): This scenario executes the GetLogicalDrives Windows API to retrieve the currently available disk drives.
Drive Type Discovery via “GetDriveTypeW” Native API (T1680): This scenario retrieves information about the system’s physical disks by executing the GetDriveTypeW Windows API call.
File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.
Ryuk File Encryption (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Ryuk ransomware.
[Malware Emulation] Conti Ransomware – 2022-03 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Conti ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
Conti is a sophisticated ransomware strain, first identified in December 2019, notable for its rapid proliferation and displacement of other high-impact ransomware families such as Ryuk. Although commonly categorized as a Ransomware-as-a-Service (RaaS) offering, Conti’s organizational structure diverges significantly from traditional affiliate-based models. Instead of sharing ransom proceeds with affiliates, Conti operators are believed to employ salaried deployers, while developers retain the majority of profits from successful intrusions.
Conti operators leverage multiple initial access vectors, most prominently spear-phishing campaigns and the compromise of exposed Remote Desktop Protocol (RDP) services. Phishing activities frequently leverage malicious Microsoft Office documents weaponized with macros to deploy loaders such as BazarLoader, TrickBot, or BokBot, which facilitate the delivery of post-exploitation frameworks. Once inside a network, Conti actors abuse legitimate Remote Monitoring and Management (RMM) software and remote desktop utilities to establish persistence and maintain long-term access. Additionally, they further augment their post-exploitation toolkit by relying heavily on already available native system utilities and, when required, additional tools such as Windows Sysinternals and Mimikatz to extract password hashes and clear-text credentials, escalate privileges, and facilitate lateral movement. In certain activities, Conti deployers also leverage TrickBot to automate reconnaissance and post-exploitation activities.
In August 2021, a disgruntled Conti affiliate leaked what became known as the “Conti playbook”, revealing the group’s extensive exploitation of unpatched vulnerabilities to escalate privileges and move laterally across victim environments. The playbook highlighted checks for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print spooler service, EternalBlue (CVE-2017-0144) in Microsoft Windows Server Message Block (SMB), and Zerologon (CVE-2020-1472) in Microsoft Active Directory Domain Controllers.
Between February and March 2022, a Ukrainian researcher leaked extensive Conti source code and internal chat logs following the Russian invasion of Ukraine. Although Conti relied heavily on open-source tooling, the leaks included critical proprietary components such as the administrator panel, Conti Locker v2, and a functional decryptor. Despite these disclosures, which included two versions of the ransomware’s source code, the group continued to conduct intrusions and extortion operations. Crucially, the most recent and operational versions of the ransomware have not been publicly disclosed, enabling Conti to preserve a functional capability despite significant exposure.
Persistence & Impact – Conti Ransomware Deployment

This stage begins with the deployment of the Conti ransomware, which, once operational, attempts to detect the presence of a debugger using the IsDebuggerPresent API.
It then establishes persistence by creating a RunOnce registry key and enables automatic logon by setting the AutoAdminLogon value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If that fails, it falls back to enabling the local Guest account by executing the net user guest /active:yes command. Finally, it creates a process via the CreateProcessA API to delete volume shadow copies using the vssadmin.exe utility.
2021-07 Conti Ransomware (T1105): The Conti Ransomware sample (SHA256: 53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Debugger Detection via “IsDebuggerPresent” Native API (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Persistence Through Registry Run and RunOnce Keys (T1547.001): This scenario creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence on the system.
Use Registry to Enable Automatic Login to Windows Workstation (T1547.004): This scenario modifies the AutoAdminLogon value under the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so that Windows logs in automatically with an administrative account.
Account Manipulation Script (T1098): This scenario enables the Guest user account on the compromised environment by executing the net user guest /active:yes Windows command.
Process Creation via “CreateProcessA” Native API (T1106): This scenario executes the CreateProcessA Windows API call to create a new process for a given executable payload.
Delete created Volume Shadow Copy using “vssadmin.exe” (T1490): This scenario executes the vssadmin.exe utility to delete a Volume Shadow Copy created by the emulation.
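The Ryuk Run key scenario in the earlier stage and the Conti RunOnce and AutoAdminLogon scenarios in this stage all produce registry writes that Sysmon records as Event ID 13 (RegistryEvent, SetValue). The Python below is an added example, not AttackIQ code and not part of the attack graphs: it runs a small detection over constructed Event ID 13 records (image names, key paths and values are invented) and rates each write by whether the persisting binary lives in a user-writable location and whether the Winlogon change turns automatic logon on or stores a clear-text password. The field names Image, TargetObject and Details follow Sysmon's schema; the severity labels and the user-writable directory list are this example's own assumptions.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records; every path,
# image name and value below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\payload_r.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\payload_r.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\payload_c.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"C:\Windows\Temp\payload_c.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\payload_c.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "1"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\payload_c.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword",
     "Details": "constructed-secret"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

# Run / RunOnce value under the native or WOW6432Node hive (matched on the lowercased key).
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$")
# Winlogon values that together configure automatic logon.
WINLOGON = re.compile(
    r"\\software\\microsoft\\windows ?nt\\currentversion\\winlogon\\"
    r"(autoadminlogon|defaultusername|defaultpassword|defaultdomainname)$")
# Directories an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public|downloads)\\", re.I)


def normalize_key(path):
    """Lowercase the key and fold long hive names to the short forms Sysmon emits."""
    key = path.strip().lower()
    for long, short in (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu"),
                        ("hkey_users", "hku")):
        key = key.replace(long, short)
    return key


def detect_registry_persistence(events):
    """Return one finding per Run/RunOnce or Winlogon auto-logon write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev.get("TargetObject", ""))
        image = ev.get("Image", "")
        data = str(ev.get("Details", ""))
        if RUN_KEY.search(key):
            rule = "run_key_persistence"
            # A Run entry is far more suspicious when the writer or the target
            # binary sits somewhere any user can write.
            suspicious = USER_WRITABLE.search(image) or USER_WRITABLE.search(data)
            severity = "high" if suspicious else "low"
        elif WINLOGON.search(key):
            rule = "winlogon_autologon"
            value_name = key.rsplit("\\", 1)[-1]
            if value_name == "defaultpassword":
                severity = "critical"          # clear-text credential stored in the registry
            elif value_name == "autoadminlogon" and data.strip() != "1":
                severity = "info"              # turning auto-logon off is not persistence
            else:
                severity = "high"
        else:
            continue
        findings.append({"rule": rule, "severity": severity, "image": image,
                         "key": ev.get("TargetObject"), "data": data})
    return findings


if __name__ == "__main__":
    for f in detect_registry_persistence(SAMPLE_EVENTS):
        print(f"{f['severity']:8s} {f['rule']:22s} {f['image']} -> {f['key']}")
```

Sysmon only records RegistryEvent entries for keys its configuration includes, so the Run, RunOnce and Winlogon paths above need explicit TargetObject include rules before this logic sees anything. The svchost.exe entry is kept at low severity rather than dropped: a trusted image path alone is not proof of a trusted writer.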
Discovery & Impact – Conti Ransomware Encryption

This stage begins with local environment reconnaissance, first obtaining general system information via the GetNativeSystemInfo API and enumerating Address Resolution Protocol (ARP) entries using GetIpNetTable. It then performs network share discovery through NetShareEnum, identifies local logical drives via GetLogicalDriveStringsW, and determines each drive’s type using GetDriveTypeW, followed by filesystem traversal and file enumeration through the FindFirstFileW and FindNextFileW APIs. Finally, Conti encrypts the identified files using a combination of AES-256 for file encryption with RSA-4096 for key encryption.
System Information Discovery via “GetNativeSystemInfo” Native API (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
Enumerate Address Resolution Protocol (ARP) Entries via “GetIpNetTable” Windows API (T1016): This scenario executes the GetIpNetTable Windows API to retrieve the Address Resolution Protocol (ARP) cache information from the system.
Network Share Discovery via “NetShareEnum” Native API (T1135): This scenario executes the NetShareEnum Windows native API call to enumerate network shares from the local computer.
Logical Drive Discovery via “GetLogicalDriveStringsW” Native API (T1680): This scenario executes the GetLogicalDriveStringsW Windows API to retrieve information regarding the system’s physical drives.
Drive Type Discovery via “GetDriveTypeW” Native API (T1680): This scenario retrieves information about the system’s physical disks by executing the GetDriveTypeW Windows API call.
File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.
Conti Ransomware File Encryption (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Conti ransomware.
[Malware Emulation] BlackCat Ransomware – 2022-11 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of BlackCat ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
BlackCat, also known as AlphaVM and ALPHV, is a sophisticated ransomware strain operated under the Ransomware-as-a-Service (RaaS) model that emerged in November 2021. It is written in Rust, a memory-safe, cross-platform programming language that enables operators to deploy payloads across both Windows and Linux environments. According to an FBI advisory published on April 19, 2022, several BlackCat developers and money launderers maintain ties to the defunct DarkSide and BlackMatter ransomware groups, indicating that BlackCat likely evolved from well-established infrastructure, operational workflows, and expertise inherited from prior ransomware operations.
Since its emergence, BlackCat has gained significant visibility through high-profile intrusions and the adoption of triple-extortion tactics, where aside from encrypting data and threatening to leak exfiltrated information, operators threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to increase coercive pressure, an approach that has provided BlackCat with a competitive advantage over other RaaS operations. While targeting varies by operator, BlackCat activities frequently impact organizations in the healthcare, finance, government, and education sectors. Consistent with long-standing norms among several Eastern European cybercriminal groups, attacks against entities within the Commonwealth of Independent States (CIS) are generally discouraged.
BlackCat is commonly delivered via Cobalt Strike or comparable post-exploitation frameworks. Samples require an “access token” to be supplied as a parameter at execution, functioning as an operational safeguard and anti-analysis measure. Operators make extensive use of Living off the Land Binaries (LOLBins) and custom scripts for lateral movement, privilege escalation, and environment reconnaissance. The ransomware includes privilege-escalation capabilities, such as UAC Bypass and PEB Masquerading, and supports propagation to remote hosts using PsExec. On Windows systems, BlackCat attempts to delete Volume Shadow Copies (VSS), enumerates mounted drives, and recursively encrypts eligible files. It also supports intermittent encryption, enabling faster encryption while reducing detection opportunities. Compromised victims are ultimately directed to a Tor-based payment portal for negotiation and ransom instructions.
On December 19, 2023, the U.S. Department of Justice and the Federal Bureau of Investigation (FBI) announced a coordinated disruption of ALPHV/BlackCat operations, including the seizure of several critical infrastructure components. As part of this action, decryption tools were released to assist victims affected by earlier BlackCat intrusions.
Execution & Discovery – BlackCat Ransomware Deployment

This stage begins with the deployment of the BlackCat ransomware which, once operational, attempts to obtain the machine’s Globally Unique Identifier (GUID) from the Windows registry. It then creates a named pipe via CreateNamedPipeW, retrieves the system’s Universally Unique Identifier (UUID) through a Windows Management Instrumentation Command (WMIC), and collects general system information using the GetSystemInfo API.
2022-03 BlackCat Ransomware Sample (T1105): The BlackCat Ransomware sample (SHA256: 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Obtain MachineGUID from Cryptography Registry Key using “reg query” Command (T1012): This scenario queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.
Named Pipe creation via “CreateNamedPipeW” Native API (T1559): This scenario creates a named pipe via the CreateNamedPipeW API, which can be used to move laterally within an internal network by delivering or executing malware via named pipes.
Obtain Csproduct UUID Using WMI (T1082): This scenario executes the wmic csproduct GET uuid command to obtain the Universally Unique Identifier (UUID) of the compromised system.
System Information Discovery via “GetSystemInfo” Native API (T1082): This scenario executes the GetSystemInfo Windows API call to retrieve information associated with the system.
Privilege Escalation & Impact – Bypass UAC and Enable Privileges

This stage begins by bypassing User Account Control (UAC) through abuse of the legitimate Microsoft Connection Manager Profile Installer (CMSTP) utility. This technique exploits a Component Object Model (COM) interface, ICMLuaUtil, which exposes the ShellExec method that allows an adversary to execute arbitrary commands with elevated privileges.
Subsequently, it enables a set of privileges, including SeBackupPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncreaseQuotaPrivilege, SeLoadDriverPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemEnvironmentPrivilege, and SeTakeOwnershipPrivilege via the AdjustTokenPrivileges API. It then enables Remote-to-Local and Remote-to-Remote symbolic link evaluation through the fsutil command to expand the scope of accessible resources.
Finally, it attempts to delete volume shadow copies using vssadmin.exe, falling back to wmic.exe if necessary. Subsequently, it clears Windows event logs through wevtutil.exe to reduce forensic visibility.
Bypass UAC via CMSTPLUA COM (T1548.002): This scenario attempts to bypass User Account Control (UAC) by abusing the legitimate Microsoft Connection Manager Profile Installer (CMSTP) utility. It exploits a Component Object Model (COM) interface, ICMLuaUtil, which exposes the ShellExec method that allows an adversary to execute arbitrary commands with elevated privileges.
Enable “SeBackupPrivilege” Privilege via Native API (T1134): This scenario enables the SeBackupPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeDebugPrivilege” Privilege via Native API (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeImpersonatePrivilege” Privilege via Native API (T1134): This scenario enables the SeImpersonatePrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeIncreaseQuotaPrivilege” Privilege via Native API (T1134): This scenario enables the SeIncreaseQuotaPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeLoadDriverPrivilege” Privilege via Native API (T1134): This scenario enables the SeLoadDriverPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeRestorePrivilege” Privilege via Native API (T1134): This scenario enables the SeRestorePrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeSecurityPrivilege” Privilege via Native API (T1134): This scenario enables the SeSecurityPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeSystemEnvironmentPrivilege” Privilege via Native API (T1134): This scenario enables the SeSystemEnvironmentPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Enable “SeTakeOwnershipPrivilege” Privilege via Native API (T1134): This scenario enables the SeTakeOwnershipPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
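Each privilege enabled in this stage, and the SeDebugPrivilege enabled in the Ryuk deployment stage, leaves a Windows Security event 4703 ("A user right was adjusted") once the Audit Token Right Adjusted subcategory is turned on. The Python below is an added example rather than anything from the attack graphs: it parses constructed 4703 records (field names follow the event schema, values are invented) and grades them, treating the Backup, Restore and TakeOwnership combination as the strongest signal because together they let a process read and overwrite files regardless of their ACLs. The trusted-path list and the severity labels are assumptions of this example.

```python
import re

# The nine privileges the BlackCat stage enables; SeDebugPrivilege also covers Ryuk.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege", "SeDebugPrivilege", "SeImpersonatePrivilege",
    "SeIncreaseQuotaPrivilege", "SeLoadDriverPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemEnvironmentPrivilege", "SeTakeOwnershipPrivilege",
}
# Backup + Restore + TakeOwnership together bypass file ACLs for read and write,
# which is exactly what in-place encryption of protected files needs.
FILE_ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
# Processes under these directories adjust privileges constantly (assumed list);
# they are downgraded, never dropped, because binaries there can be injected into.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

# Constructed Security event 4703 records; values are invented for this example.
SAMPLE_4703 = [
    {"SubjectUserName": "jdoe", "ProcessName": "C:\\Users\\Public\\payload_c.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, "
                             "SeIncreaseQuotaPrivilege, SeLoadDriverPrivilege, SeRestorePrivilege, "
                             "SeSecurityPrivilege, SeSystemEnvironmentPrivilege, SeTakeOwnershipPrivilege",
     "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "jdoe", "ProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload_r.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "EnabledPrivilegeList": "SeImpersonatePrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "EnabledPrivilegeList": "SeTcbPrivilege", "DisabledPrivilegeList": "-"},
    # The raw event separates privileges with CRLF and tabs; a backup engine enabling
    # Backup and Restore is the classic benign look-alike.
    {"SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\wbengine.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege", "DisabledPrivilegeList": "-"},
]


def parse_privilege_list(raw):
    """Split the multi-line or comma-separated privilege list; '-' means empty."""
    return {p for p in re.split(r"[\s,;]+", raw.strip()) if p and p != "-"}


def assess_4703(event):
    """Grade one 4703 record, or return None when no sensitive privilege was enabled."""
    enabled = parse_privilege_list(event.get("EnabledPrivilegeList", ""))
    sensitive = enabled & SENSITIVE_PRIVILEGES
    if not sensitive:
        return None
    process = event.get("ProcessName", "")
    trusted = process.lower().startswith(TRUSTED_PREFIXES)
    if FILE_ACL_BYPASS <= enabled or len(sensitive) >= 4:
        severity = "high"        # ACL bypass set, or a broad sweep of rights at once
    elif {"SeDebugPrivilege", "SeLoadDriverPrivilege"} & sensitive:
        severity = "medium"      # cross-process access or kernel driver loading
    else:
        severity = "low"
    if trusted and severity != "high":
        severity = "low"
    return {"process": process, "user": event.get("SubjectUserName"),
            "enabled": sorted(sensitive), "severity": severity, "trusted_path": trusted}


def assess_all(events):
    return [r for r in (assess_4703(e) for e in events) if r]


if __name__ == "__main__":
    for r in assess_all(SAMPLE_4703):
        print(f"{r['severity']:6s} {r['process']} {', '.join(r['enabled'])}")
```

Event 4703 is noisy on a busy host, so the grading above is meant to prioritise rather than to alert on every record; in production the trusted-path downgrade should be narrowed to specific signed images, since backup agents and the Volume Shadow Copy service legitimately use SeBackupPrivilege and SeRestorePrivilege.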
Enable Windows Remote Symlinks (T1222.001): This scenario enables the Remote to Local and Remote to Remote symbolic links through the fsutil behavior set SymlinkEvaluation command.
Delete created Volume Shadow Copy using “vssadmin.exe” (T1490): This scenario executes the vssadmin.exe utility to delete a Volume Shadow Copy created by the emulation.
Delete created Volume Shadow Copy using “wmic.exe” (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Clear Windows Event Log via wevtutil.exe (T1070.001): This scenario employs the wevtutil.exe utility to clear Windows Event Logs from the system.
Discovery – Local System and Network Reconnaissance

This stage focuses on system reconnaissance, beginning with service status and configuration discovery through the EnumServicesStatus, QueryServiceStatusEx, and EnumDependentServices APIs. It then enumerates running processes using the CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. Next, it modifies the Maximum Number of Network Requests (MaxMpxCt) registry value, located under the LanmanServer service parameters at HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Subsequently, it retrieves Address Resolution Protocol (ARP) information and obtains network shares information.
Service Status Discovery via “EnumServicesStatusW” Native API (T1007): This scenario executes the EnumServicesStatusW Windows API to gather critical information regarding configured services.
Service Information Discovery via “QueryServiceStatusEx” Native API (T1007): This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.
Process Discovery via Native API (T1057): This scenario uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
Get ARP Information through Windows Command Line (T1016): This scenario executes the arp -a command to obtain the system’s Address Resolution Protocol (ARP) information.
Get Network Shares Information through Windows Command Line (T1135): This scenario executes the net use utility to obtain information regarding the system’s available network shares.
Impact – BlackCat Ransomware Encryption

This stage begins by identifying local logical drives via the GetLogicalDrives API and determining each drive’s type using GetDriveTypeW. Next, it enumerates available volumes through the FindFirstVolumeW and FindNextVolumeW APIs, followed by filesystem traversal and file enumeration through FindFirstFileW and FindNextFileW. Finally, BlackCat encrypts the identified files using a combination of AES-NI CTR or ChaCha20 for file encryption and RSA-2048 for key encryption.
Logical Drives Discovery via “GetLogicalDrives” Native API (T1680): This scenario executes the GetLogicalDrives Windows API to retrieve the currently available disk drives.
Drive Type Discovery via “GetDriveTypeW” Native API (T1680): This scenario retrieves information about the system’s physical disks by executing the GetDriveTypeW Windows API call.
Volume Discovery via “FindFirstVolumeW” and “FindNextVolumeW” Native API (T1680): This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.
File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.
BlackCat File Encryption (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by BlackCat ransomware.
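The three encryption scenarios (Ryuk, Conti and BlackCat) all encrypt files matching an extension list in place, and BlackCat adds intermittent encryption. The Python below is an added example, not AttackIQ code and not an encryption routine: it builds a constructed directory in which random bytes stand in for ciphertext, then scores targeted files by per-chunk Shannon entropy and by whether the format's leading signature bytes are still present. Per-chunk scoring is what catches partial encryption; the signature check is what separates encrypted files from legitimately compressed ones. The extension list, the 4 KiB chunk size and the 7.2 bits-per-byte threshold are assumptions of this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of extensions a ransomware extension list would target (assumed).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak"}
# Leading bytes of formats with a fixed signature; in-place encryption destroys them.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff"}
CHUNK = 4096
HIGH_ENTROPY = 7.2  # bits per byte; random or encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(path, chunk=CHUNK):
    """Entropy of each fixed-size chunk, so a partially encrypted file still shows a hot chunk."""
    out = []
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            out.append(shannon_entropy(block))
    return out


def header_matches(path):
    """True/False when the extension has a known signature, None when it does not."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def assess_file(path):
    ents = chunk_entropies(path)
    hot = sum(e >= HIGH_ENTROPY for e in ents)
    header_ok = header_matches(path)
    if header_ok is False and hot:
        verdict = "likely_encrypted"   # signature gone and ciphertext-like data present
    elif ents and hot == len(ents) and header_ok is None:
        verdict = "high_entropy"       # encrypted or merely compressed; needs another signal
    elif hot:
        verdict = "mixed"
    else:
        verdict = "plaintext_like"
    return {"name": path.name, "chunks": len(ents), "high_entropy_chunks": hot,
            "max_entropy": max(ents, default=0.0), "header_ok": header_ok, "verdict": verdict}


def scan_directory(root):
    return [assess_file(p) for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS]


def build_sample_tree(root):
    """Write constructed files; random bytes stand in for ciphertext, nothing is encrypted."""
    root = Path(root)
    # Intact document: correct signature, low-entropy body.
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"quarterly report text " * 600)
    # Fully overwritten: signature gone, every chunk hot (first byte fixed so the
    # random data can never happen to start with a valid signature).
    (root / "ledger.xlsx").write_bytes(b"\x00" + os.urandom(3 * CHUNK - 1))
    # Intermittent-style: only the first 4 KiB overwritten, the rest untouched.
    (root / "photo.jpg").write_bytes(b"\x00" + os.urandom(CHUNK - 1) + b"plain trailing data " * 400)
    # No signature known for .bak: entropy alone cannot decide.
    (root / "db.bak").write_bytes(os.urandom(2 * CHUNK))
    (root / "notes.txt").write_bytes(os.urandom(CHUNK))  # not a targeted extension, ignored


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {r["name"]: r["verdict"] for r in scan_directory(tmp)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} {verdict}")
```

Real Office, PDF and JPEG files are themselves compressed and score close to 8 bits per byte, so entropy on its own would flag every healthy document; the signature check is the discriminating signal, and a production monitor would apply both to files as they are modified (and count how many flip to likely_encrypted per minute) rather than rescanning whole volumes.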
Wrap-up
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Ryuk, Conti, and BlackCat ransomware operators. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known and dangerous threats.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
